If you’ve been working with Kubernetes for any length of time, chances are you’ve encountered the dreaded CreateContainerConfigError. This error can be particularly frustrating because it often appears right when you think your deployment should be working perfectly. Don’t worry though – while this error might seem intimidating at first, it’s actually quite straightforward to diagnose and fix once you understand what’s happening under the hood.
Today, we’ll walk through everything you need to know about CreateContainerConfigError, from understanding its root causes to implementing robust prevention strategies. By the end of this guide, you’ll have the confidence to tackle this error head-on and keep your Kubernetes deployments running smoothly.
1. Understanding CreateContainerConfigError
CreateContainerConfigError occurs when Kubernetes fails to generate the proper configuration for a container during the transition from Pending to Running state. Think of it as Kubernetes saying, “I know what container you want to run, but I can’t figure out how to configure it properly.”
This error typically arises from missing or misconfigured essential components like ConfigMaps or Secrets, and it prevents Kubernetes from assembling the configuration data needed to supply to the container.
When Does This Error Occur?
The error happens during the container creation phase, specifically when:
- Kubernetes attempts to validate container configuration
- The system tries to inject ConfigMap or Secret data
- Volume mounts are being resolved
- Environment variables are being processed
Common Symptoms
When this error occurs, you’ll typically see:
kubectl get pods
NAME READY STATUS RESTARTS AGE
web-app-5d7c8b9f4-xyz12 0/1 CreateContainerConfigError 0 2m30s
The pod remains stuck in this state until the underlying configuration issue is resolved.
2. Common Root Causes
<cite index=”14-1,16-1″>The most frequent causes of CreateContainerConfigError stem from missing Kubernetes ConfigMaps and Secrets, incorrect references, or misconfigured environment variables.</cite>
Let’s break down the primary culprits:
Missing ConfigMaps
- Referenced ConfigMap doesn’t exist in the cluster
- ConfigMap exists but in a different namespace
- Typos in ConfigMap names
Missing or Invalid Secrets
- Secret referenced in pod spec doesn’t exist
- Incorrect Secret name or namespace mismatch
- Missing keys within existing Secrets
Configuration Issues
- Invalid environment variable references
- Incorrect volume mount configurations
- Missing or misconfigured service accounts
Resource Problems
- Insufficient permissions to access resources
- Network connectivity issues
- Storage volume availability problems
3. Step-by-Step Diagnosis
When facing a CreateContainerConfigError, follow this systematic approach to identify the root cause:
3.1 Initial Assessment
First, confirm the error and gather basic information:
# Check pod status
kubectl get pods
# Get detailed pod information
kubectl describe pod <pod-name>
3.2 Examine Pod Events
<cite index=”11-1,15-1″>The Events section in the kubectl describe output is crucial for identifying the specific issue. Look for messages like “Error: configmap ‘configmap-3’ not found” or “Error: secret ‘mysql-secret’ not found”.</cite>
kubectl describe pod <pod-name> | grep -A 10 -B 10 Events
Look for event messages such as:
Warning Failed: Error: configmap "app-config" not foundWarning Failed: Error: secret "db-secret" not foundWarning Failed: couldn't find key database_url in ConfigMap
3.3 Verify Resource Existence
Check if the referenced resources actually exist:
# Check ConfigMaps
kubectl get configmap
kubectl get configmap <configmap-name> -o yaml
# Check Secrets
kubectl get secret
kubectl get secret <secret-name> -o yaml
# Check in specific namespace
kubectl get configmap,secret -n <namespace>
3.4 Validate Resource Contents
Even if resources exist, ensure they contain the expected keys:
# Examine ConfigMap structure
kubectl describe configmap <configmap-name>
# Examine Secret structure
kubectl describe secret <secret-name>
4. ConfigMap Solutions
4.1 Creating Missing ConfigMaps
When you discover a missing ConfigMap, here’s how to create it:
Problem Example:
apiVersion: v1
kind: Pod
metadata:
name: web-app
spec:
containers:
- name: app
image: nginx:latest
env:
- name: DATABASE_URL
valueFrom:
configMapKeyRef:
name: app-settings # This ConfigMap doesn't exist
key: db_connection
Solution:
# Method 1: Create from literals
kubectl create configmap app-settings \
--from-literal=db_connection="postgresql://user:pass@db:5432/myapp" \
--from-literal=app_env="production" \
--from-literal=debug_mode="false"
# Method 2: Create from YAML
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: app-settings
data:
db_connection: "postgresql://user:pass@db:5432/myapp"
app_env: "production"
debug_mode: "false"
EOF
4.2 Fixing Missing Keys
<cite index=”2-1″>Sometimes the ConfigMap exists, but specific keys referenced by the pod are missing, which also triggers CreateContainerConfigError.</cite>
Problem: ConfigMap exists but missing required keys
# Check current ConfigMap contents
kubectl get configmap app-settings -o yaml
# Add missing keys
kubectl patch configmap app-settings --patch='{"data":{"missing_key":"value"}}'
# Or edit directly
kubectl edit configmap app-settings
4.3 Namespace-Related Issues
Ensure ConfigMaps are in the correct namespace:
# Check which namespace your pod is in
kubectl get pod <pod-name> -o yaml | grep namespace
# Create ConfigMap in the correct namespace
kubectl create configmap app-settings \
--from-literal=db_connection="postgresql://localhost:5432/myapp" \
-n <target-namespace>
5. Secret Solutions
5.1 Creating Missing Secrets
Secrets require special handling due to their sensitive nature:
Problem Example:
apiVersion: v1
kind: Pod
metadata:
name: database
spec:
containers:
- name: mysql
image: mysql:8.0
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mysql-credentials # Missing Secret
key: root-password
Solution:
# Method 1: From literals
kubectl create secret generic mysql-credentials \
--from-literal=root-password="my-secure-password" \
--from-literal=username="admin"
# Method 2: From files
echo -n "my-secure-password" > password.txt
kubectl create secret generic mysql-credentials \
--from-file=root-password=password.txt
# Method 3: From YAML (requires base64 encoding)
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: mysql-credentials
type: Opaque
data:
root-password: $(echo -n "my-secure-password" | base64)
username: $(echo -n "admin" | base64)
EOF
5.2 Fixing Secret Key Issues
<cite index=”19-1″>A common issue occurs when users create secrets with typos in the names or reference non-existent keys within existing secrets.</cite>
# Check secret keys
kubectl get secret mysql-credentials -o yaml
# Add missing keys to existing secret
kubectl patch secret mysql-credentials --patch='{"data":{"new-key":"'$(echo -n "new-value" | base64)'"}}'
5.3 Secret Permissions and Access
Verify that your pods have the necessary permissions:
# Check service account
kubectl get pod <pod-name> -o yaml | grep serviceAccount
# Verify service account permissions
kubectl describe serviceaccount <service-account-name>
# Check if service account can access secrets
kubectl auth can-i get secrets --as=system:serviceaccount:<namespace>:<service-account>
6. Real-World Troubleshooting Examples
Let’s walk through some practical scenarios you might encounter:
6.1 Web Application Deployment Scenario
Situation: Deploying a web application that needs database credentials and API configuration.
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-app
spec:
replicas: 2
selector:
matchLabels:
app: web-app
template:
metadata:
labels:
app: web-app
spec:
containers:
- name: web
image: my-web-app:latest
env:
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: db-credentials
key: url
- name: API_KEY
valueFrom:
configMapKeyRef:
name: app-config
key: api_key
- name: LOG_LEVEL
valueFrom:
configMapKeyRef:
name: app-config
key: log_level
Troubleshooting Process:
- Check pod status:
kubectl get pods -l app=web-app
- Examine events:
kubectl describe pod <pod-name> | tail -20
- Verify resources:
kubectl get secret db-credentials
kubectl get configmap app-config
- Create missing resources:
# Create the Secret
kubectl create secret generic db-credentials \
--from-literal=url="postgresql://user:pass@db:5432/webapp"
# Create the ConfigMap
kubectl create configmap app-config \
--from-literal=api_key="your-api-key-here" \
--from-literal=log_level="info"
- Restart deployment:
kubectl rollout restart deployment web-app
6.2 Microservice with Volume Mounts
Problem: Service fails with ConfigMap volume mount issues.
apiVersion: v1
kind: Pod
metadata:
name: config-reader
spec:
containers:
- name: app
image: alpine:latest
command: ["sleep", "3600"]
volumeMounts:
- name: config-volume
mountPath: /etc/config
volumes:
- name: config-volume
configMap:
name: service-config # Missing ConfigMap
Resolution:
# Create the missing ConfigMap with configuration files
kubectl create configmap service-config \
--from-literal=config.yaml="server:\n port: 8080\n host: 0.0.0.0" \
--from-literal=database.conf="host=localhost\nport=5432"
# Verify the ConfigMap
kubectl describe configmap service-config
# Check if pod starts successfully
kubectl get pod config-reader
7. Prevention Best Practices
<cite index=”11-1″>Prevention is always better than troubleshooting. Here are proven strategies to avoid CreateContainerConfigError in the first place.</cite>
7.1 Pre-Deployment Validation
Always validate your manifests before applying them:
# Dry run validation
kubectl apply --dry-run=client -f deployment.yaml
# Server-side validation
kubectl apply --dry-run=server -f deployment.yaml
# Use kubeval for additional validation
kubeval deployment.yaml
7.2 Infrastructure as Code
Use tools like Helm to manage dependencies:
# values.yaml
database:
host: "localhost"
port: 5432
name: "myapp"
secrets:
dbPassword: "secure-password"
apiKey: "api-key-value"
# templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "myapp.fullname" . }}-config
data:
database-host: {{ .Values.database.host | quote }}
database-port: {{ .Values.database.port | quote }}
database-name: {{ .Values.database.name | quote }}
7.3 Deployment Scripts
Create deployment scripts that ensure proper order:
#!/bin/bash
set -e
echo "Creating namespace..."
kubectl create namespace myapp --dry-run=client -o yaml | kubectl apply -f -
echo "Creating ConfigMaps..."
kubectl apply -f configs/ -n myapp
echo "Creating Secrets..."
kubectl apply -f secrets/ -n myapp
echo "Deploying applications..."
kubectl apply -f deployments/ -n myapp
echo "Waiting for deployment to be ready..."
kubectl wait --for=condition=available --timeout=300s deployment/web-app -n myapp
7.4 Resource Monitoring
Set up monitoring for resource availability:
# Create a script to check for missing resources
#!/bin/bash
NAMESPACE=${1:-default}
echo "Checking ConfigMaps in namespace: $NAMESPACE"
kubectl get configmap -n $NAMESPACE
echo "Checking Secrets in namespace: $NAMESPACE"
kubectl get secret -n $NAMESPACE
echo "Checking for pods with errors..."
kubectl get pods -n $NAMESPACE --field-selector=status.phase!=Running
8. Advanced Troubleshooting Tips
8.1 Multi-Namespace Environments
In complex environments, namespace issues are common:
# Find all resources across namespaces
kubectl get configmap,secret --all-namespaces | grep <resource-name>
# Copy resources between namespaces
kubectl get configmap <name> -n source-namespace -o yaml | \
sed 's/namespace: source-namespace/namespace: target-namespace/' | \
kubectl apply -f -
8.2 Debugging Complex Dependencies
Create a troubleshooting checklist:
| Check | Command | Expected Result |
|---|---|---|
| Pod Status | kubectl get pods |
Running |
| Pod Events | kubectl describe pod <name> |
No errors in events |
| ConfigMap Exists | kubectl get configmap <name> |
ConfigMap found |
| Secret Exists | kubectl get secret <name> |
Secret found |
| Correct Namespace | kubectl get all -n <namespace> |
Resources in same namespace |
| Key Exists | kubectl get configmap <name> -o yaml |
Required keys present |
8.3 Automated Remediation
<cite index=”15-1″>Use monitoring tools and automation to catch and resolve issues quickly:</cite>
# Example monitoring script
#!/bin/bash
while true; do
ERROR_PODS=$(kubectl get pods --all-namespaces --field-selector=status.phase=Pending | grep CreateContainerConfigError | awk '{print $1"/"$2}')
if [ ! -z "$ERROR_PODS" ]; then
echo "Found pods with CreateContainerConfigError:"
echo "$ERROR_PODS"
# Send alert or trigger remediation
# webhook_notification.sh "$ERROR_PODS"
fi
sleep 30
done
8.4 Using kubectl Plugins
Install helpful kubectl plugins:
# Install krew (kubectl plugin manager)
curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz"
tar zxvf krew.tar.gz
./krew-linux_amd64 install krew
# Install useful plugins
kubectl krew install debug
kubectl krew install resource-capacity
kubectl krew install whoami
# Use debug plugin for troubleshooting
kubectl debug <pod-name> -it --image=busybox
The key to successfully managing CreateContainerConfigError is understanding that it’s almost always a configuration issue rather than a complex system problem. By following the systematic approach outlined in this guide, you’ll be able to quickly identify and resolve these errors, keeping your Kubernetes deployments running smoothly.
Remember that prevention is your best strategy. Implement proper validation in your CI/CD pipelines, use infrastructure as code practices, and maintain good documentation of your ConfigMaps and Secrets. With these practices in place, you’ll find that CreateContainerConfigError becomes a rare occurrence rather than a regular headache.