kubectl Cheatsheet

Last Updated: 2023-09-18


# Get Clusters.
$ kubectl config get-clusters

# Get Cluster Info
$ kubectl cluster-info
Kubernetes control plane is running at
CoreDNS is running at

$ kubectl cluster-info dump

Specify output columns

$ kubectl get services -A -o=custom-columns=NAME:.metadata.name,Namespace:.metadata.namespace

API Resources

To see which Kubernetes resources are and aren't in a namespace:

# In a namespace
$ kubectl api-resources --namespaced=true

# Not in a namespace
$ kubectl api-resources --namespaced=false

Check resources

# Get a list of Services:
$ kubectl get services

# Check the service accounts:
$ kubectl -n kube-system get sa

# Get pods on a specific node.
$ kubectl get pods --all-namespaces -o wide --field-selector spec.nodeName=$NODE

Check resource consumption

$ kubectl top node
$ kubectl top pod -A

Delete multiple pods

Delete multiple pods by label:

$ kubectl delete pods -l app=my-app -n default

Delete multiple pods by name:

$ kubectl get pods -n $NAMESPACE --no-headers=true | awk '/pattern/{print $1}'| xargs  kubectl delete -n $NAMESPACE pod

$ kubectl get pods -n $NAMESPACE | grep $PATTERN | awk '{print $2}' | xargs kubectl delete pod -n $NAMESPACE


Check capacities:

$ kubectl describe pv
$ kubectl describe pvc

The PV's Status should be "Bound" if it has been successfully allocated to the application.

Check remaining disk space:

$ kubectl -n <namespace> exec <pod-name> -- df -ah


Add the tree plugin to visualize

$ kubectl krew install tree

How to force restart a pod

kubectl get pod PODNAME -n NAMESPACE -o yaml | kubectl replace --force -f -

Check status

$ kubectl get --raw='/readyz?verbose'

Who Am I and What Can I Do?

Who Am I?

# Show current-context
$ kubectl config current-context

# Check details of the Config
$ kubectl config view

What can i do?

# List all
$ kubectl auth can-i --list

# Check to see if I can do everything in my current namespace ("*" means all)
$ kubectl auth can-i '*' '*'

# Check to see if I can create pods in any namespace
$ kubectl auth can-i create pods --all-namespaces

# Check to see if I can list deployments in my current namespace
$ kubectl auth can-i list deployments.extensions


$ kubectl patch serviceaccount NAME -n NAMESPACE -p '{"imagePullSecrets": [{"name": "IMAGE_PULL_SECRET_NAME"}]}'
exec.Command("kubectl", "patch", "serviceaccount",
    "-n", "NAMESPACE",
    "-p", `'{"imagePullSecrets": [{"name": "IMAGE_PULL_SECRET_NAME"}]}'`).Run()

Search string in resources

# use grep, but hard to see which pod it is.
kubectl get pod -A -o yaml | grep "something"

# use jq, get pod name.
kubectl get pod -A -o json | jq -r '.items[] | select(tostring | contains("something")) | .metadata.name'

Check Node Status

e.g. check ephemeral storage

$ kubectl get --raw "/api/v1/nodes/$NODE_NAME/proxy/stats/summary"

# equivalent to
$ curl http://$HOST:$PORT/api/v1/nodes/$NODE_NAME/proxy/stats/summary

# and
$ kubectl get --raw "/api/v1/nodes/$NODE_NAME/proxy/metrics/resource"
$ kubectl get --raw "/api/v1/nodes/$NODE_NAME/proxy/metrics/cadvisor"

More Examples

# get PVs of a namespace
kubectl get pv -o json | jq -r '.items[] | select(.spec.claimRef.namespace == "NAMESPACE") | .metadata.name'

# Change the reclaim policies of the persistent volumes to Retain.
kubectl patch pv/${NAME} -p "{\"spec\":{\"persistentVolumeReclaimPolicy\":\"Retain\"}}"

# remove a field
kubectl patch pv/${NAME} --type json -p '[{"op":"remove","path":"/spec/claimRef"}]';

# Get and decode secret
kubectl get secret SECRET_NAME -n NAMESPACE --template="{{index .data \"ca.crt\" | base64decode}}" > https.crt

# cert is stored in certificate-authority-data in kubeconfig
curl $(kubectl config view --minify --output 'jsonpath={..cluster.server}')
# curl: (60) SSL certificate problem: unable to get local issuer certificate

# get cert
kubectl config view --minify --raw --output 'jsonpath={..cluster.certificate-authority-data}' | base64 -d > /tmp/kubectl-cacert

curl --cacert /tmp/kubectl-cacert $(kubectl config view --minify --output 'jsonpath={..cluster.server}')
# should get 403