@asaphe
Last active June 20, 2023 13:05
Kubernetes Commands - Kubectl

Kubectl

Imperative == refers to CLI commands

Declarative == using YAML files

--export
--save-config
--record

kubectl replace

With the apply command the configuration will be saved in an annotation (kubectl.kubernetes.io/last-applied-configuration) and used during three way merges of changes. Kubernetes will check the state of the live object, the configuration stored in the annotation and the manifest being provided. It will then perform some advanced patching to modify only the fields that need to be modified.

Annotations == attach arbitrary non-identifying metadata to objects. Clients such as tools and libraries can retrieve this metadata. (Not actionable)

Labels and Selectors == Labels are key/value pairs that are attached to objects, such as pods. Labels are intended to be used to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. Labels can be used to organize and to select subsets of objects. Labels can be attached to objects at creation time and subsequently added and modified at any time. Each object can have a set of key/value labels defined. Each Key must be unique for a given object.

LABEL MAGIC

K8S Cheatsheet

Access Cluster API

Configuration Best Practices

ENV Variables

The KUBECONFIG environment variable is a list of paths to configuration files. The list is colon-delimited for Linux and Mac.

  • Export kubeconfig pointing to multiple files (append to existing) export KUBECONFIG=$KUBECONFIG:config-demo:config-demo-2

  • Export Kubeconfig pointing to a single-file export KUBECONFIG='/path/to/kubeconfig'

  • Export the current config to another var to restore later export KUBECONFIG_SAVED=$KUBECONFIG

Config

  • View configuration kubectl config --kubeconfig ~/.kube/config view

  • View configuration for the current-context (Must set the current-context to use) kubectl config --kubeconfig ~/.kube/config view --minify

  • Set context

kubectl config --kubeconfig ~/.kube/config use-context demo-cluster-1
kubectl config --kubeconfig ~/.kube/config use-context demo-cluster-2

Config - Bypass kubectl proxy

  • Check all possible clusters, as your KUBECONFIG may have multiple contexts: kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'

  • Select name of cluster you want to interact with from above output: export CLUSTER_NAME="some_server_name"

  • Point to the API server referring to the cluster name APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")

  • Gets the token value TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 -d)

  • Explore the API with TOKEN curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure

  • JSON Path approach

APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
TOKEN=$(kubectl get secret $(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode )
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure

Cluster

  • Display addresses of the master and services with label kubernetes.io/cluster-service=true kubectl cluster-info

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

  • Show cluster components and their status (etcd, scheduler, controller-manager) kubectl get componentstatuses

  • Export the cluster config file location -- '~/.kube/config' kubectl config view --flatten > config

Proxy/Port-Forward

  • Run kubectl in a mode where it acts as a reverse proxy. It handles locating the API server and authenticating.

kubectl proxy --port=8080 &

Use curl http://localhost:8080/api/

  • Access an internal service using kubectl port-forward (in this case it allows curl localhost:9200 for ES API) kubectl port-forward --namespace elasticsearch svc/elasticsearch-master 9200:9200 &

  • Access an internal service when the K8S port is unset kubectl port-forward -n elasticsearch svc/cerebro 9000: &

Use kubectl port-forward -h for examples and other use cases

Users

  • View all users & password kubectl config view -o template --template='{{range .users}} {{ index .user.username }} {{ index .user.password }}{{end}}'

  • View passwords for all users (separated by a space) kubectl config view -o template --template='{{range .users}}{{ index .user.password }}{{end}}'

Nodes

  • Get nodes and their labels kubectl get nodes --show-labels

  • Check Node usage kubectl top nodes

  • List all nodes EXCLUDE nodes with node-role.kubernetes.io/master kubectl get node --selector='!node-role.kubernetes.io/master'

  • List all node names without headers kubectl get node --no-headers -o custom-columns=NAME:.metadata.name

  • List nodes by Age kubectl get node --sort-by .metadata.creationTimestamp

To figure out the correct JSON Path, use kubectl <command> -o json

  • Get all nodes and return the specified fields (Name, ExtId, Unschedulable - True if can't deploy to node)

kubectl get no -o json | jq -r '[.items[] | {name:.metadata.name, id:.spec.externalID, unschedulable:.spec.unschedulable}]'

  • Show Node utilization based on requests and limits (probably can do it better) kubectl describe node | grep -A5 "Allocated"

Pods

  • Get Containers in a Pod (Return pod-name, container-image and container-name for each container) kubectl get pods -n prometheus --selector=app=prometheus -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{"\t"}{.name}{end}{end}'

  • Get containers by Pod-Label (Return the container Image) kubectl get pods --all-namespaces -o=jsonpath="{..image}" -l app=prometheus

  • Pod count per node kubectl get po --all-namespaces -o json | jq '.items | group_by(.spec.nodeName) | map({"nodeName": .[0].spec.nodeName, "count": length}) | sort_by(.count)'

  • Get Running pods only kubectl get pods --all-namespaces --field-selector=status.phase=Running

  • Get !Running pods kubectl get pods --all-namespaces --field-selector='status.phase!=Running'

  • Get all pods in All-namespaces, return mem and cpu (FOR EACH POD!)

kubectl get po -n elasticsearch --selector=service=elasticsearch-data -o=jsonpath="{range .items[*]}{.metadata.namespace}:{.metadata.name}{'\n'}{range .spec.containers[*]} {.resources.requests.cpu}{'\t'}{end}{'\n'}{end}"

  • Describe a POD and list its IP kubectl describe pod 'kube-dns-2948363707' -n kube-system | grep IP | sed -E 's/IP:[[:space:]]+//'

  • Get the external IPs of the nodes kubectl get nodes --all-namespaces -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'

  • Show the images and their versions for each pod

kubectl get pods --all-namespaces -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}"
kubectl get pods -n default --field-selector=status.phase=Running --selector=app=my-service -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c

  • Delete terminated/evicted pods kubectl get po --selector=app=devops-logstash-service --field-selector=status.phase=Failed --no-headers -n elasticsearch | awk '{ print $1 }' | xargs -I {} kubectl delete po -n elasticsearch {}

Deployments

  • Get deployments, output as JSON, format output with JQ kubectl get deployment --namespace=kube-system -o=json | jq '.items[].metadata.labels'

  • Get K8S Deployments matching the selector (look for key k8s-app with value heapster)

kubectl get deployment --all-namespaces --selector=k8s-app=heapster
kubectl get svc --namespace=kube-system --selector=name=tiller

  • Scale a deployment

kubectl scale -n kube-system --replicas=0 'deployments/kube-dns'
kubectl scale -n kube-system --replicas=2 'deployments/kube-dns'

  • Export the YAML file of a deployment (for reuse, modification, etc.) kubectl get deployments ghost --export -n ghost -o yaml > ghost.yaml

Replicasets

  • Get all replicasets sorted by the number of replicas kubectl get rs -n elasticsearch --sort-by='.spec.replicas'

  • Get all replicasets where replicas==0 in a specific namespace kubectl get rs -n elasticsearch -o json | jq -r '.items[] |select(.status.replicas==0) | .metadata.name'

  • Delete all replicasets that equal 0 in a specific namespace kubectl get rs -n elasticsearch -o json | jq -r '.items[] |select(.status.replicas==0) | .metadata.name' | xargs -I {} kubectl delete rs {}

Services

  • Get the self-link for a service using JSONPATH to format the output kubectl get svc heapster --namespace=kube-system -o=jsonpath={.metadata.selfLink}

  • Get 'service' external LB address kubectl get svc --namespace=kube-system -o=json | jq -r '.items[] | .status.loadBalancer.ingress[0]'

  • List all services in cluster and their nodePorts: kubectl get --all-namespaces svc -o json | jq -r '.items[] | [.metadata.name,([.spec.ports[].nodePort | tostring ] | join("|"))] | @csv'

  • Get Token for a service account & then get the secret

DEFAULT_TOKEN=$(kubectl --namespace=kube-system get serviceaccount default -o jsonpath="{.secrets[0].name}")
TOKEN_VALUE=$(kubectl --namespace=kube-system get secret "$DEFAULT_TOKEN" -o go-template="{{.data.token}}" | base64 -d)

# Use it in a curl request to the api-server

curl -k -H "Authorization: Bearer $TOKEN_VALUE" https://10.0.1.212:6443/version
curl -k -H "Authorization: Bearer $TOKEN_VALUE" https://localhost:6443/version
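
The curl calls here and under "Config - Bypass kubectl proxy" use -k / --insecure, which turns off verification of the API server's certificate. The following added example (not part of the original gist) makes the same request while verifying the server against the cluster CA from the kubeconfig. It assumes kubectl 1.24 or newer for `kubectl create token` and a kubeconfig that embeds the CA as certificate-authority-data; the helper names write_ca_file and api_get are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist. Helper names are hypothetical.
# Assumes kubectl >= 1.24 and a kubeconfig with embedded certificate-authority-data.

# Decode the kubeconfig's base64 CA bundle into a private temp file and print its path.
write_ca_file() {
  local ca_b64 ca_file
  ca_b64="$1"
  if [ -z "$ca_b64" ]; then
    echo "kubeconfig has no certificate-authority-data" >&2
    return 1
  fi
  ca_file=$(mktemp) || return 1   # mktemp creates the file with mode 0600
  if ! printf '%s' "$ca_b64" | base64 -d > "$ca_file" 2>/dev/null ||
     ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file"; then
    rm -f "$ca_file"
    echo "certificate-authority-data is not a PEM certificate" >&2
    return 1
  fi
  printf '%s\n' "$ca_file"
}

# GET a path (e.g. /api or /version) from the current context's API server.
api_get() {
  local server ca_b64 ca_file token rc
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') || return 1
  # --raw is required, otherwise kubectl prints DATA+OMITTED instead of the CA
  ca_b64=$(kubectl config view --minify --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}') || return 1
  ca_file=$(write_ca_file "$ca_b64") || return 1
  # Short-lived token for the default service account instead of a stored secret
  token=$(kubectl create token default --duration=10m) || { rm -f "$ca_file"; return 1; }
  # The header is passed through a curl config on stdin, so the token never
  # appears in the process list; --cacert replaces --insecure / -k.
  printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl --silent --show-error --fail --cacert "$ca_file" -K - "$server$1"
  rc=$?
  rm -f "$ca_file"
  return "$rc"
}

# Run as: ./api_get.sh /version
if [ "$#" -gt 0 ]; then
  api_get "$1"
fi
```

If curl fails with a certificate error here, the kubeconfig's CA does not match what the server presents, which is exactly the condition --insecure would have hidden.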

Ingress

  • List all ingresses hosts and paths: kubectl get --all-namespaces ing -o='custom-columns=NAME:.metadata.name,HOSTS:.spec.rules[*].host,PATHS:.spec.rules[*].http.paths[*].path'

Persistent Volumes

  • List persistent volume claims in the elasticsearch namespace and for each print name & capacity kubectl get persistentvolumeclaims -n elasticsearch -o=jsonpath="{range .items[*]}{..name}{'\t'}{..capacity}{'\n'}{end}"