Imperative == refers to CLI commands
Declarative == using YAML files
--export
--save-config
--record
kubectl replace
With the apply command the configuration will be saved in an annotation (kubectl.kubernetes.io/last-applied-configuration) and used during three-way merges of changes. Kubernetes will check the state of the live object, the configuration stored in the annotation and the manifest being provided. It will then perform some advanced patching to modify only the fields that need to be modified.
Annotations == attach arbitrary non-identifying metadata to objects. Clients such as tools and libraries can retrieve this metadata. (Not actionable)
Labels and Selectors == Labels are key/value pairs that are attached to objects, such as pods. Labels are intended to be used to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. Labels can be used to organize and to select subsets of objects. Labels can be attached to objects at creation time and subsequently added and modified at any time. Each object can have a set of key/value labels defined. Each Key must be unique for a given object.
The KUBECONFIG environment variable is a list of paths to configuration files. The list is colon-delimited for Linux and Mac.
-
Export kubeconfig pointing to multiple files (append to existing)
export KUBECONFIG=$KUBECONFIG:config-demo:config-demo-2
-
Export Kubeconfig pointing to a single-file
export KUBECONFIG='/path/to/kubeconfig'
-
Export the current config to another var to restore later
export KUBECONFIG_SAVED=$KUBECONFIG
-
View configuration
kubectl config --kubeconfig ~/.kube/config view
-
View configuration for the current-context (Must set the current-context to use)
kubectl config --kubeconfig ~/.kube/config view --minify
-
Set context
kubectl config --kubeconfig ~/.kube/config use-context demo-cluster-1
kubectl config --kubeconfig ~/.kube/config use-context demo-cluster-2
-
Check all possible clusters configured
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
-
Check all possible clusters, as your KUBECONFIG may have multiple contexts:
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
-
Select name of cluster you want to interact with from above output:
export CLUSTER_NAME="some_server_name"
-
Point to the API server referring to the cluster name
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
-
Gets the token value
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 -d)
-
Explore the API with TOKEN
curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
-
JSON Path approach
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
TOKEN=$(kubectl get secret $(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode )
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
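The same request with the API server certificate verified instead of --insecure, as an added example that is not part of the original notes. It assumes the kubeconfig embeds the cluster CA as certificate-authority-data and that TOKEN is set as in the steps above; the function name api_get is hypothetical.

```shell
#!/bin/sh
# Added example: call the API server with TLS verification.
# Assumes TOKEN is already set and the current context embeds its CA
# (certificate-authority-data) in the kubeconfig.
api_get() {
    path=${1:-/api}
    [ -n "${TOKEN:-}" ] || { echo "TOKEN is not set" >&2; return 2; }
    ca_file=$(mktemp) || return 1
    # --raw is required: without it kubectl prints DATA+OMITTED for this field.
    kubectl config view --raw --minify \
        -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
        | base64 -d > "$ca_file" 2>/dev/null
    if [ ! -s "$ca_file" ]; then
        echo "no embedded CA found; not falling back to --insecure" >&2
        rm -f "$ca_file"
        return 1
    fi
    server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    # The header is fed to curl as a config on stdin so the token does not
    # appear in the process list the way a --header argument does.
    rc=0
    printf 'header = "Authorization: Bearer %s"\n' "$TOKEN" |
        curl --silent --show-error --fail --cacert "$ca_file" --config - "$server$path" ||
        rc=$?
    rm -f "$ca_file"
    return "$rc"
}
```

Call it as api_get /version once TOKEN is exported.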
- Display addresses of the master and services with label kubernetes.io/cluster-service=true
kubectl cluster-info
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
-
Show cluster components and their status (etcd, scheduler, controller-manager)
kubectl get componentstatuses
-
Export the current kubeconfig (default location '~/.kube/config') as a single flattened file
kubectl config view --flatten > config
- Runs kubectl in a mode where it acts as a reverse proxy. It handles locating the API server and authenticating.
kubectl proxy --port=8080 &
Then query the API through the proxy:
curl http://localhost:8080/api/
-
Access an internal service using kubectl port-forward (in this case it allows curl localhost:9200 for the ES API)
kubectl port-forward --namespace elasticsearch svc/elasticsearch-master 9200:9200 &
-
Access an internal service when the K8S port is unset
kubectl port-forward -n elasticsearch svc/cerebro 9000: &
Use kubectl port-forward -h for examples and other use cases.
-
View all users & passwords
kubectl config view -o template --template='{{range .users}} {{ index .user.username }} {{ index .user.password }}{{end}}'
-
View passwords for all users (separated by a space)
kubectl config view -o template --template='{{range .users}}{{ index .user.password }}{{end}}'
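A hygiene check for the files listed in KUBECONFIG, as an added example that is not part of the original notes: it walks the colon-delimited list and flags files that are accessible to group/other or that hold static credentials such as the passwords printed above. The function name audit_kubeconfig and the set of credential keys checked are choices made for this example.

```shell
#!/bin/sh
# Added example: audit every file named in the colon-delimited KUBECONFIG list.
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_kubeconfig() {
    list=${1:-${KUBECONFIG:-$HOME/.kube/config}}
    findings=0
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting on ':'
    for f in $list; do
        [ -n "$f" ] || continue  # empty entry, e.g. "$KUBECONFIG:file" with KUBECONFIG unset
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            findings=$((findings + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -Lld "$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "PERMS    $f (group/other bits: $perms, expected 0600)"
            findings=$((findings + 1))
        fi
        # Static credentials stored in the file itself.
        for key in password token client-key-data; do
            if grep -Eq "^[[:space:]]*$key:[[:space:]]*[^[:space:]]" "$f"; then
                echo "SECRET   $f contains '$key'"
                findings=$((findings + 1))
            fi
        done
    done
    set +f
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}
```

Run it with no argument to audit the current KUBECONFIG, or pass a colon-delimited list explicitly.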
-
Get nodes and their labels
kubectl get nodes --show-labels
-
Check Node usage
kubectl top nodes
-
List all nodes, EXCLUDING nodes with the label node-role.kubernetes.io/master
kubectl get node --selector='!node-role.kubernetes.io/master'
-
List all node names without headers
kubectl get node --no-headers -o custom-columns=NAME:.metadata.name
-
List nodes by Age
kubectl get node --sort-by .metadata.creationTimestamp
To figure out the correct JSON Path, use kubectl <command> -o json
- Get all nodes and return the specified fields (Name, ExtId, Unschedulable - True if can't deploy to node)
kubectl get no -o json | jq -r '[.items[] | {name:.metadata.name, id:.spec.externalID, unschedulable:.spec.unschedulable}]'
- Show Node utilization based on requests and limits (probably can do it better)
kubectl describe node | grep -A5 "Allocated"
-
Get Containers in a Pod (Return pod-name, container-image and container-name for each container)
kubectl get pods -n prometheus --selector=app=prometheus -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{"\t"}{.name}{end}{end}'
-
Get containers by Pod-Label (Return the container Image)
kubectl get pods --all-namespaces -o=jsonpath="{..image}" -l app=prometheus
-
Pod count per node
kubectl get po --all-namespaces -o json | jq '.items | group_by(.spec.nodeName) | map({"nodeName": .[0].spec.nodeName, "count": length}) | sort_by(.count)'
-
Get Running pods only
kubectl get pods --all-namespaces --field-selector=status.phase=Running
-
Get !Running pods
kubectl get pods --all-namespaces --field-selector='status.phase!=Running'
-
Get the pods matching a selector in a namespace and return the CPU request of each container (FOR EACH POD!)
kubectl get po -n elasticsearch --selector=service=elasticsearch-data -o=jsonpath="{range .items[*]}{.metadata.namespace}:{.metadata.name}{'\n'}{range .spec.containers[*]} {.resources.requests.cpu}{'\t'}{end}{'\n'}{end}"
-
Describe a POD and list its IP
kubectl describe pod 'kube-dns-2948363707' -n kube-system | grep IP | sed -E 's/IP:[[:space:]]+//'
-
Get the external IPs of nodes
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
-
Show the images and their versions for each pod
kubectl get pods --all-namespaces -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}"
kubectl get pods -n default --field-selector=status.phase=Running --selector=app=my-service -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c
-
Delete terminated/evicted pods
kubectl get po --selector=app=devops-logstash-service --field-selector=status.phase=Failed --no-headers -n elasticsearch | awk '{ print $1 }' | xargs -I {} kubectl delete po -n elasticsearch {}
-
Get deployments, output as JSON, format output with JQ
kubectl get deployment --namespace=kube-system -o=json | jq '.items[].metadata.labels'
-
Get K8S Deployments matching the selector (look for key k8s-app with value heapster)
kubectl get deployment --all-namespaces --selector=k8s-app=heapster
kubectl get svc --namespace=kube-system --selector=name=tiller
-
Scale a deployment
kubectl scale -n kube-system --replicas=0 'deployments/kube-dns'
kubectl scale -n kube-system --replicas=2 'deployments/kube-dns'
-
Export the YAML file of a deployment (for reuse, modification, etc.)
kubectl get deployments ghost --export -n ghost -o yaml > ghost.yaml
-
Get all replicasets sorted by the number of replicas
kubectl get rs -n elasticsearch --sort-by='.spec.replicas'
-
Get all replicasets where replicas==0 in a specific namespace
kubectl get rs -n elasticsearch -o json | jq -r '.items[] |select(.status.replicas==0) | .metadata.name'
-
Delete all replicasets with 0 replicas in a specific namespace
kubectl get rs -n elasticsearch -o json | jq -r '.items[] |select(.status.replicas==0) | .metadata.name' | xargs -I {} kubectl delete rs -n elasticsearch {}
-
Get the self-link for a service using JSONPATH to format the output
kubectl get svc heapster --namespace=kube-system -o=jsonpath={.metadata.selfLink}
-
Get 'service' external LB address
kubectl get svc --namespace=kube-system -o=json | jq -r '.items[] | .status.loadBalancer.ingress[0]'
-
List all services in cluster and their nodePorts:
kubectl get --all-namespaces svc -o json | jq -r '.items[] | [.metadata.name,([.spec.ports[].nodePort | tostring ] | join("|"))] | @csv'
-
Get Token for a service account & then get the secret
DEFAULT_TOKEN=$(kubectl --namespace=kube-system get serviceaccount default -o jsonpath="{.secrets[0].name}")
TOKEN_VALUE=$(kubectl --namespace=kube-system get secret "$DEFAULT_TOKEN" -o go-template="{{.data.token}}" | base64 -d)
# Use it in a curl request to the api-server
curl -k -H "Authorization: Bearer $TOKEN_VALUE" https://10.0.1.212:6443/version
curl -k -H "Authorization: Bearer $TOKEN_VALUE" https://localhost:6443/version
- List all ingresses hosts and paths:
kubectl get --all-namespaces ing -o='custom-columns=NAME:.metadata.name,HOSTS:.spec.rules[*].host,PATHS:.spec.rules[*].http.paths[*].path'
- List persistent volume claims in the elasticsearch namespace and for each print name & capacity
kubectl get persistentvolumeclaims -n elasticsearch -o=jsonpath="{range .items[*]}{..name}{'\t'}{..capacity}{'\n'}{end}"