Fix CreateContainerError in Kubernetes
Troubleshoot Kubernetes CreateContainerError with step-by-step debugging. ConfigMap mounts, Secret references, volume permissions, and container runtime issues.
💡 Quick Answer:
CreateContainerError means the container can't start, usually because of a missing ConfigMap/Secret, a bad volume mount, or an invalid security context. Debug: kubectl describe pod <name> and check the Events section. Common fixes: create the missing ConfigMap/Secret, fix volume mount paths, or adjust securityContext (runAsUser, fsGroup).
The Problem
Pod stuck in CreateContainerError:
NAME     READY   STATUS                 RESTARTS   AGE
my-pod   0/1     CreateContainerError   0          5m

The container runtime can't create the container. This is different from CrashLoopBackOff (container starts then crashes) or ImagePullBackOff (can't pull image).
The Solution
Step 1: Describe the Pod
kubectl describe pod my-pod
# Look at the Events section at the bottom:
# Events:
# Warning Failed kubelet Error: configmap "app-config" not found
# Warning Failed kubelet Error: secret "db-credentials" not found
# Warning Failed kubelet Error: container has runAsNonRoot and image will run as root

Common Cause 1: Missing ConfigMap
# Error: configmap "app-config" not found
kubectl get configmap app-config
# Error from server (NotFound)
# Fix: create the ConfigMap
kubectl create configmap app-config \
--from-literal=DATABASE_HOST=db.example.com \
--from-literal=LOG_LEVEL=info
# Or from file
kubectl create configmap app-config --from-file=config.yaml

# Pod referencing ConfigMap
spec:
  containers:
  - name: app
    envFrom:
    - configMapRef:
        name: app-config  # Must exist!
    volumeMounts:
    - name: config
      mountPath: /etc/config
  volumes:
  - name: config
    configMap:
      name: app-config  # Must exist!
      optional: true    # Add this to avoid CreateContainerError

Common Cause 2: Missing Secret
# Error: secret "db-credentials" not found
kubectl get secret db-credentials
# Error from server (NotFound)
# Fix: create the Secret
# (literals typed on the command line end up in shell history;
#  --from-file or --from-env-file keeps the value out of it)
kubectl create secret generic db-credentials \
  --from-literal=username=admin \
  --from-literal=password=s3cur3p4ss

# Make Secret references optional
spec:
  containers:
  - name: app
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: db-credentials
          key: password
          optional: true  # Pod starts even if Secret missing

Common Cause 3: Security Context Mismatch
# Error: container has runAsNonRoot and image will run as root
# The image's default user is root (UID 0)
# But pod spec says runAsNonRoot: true

# Fix: set a non-root user
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000  # Must be non-zero
    fsGroup: 1000
  containers:
  - name: app
    image: myapp:v2
    securityContext:
      allowPrivilegeEscalation: false

Common Cause 4: Volume Mount Issues
# Error: failed to create containerd container: mount destination not allowed
# Subpath doesn't exist in ConfigMap/Secret
# Or PVC not bound
kubectl get pvc
# NAME STATUS VOLUME CAPACITY
# data-pvc Pending <none> <none>   <-- Not bound!

# Fix: ensure subPath key exists
volumes:
- name: config
  configMap:
    name: app-config
    items:
    - key: app.conf  # This key must exist in ConfigMap
      path: app.conf

Common Cause 5: Resource Limit Issues
# Error: failed to create containerd task: OCI runtime create failed
# Possible: hugepages request without host support
# Or invalid resource format

# Fix: valid resource format
resources:
  requests:
    cpu: 100m      # Not "100 m" (no space)
    memory: 256Mi  # Not "256 mb" (case matters)
  limits:
    cpu: 500m
    memory: 512Mi

Debugging Flowchart
CreateContainerError
├── kubectl describe pod → check Events
│
├── "configmap not found"
│   └── Create ConfigMap or add optional: true
│
├── "secret not found"
│   └── Create Secret or add optional: true
│
├── "runAsNonRoot and image will run as root"
│   └── Set runAsUser: 1000 or fix image
│
├── "mount destination not allowed"
│   └── Check volume paths, PVC bound status
│
├── "OCI runtime create failed"
│   └── Check container runtime logs on node
│       └── journalctl -u containerd | tail -50
│
└── Other
    ├── kubectl logs my-pod --previous
    └── Check node: journalctl -u kubelet | grep my-pod

Common Issues
CreateContainerError vs CreateContainerConfigError
CreateContainerConfigError specifically means config resolution failed (missing ConfigMap/Secret). CreateContainerError is broader and includes runtime failures.
Error persists after creating ConfigMap
The Pod may need to be deleted and recreated, or wait for the kubelet retry cycle (~10s).
Works on one node, fails on another
Node-specific issue: SELinux, AppArmor, missing kernel module, or local volume path doesn't exist.
Best Practices
- Use optional: true on non-critical ConfigMap/Secret references
- Check kubectl describe: the Events section tells you exactly what's wrong
- Pre-create ConfigMaps/Secrets before Deployments in CI/CD
- Use Helm hooks or init containers to ensure dependencies exist
- Test securityContext locally: docker run --user 1000 <image> to verify
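
An added example, not part of the original article: a CI pre-flight check in the spirit of the practices above. It walks a pod spec for non-optional ConfigMap/Secret references (envFrom, env, volumes and their items) and for runAsNonRoot without a non-zero runAsUser. The name lint_pod, its inputs and the sample data are assumptions; a pod with runAsUser unset is flagged because it then depends on the image's own USER.

```python
def lint_pod(spec, configmaps, secrets):
    """Return findings for a pod spec dict. configmaps/secrets map each
    existing object name to the set of keys it holds."""
    findings = []
    known = {"configMap": configmaps, "secret": secrets}

    def ref(kind, src, where, key=None, name_field="name"):
        if src is None or src.get("optional"):
            return  # no reference, or optional: cannot block container creation
        name = src[name_field]
        key = key if key is not None else src.get("key")
        if name not in known[kind]:
            msg = f"{where}: {kind} '{name}' not found"
        elif key is not None and key not in known[kind][name]:
            msg = f"{where}: key '{key}' missing in {kind} '{name}'"
        else:
            return
        if msg not in findings:  # report each problem once per location
            findings.append(msg)

    for vol in spec.get("volumes", []):
        where = f"volume {vol['name']}"
        for kind, field in (("configMap", "name"), ("secret", "secretName")):
            src = vol.get(kind)
            ref(kind, src, where, name_field=field)
            for item in (src or {}).get("items", []):
                ref(kind, src, where, key=item["key"], name_field=field)
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        where = f"container {c['name']}"
        for ef in c.get("envFrom", []):
            ref("configMap", ef.get("configMapRef"), where)
            ref("secret", ef.get("secretRef"), where)
        for env in c.get("env", []):
            vf = env.get("valueFrom", {})
            ref("configMap", vf.get("configMapKeyRef"), where)
            ref("secret", vf.get("secretKeyRef"), where)
        sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod
        if sc.get("runAsNonRoot") and not sc.get("runAsUser"):
            findings.append(f"{where}: runAsNonRoot set but runAsUser unset or 0")
    return findings

# Constructed sample mirroring the manifests in this article.
SAMPLE_POD = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "envFrom": [{"configMapRef": {"name": "app-config"}}]}],
    "volumes": [{"name": "config", "configMap": {
        "name": "app-config", "items": [{"key": "app.conf", "path": "app.conf"}]}}],
}
```

Calling lint_pod(SAMPLE_POD, {}, {}) reports the missing app-config for both the volume and the container, plus the security context finding; an empty list means none of these causes apply.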
Key Takeaways
- CreateContainerError = container can't be created (config or runtime issue)
- kubectl describe pod Events section gives the exact error
- Top causes: missing ConfigMap/Secret, security context, volume mounts
- Use optional: true to prevent missing config from blocking pod start
- Different from CrashLoopBackOff (container starts then dies) and ImagePullBackOff (image issue)
