The Kubernetes Failure Catalog
Simulating Kubernetes Control-Plane Failures Without a Cluster
How to realistically test API throttling, RBAC issues, and webhook failures without spinning up expensive infrastructure.
You don’t need a full Kubernetes cluster to test control-plane failures. In fact, simulating these failures with mocks and lightweight tools is often more effective than chaos engineering approaches — and according to Komodor’s 2025 Enterprise Kubernetes Report, nearly 80% of production outages stem from system changes, not random infrastructure failures.
Outages from Changes
Due to system changes, not infra
Security Incidents
Orgs with K8s incidents in 2024
Misconfigurations
Of security incidents caused
Troubleshooting Time
Lost to incident resolution
Why Simulate Instead of Chaos?
Traditional chaos engineering spins up a real cluster, deploys tools like Chaos Mesh or Litmus, and randomly kills components hoping to catch interesting failures. This approach costs money, produces non-deterministic results, and primarily tests failures Kubernetes already handles well — like pod terminations and node failures.
Simulation takes the opposite approach. You run lightweight mocks locally, inject specific failure conditions you care about, and get reproducible results every time. The feedback loop is fast, the cost is zero, and you test the exact scenarios that actually cause outages.
| Aspect | Chaos Engineering | Simulation Testing |
|---|---|---|
| Infrastructure cost | $50-500/month cluster | $0 (local mocks) |
| Reproducibility | Non-deterministic | 100% reproducible |
| Feedback speed | Minutes to hours | Seconds |
| Failure specificity | Random or broad | Exact scenarios |
| CI/CD integration | Complex | Native |
The failures that chaos engineering tests are the ones Kubernetes already handles. When a pod dies, the scheduler restarts it. When a node fails, workloads migrate. But when the API server throttles requests, when RBAC denies a critical operation, or when an admission webhook times out — those are the failures that actually bring down production. And they’re trivial to simulate.
API Server Throttling
The Kubernetes API server uses API Priority and Fairness to protect itself from being overwhelmed. When a client exceeds its allocated concurrency, the server returns HTTP 429 (Too Many Requests) with a Retry-After header indicating when to try again.
This isn’t theoretical. In large clusters, controllers competing for API access regularly hit throttling limits. The client logs warnings like “Waited for 1.03s due to client-side throttling” — and if your application doesn’t handle 429 responses gracefully, operations fail silently or retry infinitely.
The Hidden Throttling Problem
Default API server settings allow 400 concurrent requests (--max-requests-inflight). In clusters running dozens of operators, CRD controllers, and monitoring agents, this limit gets hit more often than you’d expect. Your application needs to back off correctly when it happens.
To simulate throttling, you don’t need to overload a real API server. A simple mock that counts requests per second and returns 429 when the count exceeds a threshold lets you verify your client handles backoff correctly. Test that your application respects Retry-After, implements exponential backoff, and doesn’t hammer the API server in a tight loop when throttled.
The key behaviors to verify: your client waits the appropriate time before retrying, it doesn’t queue up requests during backoff (causing a thundering herd when backoff expires), and it degrades gracefully rather than crashing when sustained throttling occurs.
RBAC Failures
Permission issues are among the most common Kubernetes failures, and Red Hat’s 2024 State of Kubernetes Security Report found that 90% of organizations experienced at least one Kubernetes security incident in the past year. Overly permissive RBAC is frequently cited as a root cause, but the opposite problem — RBAC that’s too restrictive — causes operational failures when legitimate operations get denied.
When RBAC denies a request, the API server returns a 403 Forbidden with a detailed message explaining which user couldn’t perform which verb on which resource. These messages are precise and actionable, but only if your application surfaces them correctly rather than swallowing them as generic errors.
Common RBAC failure scenarios include: a service account missing permissions after a namespace migration, a controller that worked in development failing in production due to different cluster roles, and automated processes breaking after RBAC policies are tightened during a security audit.
RBAC Testing Strategy
Mock RBAC failures by maintaining a permissions map and checking each request against it. Return 403 with realistic error messages that include the service account name, the denied verb, and the resource. This lets you verify your application logs meaningful errors and fails fast rather than retrying forbidden operations.
The test matrix should cover: operations that are allowed, operations that are denied, operations that are allowed in one namespace but denied in another, and the edge case where cluster-level permissions exist but namespace-level permissions don’t.
Admission Webhook Failures
Webhooks are a frequent source of cluster-wide failures. Cisco’s analysis of admission webhooks describes them as a double-edged sword — powerful for policy enforcement, but capable of bringing down entire clusters when misconfigured.
The failure modes are severe. If a webhook times out, all pod creations hang for 30 seconds (the default timeout) before failing. If a webhook crashes, it returns 500 errors and blocks deployments. If a webhook’s TLS certificate expires, the API server can’t establish connections and everything depending on admission fails. And in the worst case, a webhook that accidentally matches core Kubernetes resources can prevent system components from starting, cascading into full cluster failure.
| Failure Mode | Symptom | Impact |
|---|---|---|
| Timeout | 30s delay then rejection | Blocked deployments, slow rollouts |
| Server crash | 500 errors on create/update | All matching resources fail |
| Policy rejection | 403 with custom message | Intentional but can surprise |
| TLS/cert issue | x509 certificate errors | Complete webhook failure |
| Scope misconfiguration | Blocks kube-system resources | Cluster-wide outage |
The Kubernetes documentation now recommends setting failurePolicy: Ignore for mutating webhooks, allowing requests to proceed when the webhook is unavailable. But this creates its own problems — requests pass without policy enforcement, potentially introducing security or compliance violations.
To simulate webhook failures, build a mock webhook server that can be configured to: delay responses beyond the timeout threshold, return 500 errors on demand, reject specific requests with custom messages, and return malformed responses. Test that your application handles each case correctly and provides meaningful feedback to operators.
CRD Lifecycle Issues
Custom Resource Definitions add another layer of failure modes that traditional chaos testing doesn’t cover. When a CRD doesn’t exist, requests for its resources return 404 Not Found. When a CRD exists but the controller managing it isn’t running, resources get created but nothing reconciles them. When a CRD’s schema changes incompatibly, existing resources may become invalid.
These failures matter because modern Kubernetes deployments depend heavily on CRDs. Cert-manager, external-dns, service meshes, and most operators define custom resources. If any of these CRDs are missing or misconfigured, the functionality they provide fails.
Simulating CRD availability is straightforward. Maintain a set of installed CRDs in your mock and return 404 for any custom resource request that doesn’t match an installed CRD. Test that your application checks for CRD existence before attempting to create custom resources, handles missing CRDs gracefully with clear error messages, and can recover when CRDs are installed after initial startup.
Using envtest for Realistic Testing
For more realistic control-plane testing without a full cluster, envtest from controller-runtime provides a lightweight but real API server and etcd instance. The Operator SDK recommends envtest over its own test framework because envtest has a more active community, is more mature, and doesn’t require an actual cluster.
When to Use envtest
Use envtest when you need realistic API server behavior including watch semantics, resource versioning, and conflict detection. Use simple mocks when you only need to test specific error responses. The controller-runtime project explicitly advises against using fake clients, noting that “tests using fake clients gradually re-implement poorly-written impressions of a real API server.”
envtest runs actual Kubernetes binaries (kube-apiserver and etcd) locally, giving you a real API server without the scheduler, controller-manager, or kubelet. This makes it perfect for testing controller logic, admission webhooks, and API interactions — but not for testing pod scheduling or node behaviors.
The tradeoff is setup complexity. envtest requires downloading Kubernetes binaries and has stricter environmental requirements than simple mocks. For CI/CD pipelines, the overhead is usually worth the realism; for quick unit tests of specific error handling, mocks are faster and simpler.
Why Control-Plane Failures Matter More Than Pod Kills
The standard chaos engineering playbook focuses on killing pods, terminating nodes, and injecting network latency. These are valid tests, but they test Kubernetes doing exactly what it’s designed to do — recover from workload and infrastructure failures automatically.
Failure Impact by Type
The chart above represents relative impact severity. Pod terminations score low because Kubernetes handles them automatically — the scheduler restarts pods, the deployment controller maintains replica counts, and service endpoints update to route around failed instances. But webhook failures can block all deployments cluster-wide. API throttling can cause controllers to fall behind, creating drift between desired and actual state. RBAC issues can silently break automation that worked last week.
According to ARMO’s research, 100% of Kubernetes clusters tested contained at least one misconfiguration, with 65% having at least one high-severity misconfiguration. These configuration issues — not random infrastructure failures — are what simulation testing catches.
The Bottom Line
Simulation testing for Kubernetes control-plane failures is faster, cheaper, and more targeted than traditional chaos engineering. It catches the misconfigurations and edge cases that actually cause outages, while chaos engineering mostly validates that Kubernetes self-healing works (which it does, by design).
Build a mock API server that can return 429, 403, and 404 responses on demand. Create a mock webhook that can timeout or reject requests. Use envtest when you need realistic API semantics. Run these tests in CI on every change. The failures you catch in simulation are the failures that would have caused production incidents.
References
- Komodor: 2025 Enterprise Kubernetes Report
- Red Hat: State of Kubernetes Security Report 2024
- Kubernetes: API Priority and Fairness
- Kubernetes: Admission Webhook Good Practices
- Cisco: The Dark Side of Kubernetes Admission Webhooks
- Kubebuilder: Configuring envtest
- Operator SDK: Testing Operators
- ARMO: State of Kubernetes Security 2024
- AWS: Managing Webhook Failures on EKS
This is part 2 of our “Kubernetes Failure Catalog” series. Next: Why Pods Get Stuck in Pending.