# Error: Deployment rollout status is stuck: waiting for deployment spec update to be observed...

- **ID:** `kubernetes/deployment-rollout-stuck-image-pull-back-off`
- **Domain:** kubernetes
- **Category:** runtime_error
- **Verification:** ai_generated
- **Fix Rate:** 75%

## Root Cause

Deployment's image pull back-off prevents new pods from starting, so rollout never completes.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| kubectl v1.28 | active | — | — |
| kubectl v1.29 | active | — | — |
| kubectl v1.30 | active | — | — |

## Workarounds

1. **Check image pull error: `kubectl describe pod <pod-name> | grep -A5 'Back-off'` to see exact reason (e.g., 'ImagePullBackOff'). Then fix image tag or registry credentials.** (85% success)
   ```
   Check image pull error: `kubectl describe pod <pod-name> | grep -A5 'Back-off'` to see exact reason (e.g., 'ImagePullBackOff'). Then fix image tag or registry credentials.
   ```
2. **Update deployment with correct image: `kubectl set image deployment/<name> <container>=<correct-image>:<tag>` and watch rollout.** (90% success)
   ```
   Update deployment with correct image: `kubectl set image deployment/<name> <container>=<correct-image>:<tag>` and watch rollout.
   ```
3. **If private registry, create image pull secret: `kubectl create secret docker-registry regcred --docker-server=<registry> --docker-username=<user> --docker-password=<pass> --docker-email=<email>` then patch service account.** (80% success)
   ```
   If private registry, create image pull secret: `kubectl create secret docker-registry regcred --docker-server=<registry> --docker-username=<user> --docker-password=<pass> --docker-email=<email>` then patch service account.
   ```

## Dead Ends

- **Force rollout restart with `kubectl rollout restart deployment`** — Restart does not fix the underlying image pull issue; new pods will still fail. (90% fail)
- **Delete and recreate the deployment** — Recreating deployment uses same image spec; problem persists unless image is fixed. (85% fail)
- **Wait longer (timeout >10 minutes)** — Back-off is exponential; waiting alone won't resolve if image doesn't exist or auth fails. (80% fail)