How do I fix 'Error: timed out waiting for the condition' in Helm?

Run `kubectl get events -n --sort-by='.lastTimestamp' --field-selector type!=Normal` immediately after the timeout. This surfaces the real root cause — usually ImagePullBackOff, CrashLoopBackOff, or a missing Secret/ConfigMap. Fix the underlying Kubernetes issue first, then re-run `helm upgrade --install` with `--timeout 10m0s --debug` to give the next attempt more time and verbose feedback.

Why does Helm say 'connection refused' when kubectl commands work fine?

Helm may be reading a different kubeconfig file or a stale context. Run `helm env` to see the value of `HELM_KUBECONFIG`, and compare it to `KUBECONFIG`. Also check for `HTTP_PROXY` or `HTTPS_PROXY` environment variables intercepting the API server connection. If credentials have expired (common with EKS, GKE, AKS), refresh them with the cloud CLI and regenerate the kubeconfig entry.

How do I recover from a Helm release stuck in 'pending-upgrade' state?

Confirm the state with `helm list --all -n `. The fastest recovery is `helm rollback -n `. If rollback also fails because the release is fully blocked, locate the pending Secret with `kubectl get secrets -n -l owner=helm,name= ` and delete the Secret whose `status` label is `pending-upgrade`. This unblocks the release and allows a fresh `helm upgrade` to proceed.

How can I see what Helm is waiting for during a timeout?

Add `--debug` to your helm command: `helm upgrade --install --wait --timeout 10m0s --debug`. You will see lines like `[debug] Deployment is not ready: my-app. 0 out of 1 expected pods are ready`. Run `kubectl get events -n -w` in a parallel terminal for a real-time Kubernetes event stream. Together these two outputs almost always reveal the blocking resource within seconds.

What is the difference between helm failed and helm timeout?

A helm timeout means Helm waited the full duration and gave up — the resources may still be running and retrying in Kubernetes. A helm failed release means Helm itself recorded a failure status (often from a post-install hook exit code, or a prior interrupted upgrade). Check `helm history -n ` to see the status of each revision. A `failed` revision can be rolled back; a release stuck mid-operation requires deleting the pending Secret to recover.

Helm Timeout: Fix helm install/upgrade Errors — connection refused, ImagePullBackOff, permission denied

Fix helm timeout, connection refused, crash, and permission denied errors with step-by-step diagnostic commands and proven Kubernetes solutions.

Last updated: February 23, 2026

Last verified: February 23, 2026

2,300 words

Key Takeaways

Helm timeout (default 5m0s) fires when pods never reach Ready state — root causes are ImagePullBackOff, CrashLoopBackOff, failing readiness probes, or resource quota exhaustion, not Helm itself
helm connection refused means the Kubernetes API server is unreachable: verify kubeconfig context, firewall rules on port 6443, expired cloud credentials (EKS/GKE/AKS), and proxy environment variables
Permission denied errors require RBAC fixes — create a Role or ClusterRoleBinding scoped to exactly the resource types the chart needs; helm crash from corrupted release state is recovered via helm rollback or deleting the stuck Helm Secret

Helm Error Fix Approaches Compared
Method	When to Use	Time to Fix	Risk Level
Increase --timeout flag	Slow image pulls, large charts, cold-start clusters	2 min	Low
Add imagePullSecret to chart values	Pod stuck with ImagePullBackOff from private registry	5–15 min	Low
Fix image name or tag in values.yaml	ImagePullBackOff due to wrong image reference	5 min	Low
Patch RBAC ClusterRoleBinding	helm install fails with 403 Forbidden or permission denied	10 min	Medium
Refresh kubeconfig credentials	Connection refused or Kubernetes cluster unreachable	5 min	Low
helm rollback to last good revision	UPGRADE FAILED or helm crash during upgrade	5–10 min	Low
Delete stuck Helm release Secret	Release locked in pending-upgrade or pending-install state	10 min	Medium

Understanding Helm Timeout and Related Errors

When you run helm install or helm upgrade --wait, Helm polls Kubernetes until every resource in the chart reaches a healthy state. If that does not happen within the deadline, Helm prints:

Error: timed out waiting for the condition

or during an upgrade:

Error: UPGRADE FAILED: timed out waiting for the condition

This single error message is a symptom, not a root cause. Helm itself is fine — something inside Kubernetes is blocking the deployment from completing. Since Helm 3 removed the Tiller server, all release state is stored as Kubernetes Secrets in the target namespace. A corrupted or orphaned release Secret produces its own failure class: helm failed, helm crash, or the blocked reinstall error cannot re-use a name that is still in use.

The related errors — helm connection refused, helm imagepullbackoff, and helm permission denied — each have distinct root causes and require different fixes. This guide walks through each one systematically.

Step 1: Identify the Specific Failure

Before attempting any fix, run these commands to pinpoint exactly which Kubernetes resource is failing and why:

# Check current release status and last deployed revision
helm status <release-name> -n <namespace>

# Get all events sorted by time — this surfaces the root cause fastest
kubectl get events -n <namespace> \
  --sort-by='.lastTimestamp' \
  --field-selector type!=Normal | tail -30

# List pods and their current state
kubectl get pods -n <namespace> -o wide

# Describe the specific failing pod
kubectl describe pod <pod-name> -n <namespace>

The pod status column tells you which fix track to follow:

Pod Status	Root Cause	Fix Section
`ImagePullBackOff`	Cannot pull container image	Step 2
`CrashLoopBackOff`	Container starts then exits	Step 3
`Pending`	No schedulable node / quota	Step 4
`CreateContainerConfigError`	Missing Secret or ConfigMap	Step 5
`Init:Error`	Init container failed	Step 3
`OOMKilled`	Exceeded memory limit	Step 3

Step 2: Fix Helm Timeout Caused by ImagePullBackOff

ImagePullBackOff is the most common cause of Helm timeout. The pod cannot pull the specified container image, so it never becomes Ready and Helm waits until the deadline expires.

Get the exact error message:

kubectl describe pod <pod-name> -n <namespace> | grep -A 15 Events

You will see output like:

Warning  Failed  12s  kubelet  
  Failed to pull image "myregistry.io/myapp:v1.2.3": 
  rpc error: code = Unknown desc = Error response from daemon: 
  pull access denied for myregistry.io/myapp, repository does not exist

Fix 1 — Wrong image name or tag: Update values.yaml or your --set override:

helm upgrade --install <release-name> <chart> \
  --set image.repository=myregistry.io/myapp \
  --set image.tag=v1.2.4 \
  -n <namespace>

Fix 2 — Private registry missing pull credentials:

# Create the registry credentials Secret
kubectl create secret docker-registry regcred \
  --docker-server=myregistry.io \
  --docker-username=myuser \
  --docker-password=mypassword \
  -n <namespace>

# Pass the Secret name to the chart
helm upgrade --install <release-name> <chart> \
  --set imagePullSecrets[0].name=regcred \
  -n <namespace>

Step 3: Fix CrashLoopBackOff and OOMKilled

If the image pulls successfully but the container crashes on startup, Kubernetes restarts it repeatedly. Helm waits, the pod never becomes Ready, and the timeout fires.

# Inspect logs from the crashed container instance
kubectl logs <pod-name> -n <namespace> --previous

# Check the termination reason and exit code
kubectl get pod <pod-name> -n <namespace> \
  -o jsonpath='{.status.containerStatuses[0].lastState.terminated}'

Exit Code	Meaning	Fix
`1`	Application startup error	Check app logs, fix config
`137`	OOMKilled (SIGKILL)	Increase `resources.limits.memory`
`139`	Segmentation fault	Broken binary or base image
`127`	Command not found	Wrong `command` or `args` in pod spec

For OOMKilled:

helm upgrade --install <release-name> <chart> \
  --set resources.limits.memory=512Mi \
  --set resources.requests.memory=256Mi \
  -n <namespace>

Step 4: Fix Helm Connection Refused

If Helm commands return:

Error: Kubernetes cluster unreachable: 
  Get "https://127.0.0.1:6443/version": 
  dial tcp 127.0.0.1:6443: connect: connection refused

Helm cannot reach the Kubernetes API server. Helm reads the same kubeconfig as kubectl.

Diagnose:

# Confirm active cluster context
kubectl config current-context

# Show the API server address helm is targeting
kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'

# Test basic cluster connectivity
kubectl cluster-info

Fix 1 — Switch to correct context:

kubectl config get-contexts
kubectl config use-context <correct-context-name>

Fix 2 — Refresh expired cloud credentials:

# AWS EKS
aws eks update-kubeconfig --region us-east-1 --name my-cluster

# Google GKE
gcloud container clusters get-credentials my-cluster --zone us-central1-a

# Azure AKS
az aks get-credentials --resource-group myRG --name my-cluster

Fix 3 — Proxy interfering with API traffic: Unset proxy for the cluster subnet:

export NO_PROXY=<api-server-ip>,localhost,127.0.0.1
helm list -n <namespace>

Step 5: Fix Helm Permission Denied

Helm permission denied surfaces as:

Error: INSTALLATION FAILED:
  deployments.apps is forbidden: User "system:serviceaccount:default:default"
  cannot create resource "deployments" in API group "apps" in the namespace "production"

Diagnose what the current principal can do:

# Test specific permissions
kubectl auth can-i create deployments -n <namespace>
kubectl auth can-i create clusterroles

# List all permissions for the current user
kubectl auth can-i --list -n <namespace>

# List existing role bindings
kubectl get rolebindings,clusterrolebindings -A | grep <user-or-sa-name>

Fix — Bind cluster-admin for development clusters (scope tightly in production):

kubectl create clusterrolebinding helm-deploy \
  --clusterrole=cluster-admin \
  --serviceaccount=<namespace>:<service-account-name>

Production fix — Grant only required permissions:

kubectl create role helm-deployer \
  --verb=create,get,list,update,delete,patch \
  --resource=deployments,services,configmaps,secrets \
  -n <namespace>

kubectl create rolebinding helm-deployer-binding \
  --role=helm-deployer \
  --serviceaccount=<namespace>:<sa-name> \
  -n <namespace>

Step 6: Fix Helm Crash and Corrupted Release State

If a prior helm install or helm upgrade was interrupted (process killed, network drop, CI timeout), the release can become stuck in pending-install, pending-upgrade, or failed state. Subsequent operations fail with:

Error: UPGRADE FAILED: another operation (install/upgrade/rollback) is in progress

or:

Error: INSTALLATION FAILED: cannot re-use a name that is still in use

Diagnose:

# Show all releases including failed ones
helm list --all -n <namespace>

# Inspect the release Secret states directly
kubectl get secrets -n <namespace> \
  -l owner=helm,name=<release-name> \
  -o custom-columns='NAME:.metadata.name,STATUS:.metadata.labels.status,REVISION:.metadata.labels.version'

Fix 1 — Roll back to the last working revision:

# List revision history
helm history <release-name> -n <namespace>

# Roll back to a specific revision
helm rollback <release-name> <revision-number> -n <namespace>

Fix 2 — Delete the stuck pending Secret (use with care):

# Find the stuck secret name
STUCK=$(kubectl get secrets -n <namespace> \
  -l owner=helm,name=<release-name>,status=pending-upgrade \
  -o jsonpath='{.items[0].metadata.name}')

# Delete it to unblock the release
kubectl delete secret "$STUCK" -n <namespace>

# Now retry the upgrade
helm upgrade --install <release-name> <chart> -n <namespace>

Step 7: Increase Timeout for Legitimately Slow Deployments

For charts that pull large images, run database schema migrations in init containers, or wait for external services to become available, the default 5-minute timeout is too short. Use --timeout with --debug to extend the window and see real-time status:

helm upgrade --install <release-name> <chart> \
  --namespace <namespace> \
  --timeout 15m0s \
  --wait \
  --debug

The --debug flag prints each polled resource's readiness status, making it easy to see exactly which resource is blocking and why. Combine it with kubectl get events -n <namespace> -w in a second terminal for a live event stream.

Preventive Best Practices

Run helm lint <chart> and helm install --dry-run --debug before every deploy to catch schema and rendering errors early.
Set readinessProbe.initialDelaySeconds to a realistic value for your application startup time — an undersized delay causes premature restarts that snowball into Helm timeouts.
Pin image tags; never use latest in production as it causes unpredictable ImagePullBackOff failures after registry updates.
Store environment-specific values in values-staging.yaml and values-production.yaml committed to version control.
Install the helm diff plugin and run helm diff upgrade before every upgrade to review exactly what will change.

Frequently Asked Questions

bash

#!/usr/bin/env bash
# Helm Timeout Diagnostic Script
# Usage: NAMESPACE=myns RELEASE=myapp bash helm-debug.sh

NAMESPACE=${NAMESPACE:-default}
RELEASE=${RELEASE:-""}

echo "=== Cluster Connectivity ==="
kubectl cluster-info 2>&1 | head -3
kubectl config current-context

echo ""
echo "=== Helm Release Status ==="
if [ -n "$RELEASE" ]; then
  helm status "$RELEASE" -n "$NAMESPACE" 2>&1
  echo ""
  helm history "$RELEASE" -n "$NAMESPACE" 2>&1
else
  helm list --all -n "$NAMESPACE"
fi

echo ""
echo "=== Pod States ==="
kubectl get pods -n "$NAMESPACE" -o wide

echo ""
echo "=== Non-Normal Events (most recent 30) ==="
kubectl get events -n "$NAMESPACE" \
  --sort-by='.lastTimestamp' \
  --field-selector type!=Normal 2>/dev/null | tail -30

echo ""
echo "=== Failing Pod Details ==="
for pod in $(kubectl get pods -n "$NAMESPACE" \
  -o jsonpath='{range .items[?(@.status.phase!="Running")]}{.metadata.name}{"\n"}{end}' 2>/dev/null); do
  echo "--- Pod: $pod ---"
  kubectl describe pod "$pod" -n "$NAMESPACE" | grep -A 10 Events:
  kubectl logs "$pod" -n "$NAMESPACE" --previous --tail=20 2>/dev/null || \
    kubectl logs "$pod" -n "$NAMESPACE" --tail=20 2>/dev/null
  echo ""
done

echo "=== RBAC Permissions Check ==="
kubectl auth can-i create deployments -n "$NAMESPACE"
kubectl auth can-i create secrets -n "$NAMESPACE"
kubectl auth can-i create serviceaccounts -n "$NAMESPACE"
kubectl auth can-i create clusterroles

echo ""
echo "=== Helm Release Secrets (state check) ==="
if [ -n "$RELEASE" ]; then
  kubectl get secrets -n "$NAMESPACE" \
    -l "owner=helm,name=$RELEASE" \
    -o custom-columns='NAME:.metadata.name,STATUS:.metadata.labels.status,REVISION:.metadata.labels.version'
fi

echo ""
echo "=== Resource Quota Usage ==="
kubectl describe resourcequota -n "$NAMESPACE" 2>/dev/null || echo "No resource quotas found"

# -------------------------------------------------------
# Fix commands (run after identifying root cause above)
# -------------------------------------------------------

# Extend timeout and retry with verbose output:
# helm upgrade --install "$RELEASE" <chart> -n "$NAMESPACE" --timeout 15m0s --wait --debug

# Add imagePullSecret for private registries:
# kubectl create secret docker-registry regcred \
#   --docker-server=myregistry.io --docker-username=user --docker-password=pass \
#   -n "$NAMESPACE"

# Roll back to last good revision:
# helm rollback "$RELEASE" <revision-number> -n "$NAMESPACE"

# Delete stuck pending-upgrade Secret:
# STUCK=$(kubectl get secrets -n "$NAMESPACE" -l "owner=helm,name=$RELEASE,status=pending-upgrade" \
#   -o jsonpath='{.items[0].metadata.name}')
# kubectl delete secret "$STUCK" -n "$NAMESPACE"

Error Medic Editorial

The Error Medic Editorial team is composed of senior DevOps engineers and Site Reliability Engineers with extensive experience operating Kubernetes clusters at scale on AWS, GCP, and Azure. We translate complex infrastructure failures into actionable, copy-paste-ready solutions that get teams unblocked fast.

Sources

Explore More DevOps Config Guides

Ansible Failed: Fix Connection Refused, Permission Denied & Timeout Errors

Fix Ansible failures including connection refused, permission denied, and timeout errors. Step-by-step diagnosis with real commands and verified solutions.

ArgoCD 'connection refused' Error: Complete Troubleshooting Guide (2024)

Fix ArgoCD 'connection refused', CrashLoopBackOff, ImagePullBackOff, and timeout errors with step-by-step diagnostic commands and proven solutions.

ArgoCD Connection Refused: Fix CrashLoopBackOff, ImagePullBackOff, Permission Denied & Timeout Errors

Fix ArgoCD connection refused errors: diagnose CrashLoopBackOff, ImagePullBackOff, permission denied, and timeout with step-by-step kubectl commands and config