@revolunet
Last active September 19, 2023 13:57
kubectl memo. some bash/jq/yq/kubectl black magic

List all UIDs in running pods:

#!/bin/bash

CONTEXT=xxx

pods=$(kubectl --context $CONTEXT get pods --all-namespaces --field-selector=status.phase=Running -o jsonpath='{.items[*].metadata.name}')
namespaces=$(kubectl --context $CONTEXT get pods --all-namespaces --field-selector=status.phase=Running -o jsonpath='{.items[*].metadata.namespace}')

IFS=' ' read -ra pods_array <<< "$pods"
IFS=' ' read -ra namespaces_array <<< "$namespaces"

for i in "${!pods_array[@]}"; do
  pod="${pods_array[$i]}"
  namespace="${namespaces_array[$i]}"
  containers=$(kubectl --context $CONTEXT get pods "$pod" -n "$namespace" -o jsonpath='{.spec.containers[*].name}')

  IFS=' ' read -ra containers_array <<< "$containers"

  for container in "${containers_array[@]}"; do
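    # -c targets the container being iterated; without it every loop hits the pod's default container
    user_id=$(kubectl --context $CONTEXT exec "$pod" -n "$namespace" -c "$container" -- id -u);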
    echo "$namespace/$container: $user_id";
  done
done

List all images in use:

#!/bin/sh

CONTEXT=dev2
CONTAINERS=$(kubectl --context $CONTEXT get pods --all-namespaces -o json | jq  '.items[] | {namespace:.metadata.namespace,name:.metadata.name,image:.spec.containers[].image}')
INITCONTAINERS=$(kubectl --context $CONTEXT get pods --all-namespaces -o json | jq  '.items[] | select(.spec.initContainers | length > 0) | {namespace:.metadata.namespace,name:("initcontainer-" + .metadata.name),image:.spec.initContainers[].image}')
JOBS=$(kubectl --context $CONTEXT get jobs --all-namespaces -o json | jq  '.items[] | 
{namespace:.metadata.namespace,name:("job-" + .metadata.name),image:.spec.template.spec.containers[].image}')
CRONJOBS=$(kubectl --context $CONTEXT get cronjobs --all-namespaces -o json | jq  '.items[] |
{namespace:.metadata.namespace,name:("cronjob-" + .metadata.name),image:.spec.jobTemplate.spec.template.spec.containers[].image}')
echo $CRONJOBS $JOBS $CONTAINERS $INITCONTAINERS | jq -s .

echo $CRONJOBS $JOBS $CONTAINERS $INITCONTAINERS | jq -s . > images.json

# check all images availability
# -r and the trailing .[] emit one raw image name per line (unique already sorts)
for row in $(jq -r '[.[] .image] | unique | .[]' ./images.json); do
    docker pull "$row"
done

Check all Docker images

#!/bin/bash

set +e

# check all images availability
for row in $(jq -r '[.[] .image] | [.[] | select(. | ((startswith("harbor.xxx") or startswith("ghcr.io/xxx") )) )] | unique | sort | .[]' -); do

   (timeout --preserve-status 5 docker pull "$row" &>/dev/null && echo "$row") || ( [ $? -eq 255 ] && echo "$row" || echo "$row" )

done

⚠ Beware, this naïve script fully pulls all Docker images.

We made another script that uses skopeo to avoid downloading the full image, see here

List all containers requests+limits and produce a TSV sheet

# one row per container, so columns stay aligned for multi-container pods
kubectl --context dev get pods -A -o json | jq -r '.items[] | . as $p | .spec.containers[] | [$p.metadata.namespace, $p.metadata.name, $p.status.phase, .name, .resources.requests.cpu, .resources.limits.cpu, .resources.requests.memory, .resources.limits.memory] | @tsv'

List all pods without securityContext

kubectl get pods -A -o=json | jq -r '.items[] | select(any(.spec.containers[]; .securityContext == null)) | "\(.metadata.namespace)/\(.metadata.name)"'
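
The one-liner above only reports containers with no `securityContext` at all, and the UID script earlier needs `exec` access to every pod. As an added example (not part of the original gist), this Python script reads the same `kubectl get pods -A -o json` output and reports, per container, the effective settings after merging pod-level and container-level `securityContext`; the finding labels and the `SAMPLE` data are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "demo", "name": "web"},
     "spec": {"containers": [{"name": "nginx"}]}},
    {"metadata": {"namespace": "demo", "name": "api"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
              "containers": [
                  {"name": "app", "securityContext": {"allowPrivilegeEscalation": False}},
                  {"name": "sidecar", "securityContext": {"runAsUser": 0, "privileged": True}}]}},
]}

def effective(pod_sc, ctr_sc, key):
    """Container-level setting overrides the pod-level one when it is set."""
    value = ctr_sc.get(key)
    return pod_sc.get(key) if value is None else value

def audit(pod_list):
    """Return (namespace, pod, container, findings) for each container with findings."""
    rows = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for ctr in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            sc = ctr.get("securityContext") or {}
            uid = effective(pod_sc, sc, "runAsUser")
            findings = []
            if uid == 0:
                findings.append("runAsUser=0")
            elif uid is None and effective(pod_sc, sc, "runAsNonRoot") is not True:
                findings.append("uid-from-image")  # image USER decides, may be root
            # privileged and allowPrivilegeEscalation exist only at container level
            if sc.get("privileged") is True:
                findings.append("privileged")
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append("allowPrivilegeEscalation-not-false")
            if findings:
                rows.append((meta["namespace"], meta["name"], ctr["name"], findings))
    return rows

if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` in, or run from a terminal with no input to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, ctr, findings in audit(data):
        print(f"{ns}/{pod}/{ctr}\t{','.join(findings)}")
```

A container flagged `uid-from-image` is one where only the `exec ... id -u` approach (or inspecting the image) can tell you the actual UID.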

Copy secret between clusters

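# --export was removed in kubectl 1.18; drop the cluster-specific metadata with jq instead
kubectl --context prod2 get secret some-secret --namespace=some-namespace -o json | \
   jq 'del(.metadata.uid, .metadata.resourceVersion, .metadata.creationTimestamp, .metadata.managedFields)' | \
   kubectl --context prod apply --namespace=some-namespace -f -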

Convert a secret to a sealed secret

kubectl --context dev --namespace xxx-secret get secret some-secret -ojson | \
   kubeseal --scope cluster-wide --controller-namespace sealed-secrets-system --context dev | \
   yq eval -P \
   > sealed-secret-dev.yml

Pop a psql shell on the cluster

# use any docker image
kubectl --context xxx run my-shell --rm -i --tty --image postgres:10 -- bash

Pop a pod with a secretRef

apiVersion: v1
kind: Pod
metadata:
  name: debug
  namespace: xxx
spec:
  containers:
    - name: postgres
      image: postgres:11
      command: ["sleep", "60000"]
      envFrom:
        - secretRef:
            name: some-secret

Replay a Job

kubectl --context xxx --namespace some-ns get job/some-job-id -o json > job.json
kubectl --context xxx replace --force -f job.json

Copy files

# From pod
kubectl cp k8s-xm-cm-pod:/path/to/files ./backup
# To pod
kubectl cp ./backup k8s-xm-cm-pod:/path/to/files 

List all hostnames

kubectl --context prod get --all-namespaces ing -o json | jq -r '.items[] .spec.rules[] .host'