Application pods in Down/Init state

Article ID: 407833

Products

VMware NSX

Issue/Introduction

  • The application pods may get stuck in an Init state with the below error message:

    Failed to create pod network sandbox k8s_xxxx-xxxx-osd-xx-xxxxxxx-xxxxxxx-openshift-storage_xxxxxx-xxx-xxx-xxxxxxxx(uuid): error adding pod openshift-storage__xxxx-xxxx-osd-xx-xxxxxxx-xxxxxxx to CNI network "multus-cni-network": plugin type="multus-shim" name="multus-cni-network" failed (add): CmdAdd (shim): CNI request failed with status 400:"

  • In the NCP node agent logs, the below error can be observed:

    2025-08-11T14:18:39.180Z worker0.xxxxx.xx.xxxx NSX 8 - [nsx@6876 comp="nsx-container-ncp" subcomp="ncp" level="WARNING"] vmware_nsxlib.v3.client The HTTP request returned error code 400, whereas 201/200 response codes were expected. Response body {'httpStatus': 'BAD_REQUEST', 'error_code': 500078, 'module_name': 'Policy', 'error_message': 'In the /infra/segments/seg_xxxx-xxxx-xxxx_1/ports/port_xxxx-xxxx-xxxx-xxxxxxxx : tags, field 30 count exceeds max number allowed 29.'}

Environment

VMware NSX

Cause

NSX supports a maximum of 29 tags per resource. If the limit is hit, the logical switch port is not created, which leaves the pods stuck in an initialisation state.

Note: This also applies to OpenShift.

Resolution

To reduce the number of labels that are translated into NSX tags, add "label_filtering_regex_list" to the K8s section of ncp.ini:

Creating and Managing Network Profiles

For OpenShift, the change must be added to nsx-ncp-operator-config to be persistent.

NOTE: Adding "label_filtering_regex_list = .*" will drop the label > tag translation. The side effect of this change is that users will not be able to enforce NSX security policies based on K8s labels. K8s network policies may be impacted as well.
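The following added example (not part of the original article or of NCP) previews a candidate filter before it goes into ncp.ini: for each pod it reports the resulting tag count against the 29-tag limit and which labels used by security policies would stop being translated. It assumes a label is dropped when any regex matches its key; the pod data, `policy_keys` and `extra_tags` are constructed or hypothetical.

```python
import re

NSX_MAX_TAGS = 29  # per-resource tag limit stated in this article


def surviving_labels(labels, regex_list):
    """Labels still translated to NSX tags after filtering.

    Assumption: a label is dropped when any regex matches its key.
    """
    patterns = [re.compile(r) for r in regex_list]
    return {k: v for k, v in labels.items()
            if not any(p.search(k) for p in patterns)}


def audit(pods, regex_list, policy_keys=(), extra_tags=0):
    """Per pod: resulting tag count, whether it fits, and which labels
    used by security policies (policy_keys) would no longer become tags.

    extra_tags is a hypothetical allowance for tags not derived from labels.
    """
    report = {}
    for pod, labels in pods.items():
        kept = surviving_labels(labels, regex_list)
        count = len(kept) + extra_tags
        report[pod] = {
            "tags": count,
            "fits": count <= NSX_MAX_TAGS,
            "lost_policy_keys": sorted(k for k in policy_keys
                                       if k in labels and k not in kept),
        }
    return report


# Constructed sample: one pod with 30 labels, two of them used in policies.
SAMPLE_PODS = {
    "storage-osd-0": {
        "app": "osd", "tier": "storage",
        **{f"example.com/meta-{i}": "x" for i in range(28)},
    }
}
POLICY_KEYS = ("app", "tier")

if __name__ == "__main__":
    # No filter, a targeted filter, and the catch-all from the NOTE above.
    for regexes in ([], [r"^example\.com/"], [r".*"]):
        print(regexes, audit(SAMPLE_PODS, regexes, POLICY_KEYS))
```

A targeted regex brings the sample pod under the limit while keeping the policy labels; the catch-all `.*` also fits but removes every label that policies depend on.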

Additional Information

NSX enforces a limit of 29 tags for each resource. NCP maps each pod's label to an NSX tag. K8s labels are used to enforce security policies.