Skip to content

Diagnostic rules

klue ships with a set of built-in diagnostic rules that run against the resource graph whenever you execute klue why. Each rule produces zero or more findings — structured observations with a severity, a confidence score, an explanation, and one or more kubectl remediation suggestions.

Rule anatomy

Every rule has:

Field Description
ID Unique dotted identifier (for example pod/crashloop) used with --rule / --disable-rule flags
Severity critical, error, warning, or info — how serious the condition is
Confidence 0.01.0 — how certain klue is that the finding represents a real problem
Applies to The Kubernetes resource kind(s) the rule evaluates

Severity levels

Level Meaning
critical The resource is broken and likely affecting availability right now
error A definite problem that prevents the resource from working correctly
warning A degraded or risky state that warrants attention
info A noteworthy configuration state that is not necessarily a problem

All rules

The table below lists every built-in rule. Click the ID link to jump to the detailed description.

ID Severity Confidence Applies to
builtin/failed-condition error 0.60 Any
builtin/log-signal warning 0.70–0.95 Pod
builtin/missing-reference error 0.70 Any
builtin/orphaned-owner warning 0.60 Any
builtin/terminating-stuck warning 0.70 Any
builtin/warning-events warning 0.40 Any
pod/crashloop critical 0.95 Pod
pod/image-pull error 0.60–0.90 Pod
pod/config-missing error 0.85 Pod
pod/mount-failure error 0.85 Pod
pod/pending error 0.80 Pod
pod/probe-failure warning 0.70 Pod
deployment/rollout-stuck error 0.85 Deployment
deployment/unavailable warning 0.70 Deployment
statefulset/unavailable warning 0.70 StatefulSet
statefulset/rollout-stuck warning 0.70 StatefulSet
replicaset/unavailable warning 0.70 ReplicaSet
replicaset/replica-failure error 0.80 ReplicaSet
daemonset/unavailable warning 0.70 DaemonSet
daemonset/misscheduled warning 0.60 DaemonSet
job/failed error 0.85 Job
cronjob/suspended info 0.90 CronJob
cronjob/job-failures error 0.75 CronJob
node/not-ready error / critical 0.90 Node
node/pressure error 0.85 Node
node/network-unavailable error 0.80 Node
node/unschedulable warning 0.95 Node
service/no-endpoints error 0.80 Service
service/selector-mismatch error 0.75 Service
service/target-port-mismatch warning 0.70 Service
ingress/backend-missing error 0.85 Ingress
ingress/tls-secret-missing warning 0.75 Ingress
networkpolicy/no-matching-pods warning 0.60 NetworkPolicy
pvc/unbound warning 0.80 PersistentVolumeClaim
pvc/missing-storageclass error 0.85 PersistentVolumeClaim
pvc/provisioner-stuck error 0.80 PersistentVolumeClaim
pv/failed error 0.85 PersistentVolume
pv/released-retained warning 0.70 PersistentVolume
storageclass/no-provisioner info 0.90 StorageClass
storageclass/wait-for-first-consumer info 0.80 StorageClass
hpa/scaling-disabled error 0.80 HorizontalPodAutoscaler
hpa/missing-scale-target error 0.80 HorizontalPodAutoscaler
pdb/disruptions-blocked warning 0.70 PodDisruptionBudget
pdb/no-matching-pods warning 0.65 PodDisruptionBudget
lease/stale warning 0.60 Lease
rbac/missing-role error 0.80 RoleBinding, ClusterRoleBinding
rbac/no-subjects warning 0.70 RoleBinding, ClusterRoleBinding
csr/denied error 0.85 CertificateSigningRequest
csr/pending warning 0.60 CertificateSigningRequest

Selecting rules

Use the --rule and --disable-rule flags with klue why to control which rules run:

# Run only specific rules
klue why pod my-pod -n default --rule pod/crashloop --rule pod/image-pull

# Disable low-signal rules
klue why deployment api -n prod --disable-rule builtin/warning-events

See Flags for the complete flag reference.

Rule categories

Category Page Rules
Generic (any resource) Builtin builtin/*
Workloads Workloads pod/*, deployment/*, statefulset/*, replicaset/*, daemonset/*
Batch Batch job/*, cronjob/*
Nodes Node node/*
Networking Networking service/*, ingress/*, networkpolicy/*
Storage Storage pvc/*, pv/*, storageclass/*
Reliability & autoscaling Reliability hpa/*, pdb/*, lease/*
Security & certificates Security rbac/*, csr/*