**Situation & goal**Quickly restore service after many pods were OOMKilled, identify the bad release/image, mitigate impact, and perform RCA to prevent recurrence.**1) Immediate triage — logs & metrics to check**- Cluster metrics: check node memory pressure, pod OOM counts, and kubelet eviction metrics (Prometheus / Grafana).- Kubelet & node logs:bash
# on affected node
journalctl -u kubelet -u docker --since "1h"
dmesg | grep -i oom
- Container runtime logs (containerd/docker) for OOM events and exit codes.- Pod & container logs:bash
kubectl get pods -A --field-selector=status.phase=Failed
kubectl describe pod <pod>
kubectl logs <pod> -c <container> --previous
- Deployment/ReplicaSet rollout history:bash
kubectl rollout history deploy/<name>
kubectl get replicaset -l app=<app> -o wide
- CI/CD / image tags and recent commits from pipeline logs.**2) Identify failing release & offending image**- Correlate timestamp of OOM events with rollout time from deployment annotations and CI pipeline.- Inspect ReplicaSets: the new RS with many failing pods points to the release. Check pod spec.image and imageDigest:bash
kubectl get pod <pod> -o yaml | yq '.spec.containers[].image'
kubectl get pod <pod> -o jsonpath='{.status.containerStatuses[].imageID}'
- Cross-check image digest with registry to map to a build/commit.**3) Immediate mitigations to restore service**- Roll back to previous stable ReplicaSet:bash
kubectl rollout undo deploy/<name>
- Temporarily scale up healthy replicas / scale down failing rollout to reduce noise:bash
kubectl scale deploy/<name> --replicas=<n>
kubectl scale rs/<bad-rs> --replicas=0
- Add a memory limit guard or QoS change if missing: patch deployment to set safe memory requests/limits (use small patch, then finalize after testing).- If nodes under pressure, cordon/drain compromised nodes and add capacity:bash
kubectl cordon <node>
kubectl drain <node> --ignore-daemonsets --delete-local-data
**4) Root cause analysis**- Reproduce in staging using same image/diffed config. Run stress tests while capturing: - Application logs, heap profiles, metrics (memory RSS, GC), and container metrics.- Inspect image changes: added memory-heavy feature, dependency bump, different JVM options, or missing limits.- Analyze runtime metrics: RSS vs cgroup memory, memory spikes patterns, OOM killer logs (dmesg shows process killed).- Check resource requests/limits: missing or too-low limits cause OOMKilled or eviction.- CI: inspect build that produced offending digest for config changes (env vars, startup flags).**5) Prevent recurrence**- Enforce mandatory resource requests/limits via admission controller (LimitRange/ResourceQuota or OPA/Gatekeeper policy).- Add pre-deployment memory/soak tests in CI using the same image and realistic load.- Improve observability: instrument app with memory metrics (heap, native), add Prometheus alerts for memory growth and OOM events, and record image digests in deployment annotations.- Automate safe rollbacks in pipeline and add canary deployments with traffic shaping.- Postmortem: document timeline, root cause, decisions, and action items with owners and deadlines.This plan prioritizes quick recovery, precise identification of the offending image/release, and both technical and process fixes to avoid repeat incidents.