FAQ

Answers to the questions that come up most often. Each answer is short and points to the canonical page for the full explanation. If you are looking for a specific error message, the Troubleshooting index is a better starting point.

Why does kubectl say “Unauthorized” even though I just logged in?

Your cached OIDC token may be stale or your Cloud RAP group claim may not match. Clear the cache and retry:

kubectl oidc-login clean
kubectl get ns

If it still fails, see the kubelogin troubleshooting section for the full diagnosis flow.

Why does kubectl get ns return zero namespaces after a successful login?

Your OIDC token was accepted, but its groups claim does not contain a Cloud RAP that maps to a Capsule Tenant. The most common cause is that your PI has not added you to the Cloud RAP in CCDB — Cloud RAPs do not auto-add sponsored users. Ask your PI to confirm your membership at ccdb.alliancecan.ca. See Requesting access for the full flow.

Which kubelogin do I need — the int128 one or the Microsoft one?

Kestrel uses the int128/kubelogin OIDC plugin, not the Microsoft Azure AD tool of the same name. If your package manager offers both, pick the int128 build. See Install kubelogin for per-OS instructions.

How do I log in from WSL2 or an SSH session with no browser?

Add --skip-open-browser to your kubeconfig exec.args, copy the printed URL to a local browser, and forward the callback port if the shell is remote. Full steps are in kubelogin troubleshooting — browser does not open.

Why is my ArgoCD Application stuck in OutOfSync or Degraded?

Click into the Application in the ArgoCD UI, open the failing resource, and read the sync message. The most common failures are YAML validation errors, Kyverno Pod Security rejections, namespace prefix violations, and priority class not in the allowlist. The Triage page has the quick-check flow.

How do I add a new application to my ArgoCD repo?

Add the new resource’s manifests to your Git repo and push. ArgoCD reconciles them automatically. See ArgoCD on Kestrel for the full pattern and User brings a repo for bringing your own Helm chart or Kustomize overlay.

Why does ArgoCD reject my Pod with a security policy error?

Kestrel enforces the Kubernetes Pod Security Standards at the restricted level via Kyverno. Your Pod spec must include runAsNonRoot: true, seccompProfile.type: RuntimeDefault, and capabilities.drop: [ALL]. See Known limitations — Pod Security restricted for the full checklist.
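
A local pre-check for the three settings named above, run before pushing manifests to the ArgoCD repo. This is an added example, not Kestrel's or Kyverno's own code; the function name and both sample manifests are constructed for illustration, and it covers only those three settings, not the full restricted checklist.

```python
import json

# Constructed sample manifests (not from Kestrel): one compliant, one not.
GOOD_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "web"},
 "spec": {
   "securityContext": {"runAsNonRoot": true,
                       "seccompProfile": {"type": "RuntimeDefault"}},
   "containers": [{"name": "app", "image": "registry.example/app:1.0",
                   "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}
""")
BAD_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "legacy"},
 "spec": {
   "securityContext": {"runAsNonRoot": true},
   "containers": [{"name": "app", "image": "registry.example/app:1.0",
                   "securityContext": {"runAsNonRoot": false,
                                       "capabilities": {"drop": ["NET_RAW"]}}}]}}
""")


def check_restricted(pod):
    """Return findings for the three settings, evaluated per container.

    runAsNonRoot and seccompProfile may be set once at pod level and are
    inherited by containers; a container-level value overrides the pod one.
    capabilities.drop exists only at container level.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        name = c.get("name", "?")
        # Effective value: the container's own setting, else the pod's.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if non_root is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault")
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            findings.append(f"{name}: capabilities.drop must include ALL")
    return findings


if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_restricted(pod) or "ok")
```

The second sample shows the case that is easy to miss: a pod-level runAsNonRoot: true does not help when a container sets its own value to false.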

Why does my Ingress return 404 even though the Pod is running?

The three most common causes are a missing ingressClassName: traefik annotation, a Service selector that does not match Pod labels, or a cert-manager certificate that has not issued yet. Run kubectl describe ingress and kubectl get certificate to check. See Ingress on Kestrel for the full recipe and Triage — Ingress 404 for the quick-check flow.

Can I use a LoadBalancer Service on Kestrel?

No. Capsule restricts Service types to ClusterIP only — NodePort, LoadBalancer, and ExternalName are all blocked. Use an Ingress with Traefik instead. See Service types for the rationale and Known limitations — LoadBalancer blocked for context.

cert-manager automatically provisions Let’s Encrypt certificates for Ingress resources that specify a tls block with a secretName. The first certificate issue takes about 30 seconds. See TLS on Kestrel for the full flow.

Check kubectl describe pvc for the event message. Common causes: the requested storage class does not exist, the quota is exhausted, or you requested ReadWriteMany (RWX) on a Cinder storage class. Kestrel provides two OpenStack Cinder storage classes: csi-cinder-sc-delete (the default; reclaim policy Delete) and csi-cinder-sc-retain (reclaim policy Retain). Both are block volumes and support ReadWriteOnce only. ReadWriteMany (shared) volumes are not offered through a storage class — open a ticket with RCS to have a per-tenant NFS volume provisioned. See Storage classes and Persistent volumes.

Why does my Pod fail to schedule with “Insufficient cpu” or “Insufficient memory”?

Your tenant’s ResourcePool quota is exhausted. Run kubectl describe resourcepool (it is cluster-scoped — the -n flag is ignored) to see current usage versus allocation; for per-namespace usage run kubectl describe resourcequota -n <namespace>. Common culprits are completed Jobs that still hold resources, orphaned PVCs, and overprovisioned requests. See Viewing your allocation and Triage — Storage or quota surprise.

Open a ticket with RCS requesting a tier change. Include your tenant name, current tier, requested tier, and rationale. See Requesting quota changes for the full process and SLO expectations.

What is the difference between the four quota tiers?

Kestrel has sandbox, standard, premium, and custom tiers with progressively larger CPU, memory, and storage limits. See Resource pools and quotas — tier numbers for the exact numbers and Requesting quota changes for how to move between tiers.