sheet codes development day

README.md

kubectl cheatsheet and kubernetes kb

Openshift vs. Kubernetes

• 10 most important differences between OpenShift and Kubernetes

Training

• Red Hat Training Courses and Learning Paths - Openshift Curriculum
• Red Hat Learning Subscription Enterprise Developer

Collections of Links

• Awesome-Kubernetes

Deployment

• Kubespray - Generates Ansible playbooks
• Kind - Local cluster in Docker

Distributions of k8s

• Kubernetes for workstations and appliances

Secrets

• KubeCon + CloudNativeCon North America 2018: So You Want to Run Vault in Kubernetes?.

Resources & Resource Handling

DiskPressure

• https://kubernetes.io/docs/tasks/administer-cluster/out-of-resource/
• node DiskPressure
• https://docs.openshift.com/container-platform/3.5/admin_guide/out_of_resource_handling.html
• https://kubernetes.io/docs/concepts/architecture/nodes/#info

Resource Requests & Limits

• https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-resource-requests-and-limits?hl=fa

Resources

• https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/
• Kubernetes best practices: Resource requests and limits
• Managing Compute Resources for Containers

Release Notes

• https://kubernetes.io/blog/2018/12/03/kubernetes-1-13-release-announcement/
• OpenShift Container Platform 3.10 Release Notes
• OpenShift roadmap: You won't believe what's next
• OpenShift 4.0 - Features, Functions, Future at OpenShift Commons Gathering Seattle 2018
• Openshift 4.0 product roadmap

Operators & CRDs

• Extending Kubernetes: Create Controllers for Core and Custom Resources
• https://github.com/trstringer/k8s-controller-core-resource/blob/master/main.go
• https://github.com/trstringer/k8s-controller-core-resource/blob/master/controller.go
• https://github.com/trstringer/k8s-controller-core-resource/blob/master/handler.go

Performance Tuning

• OpenShift Container Platform 3.11 Scaling and Performance Guide
• CPU limits and aggressive throttling in Kubernetes
• CFS Scheduler - Linux Kernel

Architectures

• Level Triggering and Reconciliation in Kubernetes

Example Apps

• Lobsters & lobsters-on-kubernetes
  • https://github.com/kelseyhightower?utf8=%E2%9C%93&tab=repositories&q=lobster&type=&language=
  • OpenShift roadmap: You won't believe what's next 2018

Cleanup Tools

• draino
• kubecleaner
• k8s-cleanup
• Jamadar
• Self Healing

Configuration Management

• kustomize
• Kustomize: Kubernetes Configuration Customization - K8s, Kustomize & Ship SF Meetup

Monitoring

• Monitor the World: Meaningful Metrics for Containerized Apps & Clusters - Nicholas Turner & Nic Cope
  • slides
  • videos
  • Monitoring Kubernetes (part 1)
  • goldpinger
  • Visualise Cluster Connectivity with Goldpinger; Smash it with PowerfulSeal - Mikolaj Pawlikowski
  • kube-eagle dashboard w/ Prometheus
  • pod-reaper: kills pods dead
  • Resilience4j is a fault tolerance library designed for Java8 and functional programming
  • DevOpsProdigy KubeGraf: Revised K8S monitoring in Grafana
  • How to Monitor Kubernetes API Server

Observability

• Kiali
• Kiali video
• Jaeger

Canary deployments

• Kubernetes Canary deployments 🐤 for mere mortals

Fuzzing

• Open sourcing ClusterFuzz

DNS

• On OpenShift
• Understanding CoreDNS in Kubernetes - John Belamaric, Google & Cricket Liu, Francois Tur, Infoblox

Workshops, Books & Videos

• AWS Workshop for Kubernetes
• edX - Introduction to Kubernetes
• Kubernetes Introduction
• From Containerized Applications to secure and scaling with Kubernetes
• Kubernetes in the Enterprise - Deploying and Operating Production Applications on Kubernetes in Hybrid Cloud Environments

Checks

• Environment health checks
• CUE - Configure Unify Execute Lang
• CUE Docs

CI/CD

Serverless

• jenkins-x-serverless A monorepo to build all of the Jenkins-X serverless build images for Prow
• Serverless Jenkins with Jenkins X
• JenkinsX – new Kubernetes dream? Part 1
• Kubernetes, Serverless, and You (Cloud Next '18)
• Serverless - Your own FaaS built-in to GitLab
• GitLab and TriggerMesh announce GitLab Serverless
• Using Prow for Testing Outside of K8s - Matt Landis, Amazon Web Services

Image Registries & Catalogs

• image container promotion b/w registries w/ skopeo
• Service Catalog Walkthrough

Knative

• https://kccna18.sched.com/event/Grdv/deep-dive-knative-productivity-bof-jessie-zhu-adriano-cunha-google
• Deep Dive: Knative Productivity BoF
• https://kccna18.sched.com/event/Grbz/intro-knative-productivity-bof-srinivas-v-hegde-adriano-cunha-google
• Intro Knative Productivity BOF
• State of Serverless in Kubernetes: Knative and OpenShift Cloud Functions
• Knative
• Camel K on Knative
• Kubernetes Event Source example shows how to wire kubernetes cluster events for consumption by a function that has been implemented as a Knative Service

Flux

• Flux is a tool that automatically ensures that the state of a cluster matches the config in git

Test Infrastructure

• Prow - getting started

Vault & Secrets

• TGI Kubernetes 057: Vault on Kubernetes

Service Brokers

• Ansible Service Broker

StatefulSets

• https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#limitations

Ebooks

• Kubernetes in the Enterprise

SDNs

• OpenShift SDN

Tips

• How do you cleanly list all the containers in a kubernetes pod?
  • https://stackoverflow.com/questions/33924198/how-do-you-cleanly-list-all-the-containers-in-a-kubernetes-pod
• List All Container Images Running in a Cluster
• Set of maintenance scripts & cron jobs for OpenShift Container Platform
• Five tips to move your project to Kubernetes
• Openshift Cheatsheet
• Openshift Cheatsheet

AWS EKS

• https://velotio.com/blog/2018/10/04/taking-eks-for-a-spin
• Amazon ECS Container Instance IAM Role

RBAC

• Sync Groups w/ LDAP
• Authorization
• LDAP Group Sync
• Using RBAC, Generally Available in Kubernetes v1.8
• Managing Authorization Policies
• Managing Role-based Access Control (RBAC)
• Get started with Flux
• Kubernetes Authorization
• Kubernetes Authentication means validating the identity of who or what is issuing the request

Controllers

• https://github.com/kubernetes/sample-controller

Logging

• Aggregating Container Logs
• Hints based autodiscover - Elasticsearch & Kubernetes

Images

• https://fedoramagazine.org/experimenting-docker-openshift/

Pods

• https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods

CLI Tutorials

• Developers: Basic Walkthrough Using the CLI
• Kubectl output options
• Openshift Cheatsheet
• Openshift Cheatsheet

CLI Tools

• kubectx

eBPF & Performance

• eBPF Powered Kubernetes Performance Analysis
• https://kccna18.sched.com/event/GrYw/ebpf-powered-distributed-kubernetes-performance-analysis-lorenzo-fontana-influxdata
• iovisor/gobpf
• iovisor/bpftrace
• iovisor/bpftrace/tools

Networking

• https://kccna18.sched.com/event/GrWr/troubleshooting-on-premise-kubernetes-network-underlay-overlay-and-pod-tomofumi-hayashi-red-hat
• kokotap
• Troubleshooting On-Premise Kubernetes Network: Underlay, Overlay and Pod
• https://kccnceu18.sched.com/event/Dquy)
• Blackholes & Wormholes: Understand and Troubleshoot the “Magic” of k8s Networking
• Understand and Troubleshoot the “Magic” of Kubernetes Networking - Minhan Xia & Rohit Ramkumar
• Networking with OpenShift Enterprise 3.1 by Red Hat
• Deploying a Customized HAProxy Router
• Available router plug-ins
• NetworkPolicies and Microsegmentation
• Understanding kubernetes networking: pods
• Kubernetes Port Forwarding for Local Development - kubefwd
• traefix - gitrepo
• Back to Traefik 2.0
• Network Policy Objects in Action
• Debugging network stalls on Kubernetes

KubeVirt

• KubeVirt pxe boot demo
• KubeVirt - Kubernetes, Virtualization and Your Future Data Center [I] - Itamar Heim & Fabian Deutsch
• https://kubevirt.io/

Cluster API

• The Cluster API is a Kubernetes project to bring declarative, Kubernetes-style APIs to cluster creation, configuration, and management
• openshift-install installer

Booting

• ignition
  • supported platforms
  • What is ignition?

Audit Logging

• Basic Audit Log
• Advanced Audit Log
• Auditing

Kubebuilder & Operators

• Kubebuilder quickstart book
• If I were to build an operator what should I use, operator-framework, kubebuilder or start from scratch?

Troubleshooting/Debugging Tools

• node-problem-detector

Certification

• Journey to the CKA
• Tips to crack Certified Kubernetes Administrator (CKA) Exam
• What is a CrashLoopBackOff? How to alert, debug / troubleshoot, and fix Kubernetes CrashLoopBackOff events

Storage (Trident - Netapp)

• Trident - Managing storage classes
• Trident docs
• Simplifying Trident Management with tridentctl
• Trident troubleshooting
• tridentctl

Client tools & templates

• Go client for Kuberenetes - https://github.com/kubernetes/client-go/
• Kubebuilder is a framework for building Kubernetes APIs using custom resource definitions (CRDs)
• Make a Kubernetes Operator in 15 minutes with Helm
• Golang code-generators used to implement Kubernetes-style API types

Load testing

• slow_cooker

linkerd

• linkerd2
• linkerd2
• linkerd
• linkerd examples
• adding more steps - tutorial
• Linkerd Intro – Andrew Seigner, Buoyant.io, & George Miranda (Any Skill Level)

Docker

Overlays

• How to enter a Docker container
• Some way to clean up / identify contents of /var/lib/docker/overlay

Namespaces

• Introducing Linux Network Namespaces
• how to find out namespace of a particular process?
• Linux namespaces

Logging

• Top 10 Docker logging gotchas every Docker user should know

Devicemapper

• APPENDIX A. THE DEVICE MAPPER
• A.2. THE DMSETUP COMMAND

Images

• Building Container Images Securely on Kubernetes

Security & CVE vulns

• Secure Pods - Tim Allclair, Google (Advanced Skill Level)
• Kata & gVisor Containers
• CONTAINER SECURITY IN MULTITENANT ENVIRONMENTS
• Kata Containers: Secure, Lightweight Virtual Machines for Container Environments
• How to Implement Secure Containers Using Google’s gVisor
• container native -or- native containers
• Docker and Kubernetes in high security environments
• Kata Containers
• gVisor
• Hardening OpenShift Containers to complement Incident Handling
• Container Deployment and Security Best Practices - Twistlock
• TEN LAYERS OF CONTAINER SECURITY - Redhat
• [Image Policy Configuration

• AllowedRegistriesForImport](https://docs.okd.io/latest/install_config/master_node_configuration.html#master-config-image-policy-config)

• K8Guard - An Auditing System for Kubernetes
• kubeaudit
• Falco Blog post
• Falco
• kube-bench
• Clair is an open source project for the static analysis of vulnerabilities in application containers
• Quay/Clair
• Tuf - A framework for securing software update systems theupdateframework.com
• Grafeas - Cloud artifact metadata CRUD API and resource specifications
• Notary is a project that allows anyone to have trust over arbitrary collections of data
• Kubernetes Security Best-Practices
• 10+ top open-source tools for Docker security

Redhat Virtualization

• RED HAT VIRTUALIZATION 4.3-BETA

Architecture Diagrams

• Source: https://thenewstack.io/myth-cloud-native-portability/
  • 
  • 

TLS Certificates

• Certifik8s: All You Need to Know About Certificates in Kubernetes [I] - Alexander Brand, Apprenda

Admission Controller

• Using Admission Controllers

Kube Janitor

• Clean up (delete) Kubernetes resources after a configured TTL (time to live)

Scheduler

• Kubernetes Scheduler 101
• Kubernetes Scheduler 101

OPA

• Admission Control On Kubernetes

CLI management tools

• YAML Management Tool - ytt
• kapp

kubernetes.md

kubectl cheatsheet

kubctl process flow

"You run kubectl apply on a Deployment. A few minutes later a Pod is running. Describe in as much detail as possible, the exact chain of events from kubectl apply to the running pod."

kubectl -> client-side validation -> api-server(authentication, authorization, admission control) -> etcd (add Deployment resource) -> api-server -> controller-manager (deployment controller creates hash of pod template and create a ReplicaSet with hash appended to name) -> ReplicaSet reource created -> api-server -> etcd(add ReplicaSet resource) -> api-server -> controller-manager (replicaset controller creates the same number of pods given in replica spec with a random name appended) -> api-server -> etcd(add the pods) -> api-server -> scheduler(find the best possible node for the pods) -> api-server -> Kubelet of the node set by scheduler -> CRI -> Actual Container Runtime(translate pod to actual containers) -> pause container -> CNI -> CNI plugin -> bridge -> veth -> assign IP to pod -> inter-host networking -> container starts running

1.1 Common Commands

Run curl test temporarily

kubectl run --generator=run-pod/v1 --rm mytest --image=yauritux/busybox-curl -it

Run wget test temporarily

kubectl run --generator=run-pod/v1 --rm mytest --image=busybox -it wget

Run nginx deployment with 2 replicas

kubectl run my-nginx --image=nginx --replicas=2 --port=80

Run nginx pod and expose it

kubectl run my-nginx --restart=Never --image=nginx --port=80 --expose

Run nginx deployment and expose it

kubectl run my-nginx --image=nginx --port=80 --expose

List authenticated contexts

kubectl config get-contexts, ~/.kube/config

Set namespace preference

kubectl config set-context <context_name> --namespace=<ns_name>

List pods with nodes info

kubectl get pod -o wide

List everything

kubectl get all --all-namespaces

Get all services

kubectl get service --all-namespaces

Get all deployments

kubectl get deployments --all-namespaces

Show nodes with labels

kubectl get nodes --show-labels

Get resources with json output

kubectl get pods --all-namespaces -o json

Validate yaml file with dry run

kubectl create --dry-run --validate -f pod-dummy.yaml

Start a temporary pod for testing

kubectl run --rm -i -t --image=alpine test-$RANDOM -- sh

kubectl run shell command

kubectl exec -it mytest -- ls -l /etc/hosts

Get system conf via configmap

kubectl -n kube-system get cm kubeadm-config -o yaml

Get deployment yaml

kubectl -n denny-websites get deployment mysql -o yaml

Explain resource

kubectl explain pods, kubectl explain svc

Watch pods

kubectl get pods -n wordpress --watch

Query healthcheck endpoint

curl -L http://127.0.0.1:10250/healthz

Open a bash terminal in a pod

kubectl exec -it storage sh

Check pod environment variables

kubectl exec redis-master-ft9ex env

Enable kubectl shell autocompletion

echo "source <(kubectl completion bash)" >>~/.bashrc, and reload

Use minikube dockerd in your laptop

eval $(minikube docker-env), No need to push docker hub any more

Kubectl apply a folder of yaml files

kubectl apply -R -f .

Get services sorted by name

kubectl get services -sort-by=.metadata.name

Get pods sorted by restart count

kubectl get pods -sort-by='.status.containerStatuses\[0\].restartCount'

List pods and images

kubectl get pods -o='custom-columns=PODS:.metadata.name,Images:.spec.containers\[\*\].image'

List all container images

list-all-images.sh

kubeconfig skip tls verification

skip-tls-verify.md

Ubuntu install kubectl

"deb https://apt.kubernetes.io/ kubernetes-xenial main"

Reference

GitHub: kubernetes releases

Reference

minikube cheatsheet, docker cheatsheet, OpenShift CheatSheet

1.2 Check Performance

Get node resource usage

kubectl top node

Get pod resource usage

kubectl top pod

Get resource usage for a given pod

kubectl top <podname> --containers

List resource utilization for all containers

kubectl top pod --all-namespaces --containers=true

1.3 Resources Deletion

Delete pod

kubectl delete pod/<pod-name> -n <my-namespace>

Delete pod by force

kubectl delete pod/<pod-name> --grace-period=0 --force

Delete pods by labels

kubectl delete pod -l env=test

Delete deployments by labels

kubectl delete deployment -l app=wordpress

Delete all resources filtered by labels

kubectl delete pods,services -l name=myLabel

Delete resources under a namespace

kubectl -n my-ns delete po,svc --all

Delete persist volumes by labels

kubectl delete pvc -l app=wordpress

Delete state fulset only (not pods)

kubectl delete sts/<stateful_set_name> --cascade=false

1.4 Log & Conf Files

Config folder

/etc/kubernetes/

Certificate files

/etc/kubernetes/pki/

Credentials to API server

/etc/kubernetes/kubelet.conf

Superuser credentials

/etc/kubernetes/admin.conf

kubectl config file

~/.kube/config

Kubernets working dir

/var/lib/kubelet/

Docker working dir

/var/lib/docker/, /var/log/containers/

Etcd working dir

/var/lib/etcd/

Network cni

/etc/cni/net.d/

Log files

/var/log/pods/

log in worker node

/var/log/kubelet.log, /var/log/kube-proxy.log

log in master node

kube-apiserver.log, kube-scheduler.log, kube-controller-manager.log

Env

/etc/systemd/system/kubelet.service.d/10-kubeadm.conf

Env

export KUBECONFIG=/etc/kubernetes/admin.conf

1.5 Pod

List all pods

kubectl get pods

List pods for all namespace

kubectl get pods -all-namespaces

List all critical pods

kubectl get -n kube-system pods -a

List pods with more info

kubectl get pod -o wide, kubectl get pod/<pod-name> -o yaml

Get pod info

kubectl describe pod/srv-mysql-server

List all pods with labels

kubectl get pods --show-labels

List all unhealthy pods

kubectl get pods -field-selector=status.phase!=Running -all-namespaces

List running pods

kubectl get pods -field-selector=status.phase=Running

Get Pod initContainer status

kubectl get pod --template '{{.status.initContainerStatuses}}' <pod-name>

kubectl run command

kubectl exec -it -n "$ns" "$podname" - sh -c "echo $msg >>/dev/err.log"

Watch pods

kubectl get pods -n wordpress --watch

Get pod by selector

kubectl get pods -selector="app=syslog" -o jsonpath='{.items\[\*\].metadata.name}'

List pods and images

kubectl get pods -o='custom-columns=PODS:.metadata.name,Images:.spec.containers\[\*\].image'

List pods and containers

kubectl get pods -o='custom-columns=PODS:.metadata.name,CONTAINERS:.spec.containers\[\*\].name'

Reference

Link: kubernetes yaml templates

1.6 Label & Annontation

Filter pods by label

kubectl get pods -l owner=denny

Manually add label to a pod

kubectl label pods dummy-input owner=denny

Remove label

kubectl label pods dummy-input owner-

Manually add annonation to a pod

kubectl annotate pods dummy-input my-url=https://dennyzhang.com

1.7 Deployment & Scale

Scale out

kubectl scale --replicas=3 deployment/nginx-app

online rolling upgrade

kubectl rollout app-v1 app-v2 --image=img:v2

Roll backup

kubectl rollout app-v1 app-v2 --rollback

List rollout

kubectl get rs

Check update status

kubectl rollout status deployment/nginx-app

Check update history

kubectl rollout history deployment/nginx-app

Pause/Resume

kubectl rollout pause deployment/nginx-deployment, resume

Rollback to previous version

kubectl rollout undo deployment/nginx-deployment

Reference

Link: kubernetes yaml templates, Link: Pausing and Resuming a Deployment

1.8 Quota & Limits & Resource

List Resource Quota

kubectl get resourcequota

List Limit Range

kubectl get limitrange

Customize resource definition

kubectl set resources deployment nginx -c=nginx --limits=cpu=200m

Customize resource definition

kubectl set resources deployment nginx -c=nginx --limits=memory=512Mi

Reference

Link: kubernetes yaml templates

1.9 Service

List all services

kubectl get services

List service endpoints

kubectl get endpoints

Get service detail

kubectl get service nginx-service -o yaml

Get service cluster ip

kubectl get service nginx-service -o go-template='{{.spec.clusterIP}}'

Get service cluster port

kubectl get service nginx-service -o go-template='{{(index .spec.ports 0).port}}'

Expose deployment as lb service

kubectl expose deployment/my-app --type=LoadBalancer --name=my-service

Expose service as lb service

kubectl expose service/wordpress-1-svc --type=LoadBalancer --name=ns1

Reference

Link: kubernetes yaml templates

1.10 Secrets

List secrets

kubectl get secrets --all-namespaces

Generate secret

echo -n 'mypasswd', then redirect to base64 --decode

Get secret

kubectl get secret denny-cluster-kubeconfig

Get a specific field of a secret

kubectl get secret denny-cluster-kubeconfig -o jsonpath="{.data.value}"

Create secret from cfg file

kubectl create secret generic db-user-pass -from-file=./username.txt

Reference

Link: kubernetes yaml templates, Link: Secrets

1.11 StatefulSet

List statefulset

kubectl get sts

Delete statefulset only (not pods)

kubectl delete sts/<stateful_set_name> --cascade=false

Scale statefulset

kubectl scale sts/<stateful_set_name> --replicas=5

Reference

Link: kubernetes yaml templates

1.12 Volumes & Volume Claims

List storage class

kubectl get storageclass

Check the mounted volumes

kubectl exec storage ls /data

Check persist volume

kubectl describe pv/pv0001

Copy local file to pod

kubectl cp /tmp/my <some-namespace>/<some-pod>:/tmp/server

Copy pod file to local

kubectl cp <some-namespace>/<some-pod>:/tmp/server /tmp/my

Reference

Link: kubernetes yaml templates

1.13 Events & Metrics

Name

Command

View all events

kubectl get events --all-namespaces

List Events sorted by timestamp

kubectl get events -sort-by=.metadata.creationTimestamp

1.14 Node Maintenance

Mark node as unschedulable

kubectl cordon $NDOE_NAME

Mark node as schedulable

kubectl uncordon $NDOE_NAME

Drain node in preparation for maintenance

kubectl drain $NODE_NAME

1.15 Namespace & Security

List authenticated contexts

kubectl config get-contexts, ~/.kube/config

Set namespace preference

kubectl config set-context <context_name> --namespace=<ns_name>

Switch context

kubectl config use-context <cluster-name>

Load context from config file

kubectl get cs --kubeconfig kube_config.yml

Delete the specified context

kubectl config delete-context <cluster-name>

List all namespaces defined

kubectl get namespaces

List certificates

kubectl get csr

Check user privilege

kubectl –as=system:serviceaccount:ns-denny:test-privileged-sa -n ns-denny auth can-i use pods/list

Check user privilege

kubectl auth can-i use pods/list

Reference

Link: kubernetes yaml templates

1.16 Network

Temporarily add a port-forwarding

kubectl port-forward redis-134 6379:6379

Add port-forwaring for deployment

kubectl port-forward deployment/redis-master 6379:6379

Add port-forwaring for replicaset

kubectl port-forward rs/redis-master 6379:6379

Add port-forwaring for service

kubectl port-forward svc/redis-master 6379:6379

Get network policy

kubectl get NetworkPolicy

1.17 Patch

Name

Summary

Patch service to loadbalancer

kubectl patch svc $svc_name -p '{"spec": {"type": "LoadBalancer"}}'

1.18 Extenstions

Enumerates the resource types available

kubectl api-resources

List api group

kubectl api-versions

List all CRD

kubectl get crd

List storageclass

kubectl get storageclass

1.19 Components & Services

1.19.1 Services on Master Nodes

kube-apiserver

exposes the Kubernetes API from master nodes

etcd

reliable data store for all k8s cluster data

kube-scheduler

schedule pods to run on selected nodes

kube-controller-manager

node controller, replication controller, endpoints controller, and service account & token controllers

1.19.3 Addons: pods and services that implement cluster features

Name

Summary

DNS

serves DNS records for Kubernetes services

Web UI

a general purpose, web-based UI for Kubernetes clusters

Container Resource Monitoring

collect, store and serve container metrics

Cluster-level Logging

save container logs to a central log store with search/browsing interface

1.19.4 Tools

Name

Summary

kubectl

the command line util to talk to k8s cluster

kubeadm

the command to bootstrap the cluster

kubefed

the command line to control a Kubernetes Cluster Federation

Kubernetes Components

Link: Kubernetes Components