Skip to content
dubcluster

Troubleshooting

“the server has asked for the client to provide credentials” (401)

Section titled ““the server has asked for the client to provide credentials” (401)”

Your login token wasn’t accepted. Usually one of:

  • You picked the wrong Google account at the login screen. Re-run and choose the account you were onboarded with.
  • A stale cached token. Clear it and log in fresh:
    Terminal window
    rm -rf ~/.kube/cache/oidc-login        # macOS/Linux
    Remove-Item -Recurse -Force "$HOME\.kube\cache\oidc-login"   # PowerShell
  • The browser login never completed. Run a command and make sure the browser tab actually finishes and returns to the terminal.

”… cannot list resource … Forbidden”

Section titled “”… cannot list resource … Forbidden””

You tried to do something outside your namespace (like kubectl get nodes, or accessing another namespace). This is working as intended — your access is scoped to tenant-<you>. If you ran a plain command and got this, check your kubeconfig’s current context is your tenant context.

”exceeded quota”

Section titled “”exceeded quota””

You hit a resource cap. Check what’s in use:

Terminal window
kubectl describe resourcequota

Scale something down, delete unused workloads, or ask for more headroom. See Limits & rules.

Pod stuck in Pending

Section titled “Pod stuck in Pending”
Terminal window
kubectl describe pod <pod>

Look at the Events at the bottom. Common causes: no resource requests set (rejected by the LimitRange/quota), requesting more CPU/memory than your quota allows, or a PVC that can’t bind.

”Unable to connect to the server” / timeouts

Section titled “”Unable to connect to the server” / timeouts”

Network, not auth. Check Tailscale:

Terminal window
tailscale status        # are you connected?
ping 100.73.243.2       # can you reach the API server?

If Tailscale is down or you’ve been removed from the tailnet, you won’t be able to reach the cluster at all.

Image won’t pull (ImagePullBackOff) from the cluster registry

Section titled “Image won’t pull (ImagePullBackOff) from the cluster registry”
  • Make sure you pushed the image and the tag matches exactly (10.1.1.2:30500/<you>/app:v1).
  • The registry is plain HTTP — your local Docker needed insecure-registries set to push, but the cluster pulls fine internally. If the cluster can’t pull, double-check the image name in your manifest matches what you pushed.

Still stuck? Send the admin the output of kubectl describe on the failing resource — that’s almost always enough to diagnose it.