Diagnostic rules
klue ships with a set of built-in diagnostic rules that run against the resource
graph whenever you execute klue why. Each rule produces zero or more
findings — structured observations with a severity, a confidence score, an
explanation, and one or more kubectl remediation suggestions.
Rule anatomy
Every rule has:
| Field | Description |
|---|---|
| ID | Unique dotted identifier (for example pod/crashloop) used with --rule / --disable-rule flags |
| Severity | critical, error, warning, or info — how serious the condition is |
| Confidence | 0.0–1.0 — how certain klue is that the finding represents a real problem |
| Applies to | The Kubernetes resource kind(s) the rule evaluates |
Severity levels
| Level | Meaning |
|---|---|
| critical | The resource is broken and likely affecting availability right now |
| error | A definite problem that prevents the resource from working correctly |
| warning | A degraded or risky state that warrants attention |
| info | A noteworthy configuration state that is not necessarily a problem |
All rules
The table below lists every built-in rule. Click the ID link to jump to the detailed description.
| ID | Severity | Confidence | Applies to |
|---|---|---|---|
| builtin/failed-condition | error | 0.60 | Any |
| builtin/log-signal | warning | 0.70–0.95 | Pod |
| builtin/missing-reference | error | 0.70 | Any |
| builtin/orphaned-owner | warning | 0.60 | Any |
| builtin/terminating-stuck | warning | 0.70 | Any |
| builtin/warning-events | warning | 0.40 | Any |
| pod/crashloop | critical | 0.95 | Pod |
| pod/image-pull | error | 0.60–0.90 | Pod |
| pod/config-missing | error | 0.85 | Pod |
| pod/mount-failure | error | 0.85 | Pod |
| pod/pending | error | 0.80 | Pod |
| pod/probe-failure | warning | 0.70 | Pod |
| deployment/rollout-stuck | error | 0.85 | Deployment |
| deployment/unavailable | warning | 0.70 | Deployment |
| statefulset/unavailable | warning | 0.70 | StatefulSet |
| statefulset/rollout-stuck | warning | 0.70 | StatefulSet |
| replicaset/unavailable | warning | 0.70 | ReplicaSet |
| replicaset/replica-failure | error | 0.80 | ReplicaSet |
| daemonset/unavailable | warning | 0.70 | DaemonSet |
| daemonset/misscheduled | warning | 0.60 | DaemonSet |
| job/failed | error | 0.85 | Job |
| cronjob/suspended | info | 0.90 | CronJob |
| cronjob/job-failures | error | 0.75 | CronJob |
| node/not-ready | error / critical | 0.90 | Node |
| node/pressure | error | 0.85 | Node |
| node/network-unavailable | error | 0.80 | Node |
| node/unschedulable | warning | 0.95 | Node |
| service/no-endpoints | error | 0.80 | Service |
| service/selector-mismatch | error | 0.75 | Service |
| service/target-port-mismatch | warning | 0.70 | Service |
| ingress/backend-missing | error | 0.85 | Ingress |
| ingress/tls-secret-missing | warning | 0.75 | Ingress |
| networkpolicy/no-matching-pods | warning | 0.60 | NetworkPolicy |
| pvc/unbound | warning | 0.80 | PersistentVolumeClaim |
| pvc/missing-storageclass | error | 0.85 | PersistentVolumeClaim |
| pvc/provisioner-stuck | error | 0.80 | PersistentVolumeClaim |
| pv/failed | error | 0.85 | PersistentVolume |
| pv/released-retained | warning | 0.70 | PersistentVolume |
| storageclass/no-provisioner | info | 0.90 | StorageClass |
| storageclass/wait-for-first-consumer | info | 0.80 | StorageClass |
| hpa/scaling-disabled | error | 0.80 | HorizontalPodAutoscaler |
| hpa/missing-scale-target | error | 0.80 | HorizontalPodAutoscaler |
| pdb/disruptions-blocked | warning | 0.70 | PodDisruptionBudget |
| pdb/no-matching-pods | warning | 0.65 | PodDisruptionBudget |
| lease/stale | warning | 0.60 | Lease |
| rbac/missing-role | error | 0.80 | RoleBinding, ClusterRoleBinding |
| rbac/no-subjects | warning | 0.70 | RoleBinding, ClusterRoleBinding |
| csr/denied | error | 0.85 | CertificateSigningRequest |
| csr/pending | warning | 0.60 | CertificateSigningRequest |
Selecting rules
Use the --rule and --disable-rule flags with klue why to control which
rules run:
```bash
# Run only specific rules
klue why pod my-pod -n default --rule pod/crashloop --rule pod/image-pull

# Disable low-signal rules
klue why deployment api -n prod --disable-rule builtin/warning-events
```
See Flags for the complete flag reference.
Rule categories
| Category | Page | Rules |
|---|---|---|
| Generic (any resource) | Builtin | builtin/* |
| Workloads | Workloads | pod/*, deployment/*, statefulset/*, replicaset/*, daemonset/* |
| Batch | Batch | job/*, cronjob/* |
| Nodes | Node | node/* |
| Networking | Networking | service/*, ingress/*, networkpolicy/* |
| Storage | Storage | pvc/*, pv/*, storageclass/* |
| Reliability & autoscaling | Reliability | hpa/*, pdb/*, lease/* |
| Security & certificates | Security | rbac/*, csr/* |