// Diagnose Service connectivity issues (empty Endpoints, selector mismatch, port mismatch, no backend pods). Checks Service, Endpoints, and target pods to identify why traffic is not reaching backends.
| name | service-debug |
| description | Diagnose Service connectivity issues (empty Endpoints, selector mismatch, port mismatch, no backend pods). Checks Service, Endpoints, and target pods to identify why traffic is not reaching backends. |
When a Service is unreachable, returns connection refused, or has no backends, follow this flow to identify the root cause.
Scope: This skill is for diagnosis only. Once you identify the root cause, report it to the user and stop. Do NOT attempt to modify the Service, Endpoints, or pod specs — that should be left to the user.
kubectl get svc <service> -n <ns> -o wide
Confirm the Service exists and note:
None unless it is a headless servicekubectl get endpoints <service> -n <ns>
ENDPOINTS column shows <none> or is empty, no pods match the Service's selector — go to step 3.For more detail (including notReadyAddresses):
kubectl describe endpoints <service> -n <ns>
The Service's selector must match labels on running, ready pods.
Get the Service selector:
kubectl get svc <service> -n <ns> -o jsonpath='{.spec.selector}'
List pods that match the selector:
kubectl get pods -n <ns> -l <key>=<value> -o wide
(Replace <key>=<value> with each selector pair from the previous command.)
If no pods match:
If pods exist but none are Ready:
pod-crash-debug or check readiness probesVerify that the Service port, targetPort, and the container's actual listening port all align.
kubectl get svc <service> -n <ns> -o jsonpath='{range .spec.ports[*]}port={.port} targetPort={.targetPort} protocol={.protocol}{"\n"}{end}'
kubectl get pod <backend-pod> -n <ns> -o jsonpath='{range .spec.containers[*].ports[*]}containerPort={.containerPort} protocol={.protocol}{"\n"}{end}'
The Service's targetPort must match one of the container's containerPort values (or the named port). If they don't match, traffic will be sent to the wrong port.
Note: if the container does not declare containerPort, the traffic may still work — containerPort is informational. The real check is whether the application is actually listening on the targetPort.
The Service has no endpoints because no running, ready pods match its label selector.
Possible causes:
Advise the user to compare the Service selector with the pod labels and ensure pods are running and ready.
Connection refused — Port mismatch or application not listeningEndpoints exist, but connections to the Service are refused.
targetPort may not match the port the application is actually listening onCheck the application logs:
kubectl logs <backend-pod> -n <ns> --tail=50
ExternalName not resolving — DNS-based service issueExternalName services return a CNAME record. If the target hostname is unreachable or doesn't resolve, the service will appear broken.
kubectl get svc <service> -n <ns> -o jsonpath='{.spec.externalName}'
Verify the external name resolves from within the cluster (see dns-debug skill).
NodePort / LoadBalancer not reachable from outside — External access issueFor NodePort: verify the node's firewall allows the allocated port.
kubectl get svc <service> -n <ns> -o jsonpath='{.spec.ports[*].nodePort}'
For LoadBalancer: check the external IP assignment.
kubectl get svc <service> -n <ns>
If EXTERNAL-IP shows <pending>, the cloud load balancer provisioner may have failed:
kubectl describe svc <service> -n <ns>
Check events for errors from the cloud controller manager.
ClusterIP: None) — Expected behaviorHeadless services do not get a cluster IP. DNS returns the individual pod IPs directly. This is by design for StatefulSets and services that need direct pod addressing.
If clients are getting connection refused, verify the individual pod IPs are correct and the pods are ready.
sessionAffinity: ClientIP, connections from the same source IP are routed to the same pod — if that pod becomes unhealthy, the session sticks to it until the timeout.EndpointSlices (default in K8s 1.21+) replace Endpoints for large-scale services. You can check them with: kubectl get endpointslices -n <ns> -l kubernetes.io/service-name=<service>.networkpolicy-debug to check.Guide for writing and improving Siclaw skills. Read this when creating or modifying a skill. Covers SKILL.md format, script execution modes, and best practices.
Check node health and diagnose node-level issues (NotReady, DiskPressure, MemoryPressure, PIDPressure). Inspects node conditions, resource allocation, and real-time usage.
Diagnose DNS resolution failures in the cluster (NXDOMAIN, timeouts, SERVFAIL). Checks CoreDNS health, service endpoints, and DNS configuration.
Ping a pod's gateway for a given network interface. Auto-detects gateway IP from the routing table, then pings it. First resolve_pod_netns, then node_script with netns param.
Show the gateway for a network interface in a Kubernetes pod. Reads the routing table via `ip -j route` from the pod's network namespace. First resolve_pod_netns, then node_script with netns param.
Retrieve logs from a Kubernetes node. Supports journalctl (systemd units) and file-based logs. Use when you need to inspect node-level logs (containerd, kubelet, etc.). Execute via node_script tool.