The latest articles on DEV Community by JOE (@solojoe). https://dev.to/solojoe https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3984391%2F6dc215fd-ba97-4dc5-b88b-de3290759ee1.png https://dev.to/solojoe en JOE Sun, 14 Jun 2026 20:58:57 +0000 https://dev.to/solojoe/k8s-necromancer-a-black-box-flight-recorder-for-dead-kubernetes-pods-4pa8 https://dev.to/solojoe/k8s-necromancer-a-black-box-flight-recorder-for-dead-kubernetes-pods-4pa8 <p>Every K8s operator knows the feeling, a pod dies, kubelet garbage-collects it in 30 seconds, and you're left staring at a CrashLoopBackOff with no context. The logs have rotated. The events are gone. You're switching between kubectl describe, Loki, Grafana, and deploy histories trying to reconstruct what happened.</p> <p>I got tired of this, so I built K8s Necromancer — a controller that intercepts pod deaths before GC and freezes the entire forensic state.</p> <ul> <li>What it does</li> </ul> <p>When a pod crashes, it captures:</p> <ul> <li>Container logs (previous container + fallback)</li> <li>K8s events timeline</li> <li>Resolved ENV vars (reads ConfigMaps and Secrets via K8s API)</li> <li>Full pod spec snapshot</li> <li>ConfigMap volume snapshots</li> <li>CPU/Memory sparklines from Prometheus (optional)</li> </ul> <p>All of this goes into a Tomb CRD (lightweight metadata in etcd) + PersistentVolume (heavy data). SHA-256 dedup prevents duplicate tombs.</p> <ul> <li>6 capture triggers</li> </ul> <ol> <li>Restart count increase</li> <li>Pod phase = Failed</li> <li>Image pull error</li> <li>Non-zero exit code</li> <li>First restart detected</li> <li>Pending timeout (&gt;10m, configurable)</li> </ol> <p>Skips kube-system, necromancer namespaces, and clean job exits (exit=0).</p> <ul> <li><p>The CLI</p></li> <li><p><code>necromancer autopsy &lt;id&gt;</code> - generates a coroner's report with forensic timeline, resource sparklines, and ENV DIFF (compares against last healthy pod). Outputs to terminal or Markdown.</p></li> <li><p><code>necromancer resurrect &lt;id&gt;</code> - spins up a ghost pod in a sandboxed namespace so you can inspect the dead pod's filesystem and config. Not to run the app but to investigate.</p></li> <li><p><code>necromancer list / inspect / bury</code> - browse, query, and clean up old tombs with dry-run support.</p></li> <li><p>Safety (this was important to me)</p></li> </ul> <p>Ghost pods run in a locked-down namespace:</p> <ul> <li>deny-all-egress NetworkPolicy (DNS allowed only)</li> <li>Secrets stripped by default (opt-in with --include-secret-volumes)</li> <li>No SA tokens, no host namespaces, probes removed</li> <li>Entrypoint overridden to sleep infinity</li> <li>LimitRange (500m/512Mi) + ResourceQuota (10 pods) enforced</li> <li>Controller runs as non-root (UID 1000, drops ALL capabilities)</li> <li>SSRF protection on Prometheus URL (blocks loopback, cloud metadata)</li> <li><p>Path traversal prevention on all API inputs</p></li> <li><p>HA</p></li> </ul> <p>Default deployment runs 2 replicas with leader election enabled + ReadWriteMany PVC (EFS, Filestore, CephFS, etc). Dev overlay for Kind/Minikube runs 1 replica with ReadWriteOnce.</p> <ul> <li>Stack</li> </ul> <p>Go 1.26, controller-runtime, Cobra CLI, Prometheus integration, Kustomize overlays, Kind-based e2e tests.</p> <p>Repo: <a href="https://github.com/privjoesrepos/k8s-necromancer" rel="noopener noreferrer">https://github.com/privjoesrepos/k8s-necromancer</a></p> <p>Docker: <a href="https://hub.docker.com/r/privjoesrepos/k8s-necromancer" rel="noopener noreferrer">https://hub.docker.com/r/privjoesrepos/k8s-necromancer</a></p> <p>MIT licensed.</p> <p>Thrilled to answer questions or take feedback.</p> kubernetes go docker github