kubectl Cheatsheet
Last Updated: 2023-09-18
Clusters
# Get Clusters.
$ kubectl config get-clusters
# Get Cluster Info
$ kubectl cluster-info
Kubernetes control plane is running at https://127.0.0.1:36397
CoreDNS is running at https://127.0.0.1:36397/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
$ kubectl cluster-info dump
Specify output columns
$ kubectl get services -A -o=custom-columns=NAME:.metadata.name,Namespace:.metadata.namespace
API Resources
To see which Kubernetes resources are and aren't in a namespace:
# In a namespace
$ kubectl api-resources --namespaced=true
# Not in a namespace
$ kubectl api-resources --namespaced=false
Check resources
# Get a list of Services:
$ kubectl get services
# Check the service accounts:
$ kubectl -n kube-system get sa
# Get pods on a specific node.
$ kubectl get pods --all-namespaces -o wide --field-selector spec.nodeName=$NODE
Check resource consumption
$ kubectl top node
$ kubectl top pod -A
Delete multiple pods
Delete multiple pods by label:
$ kubectl delete pods -l app=my-app -n default
Delete multiple pods by name:
$ kubectl get pods -n $NAMESPACE --no-headers=true | awk '/pattern/{print $1}'| xargs kubectl delete -n $NAMESPACE pod
$ kubectl get pods -n $NAMESPACE | grep $PATTERN | awk '{print $2}' | xargs kubectl delete pod -n $NAMESPACE
Storage
Check capacities:
$ kubectl describe pv
$ kubectl describe pvc
The PV's Status should be "Bound" if it has been successfully allocated to the application.
Check remaining disk space:
$ kubectl -n <namespace> exec <pod-name> -- df -ah
Plugins
Add the tree plugin to visualize
$ kubectl krew install tree
How to force restart a pod
kubectl get pod PODNAME -n NAMESPACE -o yaml | kubectl replace --force -f -
Check status
$ kubectl get --raw='/readyz?verbose'
Who Am I and What Can I Do?
Who Am I?
# Show current-context
$ kubectl config current-context
# Check details of the Config
$ kubectl config view
What can i do?
# List all
$ kubectl auth can-i --list
# Check to see if I can do everything in my current namespace ("*" means all)
$ kubectl auth can-i '*' '*'
# Check to see if I can create pods in any namespace
$ kubectl auth can-i create pods --all-namespaces
# Check to see if I can list deployments in my current namespace
$ kubectl auth can-i list deployments.extensions
Patch
$ kubectl patch serviceaccount NAME -n NAMESPACE -p '{"imagePullSecrets": [{"name": "IMAGE_PULL_SECRET_NAME"}]}'
exec.Command("kubectl", "patch", "serviceaccount",
"NAME",
"-n", "NAMESPACE",
"-p", `'{"imagePullSecrets": [{"name": "IMAGE_PULL_SECRET_NAME"}]}'`).Run()
Search string in resources
# use grep, but hard to see which pod it is.
kubectl get pod -A -o yaml | grep "something"
# use jq, get pod name.
kubectl get pod -A -o json | jq -r '.items[] | select(tostring | contains("something")) | .metadata.name'
Check Node Status
e.g. check ephemeral storage
$ kubectl get --raw "/api/v1/nodes/$NODE_NAME/proxy/stats/summary"
# equivalent to
$ curl http://$HOST:$PORT/api/v1/nodes/$NODE_NAME/proxy/stats/summary
# and
$ kubectl get --raw "/api/v1/nodes/$NODE_NAME/proxy/metrics/resource"
$ kubectl get --raw "/api/v1/nodes/$NODE_NAME/proxy/metrics/cadvisor"
More Examples
# get PVs of a namespace
kubectl get pv -o json | jq -r '.items[] | select(.spec.claimRef.namespace == "NAMESPACE") | .metadata.name'
# Change the reclaim policies of the persistent volumes to Retain.
kubectl patch pv/${NAME} -p "{\"spec\":{\"persistentVolumeReclaimPolicy\":\"Retain\"}}"
# remove a field
kubectl patch pv/${NAME} --type json -p '[{"op":"remove","path":"/spec/claimRef"}]';
# Get and decode secret
kubectl get secret SECRET_NAME -n NAMESPACE --template="{{index .data \"ca.crt\" | base64decode}}" > https.crt
# cert is stored in certificate-authority-data in kubeconfig
curl $(kubectl config view --minify --output 'jsonpath={..cluster.server}')
# curl: (60) SSL certificate problem: unable to get local issuer certificate
# get cert
kubectl config view --minify --raw --output 'jsonpath={..cluster.certificate-authority-data}' | base64 -d > /tmp/kubectl-cacert
curl --cacert /tmp/kubectl-cacert $(kubectl config view --minify --output 'jsonpath={..cluster.server}')
# should get 403