name: openshift:debug
description: Debug OpenShift-specific resources, operators, and platform issues
OpenShift Debug Skill
Debug OpenShift-specific resources and platform issues.
Context-Safe Execution (MANDATORY)
All oc/kubectl commands MUST redirect output to files.
export LOG_DIR="/tmp/kagenti/k8s/${CLUSTER:-local}"
mkdir -p "$LOG_DIR"
# Pattern: redirect oc/kubectl output (stdout and stderr) to a file, print only OK/FAIL
oc get clusteroperators > "$LOG_DIR/cluster-operators.log" 2>&1 && echo "OK" || echo "FAIL"
oc describe clusterversion version > "$LOG_DIR/cluster-version.log" 2>&1 && echo "OK" || echo "FAIL"
# Analyze in subagent: Task(subagent_type='Explore') with Grep
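The redirect pattern above as a reusable wrapper, an added example rather than code from this skill. `run_logged` and `prepare_log_dir` are hypothetical helper names, and the owner-only directory check is an assumption added because operator and OAuth output written under a shared /tmp can contain sensitive configuration.

```shell
#!/bin/sh
# Added example (not part of the original skill).
# LOG_DIR default matches the page; helper names are hypothetical.
LOG_DIR="${LOG_DIR:-/tmp/kagenti/k8s/${CLUSTER:-local}}"

# prepare_log_dir: create LOG_DIR with owner-only permissions and refuse to
# use it if the final path is a symlink or is owned by another user.
prepare_log_dir() {
    ( umask 077; mkdir -p "$LOG_DIR" ) || return 1
    [ -d "$LOG_DIR" ] && [ ! -L "$LOG_DIR" ] && [ -O "$LOG_DIR" ] || return 1
    chmod 700 "$LOG_DIR"
}

# run_logged NAME CMD...: run CMD with stdout and stderr sent to
# $LOG_DIR/NAME.log, print only OK/FAIL plus the log path, and return
# CMD's own exit status (2 is returned for a rejected name or directory).
run_logged() {
    name=$1; shift
    case $name in
        ''|*/*|.*) echo "FAIL bad log name" >&2; return 2 ;;
    esac
    prepare_log_dir || { echo "FAIL unsafe LOG_DIR: $LOG_DIR" >&2; return 2; }
    log="$LOG_DIR/$name.log"
    "$@" > "$log" 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK $log"
    else
        echo "FAIL($rc) $log"
    fi
    return "$rc"
}

# Usage with the commands from this section:
#   run_logged cluster-operators oc get clusteroperators
#   run_logged cluster-version   oc describe clusterversion version
```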
When to Use
- OpenShift operators not working
- Cluster operator issues
- Authentication/OAuth problems
- Route or ingress issues
- Build failures
Quick Diagnostics
Cluster Health
# Cluster version and status
oc get clusterversion
oc describe clusterversion version
# Cluster operators status, then the names of any that report Degraded=True
oc get clusteroperators
oc get clusteroperators -o json | jq '.items[] | select(.status.conditions[] | select(.type=="Degraded" and .status=="True")) | .metadata.name'
# Degraded operators with the message from their Degraded condition
oc get co -o json | jq -r '.items[] | select(.status.conditions[] | select(.type=="Degraded" and .status=="True")) | "\(.metadata.name): \(.status.conditions[] | select(.type=="Degraded") | .message)"'
Operator Debugging
# List installed operators
oc get csv -A
# Check operator logs
oc logs -n openshift-operators deployment/<operator-name>
# Check install plans
oc get installplans -A
# Check subscriptions
oc get subscriptions -A
Authentication Issues
# Check OAuth status
oc get clusteroperator authentication
oc describe clusteroperator authentication
# Check OAuth pods
oc get pods -n openshift-authentication
# Check OAuth logs
oc logs -n openshift-authentication deployment/oauth-openshift
Route Issues
# List all routes
oc get routes -A
# Check route status
oc describe route <route-name> -n <namespace>
# Check ingress controller
oc get ingresscontroller -n openshift-ingress-operator
oc logs -n openshift-ingress-operator deployment/ingress-operator
Build Issues
# Check builds
oc get builds -A
# Check build logs
oc logs -n <namespace> build/<build-name>
# Check build config
oc describe buildconfig <bc-name> -n <namespace>
OpenShift-Specific Resources
Routes
# Get route URL
oc get route <route-name> -n <namespace> -o jsonpath='{.spec.host}'
# Check route TLS
oc get route <route-name> -n <namespace> -o jsonpath='{.spec.tls.termination}'
Security Context Constraints
# List SCCs
oc get scc
# Check which SCC a pod uses
oc get pod <pod-name> -n <namespace> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'
# Check SCC details
oc describe scc <scc-name>
Service Accounts
# List service accounts
oc get sa -n <namespace>
# Check SA tokens
oc get secrets -n <namespace> | grep <sa-name>
# Add SCC to service account (pods running as this SA can then be admitted under that SCC)
oc adm policy add-scc-to-user <scc-name> -z <sa-name> -n <namespace>
Common Issues
Issue: Route not accessible
# Check route exists
oc get route <route-name> -n <namespace>
# Check service has endpoints
oc get endpoints <service-name> -n <namespace>
# Check ingress controller logs
oc logs -n openshift-ingress deployment/router-default
Issue: Operator stuck
# Check CSV status
oc get csv -n <namespace>
# Check operator pod
oc get pods -n <namespace> -l name=<operator-name>
# Delete the subscription and CSV, then re-create the subscription to reinstall
oc delete subscription <sub-name> -n <namespace>
oc delete csv <csv-name> -n <namespace>
Issue: Authentication failed
# Check OAuth pods
oc get pods -n openshift-authentication
# Check OAuth config
oc get oauth cluster -o yaml
# Check identity providers
oc get oauth cluster -o jsonpath='{.spec.identityProviders}'
Related Skills
- k8s:pods: Generic pod debugging
- k8s:logs: Log analysis
- k8s:health: Platform health checks