ImagePullBackOff occurs when Kubernetes cannot pull a container image from a registry. The kubelet retries with exponential backoff while you resolve authentication, network, or image reference issues.
ImagePullBackOff is a pod status indicating that Kubernetes failed to pull a container image and is retrying with increasing delays. After an initial ErrImagePull error, the kubelet enters a backoff state with delays growing from 5 seconds up to 5 minutes between attempts. This error typically stems from one of three categories: the image doesn't exist (wrong name, tag, or registry), authentication is failing (missing or invalid credentials for private registries), or network issues prevent reaching the registry. The specific cause is revealed in the pod events.
Get detailed information about the pull failure:
kubectl describe pod <pod-name>Look at the Events section for messages like "unauthorized", "not found", "manifest unknown", or network errors. This tells you which category of problem you're dealing with.
Test pulling the image from a machine with registry access:
docker pull <image>:<tag>Check for typos in your pod spec. Verify the exact image path including registry prefix if not using Docker Hub:
image: gcr.io/project-id/image-name:tag
# or
image: 123456789.dkr.ecr.us-east-1.amazonaws.com/repo:tagCreate a Docker registry secret:
kubectl create secret docker-registry regcred \
--docker-server=<registry-url> \
--docker-username=<username> \
--docker-password=<password> \
--docker-email=<email>Reference it in your pod spec:
spec:
imagePullSecrets:
- name: regcredSecrets are namespace-scoped—create them in each namespace that needs them.
Docker Hub limits pulls for unauthenticated users (100 per 6 hours) and free accounts (200 per 6 hours). Events will show "toomanyrequests" errors.
Authenticate to Docker Hub even for public images:
kubectl create secret docker-registry dockerhub \
--docker-server=https://index.docker.io/v1/ \
--docker-username=<dockerhub-username> \
--docker-password=<dockerhub-token>Consider mirroring frequently-used images to your own registry.
Test connectivity from a node or debug pod:
kubectl run debug --rm -it --image=busybox -- /bin/sh
# Inside the pod:
nslookup gcr.io
wget -O- https://gcr.io/v2/Check that firewall rules and network policies allow outbound HTTPS (port 443) to registry endpoints.
If you've fixed the underlying issue, delete the pod to trigger an immediate retry instead of waiting for backoff:
kubectl delete pod <pod-name>For deployments, the ReplicaSet will create a new pod automatically. For stuck pods older than 60 minutes, deleting also clears stale events.
On EKS, use IAM Roles for Service Accounts (IRSA) for ECR authentication instead of static credentials. The node IAM role needs ecr:GetAuthorizationToken and ecr:BatchGetImage permissions.
For GKE with Artifact Registry or Container Registry, use Workload Identity to authenticate. Verify the service account has the artifactregistry.reader role.
In AKS, integrate directly with Azure Container Registry using managed identity—this eliminates the need for imagePullSecrets entirely.
For air-gapped or restricted environments, consider running a local registry mirror or using image caching solutions. Large images may also timeout during pull; increase the kubelet's image-pull-progress-deadline if needed.
Failed to connect to server: connection refused (HTTP/2)
How to fix "HTTP/2 connection refused" error in Kubernetes
missing request for cpu in container
How to fix "missing request for cpu in container" in Kubernetes HPA
error: invalid configuration
How to fix "error: invalid configuration" in Kubernetes
etcdserver: cluster ID mismatch
How to fix "etcdserver: cluster ID mismatch" in Kubernetes
running with swap on is not supported
How to fix "running with swap on is not supported" in kubeadm