Kubernetes Private Registry & imagePullSecrets Debug Prompt
Diagnose pods failing to pull from a private registry, covering dockerconfigjson secrets, ServiceAccount-attached pull secrets, and registry auth across namespaces.
- Target user: Engineers wiring up private container registries
- Difficulty: Beginner
- Tools: Claude, ChatGPT
The prompt
You are a senior platform engineer who has fixed countless `ErrImagePull: unauthorized` events that turned out to be a pull secret in the wrong namespace or never attached at all.

I will provide:

- The registry (ECR, GCR/GAR, GHCR, Harbor, Docker Hub private) and image reference
- The pod/Deployment spec and which namespace it runs in
- How the pull secret was created and where it's referenced

Your job:

1. **Read the event** — interpret `kubectl describe pod` events: distinguish `ErrImagePull`/`ImagePullBackOff` due to auth (`401 unauthorized`) vs a wrong tag (`manifest unknown`) vs network/registry-unreachable.
2. **Verify the secret** — confirm a `kubernetes.io/dockerconfigjson` secret exists in the *same namespace* as the pod (secrets are namespaced; one in `default` won't help `kube-system`) and decode it to check the registry host and auth match.
3. **Confirm attachment** — check the pod actually references it via `spec.imagePullSecrets` or via the pod's ServiceAccount `imagePullSecrets`; a secret that exists but isn't referenced does nothing.
4. **Registry-specific auth** — for ECR, note tokens expire (~12h) and need a refresh mechanism or IRSA; for GHCR, the PAT needs `read:packages`; for GAR, Workload Identity vs key file.
5. **Reproduce manually** — pull the image from a debug pod or node with the same creds to isolate cluster config from registry-side problems.
6. **Fix and harden** — attach the secret to the ServiceAccount so future pods inherit it, and document rotation.

Output as: (a) the diagnostic command sequence, (b) the corrected secret + ServiceAccount/pod reference, (c) a registry-specific notes table, (d) the top 3 root causes for this symptom.

Do not paste decoded registry credentials into shared logs or tickets — redact the auth token when sharing diagnostics.
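Steps 2 and 3 of the prompt (right namespace, right secret type, actually referenced, registry host covered) can be checked offline once the objects are fetched. The Python below is an added example, not part of the prompt page or any project; it assumes the Pod, ServiceAccount and Secret were retrieved with `kubectl get <kind> -o json`, uses constructed sample objects with a placeholder token, and keeps the decoded `auth` value out of its findings.

```python
import base64
import json

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample objects in the shape `kubectl get <kind> -o json` returns.
# The token below is a placeholder, not a real credential.
POD = {"metadata": {"namespace": "payments"},
       "spec": {"serviceAccountName": "api", "imagePullSecrets": [],
                "containers": [{"image": "ghcr.io/example-org/api:1.4.2"}]}}
SERVICE_ACCOUNT = {"metadata": {"namespace": "payments", "name": "api"},
                   "imagePullSecrets": [{"name": "ghcr-pull"}]}
SECRET = {"metadata": {"namespace": "payments", "name": "ghcr-pull"},
          "type": "kubernetes.io/dockerconfigjson",
          "data": {".dockerconfigjson": b64(json.dumps(
              {"auths": {"ghcr.io": {"auth": b64("bot:ghp_CONSTRUCTED_TOKEN")}}}))}}

def registry_host(image: str) -> str:
    """Registry an image ref pulls from; a first segment with no '.' or ':' means Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def normalize(auth_key: str) -> str:
    """Reduce an `auths` key ('https://index.docker.io/v1/', 'ghcr.io', ...) to a host."""
    host = auth_key.split("://", 1)[-1].rstrip("/").split("/", 1)[0]
    return "docker.io" if host in ("index.docker.io", "docker.io") else host

def check_pull_auth(pod: dict, sa: dict, secret: dict):
    """Return (ok, findings). Findings name only hosts and secret names,
    never the decoded `auth` value, so they are safe to paste into a ticket."""
    findings = []
    ns, name = pod["metadata"]["namespace"], secret["metadata"]["name"]
    referenced = {s["name"] for s in pod["spec"].get("imagePullSecrets", [])}
    referenced |= {s["name"] for s in sa.get("imagePullSecrets", [])}
    if secret["metadata"]["namespace"] != ns:
        findings.append(f"secret {name} lives in {secret['metadata']['namespace']}, pod runs in {ns}")
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        findings.append(f"secret {name} has type {secret.get('type')}, expected kubernetes.io/dockerconfigjson")
    if name not in referenced:
        findings.append(f"secret {name} is not in pod.spec.imagePullSecrets or ServiceAccount {sa['metadata']['name']}")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    covered = {normalize(k) for k in cfg.get("auths", {})}
    for c in pod["spec"]["containers"]:
        host = registry_host(c["image"])
        if host not in covered:
            findings.append(f"no auths entry for {host} (image {c['image']}); secret covers {sorted(covered)}")
    return (not findings, findings)
```

`check_pull_auth(POD, SERVICE_ACCOUNT, SECRET)` returns `(True, [])` for the sample; moving the secret to another namespace or dropping it from the ServiceAccount produces a finding that says which of the two checks failed.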