aldengolab/k8s-hostnetwork-port-conflict
skills/k8s-hostnetwork-port-conflict/SKILL.md
Debug Kubernetes pods using hostNetwork: true that crash with "Address already in use" or "failed to create listening socket for port N". Use when: (1) a hostNetwork pod container is in CrashLoopBackOff and logs show a port bind failure, (2) the port works fine in non-hostNetwork pods but fails with hostNetwork, (3) you need to identify which host-level process holds a port from within Kubernetes (no SSH). Covers /proc/net/udp inspection and kubectl debug node with nsenter.
development
Updated Apr 10, 2026
$ install --global
skillsauthnpx skillsauth add aldengolab/lorist k8s-hostnetwork-port-conflictInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 10, 2026, 3:31 AM10.9s1 file scanned
SKILL.md
- name:
- k8s-hostnetwork-port-conflict
- description:
- |
- Debug Kubernetes pods using hostNetwork:
- true that crash with "Address already
- author:
- Claude Code
- version:
- 1.0.0
- date:
- 2026-04-07
Kubernetes hostNetwork Port Conflict Debugging
Problem
A pod with hostNetwork: true shares the host's network namespace. If a
system-level service on the node already binds the same port, the container
fails with "Address already in use" and enters CrashLoopBackOff. The error
is misleading because nothing inside Kubernetes appears to hold the port.
Context / Trigger Conditions
- Container logs show
failed to create listening socket for port <N>: Address already in useor similar bind errors - The pod spec includes
hostNetwork: true kubectl get podsshows CrashLoopBackOff with restarts climbing- No other pod in the cluster appears to use the conflicting port
- The same container image works in a non-hostNetwork pod
Solution
1. Confirm the port conflict from inside the cluster
From any running container on the same node with hostNetwork (or the crashing pod's surviving sidecar):
kubectl exec -n <ns> <pod> -c <container> -- cat /proc/net/udp # UDP
kubectl exec -n <ns> <pod> -c <container> -- cat /proc/net/tcp # TCP
Ports are in hex in column 2 (local_address). Convert: e.g. 0045 = 69.
Look for 00000000:<hex-port> (bound on all interfaces).
2. Identify the host process
Use kubectl debug node/ with the sysadmin profile to get root access:
kubectl debug node/<node-name> -it --image=ubuntu --profile=sysadmin -- bash
Inside the debug pod, enter the host namespaces:
nsenter -t 1 -m -u -i -n -p -- ss -tulnp | grep :<port>
This shows the process name and PID holding the port.
Note: Without --profile=sysadmin, nsenter fails with
"cannot open /proc/1/ns/ipc: Permission denied".
3. Resolve the conflict
Option A — Stop the host service (if it's redundant):
# systemd-based hosts:
nsenter -t 1 -m -u -i -n -p -- systemctl stop <service>
nsenter -t 1 -m -u -i -n -p -- systemctl disable <service>
# Non-systemd hosts (e.g., minimal k3s distros):
nsenter -t 1 -m -u -i -n -p -- kill <pid>
# Then find and disable the init mechanism (inetd.conf, xinetd.d/, init.d/)
Option B — Change the container's port (if the service must stay): Reconfigure the containerized application to use an alternative port. Note that for protocol-standard ports (TFTP/69, DHCP/67-68), clients may expect the default port, making Option A preferable.
4. Prevent recurrence
- Audit the node for existing services before deploying hostNetwork pods:
ss -tulnp | grep :<port>on the node - For bare-metal/on-prem clusters, document which ports are reserved by host services so future hostNetwork pods avoid them
- Consider whether hostNetwork is truly required; a NodePort or LoadBalancer Service avoids the conflict entirely
Verification
After removing the conflicting service, either wait for CrashLoopBackOff retry or delete the pod to force immediate recreation:
kubectl delete pod -n <ns> <pod-name>
Confirm the new pod reaches Running + Ready with 0 restarts.
Notes
- CrashLoopBackOff exponential backoff can delay retries significantly. Deleting the pod forces an immediate fresh attempt.
- On minimal OS distributions (common with k3s),
systemctlmay not exist. Fall back tokilland investigate the init system. - The
/proc/net/udptechnique works from any container sharing the host network namespace — it doesn't require privileges.
Related Skills
aldengolab/ubuntu-secureboot-pxe-netboot
development
VerifiedTrustedCommunity
Build a UEFI Secure Boot PXE netboot server for Ubuntu autoinstall. Use when: designing or implementing network boot infrastructure for automated Ubuntu provisioning with Secure Boot enabled. Covers the complete chain: signed shim+GRUB selection, TFTP layout, kernel parameters, autoinstall config requirements, and post-install bootstrapping scripts. Also applicable when debugging an existing PXE setup that uses the wrong GRUB binary or config paths.
SKILL.mdUpdated Apr 10, 2026
aldengolab/pxe-grub-persistent-server-pattern
development
VerifiedTrustedCommunity
Design pattern for running a persistent PXE/TFTP server that safely coexists with already-installed nodes. Use when: building PXE infrastructure that should stay always-on, designing automated bare-metal provisioning in GitOps/Kubernetes environments, or any PXE setup where UEFI boot order has network boot first. Eliminates boot loops without requiring UEFI firmware changes.
SKILL.mdUpdated Apr 10, 2026
aldengolab/orwell-clear-writing
development
VerifiedTrustedCommunity
This skill governs all prose output — Claude's own responses, documentation, PR descriptions, commit messages, README content, comments, and any text the user asks to draft or edit. It should also be used when the user asks to "review my writing", "edit this for clarity", "make this clearer", "simplify this text", "rewrite this", "check my prose", "tighten this up", or "make this more concise". Based on George Orwell's "Politics and the English Language" (1946).
SKILL.mdUpdated Apr 10, 2026
aldengolab/plan-review
development
VerifiedTrustedCommunity
Adversarial 3-stage review of an implementation plan before execution — checks completeness, security/best-practices, and multi-agent implementability. Use this skill whenever the user wants to validate, review, stress-test, or check an existing implementation plan before building or executing it. Trigger on phrases like "review the plan", "stress-test the plan", "is this plan ready", "check the plan", "validate the plan", "go through the plan", "find what's wrong with the plan", "is this ready for agents", "can subagents execute this", or any request to find gaps, security issues, or underspecified tasks in a plan that has already been written. Also trigger when the user has just finished /plan-implementation and is about to run /autonomous-plan-execution — the plan should be reviewed first. This skill is specifically for reviewing EXISTING plans, not for writing new ones (use plan-implementation for that), not for code review or PR review (use code-review for that), and not for debugging or post-deployment issues. If the user mentions a plan file, says "before we build", or asks whether phases can be parallelized, this skill almost certainly applies.
SKILL.mdUpdated Apr 3, 2026