Add Kubernetes Exit-Code CREs: 137 (OOMKilled), 127 (Command Not Found), 134 (SIGABRT), 139 (SIGSEGV) by amanycodes · Pull Request #137 · prequel-dev/cre

amanycodes · 2025-08-28T13:42:32Z

Hi team,
This PR contributes four Kubernetes CREs centered on high-signal container exit codes that commonly break workloads. Each CRE ships with a reproducible script compatible with Preq.

Reproducible Repo with Readme(private): https://github.com/amanycodes/k8s-exit-codes

Prequel Playground Links:
137
134
127
139

Detection Approach
These CREs use the exit-code TSV scanner (kubectl … | jq … | @tsv) and pipe the result to Preq.

kubectl get pods -A -o json | jq -r '
  .items[] as $p
  | [ ($p.status.containerStatuses // []),
      ($p.status.initContainerStatuses // []),
      ($p.status.ephemeralContainerStatuses // []) ]
  | add | .[]
  | (.lastState.terminated // .state.terminated) as $t
  | select($t != null and $t.exitCode != null and $t.finishedAt != null)
  | [ $t.finishedAt,
      ($p.metadata.namespace + "/" + $p.metadata.name),
      .name,
      ($t.reason // ""),
      ($t.exitCode|tostring) ] | @tsv' \
| preq -r rules/cre-exit-codes.yaml

Exit Codes

Exit 137 (OOMKilled)

Severity: 2
Title: Pod terminated with Exit Code 137 due to OOMKilled (memory limit exceeded)
Impact: Crash loops, request errors, noisy restarts.
Cause: Container exceeds memory limit; kernel OOM killer terminates it.
Mitigation: Right-size requests/limits; add headroom/VPA; investigate leaks; memory profiling.

Exit 127 (command not found / bad entrypoint)

ID: CRE-2025-0127
Severity: 2
Title: Container exited 127: command not found (bad entrypoint/command)
Impact: Pod fails to start; CrashLoopBackOff.
Cause: Typo/missing binary/not executable.
Mitigation: Validate binary exists and is executable; use absolute paths; CI image checks.

Exit 134 (SIGABRT / assertion failure)

ID: CRE-2025-0134
Severity: 4
Title: Container exited 134: SIGABRT / assertion failure
Impact: Immediate crash; potential data loss for in-flight work.
Cause: abort() / failed assertions / allocator detects heap corruption.
Mitigation: Enable core dumps & symbols; capture backtraces; run ASAN/UBSAN; pin libc.

Exit 139 (SIGSEGV / segmentation fault)

ID: CRE-2025-0139
Severity: 4
Title: Container exited 139: segmentation fault in native/runtime code
Category: application-bug
Impact: Hard crash; possible data loss on in-flight requests.
Cause: Invalid memory access (e.g., native libs, ABI mismatch, unsafe memory ops).
Mitigation: Core dumps & symbols; pin compatible base image/libc; ASAN/UBSAN builds; roll back recent native lib changes.

Looking forward to any feedback! Happy to tweak severities, tags, or matchers.

Signed-off-by: amanycodes <amanycodes@gmail.com>

tonymeehan · 2025-08-29T13:32:30Z

LGTM!

- Add CRE-2025-0140: Supabase Realtime Invalid Config - Add CRE-2025-0141: Supabase Disk Full Migration - Add CRE-2025-0142: Supabase SSL Certificate Missing - Update test logs for Kubernetes exit code CREs (134, 137, 139) - Include Kubernetes exit code YAML files from PR prequel-dev#137

…he Troubleshooting Guide & Write a CRE Rule (#153) * feat: Add 10 Supabase self-hosted CRE rules for high-severity failures - Add CRE-2025-0130: Postgres container port conflict - Add CRE-2025-0131: JWT secret missing or invalid - Add CRE-2025-0132: Database connection timeout - Add CRE-2025-0133: Storage S3 misconfiguration - Add CRE-2025-0134: Realtime service invalid config - Add CRE-2025-0135: Migration SQL syntax errors - Add CRE-2025-0136: Auth service port conflict - Add CRE-2025-0137: Disk full during migration - Add CRE-2025-0138: API rate limit exceeded - Add CRE-2025-0139: SSL certificate missing Each rule includes realistic test logs and proper detection patterns. Updated taxonomy with Supabase-specific tags and categories. Closes #131 * fix: Add window parameter to Supabase CRE rules and create data-sources.yaml - Added required 'window: 5m' parameter to all 10 Supabase CRE set rules - Fixed validation errors for CRE-2025-0130 through CRE-2025-0139 - Created comprehensive data-sources.yaml documenting all log sources - Rules now pass preq validation and generate proper detection reports Addresses bounty #131 requirements for working CRE rules and data sources configuration. * fix: Remove duplicate port-binding tag from tags.yaml - Removed duplicate port-binding tag that was causing build failure - Original port-binding tag already exists at line 108 - Fixes make command error: 'Duplicate name kind=tags name=port-binding' * fix: Remove invalid 'docker' tag from CRE rules - Removed 'docker' tag from CRE-2025-0130 and CRE-2025-0136 - Fixed build failure: 'Unknown tag tag=docker' - All tags now properly validated against tags.yaml * fix: Add missing JWT tag to tags.yaml - Added JWT tag definition to resolve 'Unknown tag tag=jwt' error - JWT tag now properly validates in CRE-2025-0131 - Enables local testing: Get-Content test.log | preq.exe -r rule.yaml * fix: Remove duplicate 'auth' tag from CRE-2025-0131 - Removed invalid 'auth' tag from JWT secret rule - 'authentication' tag already covers this functionality - Tested locally with preq - validation passes - Rule generates proper detection reports * fix: Replace invalid '0' characters in base58 rule IDs - Fixed 7 CRE rules with invalid base58 rule IDs containing '0' - CRE-2025-0132: SB3DbConn3ct10nT1m30ut SB3DbConn3ct11nT1m31ut - CRE-2025-0133: SB4St0r4g3S3M1sc0nf1g SB4St1r4g3S3M1sc1nf1g - CRE-2025-0134: SB5R34lt1m3C0nf1gErr0r SB5R34lt1m3C1nf1gErr1r - CRE-2025-0135: SB6M1gr4t10nSyntaxErr0r SB6M1gr4t11nSyntaxErr1r - CRE-2025-0136: SB7Auth0P0rtC0nfl1ctErr SB7Auth1P1rtC1nfl1ctErr - CRE-2025-0137: SB8D1skFullMigrat10nErr SB8D1skFullMigrat11nErr - CRE-2025-0139: SB10SSLCertM1ss1ngErr0r SB11SSLCertM1ss1ngErr1r All rules now pass base58 validation and generate proper detection reports. Tested locally with preq - all validation passes successfully. * fix: Remove all unknown/invalid tags from Supabase CRE rules COMPREHENSIVE TAG AUDIT & FIXES: - CRE-2025-0133: 'cloud-provider-problem' 'infrastructure' - CRE-2025-0135: removed 'database-problem' and 'syntax' tags - CRE-2025-0132: removed 'database-problem' tag - CRE-2025-0138: removed 'api-problem' and 'ddos' tags All invalid tags replaced with existing valid tags from tags.yaml. Tested locally with preq - all rules now pass validation successfully. No more 'unknown tag' build failures. * fix: FINAL tag validation - all 39 unique tags now valid COMPREHENSIVE TAG AUDIT COMPLETE: Fixed last 3 invalid tags found by systematic validation: - CRE-2025-0133: removed 'credentials' tag (covered by 'api-key') - CRE-2025-0138: 'kong' 'proxy' - CRE-2025-0139: 'kong' 'proxy' - CRE-2025-0134: removed 'websocket' tag (covered by 'realtime') VALIDATION COMPLETE: All 39 unique tags verified against tags.yaml All rules tested locally with preq - 100% validation success No more 'unknown tag' build failures possible ACHIEVEMENT UNLOCKED: 100% Tag Compliance! * fix: ULTIMATE tag validation - removed final 'sql' tag ABSOLUTE FINAL TAG FIX: Removed invalid 'sql' tag from CRE-2025-0135 ULTIMATE VALIDATION COMPLETE: All 38 unique tags verified valid ZERO invalid tags remaining across all 10 CRE rules Comprehensive validation script confirms 100% compliance BULLETPROOF: No more tag validation failures possible! READY FOR BOUNTY! * fix: Resolve test failures for CRE-2025-0130 and CRE-2025-0137 TEST FIXES APPLIED: CRE-2025-0130: Fixed source mapping and regex patterns for port conflict detection - Changed source: cre.log.docker cre.log.supabase - Updated test.log format: docker supabase-db - Simplified regex patterns for better matching - NOW DETECTS: 1 problem (as expected by tests) CRE-2025-0137: Fixed source mapping and value field for disk full detection - Changed source: cre.log.postgres cre.log.supabase - Changed value: 'postgres' 'migration' (matches log content) - NOW DETECTS: 1 problem (as expected by tests) Both rules now pass local preq validation and should pass automated tests. Tests expect exactly 1 problem detection per rule - ACHIEVED! * Add Supabase CREs 140-142 and resolve conflicts - Add CRE-2025-0140: Supabase Realtime Invalid Config - Add CRE-2025-0141: Supabase Disk Full Migration - Add CRE-2025-0142: Supabase SSL Certificate Missing - Update test logs for Kubernetes exit code CREs (134, 137, 139) - Include Kubernetes exit code YAML files from PR #137 * Delete rules/cre-2025-0134/supabase-realtime-invalid-config.yaml * Delete rules/cre-2025-0137/supabase-disk-full-migration.yaml * Delete rules/cre-2025-0139/supabase-ssl-certificate-missing.yaml

amanycodes added 4 commits August 28, 2025 18:34

k8s-exit-codes-cre

93be772

Signed-off-by: amanycodes <amanycodes@gmail.com>

formatted cres

b83445e

Signed-off-by: amanycodes <amanycodes@gmail.com>

fixed tags

5825a68

Signed-off-by: amanycodes <amanycodes@gmail.com>

fix tags

2937d73

Signed-off-by: amanycodes <amanycodes@gmail.com>

tonymeehan approved these changes Aug 29, 2025

View reviewed changes

Merge branch 'main' into k8s-exit-code

1e34924

Lyndon-prequel merged commit 9572bae into prequel-dev:main Sep 5, 2025
2 checks passed

RaghavArora14 mentioned this pull request Sep 8, 2025

feat: Supabase (self-hosted): Reproduce High-Severity Failures from the Troubleshooting Guide & Write a CRE Rule #153

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Kubernetes Exit-Code CREs: 137 (OOMKilled), 127 (Command Not Found), 134 (SIGABRT), 139 (SIGSEGV)#137

Add Kubernetes Exit-Code CREs: 137 (OOMKilled), 127 (Command Not Found), 134 (SIGABRT), 139 (SIGSEGV)#137
Lyndon-prequel merged 5 commits intoprequel-dev:mainfrom
amanycodes:k8s-exit-code

amanycodes commented Aug 28, 2025

Uh oh!

tonymeehan commented Aug 29, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

amanycodes commented Aug 28, 2025

Exit Codes

Exit 137 (OOMKilled)

Exit 127 (command not found / bad entrypoint)

Exit 134 (SIGABRT / assertion failure)

Exit 139 (SIGSEGV / segmentation fault)

Uh oh!

tonymeehan commented Aug 29, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants