Merge pull request #137 from amanycodes/k8s-exit-code

Add Kubernetes Exit-Code CREs: 137 (OOMKilled), 127 (Command Not Found), 134 (SIGABRT), 139 (SIGSEGV)

Author: Lyndon-prequel

rules/cre-2025-0127/cre-exit-127.yaml

@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: TDtvSvVJU5vUaLZuRZBVk9
+    cre:
+      id: CRE-2025-0127
+      severity: 2
+      title: Container exited 127 due to command not found (bad entrypoint/command)
+      category: configuration-problem
+      author: CRE Community
+      description: |
+        Exit code 127 indicates the configured command/entrypoint was not found in the image or PATH.
+        New or misconfigured deployments commonly hit this and immediately crash.
+      cause: |
+        - Typo in command/entrypoint or wrong binary path.
+        - Missing executable in the image or non-executable file permissions.
+        - Different base image where the tool isn’t installed by default.
+      impact: |
+        - Pod fails to start; controllers may enter CrashLoopBackOff.
+        - Service remains unavailable until the image/command is fixed.
+      tags:
+        - k8s
+        - exit-code
+        - command
+        - entrypoint
+        - startup-failure
+      mitigation: |
+        - Verify the binary exists and is executable (`chmod +x`).
+        - Use absolute paths or fix PATH; test with `docker run` locally.
+        - Add pre-deploy checks in CI to validate entrypoint presence.
+      references:
+        - "https://kubernetes.io/docs/concepts/workloads/pods/"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 3
+      mitigationScore: 3
+      reports: 6
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t127$"

rules/cre-2025-0127/test.log

@@ -0,0 +1 @@
+2025-08-27T13:18:27Z	cre-demo/cmd-127	bad-cmd	Error	127

rules/cre-2025-0134/cre-exit-134.yaml

@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: T8tPh6u4Bj7nXidQWbRvvj
+    cre:
+      id: CRE-2025-0134
+      severity: 2
+      title: Container exited 134 due to SIGABRT / assertion failure
+      category: runtime-problem
+      author: CRE Community
+      description: |
+        Exit code 134 indicates the process aborted via SIGABRT, commonly due to failed assertions,
+        allocator checks (e.g., glibc detecting heap corruption), or explicit abort() calls.
+      cause: |
+        - assert(false) / std::abort() in C/C++.
+        - Memory allocator consistency errors (double free, corruption).
+        - Defensive abort on unrecoverable invariant violations.
+      impact: |
+        - Immediate termination of the container; possible loss of in-flight work.
+        - Repeated crashes if the triggering condition is deterministic at startup.
+      tags:
+        - k8s
+        - exit-code
+        - sigabrt
+        - assertion
+        - native
+      mitigation: |
+        - Enable core dumps and symbols; capture backtraces.
+        - Run ASAN/UBSAN builds in staging to localize corruption.
+        - Pin and verify libc/libstdc++ versions; roll back recent native changes.
+      references:
+        - "https://www.gnu.org/software/libc/manual/html_node/Aborting-a-Program.html"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 6
+      mitigationScore: 2
+      reports: 4
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t134$"

rules/cre-2025-0134/test.log

@@ -0,0 +1 @@
+2025-08-27T13:26:39Z	cre-demo/abort-134	aborter	Error	134

rules/cre-2025-0137/cre-exit-137.yaml

@@ -0,0 +1,50 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: VuPxiuWkYodzUqupa7gh9N
+    cre:
+      id: CRE-2025-0137
+      severity: 1
+      title: Pod terminated with Exit Code 137 due to OOMKilled (memory limit exceeded)
+      category: memory-problem
+      author: CRE Community
+      description: |
+        The container exceeded its memory limit and was killed by the kernel OOM killer.
+        Kubernetes reports a terminated state with Reason=OOMKilled and exitCode=137.
+        This often manifests as CrashLoopBackOff under sustained memory pressure.
+      cause: |
+        - Memory limit too low relative to peak usage.
+        - Sudden traffic spikes causing allocation bursts.
+        - Memory leaks or fragmentation in long-running processes.
+        - Under-provisioned nodes or overly strict pod limits.
+      impact: |
+        - Request errors and latency spikes during restarts.
+        - CrashLoopBackOff and reduced availability.
+        - Potential loss of in-flight work not checkpointed to durable storage.
+      tags:
+        - k8s
+        - exit-code
+        - out-of-memory
+        - memory
+        - crash-loop
+        - reliability
+      mitigation: |
+        - Raise memory requests/limits; add headroom for peak allocations.
+        - Enable profiling and leak detection; tune GC/heap where applicable.
+        - Consider Vertical Pod Autoscaler for right-sizing.
+        - Watch node memory pressure and eviction thresholds.
+      references:
+        - "https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-states"
+        - "https://kubernetes.io/docs/tasks/administer-cluster/out-of-resource/"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 6
+      mitigationScore: 2
+      reports: 12
+    rule:
+      set:
+        event:
+          source: cre.log.k8s      
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\tOOMKilled\\t137$"

rules/cre-2025-0137/test.log

@@ -0,0 +1 @@
+2025-08-27T11:51:17Z	cre-demo/oom-137	eater	OOMKilled	137

rules/cre-2025-0139/cre-exit-139.yaml

@@ -0,0 +1,44 @@
+rules:
+  - metadata:
+      kind: prequel
+      id: KHtVUpTbZHaevdn4EABmQEe
+    cre:
+      id: CRE-2025-0139
+      severity: 2
+      title: Container exited 139 due to segmentation fault (SIGSEGV)
+      category: runtime-problem
+      author: CRE Community
+      description: |
+        Exit code 139 indicates SIGSEGV (invalid memory access) in native/runtime code.
+        Frequently caused by unsafe pointer operations, ABI/library mismatches, or native extensions.
+      cause: |
+        - Null dereference or out-of-bounds access in C/C++/Rust unsafe blocks.
+        - Incompatible glibc/musl or driver/library versions.
+        - Faulty JNI/ctypes/native extension code paths.
+      impact: |
+        - Hard crash; requests being processed may be dropped.
+        - Repeated crashes if the segfault occurs deterministically at startup.
+      tags:
+        - k8s
+        - exit-code
+        - segfault
+        - native
+        - reliability
+      mitigation: |
+        - Enable core dumps and symbol files; capture stack traces.
+        - Pin compatible base image/libc; verify ABI expectations.
+        - Use ASAN/UBSAN builds; bisect recent native/library changes.
+      references:
+        - "https://man7.org/linux/man-pages/man7/signal.7.html"
+      applications:
+        - name: kubernetes
+          version: ">=1.16"
+      impactScore: 7
+      mitigationScore: 2
+      reports: 5
+    rule:
+      set:
+        event:
+          source: cre.log.k8s
+        match:
+          - regex: "^[^\\t]+\\t[^\\t/]+/[^\\t]+\\t[^\\t]+\\t[^\\t]*\\t139$"

rules/cre-2025-0139/test.log

@@ -0,0 +1 @@
+2025-08-27T13:32:40Z	cre-demo/segv-139	segv	Error	139

rules/tags/tags.yaml

@@ -845,6 +845,24 @@ tags:
   - name: cluster-scaling
     displayName: Cluster Scaling
     description: Problems related to Kubernetes cluster scaling operations and capacity management
+  - name: exit-code
+    displayName: Exit Code
+    description: Problems identified by specific process/container exit codes (e.g., 137, 127, 134, 139).
+  - name: entrypoint
+    displayName: Entrypoint
+    description: Failures caused by invalid or missing container ENTRYPOINT/CMD definitions.
+  - name: command
+    displayName: Command
+    description: Problems caused by invalid commands or arguments at startup (e.g., not found, bad path, non-executable).
+  - name: sigabrt
+    displayName: SIGABRT
+    description: Crashes where a process aborts with SIGABRT (exit 134), often due to assertion failures or allocator checks.
+  - name: native
+    displayName: Native
+    description: Issues in native code paths (C/C++/Rust, libc/ABI), including crashes and memory faults.
+  - name: reliability
+    displayName: Reliability
+    description: Unstable behavior such as unexpected restarts, crash loops, or intermittent failures affecting service reliability.
   - name: autogpt
     displayName: AutoGPT
     description: Problems related to AutoGPT autonomous AI agent framework