# error: unable to upgrade connection: dial tcp: i/o timeout

- **ID:** `kubernetes/kubectl-exec-tcp-timeout`
- **Domain:** kubernetes
- **Category:** network_error
- **Error Code:** `K8S-EXEC-005`
- **Verification:** ai_generated
- **Fix Rate:** 82%

## Root Cause

The kube-apiserver cannot establish a connection to the kubelet on the node for exec/logs/attach operations, usually due to network policies, firewall rules, or node unavailability.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| kubernetes 1.22 | active | — | — |
| kubernetes 1.23 | active | — | — |
| kubernetes 1.24 | active | — | — |
| kubernetes 1.27 | active | — | — |

## Workarounds

1. **Verify network connectivity from the control plane node to the target node on port 10250 (kubelet port): `nc -zv <node-ip> 10250`. If blocked, update firewall rules or network policies to allow traffic.** (90% success)
   ```
   Verify network connectivity from the control plane node to the target node on port 10250 (kubelet port): `nc -zv <node-ip> 10250`. If blocked, update firewall rules or network policies to allow traffic.
   ```
2. **Check if the node is in a 'NotReady' state. If so, investigate kubelet logs on the node (`journalctl -u kubelet`) and restart the kubelet service.** (80% success)
   ```
   Check if the node is in a 'NotReady' state. If so, investigate kubelet logs on the node (`journalctl -u kubelet`) and restart the kubelet service.
   ```

## Dead Ends

- **Restart the kube-apiserver pod.** — The issue is on the node side (kubelet or network), not the API server; restarting the API server won't help. (95% fail)
- **Increase the kubelet's timeout settings.** — The timeout is due to connectivity, not latency; increasing timeouts only delays the failure. (70% fail)