JSON Path

Get restart count from container name

$.status.containerStatuses[?(@.name == 'xxx-container')].restartCount

Print node addresses

$.items[*].status.addresses[?(@.type=="InternalIP")].address

Get name of all resources

$[*].metadata.name

Events

List latest events ordered by time

kubectl get events -A --sort-by=.metadata.creationTimestamp

Resources

List all namespaced API resources by name

kubectl api-resources --namespaced -o name

Pods

Create pod on specific node

spec:
  nodeName: my-node

Create pod on specific tainted node

spec:
  tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master

List pods with labels

Command:

kubectl get pods -L app,run

Note: This prevent using -o yaml or describe to just read a well-known label.

Create a pods with requests

kubectl run my-pod \
    --image=nginx:alpine \
    --requests "cpu=10m,memory=10Mi" \
    -o yaml \
    --dry-run=client > my-pod.yaml

Services

Expose to pod to NodePort on 80

kubectl expose pod my-pod \
  --name my-pod-service \
  --type=NodePort \
  --port 80

Certificates

Check certificate validity using `openssl`

Command:

openssl x509 \
    -noout \
    -text \
    -in /etc/kubernetes/pki/XXX.crt | grep Validity -A2

Output:

Validity
    Not Before: Xxx xx xx:xx:xx xxxx GMT
    Not After : Xxx xx xx:xx:xx xxxx GMT

Check certificate validity using `kubeadm`

Command:

kubeadm certs check-expiration

Output:

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Xxx xx, xxxx xx:xx UTC   xxxd                                    no      
apiserver                  Xxx xx, xxxx xx:xx UTC   xxxd            ca                      no      
apiserver-etcd-client      Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
apiserver-kubelet-client   Xxx xx, xxxx xx:xx UTC   xxxd            ca                      no      
controller-manager.conf    Xxx xx, xxxx xx:xx UTC   xxxd                                    no      
etcd-healthcheck-client    Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
etcd-peer                  Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
etcd-server                Xxx xx, xxxx xx:xx UTC   xxxd            etcd-ca                 no      
front-proxy-client         Xxx xx, xxxx xx:xx UTC   xxxd            front-proxy-ca          no      
scheduler.conf             Xxx xx, xxxx xx:xx UTC   xxxd                                    no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Xxx xx, xxxx xx:xx UTC   xy              no      
etcd-ca                 Xxx xx, xxxx xx:xx UTC   xy              no      
front-proxy-ca          Xxx xx, xxxx xx:xx UTC   xy              no

Renew api server certificate using `kubeadm`

Command:

kubeadm certs renew apiserver

Get `kubelet` client issuer

openssl x509  -noout -text -in /var/lib/kubelet/pki/kubelet-client-current.pem | grep Issuer

Get `kubelet` issuer

openssl x509  -noout -text -in /var/lib/kubelet/pki/kubelet.cert | grep Issuer

`kubelet`

Systemd configuration

/etc/systemd/system/kubelet.service.d/10-kubeadm.conf

`etcd`

Backing-up

Get arguments:

cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep etcd

Output:

- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379

Command:

ETCDCTL_API=3 etcdctl snapshot save /tmp/etcd-backup.db \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
--cert /etc/kubernetes/pki/etcd/server.crt \
--key /etc/kubernetes/pki/etcd/server.key

Restore

Command:

ETCDCTL_API=3 etcdctl snapshot restore /tmp/etcd-backup.db \
--data-dir /var/lib/etcd-backup

Change volume in static etcd pod:

vim /etc/kubernetes/manifests/etcd.yaml

  volumes:
  - hostPath:
      path: /var/lib/etcd-backup
      type: DirectoryOrCreate
    name: etcd-data

JulienBreux/CKA.md

JSON Path

Get restart count from container name

Print node addresses

Get name of all resources

Events

List latest events ordered by time

Resources

List all namespaced API resources by name

Pods

Create pod on specific node

Create pod on specific tainted node

List pods with labels

Create a pods with requests

Services

Expose to pod to NodePort on 80

Certificates

Check certificate validity using openssl

Check certificate validity using kubeadm

Renew api server certificate using kubeadm

Get kubelet client issuer

Get kubelet issuer

kubelet

Systemd configuration

etcd

Backing-up

Restore

Check certificate validity using `openssl`

Check certificate validity using `kubeadm`

Renew api server certificate using `kubeadm`

Get `kubelet` client issuer

Get `kubelet` issuer

`kubelet`

`etcd`