My Kubernetes and Kubectl Cheat Sheet

Here are few commands that I find myself using a lot when I am working with Kubectl/Kubernetes

Validate a k8s yaml file

kubectl create --dry-run=true --validate=true -f <my-file>.yaml

Get shell in a running pod

kubectl exec -it <pod-name> -- /bin/bash

Get a shell in running container in a pod

Use bin/sh if you are running Alpine

kubectl exec -it <pod-name> --container <container-name> -- /bin/bash

Get logs from a running container in a pod

kubectl logs <pod-name> <container-name>

Get a file from running pod

pass --container <container-name> to connect to specific container when you have multiple containers in pod

kubectl cp <pod-name>:<file-path> <dest-path>

Switch cluster

See available contexts by running kubectl config get-contexts

kubectl config use-context <context_name_cluster-name>

TIP: use kubectl aliases script to work with multiple clusters. This script provides context and namespace aware aliases, which makes working with multiple clusters easy.

Get pods ordered by creation timestamp

kubectl get pods --sort-by=.metadata.creationTimestamp

Get all pods with namespace, node name and status of the pod

kubectl get pod --output=custom-columns=NAME:.metadata.name,NAMESPACE:.metadata.namespace,STATUS:.status.phase,NODE:.spec.nodeName --all-namespaces

You can adapt this command to show more details by adding the field you want in --output format

Add or update label of a pod

Add a new label to already running pod

kubectl label pod <pod_name> <label_key>=<label_value>
# example
kubectl label pod suraj app=test

Update existing label of already running pod using --overwrite flag

kubectl label pod <pod_name> <label_key>=<label_value> --overwrite
# example
kubectl label pod suraj app=test --overwrite

Remove a pod from deployment and keep it alive for debugging

Assuming you have a deployment with 6 replicas and one of those pod is misbehaving. Now you don’t want to send anymore traffic to that but you want to keep it alive for debugging purposes.

You can remove the label from your target pod. that will remove that pod from deployment but leave it running.

kubectl label pod <pod_name> <label_key>-

Example: you have a deployment with label app=backend, env=staging and service with same label selector now you want to remove backend-staging-wadwad-wad54 from deployment.

kubectl label pod backend-staging-wadwad-wad54 app- will remove pod backend-staging-wadwad-wad54 from deployment.

Select attributes of an object

You can use custom-columns in output to select custom columns

kubectl get pods -o=custom-columns=NAME:.metadata.name

This will list down pod names

# select multiple attributes(service object in this case)
kubectl get service -n kube-system  -o=custom-columns=NAME:.metadata.name,IP:.spec.clusterIP,PORT:.spec.ports[*].targetPort

Delete multiple pods

Use custom-columns to get name of pods(tip: pass ---no-headers to remove header), and then force delete them one by one

# get all pod names
pods=$(kubectl get pods -o=custom-columns=NAME:.metadata.name --no-headers)
# iterate and delete pods
for item in $pods
do
  kubectl delete pod $item
done

pass --grace-period=0 --force to force delete

NOTE: force delete is NOT a good idea, you should know the effects of it before using it. see more

Trigger a cronjob manually

One use case would be testing a cronjob after deployment. You can trigger a cronjob right away by creating a job from a cronjob, and it will create a pod which will run to completion

kubectl create job --from=cronjob/<name of cronjob> <name of job>

For example, if the name of your cronjob is “pgdump”, then you might run:

kubectl create job --from=cronjob/pgdump pgdump-test-1

Test Auth and allow actions

you can use can-i to see if you are allowed to perform an action, this comes handy when you are testing out permission on service accounts, or roles when you are setting up RBAC. want to learn more about RBAC, read my introduction to RBAC in Kubernetes

# check if you can create pods
kubectl auth can-i create pods --all-namespaces
# check if you can create service accounts
kubectl auth can-i create serviceaccount
# check if you can delete a service
kubectl auth can-i delete service

You can also use can-i to see allowed actions and capabilities

# list all allowed actions
kubectl auth can-i --list

Wait for resources

you can use wait to wait for your resources to reach a certain state. this comes in handy when you are scripting things, and want to do something once something is ready or in another state.

# wait for pod drillbit-0 to be ready
kubectl wait --for=condition=Ready pod/drillbit-0

Debugging Things in Kubernetes

Kubernetes docs on this topic is good, and easy to read so I will just link to them

• Troubleshoot Applications - Kubernetes Docs
• Application Introspection and Debugging - Kubernetes Docs
• Debug Pods and ReplicationControllers - Kubernetes Docs
• Debug Services - Kubernetes Docs
• Developing and debugging services locally - Kubernetes Docs
• Debug Init Containers - Kubernetes Docs
• Debug a StatefulSet - Kubernetes Docs
• Debugging Kubernetes nodes with crictl - Kubernetes Docs
• Monitor Node Health - Kubernetes Docs
• Troubleshoot Clusters - Kubernetes Docs

Kubernetes Internals

Few blog posts which explains internals of Kubernetes

• The Almighty Pause Container - Ian Lewis
• What are Kubernetes Pods Anyway? - Ian Lewis
• Container Runtimes Part 1: An Introduction to Container Runtimes - Ian Lewis
• Container Runtimes Part 2: Anatomy of a Low-Level Container Runtime - Ian Lewis
• Container Runtimes Part 3: High-Level Runtimes - Ian Lewis
• Container Runtimes Part 4: Kubernetes Container Runtimes & CRI - Ian Lewis
• Operating a Kubernetes network - Julia Evans

Further Reading

• kubectl commands - Kubernetes docs
• introduction to RBAC in Kubernetes
• kubectl aliases script