Container failed to run — Docker/runtime error
Production Risk
Container never starts; service is completely unavailable.
Exit code 125 means the container runtime itself failed to start the container — the process never launched. This is a runtime-level error, not an application error. Common causes include invalid container runtime options, an unsupported securityContext setting, or a malformed command passed to the runtime.
- Invalid or unsupported securityContext options (e.g., privileged mode blocked by admission)
- Container runtime (containerd/CRI-O) rejected the container spec
- Conflicting or malformed runtime flags
Pod fails to start and shows exit code 125 in describe output; logs may be empty.
kubectl describe pod mypod
# Last State: Terminated  Reason: Error  Exit Code: 125
kubectl get events --field-selector involvedObject.name=mypod
expected output
Last State: Terminated
  Reason: Error
  Exit Code: 125
Fix 1
Check kubelet and runtime logs
WHEN Pod shows exit code 125 with no application logs
# On the node where the pod was scheduled
journalctl -u kubelet --since "10 minutes ago" | grep mypod
crictl inspect <container-id>
Why this works
The runtime error will be logged by the kubelet or the CRI runtime, not the application.
Fix 2
Review securityContext settings
WHEN Admission or policy controller may be blocking the spec
kubectl get pod mypod -o yaml | grep -A 20 securityContext
Why this works
Identifies privileged or capability settings that may be rejected by the runtime or OPA/Gatekeeper.
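Added example, not part of the original page: a Python helper that reads the pod as JSON and lists the privileged, capability, and host-namespace settings per container, including init and ephemeral containers, instead of scanning grep context. The function name `review_security_context`, the script name `review_sc.py`, and the sample pod are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pod mypod -o json` (not from a real cluster).
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "mypod"},
  "spec": {
    "hostPID": true,
    "initContainers": [
      {"name": "init", "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}
    ],
    "containers": [
      {"name": "app", "securityContext": {"privileged": true}},
      {"name": "sidecar"}
    ]
  }
}
""")


def review_security_context(pod):
    """Return (scope, setting) pairs for settings a runtime or policy may reject."""
    spec = pod.get("spec") or {}
    findings = []
    # Host namespace sharing is set on the pod spec, not in securityContext.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("pod", f"{flag}=true"))
    # Every container list carries its own securityContext; check all three.
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}  # field may be absent or null
            scope = f"{kind}/{c.get('name', '?')}"
            if sc.get("privileged"):
                findings.append((scope, "privileged=true"))
            if sc.get("allowPrivilegeEscalation"):
                findings.append((scope, "allowPrivilegeEscalation=true"))
            for cap in (sc.get("capabilities") or {}).get("add") or []:
                findings.append((scope, f"capabilities.add={cap}"))
    return findings


if __name__ == "__main__":
    # Usage: kubectl get pod mypod -o json | python3 review_sc.py -
    pod = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_POD
    for scope, setting in review_security_context(pod):
        print(f"{scope}: {setting}")
```

Run without arguments it reports on the constructed sample; with `-` it reads a real pod from standard input.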