DevOps Buzz
Kubectl Cheat Sheet
Useful commands list.

General

Overview

Install

curl -LO "https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +rx ./kubectl
sudo mv ./kubectl /usr/local/bin

Enable autocomplete

sudo apt-get install bash-completion
source /usr/share/bash-completion/bash_completion
echo 'source <(kubectl completion bash)' >>~/.bashrc
sudo su -
kubectl completion bash >/etc/bash_completion.d/kubectl
Enable autocomplete for an alias.
alias k=kubectl
source <(kubectl completion bash | sed 's/kubectl/k/g')


Explain components

kubectl explain pods

Run kubectl from inside a container

Open a TTY session in your container and make sure kubectl is installed.

Import your Kubernetes config

A container deployed in a Kubernetes cluster already has the cluster CA certificate and its ServiceAccount token mounted under /var/run/secrets/kubernetes.io/serviceaccount; you only need to import them. kubectl then acts with the permissions of that ServiceAccount.

kubectl config set-cluster \
  default --server=https://kubernetes.default \
  --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

kubectl config set-context default --cluster=default
token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
kubectl config set-credentials user --token="$token"
kubectl config set-context default --user=user
kubectl config use-context default
Do not replace any path or URL; you can run the commands above exactly as written.
At this point you should have the file ~/.kube/config.

cat ~/.kube/config

WORKAROUND: if, by any chance, you are having a hard time, you can get the /root/.kube/config file from your original installation and restore it inside your container. That file normally carries the administrator credentials of the installation, so anything running in the container gains them too.

Generate kubeconfig from ServiceAccount

server=https://192.168.99.101:8443
namespace=myproject-sysadmin
secretName=myproject-001-admin-token-wszv8

# The CA stays base64-encoded (certificate-authority-data expects base64);
# the token and the namespace are decoded.
ca=$(kubectl -n "$namespace" get "secret/$secretName" -o jsonpath='{.data.ca\.crt}')
token=$(kubectl -n "$namespace" get "secret/$secretName" -o jsonpath='{.data.token}' | base64 --decode)
namespace=$(kubectl -n "$namespace" get "secret/$secretName" -o jsonpath='{.data.namespace}' | base64 --decode)

echo "
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: default
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
" > "$secretName.kubeconfig"
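The generated file holds a bearer token, so it should be readable by its owner only. The following is an added example, not part of the original page: a hypothetical helper, write_sa_kubeconfig, that checks the values before pasting them into YAML and creates the file with mode 0600. Its arguments are the server, ca, token and namespace values obtained above plus an output path.

```shell
#!/usr/bin/env bash
# Added example: write_sa_kubeconfig is a hypothetical helper, not from the page.
# The function body is a subshell "( ... )", so umask and exit stay local to it.
write_sa_kubeconfig() (
    server=$1 ca_b64=$2 token=$3 ns=$4 out=$5
    LC_ALL=C    # make the character ranges below byte-exact

    # Refuse empty arguments and anything but an HTTPS API endpoint.
    [ -n "$ca_b64" ] && [ -n "$token" ] && [ -n "$ns" ] && [ -n "$out" ] || exit 2
    case $server in https://?*) ;; *) exit 2 ;; esac

    # The values are pasted into YAML below: allow only the expected alphabets
    # (base64 for the CA, JWT characters for the token, DNS label for the namespace).
    case $server in *[!A-Za-z0-9:/._-]*) exit 3 ;; esac
    case $ca_b64 in *[!A-Za-z0-9+/=]*) exit 3 ;; esac
    case $token  in *[!A-Za-z0-9._-]*) exit 3 ;; esac
    case $ns     in *[!a-z0-9-]*) exit 3 ;; esac

    umask 077          # the new file is created 0600: the token is a credential
    rm -f -- "$out"    # an existing file would otherwise keep its old, looser mode
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: ${ca_b64}
    server: ${server}
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: ${ns}
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: ${token}
EOF
)
# Usage: write_sa_kubeconfig "$server" "$ca" "$token" "$namespace" "$secretName.kubeconfig"
```

IPv6 literal server addresses are rejected by the character check as written.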

Cluster management

Get cluster name

kubectl config get-clusters

Get cluster endpoints

kubectl cluster-info

List all API resources

kubectl api-resources -o wide

kubectl api-resources --verbs=list -o name | xargs -n 1 kubectl get -o name

Logs

Get logs from the previous (restarted) instance of a pod's container:

kubectl \
  -n nmp-fm-mcd-001 logs \
  POD-NAME \
  -c CONTAINER-NAME --previous

Namespaces

Force delete namespace (hanging on "Terminating")

kubectl delete namespaces --grace-period=0 --force my-namespace

If the namespace is not deleted, check its manifest:

kubectl get namespace my-namespace -o yaml

Check if it has any finalizers, for example:

...
finalizers:
- controller.cattle.io/namespace-auth
...

Edit it:

kubectl edit namespace my-namespace

And delete the finalizers block. A finalizer holds the namespace until its controller has finished cleaning up, so removing it skips that cleanup.
If that does not work, export the namespace manifest to a file:

kubectl get ns my-namespace -o json > my-namespace.json

Edit the file and, in the finalizers block, remove "kubernetes" (or any other existing finalizer). Then send the file to the finalize endpoint:

kubectl replace --raw "/api/v1/namespaces/my-namespace/finalize" -f ./my-namespace.json

Nodes

Get nodes

kubectl get nodes --show-labels

Permission

can-i

kubectl auth can-i list deployment

Pods

Connect to pod TTY

The right way

List your pods:

kubectl get pods

Locate the one you want to access, get its name, and run:

kubectl exec -it hal-66b97c4c88-b675b -- bash

Replace hal-66b97c4c88-b675b with your pod name. kubectl exec has no option for choosing the container user (kubectl's --user flag selects a kubeconfig user), so the shell runs as the user the container was started with.
If your namespace has only one pod, you can use a single command:

NAMESPACE=YOUR-NAMESPACE
kubectl -n "$NAMESPACE" \
  exec -it \
  "$(kubectl -n "$NAMESPACE" get pods | sed -n 2p | awk '{print $1}')" -- bash

Workaround

If for any reason you cannot use kubectl exec (for example, if your container does not allow root auth), SSH to the K8s worker node that is hosting your pod.
Locate the container you want to connect to:

docker ps | grep "halyard"

Replace halyard with any keyword you want.
Then connect to it:

docker exec -it --user root 261d763bf353 bash

Force delete pod

Never force pod deletion unless it is really necessary.
If you have a pod which is referenced by a ReplicaSet that does not exist and you are stuck, force pod deletion.

kubectl -n PUT-YOUR-NAMESPACE-HERE \
  delete pod PUT-YOUR-POD-NAME-HERE \
  --grace-period=0 --force

Replace PUT-YOUR-NAMESPACE-HERE and PUT-YOUR-POD-NAME-HERE.

References

Force Delete StatefulSet Pods (Kubernetes)

RBAC

(Cluster)RoleBindings and the ServiceAccount(s) they reference

kubectl get rolebindings,clusterrolebindings \
  --all-namespaces \
  -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name'
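To review that listing for broad grants, the following added example (not from the original page) filters the table for bindings that give ServiceAccounts a write-capable built-in ClusterRole. It assumes two extra columns, ROLEKIND:roleRef.kind and ROLE:roleRef.name, inserted before SERVICE_ACCOUNTS; the function names and the sample rows are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page; function names are hypothetical.
# Expects the table printed by the command above with two extra columns:
#   ...,NAME:metadata.name,ROLEKIND:roleRef.kind,ROLE:roleRef.name,SERVICE_ACCOUNTS:...
flag_sa_bindings() {
    # $1: comma-separated ClusterRole names to flag (default: write-capable built-ins)
    awk -v roles="${1:-cluster-admin,admin,edit}" '
        BEGIN { n = split(roles, r, ","); for (i = 1; i <= n; i++) risky[r[i]] = 1 }
        $1 == "KIND" || NF < 6 { next }    # header row or malformed line
        $6 == "<none>"         { next }    # no ServiceAccount among the subjects
        # A namespaced Role that merely shares a name (e.g. "admin") is not flagged.
        $4 == "ClusterRole" && ($5 in risky) {
            printf "%s %s/%s grants %s to %s\n", $1, $2, $3, $5, $6
        }'
}

# Constructed sample output, not taken from a real cluster.
sample_bindings() {
    cat <<'EOF'
KIND                 NAMESPACE   NAME        ROLEKIND      ROLE            SERVICE_ACCOUNTS
RoleBinding          dev         read-pods   Role          pod-reader      ci
RoleBinding          dev         local-adm   Role          admin           ci
ClusterRoleBinding   <none>      ops-admin   ClusterRole   cluster-admin   tiller,deployer
ClusterRoleBinding   <none>      humans      ClusterRole   cluster-admin   <none>
RoleBinding          myproject   ns-edit     ClusterRole   edit            builder
EOF
}

sample_bindings | flag_sa_bindings
```

Against a cluster, pipe the kubectl command's output into flag_sa_bindings instead of the sample.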

Resources

List pods resource limits

kubectl -n cxc get pod -o custom-columns='NAME:.metadata.name,MLIMIT:.spec.containers[*].resources.limits.memory'

kubectl -n myns get pods -o json | jq '.items[].spec.containers[].resources.limits.cpu'