Kubernetes cheatsheet

Useful commands for K8s administration


Kubernetes cheatsheet

Lists of commands for kubeadm-based clusters using cri-o as the container runtime and flannel as the pod network add-on.

Table of contents

  1. kubectl commands
  2. kubeadm commands
  3. crictl commands
  4. etcdctl commands
  5. Inspect kube-proxy DNAT rules
  6. Review ServiceAccount information from token

kubectl commands

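# display cluster info
kubectl cluster-info

# view / approve kubelet CSRs
# $kubeletcsr is the CSR name; approving it makes the API server issue the
# requested certificate, so check the requesting user and the requested
# usages in the describe output before approving
kubectl get certificatesigningrequests.certificates.k8s.io "$kubeletcsr"
kubectl describe certificatesigningrequests.certificates.k8s.io "$kubeletcsr"
kubectl certificate approve "$kubeletcsr"

# read control plane static pod logs from mirror pod
# mirror pods are named <component>-<node name>; this assumes the node name is
# the output of hostname (kubeadm's default), adjust if the node was renamed
kubectl logs --namespace kube-system "kube-apiserver-$(hostname)"

# restart control plane component running as static pod
# the kubelet watches /etc/kubernetes/manifests and recreates the pod whenever
# the manifest changes; bumping the mtime is enough to trigger that
sudo touch /etc/kubernetes/manifests/kube-apiserver.yaml

# proxy cluster API, filter connections
# the proxy talks to the API server with the caller's own kubeconfig
# credentials and adds no authentication, so any client that gets past
# --accept-hosts acts as that user. --accept-hosts is a regular expression
# matched against the client's address: an unanchored "192.168.1.10" also
# matches 192.168.1.100 or 192.168.1.10x, so anchor it and escape the dots
kubectl proxy --api-prefix "/" --address "192.168.1.12" --accept-hosts '^192\.168\.1\.10$' --port 8080

# summarize / describe cluster and workload resources
kubectl get nodes
kubectl get pods --all-namespaces
kubectl describe configmaps --namespace kube-system kube-proxy

# delete cluster resource
# deleting the Node object does not drain it first; use kubectl drain for a
# graceful eviction of its pods beforehand
kubectl delete nodes "$worker"

# help for specific command
kubectl taint node --help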

# create cluster and workload resources
kubectl create namespace "${namespace}"
kubectl create deployment "${deployment}" -n "${namespace}" --image=httpd --port=80

# view all replica sets
kubectl get replicasets.apps -n "${namespace}"

# roll out a new pod revision for a daemonset, deployment or statefulset,
# following the resource's update strategy; editing the container image or the
# env variables of the pod template also rolls out a new revision on its own
kubectl rollout restart deployment "${deployment}" -n "${namespace}"

# view revision history for deployment
kubectl rollout history deployment "${deployment}" -n "${namespace}"

# create a named service to expose a deployment
kubectl expose deployment "${deployment}" --name="${service}" -n "${namespace}"

# view all cluster services, wide output, keep watching for changes
kubectl get service -A -o wide -w

# delete workload resource
kubectl delete deployments.apps "${deployment}" -n "${namespace}"

# list namespaced api resource types
kubectl api-resources --namespaced=true

# apply and delete resources from manifest file
kubectl apply -f "basic-service/deployment.yaml"
kubectl delete -f "basic-service/deployment.yaml"

# wait for a condition to be met on a resource (pods selected by label)
kubectl wait -n "${namespace}" --for=condition=ready pod -l app.kubernetes.io/name=httpd --timeout=120s

# run a command inside a pod's container
kubectl exec -n "${namespace}" "pods/${pod}" -- ip --family inet addr list

# start an interactive shell inside a pod's container
kubectl exec -it -n "${namespace}" "pods/${pod}" -- /bin/sh

# forward host traffic on 192.168.1.12:8443 to pod on port 443
# binding to a non-loopback address exposes the forwarded port to the whole
# network segment; the pod itself is the only thing authenticating that traffic
kubectl port-forward -n "${namespace}" --address 192.168.1.12 "pods/${pod}" 8443:443

# drain current node
# --force also evicts pods that no controller manages (they are not recreated)
# and --delete-emptydir-data discards their emptyDir volumes
kubectl drain "$(hostname)" --ignore-daemonsets --delete-emptydir-data --force

kubeadm commands

# print default config for a kubeadm command ($command is e.g. init or join)
kubeadm config print "${command}-defaults"

# list existing / create new cluster bootstrap token
# a bootstrap token lets a node join the cluster; created tokens expire after
# the default TTL unless --ttl is given, so list and clean up stale ones
kubeadm token list
kubeadm token create

# list control plane certificates + expiration date / renew all certificates
sudo kubeadm certs check-expiration
sudo kubeadm certs renew all

crictl commands

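# cri-o socket; passed explicitly to every call so they all hit the same
# runtime regardless of what /etc/crictl.yaml (or its absence) resolves to
crio_endpoint="unix:///var/run/crio/crio.sock"

# list container runtime images
sudo crictl --runtime-endpoint "$crio_endpoint" images

# remove image by ID (the argument is an image ID as shown by `crictl images`,
# not a tag; substitute the ID from your own listing)
sudo crictl --runtime-endpoint "$crio_endpoint" rmi 4287863bff87e

# list containers (-a includes stopped ones), dropping pause sandbox rows
sudo crictl --runtime-endpoint "$crio_endpoint" ps -a | grep -v pause

# view container logs (argument is a container ID from `crictl ps`)
sudo crictl --runtime-endpoint "$crio_endpoint" logs 4287863bff87e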

etcdctl commands

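# configure etcd pki assets
# reuses the apiserver's etcd client certificate; these files are root-only,
# which is why the etcdctl calls below run under sudo
CA="/etc/kubernetes/pki/etcd/ca.crt"
CERT="/etc/kubernetes/pki/apiserver-etcd-client.crt"
KEY="/etc/kubernetes/pki/apiserver-etcd-client.key"

# build the comma-separated list of control plane etcd endpoints (InternalIP:2379)
MEMBERS=$(kubectl get nodes -l node-role.kubernetes.io/control-plane -o json \
  | jq -r '[.items[].status.addresses[] | select(.type=="InternalIP") | "\(.address):2379"] | join(",")')
# abort instead of calling etcdctl with --endpoints="" when the selector
# matched no node (older clusters label control plane nodes
# node-role.kubernetes.io/master instead)
: "${MEMBERS:?no control-plane node with an InternalIP found}"

# list cluster etcd members
# --endpoints is passed here too so the query does not silently fall back to
# 127.0.0.1:2379 when run from a machine that is not a control plane node
sudo etcdctl member list --cacert="$CA" --cert="$CERT" --key="$KEY" --write-out="table" --endpoints="$MEMBERS"

# list detailed instances statuses
sudo etcdctl endpoint status --cacert="$CA" --cert="$CERT" --key="$KEY" --write-out="table" --endpoints="$MEMBERS"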

Inspect kube-proxy DNAT rules

  • Only valid if kube-proxy runs in iptables mode.
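# -n prints addresses and ports numerically; without it iptables -L does a
# reverse DNS lookup per rule, which is slow and can hang on a cluster node

# points to cluster services chain
# matches all incoming packets
sudo iptables -t nat -n -L PREROUTING

# stores 1 chain per service (ClusterIP + NodePort)
# each one matches incoming packets destination against ClusterIP
sudo iptables -t nat -n -L KUBE-SERVICES

# stores 1 chain per service pod
# matches all incoming packets, distributes packets
# KUBE-SVC-* / KUBE-SEP-* names are per-cluster hashes; the two below are
# examples, take the real ones from the KUBE-SERVICES listing above
sudo iptables -t nat -n -L KUBE-SVC-TCOU7JCQXEZGVUNU

# DNAT packet to selected pod address
# matches all incoming packets
sudo iptables -t nat -n -L KUBE-SEP-YT5RCDY62A5D5HGT

# flannel installs and configures cni0
# NATed packet routed to pod network; the detailed route entry looks like
#   unicast 172.30.0.0/24 dev cni0 table main proto kernel scope link src 172.30.0.1
# (that line is route output, not a command to run)
ip -d route show dev cni0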

Review ServiceAccount information from token

  • Save the following to a script and call it with a service account token as the parameter:
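#!/bin/bash
# Resolve a ServiceAccount token to the identity the API server attributes to
# it, by submitting a TokenReview and printing the server's answer (.status).
#
# Usage: review-token.sh [TOKEN]
#   With no argument the token is read from stdin. Prefer that form: an argv
#   token is visible to every local user via ps and lands in shell history.
set -euo pipefail

token=${1:-}
if [[ -z "$token" ]]; then
  IFS= read -r token || true
fi
if [[ -z "$token" ]]; then
  printf 'usage: %s [TOKEN]   (or pass the token on stdin)\n' "${0##*/}" >&2
  exit 2
fi

# The token is interpolated into a YAML double-quoted scalar below. Accept
# only the bearer-token character set (RFC 6750 b64token) so a stray quote,
# backslash or newline cannot break out of the scalar or alter the manifest.
if ! [[ "$token" =~ ^[A-Za-z0-9._~+/=-]+$ ]]; then
  printf 'error: token contains characters outside the bearer token alphabet\n' >&2
  exit 2
fi

# TokenReview is a request object, not a stored resource: the server fills in
# .status (authenticated, user.username, user.groups) and nothing is persisted.
kubectl create -o yaml -f - <<EOF
apiVersion: authentication.k8s.io/v1
kind: TokenReview
spec:
  token: "$token"
EOF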