@lentzi90
Last active December 23, 2021 07:08
Tips and tricks with kubectl

Kubectl tips and tricks

Auth

Can the service account test-sa in namespace test create pods in the namespace test?

kubectl auth can-i create pods --namespace test --as system:serviceaccount:test:test-sa

What can the service account test-sa in namespace test do in namespace test?

kubectl auth can-i -n test --as system:serviceaccount:test:test-sa --list

Can test-sa use the privileged pod security policy in namespace test?

kubectl auth can-i use podsecuritypolicies.policy/privileged -n test --as system:serviceaccount:test:test-sa
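
The checks above, run as one audit loop over a list of sensitive permissions (an added example, not part of the original gist). The function name audit_sa, the KUBECTL override variable and the list of verb/resource pairs are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example: flag risky permissions of a service account using the
# `kubectl auth can-i ... --as` check from this section.
# KUBECTL can be overridden (assumption), e.g. to point at a wrapper.
KUBECTL="${KUBECTL:-kubectl}"

# verb|resource pairs that usually deserve a second look.
# Illustrative list (assumption); extend it to fit your cluster.
RISKY_CHECKS='create|pods
get|secrets
list|secrets
create|rolebindings
impersonate|serviceaccounts
use|podsecuritypolicies.policy/privileged
*|*'

# audit_sa NAMESPACE SERVICEACCOUNT
# Prints one "ALLOWED <verb> <resource>" line per risky permission granted.
# Returns 0 if none of the checks is allowed, 1 otherwise.
audit_sa() {
    ns="$1"
    sa="$2"
    found=0
    subject="system:serviceaccount:${ns}:${sa}"
    while IFS='|' read -r verb resource; do
        # --quiet suppresses the yes/no output; the exit code carries the answer
        if "$KUBECTL" auth can-i "$verb" "$resource" \
            --namespace "$ns" --as "$subject" --quiet 2>/dev/null; then
            echo "ALLOWED ${verb} ${resource}"
            found=1
        fi
    done <<EOF
${RISKY_CHECKS}
EOF
    return "$found"
}
```

Source the file and run `audit_sa test test-sa`; the non-zero return code makes it usable as a gate in CI.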

Resource usage and utilization

Check current usage:

kubectl top pods --all-namespaces

Check requests:

kubectl get pods -o 'custom-columns=NAME:.metadata.name,CPU(cores):.spec.containers[*].resources.requests.cpu,MEMORY(bytes):.spec.containers[*].resources.requests.memory' --all-namespaces

Delete evicted pods

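# Check what you are doing
# (status.reason is not a supported field selector for pods, so filter on it with jq)
kubectl get pods --all-namespaces --field-selector "status.phase==Failed" -o json |
    jq -r '.items[] | select(.status.reason == "Evicted") | "\(.metadata.namespace) \(.metadata.name)"'
# Delete the pods
kubectl get pods --all-namespaces --field-selector "status.phase==Failed" -o json |
    jq -r '.items[] | select(.status.reason == "Evicted") | "\(.metadata.namespace) \(.metadata.name)"' |
    while read -r ns name; do kubectl delete pod --namespace "$ns" "$name"; done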

Check container images used

kubectl get pods -A -o jsonpath="{range .items[*].spec.containers[*]}{.image}{'\n'}{end}" | sort | uniq

Check certificate status (cert-manager)

kubectl get certificate --all-namespaces --sort-by status.notAfter \
    --output='custom-columns=NAMESPACE:metadata.namespace,NAME:metadata.name,NOT_AFTER:status.notAfter,RENEWAL_TIME:status.renewalTime,MESSAGE:status.conditions[0].message'

Alias and completion

See kubectl completion --help for how to get auto completion for kubectl. If you use an alias (e.g. k) instead of kubectl, the completion won't work without an extra step:

# use k instead of kubectl
alias k=kubectl
# enable autocompletion for the k alias
complete -o default -F __start_kubectl k

Clean up cloud provider resources

WARNING! This will delete things from your cluster!

Delete persistent volumes:

volume_namespaces="$(kubectl get pv -o jsonpath="{.items[*].spec.claimRef.namespace}" |
    tr " " "\n" | sort -u | tr "\n" " ")"

echo "Namespaces with volumes: ${volume_namespaces}"

kubectl delete ns ${volume_namespaces}
kubectl delete pv --all --wait

volumes_left="$(kubectl get pv -o json |
    jq ".items[] | {
        pv_name: .metadata.name,
        pvc_namespace: .spec.claimRef.namespace,
        pvc_name: .spec.claimRef.name
    }")"

if [ "${volumes_left}" != "" ]; then
    echo "WARNING: There seem to be volumes left in the"
    echo "         cluster, this will result in volumes that"
    echo "         need to be cleaned up manually."
    echo "Volumes left:"
    echo "${volumes_left}"
else
    echo "All volumes were successfully cleaned up!"
fi