Config
CLI Setup
alias k=kubectlCreate alias for kubectl.
source <(kubectl completion bash)Enable kubectl completion.
Kubeconfig
kubectl cluster-info --kubeconfig /path/to/kubeconfig.ymlShow info about the specifed Kubeconfig file.
export KUBECONFIG=/path/to/kubeconfig.ymlSet the Kubeconfig file to use.
kubectl config viewShow configured clusters in the current Kubeconfig file.
Context
kubectl -context my-context-name get podsSpecify context in a command.
kubectl -n my-namespace get podsSpecify namespace in a command.
kubectl config use-context myContextSwitch to the specify context.
kubectl config current-contextShow current context.
kubectl config view --minify | grep namespace:Show current namespace (other method).
kubectl config set-context --current --namespace myNameSpaceSet namespace for current context.
kubectl config unset current-contextUnset current context.
AWS EKS Kubeconfig
aws eks update-kubeconfig --name my-clusterUpdate
~/.kube/configfile to be able to connect to the cluster.
Basis
Apply
kubectl apply -f myResoyrce.ymlCreate or update a resource from a YAML file.
kubectl apply -f /myResourcesFolderCreate or update multiple resources from YAML files in a folder (requires
---at the beginning of files).
Get
kubectl get nodesList nodes.
kubectl get servicesReturn active services.
kubectl get ingressShow ingress.
kubectl get deploymentsShow deployments.
kubectl get podsShow Pods.
Describe
kubectl describes nodes myNodeReturn information about the resource.
Delete
kubectl delete pod my-pod Delete Pod.
kubectl delete pod my-pod --nowDelete Pod now.
kubectl delete pod my-pod --forceForce delete the Pod.
kubectl delete pods --allDelete all Pods.
kubectl delete -f myDeployment.ymlDelete deployment from file.
Ouput
kubectl get pods -o wideOuput more info (e.g. for Pods, outputs Node and IP).
kubectl get deployment -o custom-columns=DEPLOYMENT:.metadata.name,CONTAINER_IMAGE:.spec.template.spec.containers[].image,READY_REPLICAS:.status.readyReplicas --sort-by=.metadata.nameCustom column output.
kubectl get pods my-pod -o yamlOuput yaml configuration.
kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.osImage}'Jsonpath output.
Flags
--no-headersDo not output headers.
--as myUserExecute command as another user.
Monitoring
Metrics Server
Note: For the Metrics API to be available, metrics-server has to be installed on the cluster.
kubectl top nodesShow nodes metrics.
kubectl top podsShow pods metrics.
Metadata
Labels
kubectl label node myNode myLabel=myValueAdd a Label to a Node.
kubectl label node myNode myLabel-Remove a Label from a Node.
Label Selector
kubectl get pod --selector myLablel=myValueGet pods based on label value.
kubectl get pod --selector myLablel=myValue,myLablel2=myValue2Get pods based on multiple labels values.
Nodes
Unschedule
kubectl cordon myNodeMark the node as unschedulable (node status will be
Ready,SchedulingDisabled).kubectl uncordon myNodeMark the node as schedulable (node status will be
Ready).
kubectl drain myNodeMark the node as unschedulable and empty it from its pods.
kubectl drain myNode --ignore-daemonsetsAllows to drain node even if there are DaemonSets (DaemonSets can create Pods that ignore unschedulable taints).
kubectl drain myNode --forceAllows to drain node even if there are Pods that are not declared in the controller (Pods not in Job, DaemonSet, ReplicationSet, ...). Warning: pods that are not in the controller will be lost.
Taint
kubectl taint node myNode myKey=myValue:myEffectAdd a Taint to a Node (effect can be
NoExecute,NoSchedule,PreferNoSchedule...)
kubectl taint node myNode myKey=myValue:myEffect-Remove Taint from a Node.
Pods
Static Pods
To create a static pod, look at the path configured for staticPodPath in /var/lib/kubelet/config.yaml. Then create a manifest and move it in the specified path.
kubectl describe pods -A | grep "Controlled By"Find Static Pods (they are the ones controlled by
Node/controlplane).
Run (imperative)
kubectl run webserver --image=httpdStart a Pod (Appache in this case).
kubectl run webserver --image=httpd --port=80Start a Pod and set the
containerPortspec.LikeEXPOSEit is for information purpose only: it does not actually publish the port.
kubectl run my-pod --image=myImage -- /bin/bashRun a Pod that overrides the
CMDof the container.kubectl run my-pod --image=myImage --command -- /bin/bash --myArgRun a Pod that overrides the
ENTRYPOINTand theCMDof the container.kubectl run my-pod --image=myImage -rm -it --command -- /bin/bash --myArgRun a Pod that is interactive (
-it) and gets deleted when exited (--rm)
Exec
kubectl exec my-pod -c my-container -it -- /bin/bashExec a command in a container (when there is only one container
-cis not required).
Logs
kubectl logs my-pod -c my-containerShow logs of the specified container (when there is only one container
-cis not required).
kubectl logs -f my-podShow and follows logs.
Edit
kubectl edit pod myPodEdit pod configuration
The only specifications that can be edited without --force are the following:
spec.containers[*].imagespec.initContainers[*].imagespec.activeDeadlineSecondsspec.tolerations
Deployments
Create
kubectl create my-deployment --image=httpd:alpine --replicas=4Create a deployment with 4 replicas.
Update (imperative)
kubectl scale deployment my-deployment --replicas 4Change the number of replicas for the Deployment.
kubectl set image deployment/my-deployment my-container=my-new-imageChange the image used in a Deployment.
kubectl rollout status deployment/my-deploymentShow rollout status.
Service Exposure
Port Forward (imperative)
kubectl port-forward my-pod <HOST_PORT>:<POD_PORT>Create a port forward to the specified pod.Access via
localhost:<POD_PORT>
Expose Services (imperative)
kubectl expose pod my-pod --type=ClusterIP --port=<POD_PORT> --name my-app-serviceCreate a service of type ClusterIP.Access via
<CLUSTER_IP>:<POD_PORT>(only accessible inside the cluster).kubectl expose pod my-pod --type=NodePort --port=<POD_PORT> --name my-app-serviceCreate a service of type NodePort.Access via
<ANY_NODE_IP>:<NODE_PORT>kubectl expose pod my-pod --type=LoadBalancer --port=<POD_PORT> --name my-app-serviceCreate a service of type LoadBalancer (requires that cluster is able to ask for a load balancer).Access via
<EXTERNAL_IP>:<POD_PORT>(EXTERNAL_IPis the IP of the Load Balancer).
Ingress
kubectl create ingress my-ingress --rule="/mypath=my-app-cluster-ip-service:8080"Create an Ingress that route traffic address to
/mypathpath.
kubectl create ingress my-ingress --rule="myapp.local/*=my-app-cluster-ip-service:8080"Create an Ingress that route traffic addressed to
myapp.localhost.
Here are some annotations that could be usefull when using an Ingress of type Nginx.
metadata:
annotations:
# Allow to do /myapp -> /
nginx.ingress.kubernetes.io/rewrite-target: /
# Redirect HTTP traffic to HTTPS
nginx.ingress.kubernetes.io/ssl-redirect: "true"
Secrets
Create
kubectl create secret generic mySecret --from-literal my_key_1=my_value_1 --from-literal my_key_2=my_value_2Create a
genericSecret.
kubectl create secret docker-registry my-private-reg-creds --docker-server=myprivateregistry.com:5000 --docker-username=dock_user --docker-password=dock_password --docker-email=dock_user@myprivateregistry.comCreate a
docker-registrySecret.
Example of the usage of a docker-registry Secret:
deployment
spec:
imagePullSecrets:
- name: private-reg-cred
containers:
- image: myprivateregistry.com:5000/nginx:alpine
imagePullPolicy: IfNotPresent
Certificates
Signing Requests
kubect get certificatesigningrequests.certificates.k8s.ioReturn Signing Requests.
cat my-signing-request.csr | base64 -w 0Ouput base64 as only one line
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
name: my-singing-request
spec:
request: LS0tLS1CRUdJTiBDRV...
signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth
Create a Singing Request.
kubectl certificate approve my-singing-requestApprove Singning Request.
OpenSSL
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -nooutOutput certificate content.
RBAC
Service Accounts
kubectl create serviceaccount my-service-accountCreate a Serivce Account.
# Specify Service Account for a resource
spec:
spec:
serviceAccountName: dashboard-sa
kubectl create token my-service-accountCreate a Service Account token (JWT).
Roles
kubectl create role developer --verb=list,create,delete --resource=podsCreate a Role (can
list,create,deletePods).
kubectl create rolebinding dev-user-binding --role=developer --serviceaccount=default:dev-userCreate a Binding between a Role and a Service Account.
Cluster Roles
kubectl create clusterrole storage-admin --verb=* --resource=storageclasses --resource=persistentvolumesCreate a Cluster Role (can do anything on Persistant Volumes).
kubectl create clusterrolebinding myUser-storage-admin --clusterrole=storage-admin --user=myUserCreate a Binding between a Role and a User.
Troubleshooting
Broken Scheduler
If the scheduler isn't working, check the configuration of /etc/kubernetes/manifests/kube-scheduler.yaml.
Broken Worker Node
If a Worker Node isn't working, try systemctl status kubelet.service
If the service don't start check:
journalctl -u kubelet.service/var/lib/kubelet/config.yaml
If Connection refused to control node check the Kubeconfig file:
- Is the port right?
server: https://controlplane:6443
- Is the port right?
Troubleshoot Containers
crictl ps -aSee Containers that are CRI-compatible.
crictl logs containerIDSee Logs for a container.
Misc
Get all Objects
kubectl get allGet info about all objects.
Get all Images
kubectl get pods --all-namespaces -o jsonpath="{.items[].spec.containers[].image}" | \ tr -s '[[:space:]]' '\n' | \
sort | \ uniq -cRetrieve all images used by pods in the cluster.
Find Resouces API Name
kubectl api-resources | grep storageFind the API name of a resource using keyword.
Get Cluster IP Ranges Config
kubectl logs -n kube-system weave-net | grep ipalloc-rangeFind Pods IP range configuration.
cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep "--service-cluster-ip-range="Find Services IP range configuration.
Expose Kube-apiserver
kubectl proxyExpose Kube-apiserver to localhost.