Table of Contents
- Basic Concepts & Architecture
- Installation & Setup
- Cluster Management
- Workload Resources
- Service Discovery & Networking
- Configuration Management
- Storage
- Security & RBAC
- Monitoring & Observability
- Autoscaling
- Advanced Topics
- Troubleshooting
- Best Practices
- YAML Examples
- Helm Package Manager
- kubectl Tips & Tricks
- Gateway API
- Modern Kubernetes Features
- Cloud Native Ecosystem
- Kubernetes 1.28+ Features
Basic Concepts & Architecture
Kubernetes Architecture
┌─────────────────┐ ┌─────────────────────────────────────┐
│ Master Node │ │ Worker Nodes │
│ │ │ │
│ ┌─────────────┐│ │ ┌─────────────┐ ┌─────────────┐ │
│ │ API Server ││ │ │ kubelet │ │ kubelet │ │
│ └─────────────┘│ │ └─────────────┘ │─────────────┘ │
│ ┌─────────────┐│ │ ┌─────────────┐ ┌─────────────┐ │
│ │ etcd ││ │ │ kube-proxy │ │ kube-proxy │ │
│ └─────────────┘│ │ └─────────────┘ └─────────────┘ │
│ ┌─────────────┐│ │ ┌─────────────┐ ┌─────────────┐ │
│ │ Scheduler ││ │ │ Runtime │ │ Runtime │ │
│ └─────────────┘│ │ └─────────────┘ └─────────────┘ │
│ ┌─────────────┐│ │ │
│ │Controller ││ │ [Pod][Pod] [Pod][Pod] │
│ │Manager ││ │ │
│ └─────────────┘│ │ │
└─────────────────┘ └─────────────────────────────────────┘%% Kubernetes architecture (comprehensive)
%% Orientation: LR (left->right)
graph LR
%% === Cloud / External ===
subgraph Cloud[Cloud Provider / External]
LB[External Load Balancer]
Registry["Container Registry\n(e.g. DockerHub/Registry)"]
Git["Git / SCM"]
CI_CD["CI/CD (Jenkins/GitHub Actions/GitLab CI)"]
CloudProvider[Cloud Provider API]
end
%% === Control Plane ===
subgraph ControlPlane["Control Plane (Master)"]
direction TB
APIServer["API Server (kube-apiserver)"]
Scheduler["Scheduler (kube-scheduler)"]
Controller["Controller Manager"]
ETCD["etcd (Cluster KV store)"]
CloudCtrl["Cloud Controller Manager"]
Auth["RBAC / Admission Controllers"]
end
%% === Cluster Add-ons / Core Services ===
subgraph Addons["Cluster Add-ons / System"]
CoreDNS[CoreDNS]
Metrics[metrics-server]
KubeProxy[kube-proxy]
CNI["CNI Plugin (Calico/Weave/Flannel)"]
KubeState[kube-state-metrics]
end
%% === Observability & Logging ===
subgraph Observability["Monitoring & Logging"]
Prom[Prometheus]
Grafana[Grafana]
Fluentd["Fluentd / Log Aggregator"]
Loki["Loki (optional)"]
AlertMgr[Alertmanager]
end
%% === Service Mesh ===
subgraph ServiceMesh["Service Mesh (optional)"]
Istio[Istio / Linkerd / Consul]
Sidecar["Envoy / Sidecar proxies\n(per Pod)"]
end
%% === Worker Nodes & Pods ===
subgraph Nodes["Worker Nodes"]
direction TB
node1["Node-1"]
node2["Node-2"]
node3["Node-3"]
end
%% Define contents of each node (Pods, Kubelet, kube-proxy)
subgraph N1["Node-1: kubelet, kube-proxy"]
direction TB
Kubelet1[kubelet]
KubeProxy1[kube-proxy]
PodSet1["Deployment: frontend\nPods (frontend-*)"]
PodSet2["Deployment: backend\nPods (backend-*)"]
Daemon1[DaemonSet: node-exporter/log-collector]
PVC1[Pod -> PVC]
end
subgraph N2["Node-2: kubelet, kube-proxy"]
direction TB
Kubelet2[kubelet]
KubeProxy2[kube-proxy]
PodSet3["Deployment: backend\nPods (backend-*)"]
PodSet4[StatefulSet: db\nPod-0, Pod-1]
Daemon2[DaemonSet: node-exporter/log-collector]
PVC2[Pod -> PVC]
end
subgraph N3["Node-3: kubelet, kube-proxy"]
direction TB
Kubelet3[kubelet]
KubeProxy3[kube-proxy]
PodSet5["Deployment: cache\nPods (redis-*)"]
PodSet6["Deployment: worker\nPods (worker-*)"]
Daemon3[DaemonSet: node-exporter/log-collector]
PVC3[Pod -> PVC]
end
%% === Storage ===
subgraph Storage["Storage"]
StorageClass[StorageClass]
PV["PersistentVolumes (PV)"]
PVC["PersistentVolumeClaims (PVC)"]
end
%% === Networking / Ingress ===
subgraph Networking["Ingress & Services"]
IngressCtrl["Ingress Controller (NGINX/Traefik)"]
ClusterIPSvc[Service: ClusterIP]
NodePortSvc[Service: NodePort]
LoadBalancerSvc[Service: LoadBalancer]
end
%% === Autoscaling / Cluster Management ===
subgraph Autoscale["Autoscaling & Cluster Ops"]
HPA[Horizontal Pod Autoscaler]
VPA["Vertical Pod Autoscaler (optional)"]
CA[Cluster Autoscaler]
KubeletMetrics[Resource metrics from kubelet]
end
%% === CI/CD pipeline connections ===
Git -->|push| CI_CD
CI_CD -->|build/push image| Registry
CI_CD -.->|apply manifests| APIServer
%% Cloud / LB connections
LB -->|routes traffic| IngressCtrl
CloudProvider --> CloudCtrl
CloudProvider --> LB
%% Control plane interactions
APIServer --> Scheduler
APIServer --> Controller
APIServer --> ETCD
APIServer --> Auth
APIServer --> CoreDNS
APIServer --> Metrics
APIServer --> KubeState
%% Addons interactions
APIServer --> KubeProxy
APIServer --> CNI
CoreDNS -->|DNS for services| ClusterIPSvc
%% Nodes to ControlPlane
node1 -->|registers| APIServer
node2 -->|registers| APIServer
node3 -->|registers| APIServer
node1 --> Kubelet1
node2 --> Kubelet2
node3 --> Kubelet3
Kubelet1 -->|sync| APIServer
Kubelet2 -->|sync| APIServer
Kubelet3 -->|sync| APIServer
%% Pods & services
PodSet1 -->|exposes| ClusterIPSvc
PodSet2 -->|exposes| ClusterIPSvc
PodSet3 -->|exposes| ClusterIPSvc
PodSet4 -->|headless/stateful| ClusterIPSvc
PodSet5 -->|exposes| ClusterIPSvc
PodSet6 -->|worker| ClusterIPSvc
ClusterIPSvc --> IngressCtrl
IngressCtrl --> LoadBalancerSvc
LoadBalancerSvc -->|external| LB
%% Service mesh wiring
Istio --> Sidecar
Sidecar --> PodSet1
Sidecar --> PodSet2
Sidecar --> PodSet3
Sidecar --> PodSet4
Sidecar --> PodSet5
Sidecar --> PodSet6
%% Monitoring & logging flows
Kubelet1 --> Prom
Kubelet2 --> Prom
Kubelet3 --> Prom
KubeState --> Prom
Prom --> Grafana
Prom --> AlertMgr
Daemon1 --> Fluentd
Daemon2 --> Fluentd
Daemon3 --> Fluentd
Fluentd -->|push logs| Loki
Fluentd -->|push logs| LogStorage[(Elasticsearch/Opensearch)]
%% Storage connections
PVC1 --> PV
PVC2 --> PV
PVC3 --> PV
PV --> StorageClass
StorageClass --> CloudProvider
%% Autoscaling connections
HPA --> APIServer
APIServer -->|metrics| KubeletMetrics
KubeletMetrics --> HPA
CA --> CloudProvider
CA --> APIServer
%% Observability connections grouped
Prom -->|scrape| PodSet1
Prom -->|scrape| PodSet2
Prom -->|scrape| PodSet3
Prom -->|scrape| PodSet4
Prom -->|scrape| PodSet5
Prom -->|scrape| PodSet6
%% Endpoints to registry and image pulling
node1 -->|pull images| Registry
node2 -->|pull images| Registry
node3 -->|pull images| Registry
%% Labels / Decorations (for readability)
classDef cp fill:#f8f0ff,stroke:#b084ff;
classDef worker fill:#f0fff4,stroke:#2bb673;
classDef addon fill:#fff7e6,stroke:#ffb86b;
class ControlPlane cp;
class Nodes worker;
class Addons addon;
class Observability addon;
class ServiceMesh addon;
class Storage addon;
class Networking addon;
class Autoscale addon;Core Components
Master Node Components
- API Server: Central management entity, handles REST operations
- etcd: Distributed key-value store for cluster data
- Scheduler: Assigns pods to nodes based on resource requirements
- Controller Manager: Runs controller processes (replication, endpoints, etc.)
- Cloud Controller Manager: Manages cloud-specific controllers
Worker Node Components
- kubelet: Primary node agent, manages pods and containers
- kube-proxy: Network proxy, maintains network rules
- Container Runtime: Docker, containerd, or CRI-O
Kubernetes Objects Hierarchy
Cluster
├── Namespaces
│ ├── Pods
│ ├── Services
│ ├── Deployments
│ │ └── ReplicaSets
│ │ └── Pods
│ ├── ConfigMaps
│ ├── Secrets
│ └── PersistentVolumeClaims
└── PersistentVolumes (cluster-wide)kubectl Basics & Configuration
# Check kubectl version and client configuration
kubectl version --output=yaml
kubectl version --short
# Get cluster information
kubectl cluster-info
kubectl cluster-info dump
# Get all resources in current namespace
kubectl get all
# Get all resources across all namespaces
kubectl get all --all-namespaces
kubectl get all -A
# Get API resources and their short names
kubectl api-resources
kubectl api-resources --namespaced=true
kubectl api-resources --namespaced=false
# Explain resource types and their fields
kubectl explain pods
kubectl explain deployment.spec
kubectl explain service.spec.ports
# Get API versions
kubectl api-versionsInstallation & Setup
Installing kubectl
# macOS using Homebrew
brew install kubectl
# Linux using curl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
# Windows using Chocolatey
choco install kubernetes-cli
# Verify installation
kubectl version --clientCluster Setup Options
# Local development clusters
# Minikube
minikube start
minikube status
minikube dashboard
# Kind (Kubernetes in Docker)
kind create cluster
kind create cluster --config=cluster-config.yaml
# k3s (lightweight Kubernetes)
curl -sfL https://get.k3s.io | sh -
# Docker Desktop Kubernetes
# Enable in Docker Desktop settings
# Cloud managed clusters
# AWS EKS
eksctl create cluster --name my-cluster --region us-west-2
# Google GKE
gcloud container clusters create my-cluster --zone us-central1-a
# Azure AKS
az aks create --resource-group myResourceGroup --name myClusterkubeconfig Management
# View current config
kubectl config view
kubectl config view --raw
# List contexts
kubectl config get-contexts
# Create new context
kubectl config set-context my-context --cluster=my-cluster --user=my-user
# Switch context
kubectl config use-context my-context
# Set current namespace
kubectl config set-context --current --namespace=my-namespace
# Merge kubeconfig files
KUBECONFIG=~/.kube/config:~/.kube/config2 kubectl config view --merge --flatten
# Backup and restore config
cp ~/.kube/config ~/.kube/config.backup
export KUBECONFIG=~/.kube/config.backupCluster Management
Context and Configuration
# Advanced context management
kubectl config current-context
kubectl config get-contexts -o name
kubectl config delete-context old-context
# Rename context
kubectl config rename-context old-name new-name
# Set cluster, user, and context
kubectl config set-cluster my-cluster --server=https://1.2.3.4
kubectl config set-credentials my-user --token=abc123
kubectl config set-context my-context --cluster=my-cluster --user=my-user
# View specific context
kubectl config view --context=my-context
# Temporary context override
kubectl --context=other-context get podsNode Management
# Detailed node information
kubectl get nodes -o wide
kubectl get nodes --show-labels
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
# Node conditions and capacity
kubectl describe node <node-name>
kubectl get nodes -o custom-columns=NAME:.metadata.name,STATUS:.status.conditions[-1].type,ROLES:.metadata.labels.node-role\.kubernetes\.io/*
# Node maintenance
kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data
kubectl uncordon <node-name>
kubectl cordon <node-name>
# Node labels and annotations
kubectl label nodes <node-name> environment=production
kubectl label nodes <node-name> environment- # Remove label
kubectl annotate nodes <node-name> description="Production node"
# Node taints and tolerations
kubectl taint nodes <node-name> key=value:NoSchedule
kubectl taint nodes <node-name> key=value:NoExecute
kubectl taint nodes <node-name> key- # Remove taint
# Node resource usage
kubectl top nodes
kubectl describe node <node-name> | grep -A 5 "Allocated resources"Cluster Information
# Cluster components health
kubectl get componentstatuses
kubectl get cs
# Cluster events
kubectl get events --sort-by=.metadata.creationTimestamp
kubectl get events --field-selector type=Warning
# API server endpoints
kubectl get endpoints kubernetes
# Cluster roles and bindings
kubectl get clusterroles
kubectl get clusterrolebindings
# Resource quotas and limits
kubectl describe limitrange
kubectl describe resourcequotaWorkload Resources
Pods
Basic Pod Operations
# Create and manage pods
kubectl run nginx --image=nginx:1.21 --port=80
kubectl run debug --image=busybox --rm -it --restart=Never -- /bin/sh
kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
# Advanced pod creation
kubectl run nginx --image=nginx:1.21 --env="ENV=production" --labels="app=nginx,tier=frontend"
kubectl run nginx --image=nginx --requests="cpu=100m,memory=128Mi" --limits="cpu=200m,memory=256Mi"
kubectl run nginx --image=nginx --restart=Never --command -- nginx -g "daemon off;"
# Pod lifecycle management
kubectl get pods -o wide --show-labels
kubectl get pods --field-selector=status.phase=Running
kubectl get pods --field-selector=metadata.namespace=default
# Pod logs and debugging
kubectl logs <pod-name> --previous --timestamps
kubectl logs <pod-name> -c <container-name> --since=1h
kubectl logs -l app=nginx --all-containers=true
kubectl logs <pod-name> --tail=50 -f
# Pod execution and files
kubectl exec -it <pod-name> -- /bin/bash
kubectl exec <pod-name> -c <container-name> -- whoami
kubectl exec <pod-name> -- cat /etc/hostname
# File operations
kubectl cp <pod-name>:/path/to/file ./local-file
kubectl cp ./local-file <pod-name>:/path/to/file
kubectl cp <pod-name>:/path/to/file - | tar -tv # List contents
# Port forwarding and proxying
kubectl port-forward <pod-name> 8080:80
kubectl port-forward <pod-name> :80 # Random local port
kubectl proxy --port=8080 # Access cluster via proxyPod Status and Monitoring
# Pod phases and conditions
kubectl get pods -o custom-columns=NAME:.metadata.name,STATUS:.status.phase,READY:.status.conditions[?(@.type==\"Ready\")].status
# Resource usage
kubectl top pods --sort-by=cpu
kubectl top pods --sort-by=memory
kubectl top pods -l app=nginx
# Pod events and troubleshooting
kubectl describe pod <pod-name>
kubectl get events --field-selector involvedObject.name=<pod-name>
kubectl get pods <pod-name> -o jsonpath='{.status.containerStatuses[*].state}'
# Pod security context
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext}'
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext}'Deployments
Deployment Management
# Create deployments
kubectl create deployment nginx --image=nginx:1.21 --replicas=3
kubectl create deployment nginx --image=nginx --dry-run=client -o yaml > deployment.yaml
# Advanced deployment options
kubectl create deployment nginx --image=nginx:1.21 --port=80 --replicas=3
kubectl set env deployment/nginx DATABASE_URL=postgres://localhost
# List and describe deployments
kubectl get deployments -o wide
kubectl get deploy --show-labels
kubectl describe deployment <deployment-name>
# Scaling operations
kubectl scale deployment <deployment-name> --replicas=5
kubectl scale deployment <deployment-name> --current-replicas=3 --replicas=5 # Conditional scaling
# Image updates and rollouts
kubectl set image deployment/<deployment-name> container-name=new-image:tag
kubectl set image deployment/nginx nginx=nginx:1.22 --record
# Rollout management
kubectl rollout status deployment/<deployment-name>
kubectl rollout status deployment/<deployment-name> --timeout=600s
kubectl rollout history deployment/<deployment-name>
kubectl rollout history deployment/<deployment-name> --revision=2
# Rollback operations
kubectl rollout undo deployment/<deployment-name>
kubectl rollout undo deployment/<deployment-name> --to-revision=2
# Pause and resume deployments
kubectl rollout pause deployment/<deployment-name>
kubectl rollout resume deployment/<deployment-name>
# Deployment strategies
kubectl patch deployment <deployment-name> -p '{"spec":{"strategy":{"type":"RollingUpdate","rollingUpdate":{"maxSurge":"50%","maxUnavailable":"50%"}}}}'ReplicaSets Management
# List and manage replica sets
kubectl get replicasets -o wide
kubectl get rs --show-labels
kubectl describe rs <replicaset-name>
# Scale replica sets (not recommended for managed deployments)
kubectl scale rs <replicaset-name> --replicas=3
# ReplicaSet owner references
kubectl get rs -o jsonpath='{.items[*].metadata.ownerReferences[*].name}'StatefulSets
StatefulSet Operations
# Create StatefulSet
kubectl create -f statefulset.yaml
# List StatefulSets
kubectl get statefulsets
kubectl get sts
# Describe StatefulSet
kubectl describe statefulset <statefulset-name>
# Scale StatefulSet (ordered scaling)
kubectl scale statefulset <statefulset-name> --replicas=5
# Update StatefulSet
kubectl patch statefulset <statefulset-name> -p '{"spec":{"updateStrategy":{"type":"RollingUpdate"}}}'
# StatefulSet pod management
kubectl get pods -l app=<statefulset-app> -o wide
kubectl delete pod <statefulset-pod-name> # Pod will be recreated with same identity
# Headless service for StatefulSet
kubectl get svc <headless-service-name>DaemonSets
DaemonSet Management
# Create DaemonSet
kubectl create -f daemonset.yaml
# List DaemonSets
kubectl get daemonsets
kubectl get ds
# Describe DaemonSet
kubectl describe daemonset <daemonset-name>
# Update DaemonSet
kubectl set image daemonset/<daemonset-name> container-name=new-image:tag
# DaemonSet rollout
kubectl rollout status daemonset/<daemonset-name>
kubectl rollout history daemonset/<daemonset-name>
# Node selection for DaemonSet
kubectl get ds <daemonset-name> -o wide
kubectl describe ds <daemonset-name> | grep -A 10 "Node-Selectors"Jobs & CronJobs
Job Management
# Create job
kubectl create job hello --image=busybox -- echo "Hello World"
kubectl create job hello --image=busybox --dry-run=client -o yaml -- echo "Hello World"
# List jobs
kubectl get jobs
kubectl get jobs --show-labels
# Job status and completion
kubectl describe job <job-name>
kubectl get job <job-name> -o jsonpath='{.status.conditions[*].type}'
# Job parallelism and completions
kubectl create job parallel-job --image=busybox --parallelism=3 --completions=6 -- /bin/sh -c "echo hello; sleep 30"
# Delete jobs and pods
kubectl delete job <job-name>
kubectl delete job <job-name> --cascade=false # Keep podsCronJob Management
# Create CronJob
kubectl create cronjob hello --image=busybox --schedule="*/1 * * * *" -- echo "Hello World"
# List CronJobs
kubectl get cronjobs
kubectl get cj
# CronJob history and management
kubectl describe cronjob <cronjob-name>
kubectl get jobs --selector=job-name=<cronjob-name>
# Suspend and resume CronJob
kubectl patch cronjob <cronjob-name> -p '{"spec":{"suspend":true}}'
kubectl patch cronjob <cronjob-name> -p '{"spec":{"suspend":false}}'
# Manual trigger
kubectl create job --from=cronjob/<cronjob-name> <manual-job-name>Service Discovery & Networking
Services
Service Types and Operations
# Create services
kubectl expose deployment <deployment-name> --port=80 --target-port=8080
kubectl expose pod <pod-name> --port=80 --target-port=8080 --name=pod-service
# Service types
kubectl expose deployment nginx --type=ClusterIP --port=80
kubectl expose deployment nginx --type=NodePort --port=80
kubectl expose deployment nginx --type=LoadBalancer --port=80
kubectl expose deployment nginx --type=ExternalName --external-name=example.com
# Advanced service creation
kubectl create service clusterip my-service --tcp=80:8080
kubectl create service nodeport my-service --tcp=80:8080 --node-port=30080
kubectl create service loadbalancer my-service --tcp=80:8080
# List and describe services
kubectl get services -o wide
kubectl get svc --show-labels
kubectl describe service <service-name>
# Service endpoints
kubectl get endpoints
kubectl get endpoints <service-name>
kubectl describe endpoints <service-name>
# Service discovery testing
kubectl run test-pod --image=busybox --rm -it -- /bin/sh
# Inside pod:
nslookup <service-name>
nslookup <service-name>.<namespace>.svc.cluster.local
wget -qO- http://<service-name>:<port>
# Service annotations and labels
kubectl annotate service <service-name> description="My service"
kubectl label service <service-name> environment=productionService Mesh and Advanced Networking
# Service mesh integration (Istio example)
kubectl label namespace <namespace> istio-injection=enabled
# Service monitor for Prometheus
kubectl get servicemonitor
kubectl describe servicemonitor <monitor-name>
# Headless services
kubectl create service clusterip my-headless --clusterip="None" --tcp=80:8080Ingress
Ingress Management
# List ingress resources
kubectl get ingress
kubectl get ing -o wide
# Describe ingress
kubectl describe ingress <ingress-name>
# Create ingress
kubectl create ingress my-ingress --rule="example.com/path=service:80"
kubectl create ingress my-ingress --class=nginx --rule="example.com/*=service:80"
# Ingress with TLS
kubectl create ingress secure-ingress --rule="example.com/*=service:80,tls=my-cert"
# Ingress controllers
kubectl get ingressclass
kubectl describe ingressclass nginx
# Ingress annotations
kubectl annotate ingress <ingress-name> nginx.ingress.kubernetes.io/rewrite-target=/
kubectl annotate ingress <ingress-name> cert-manager.io/cluster-issuer=letsencrypt-prod
# Ingress status and events
kubectl describe ingress <ingress-name>
kubectl get events --field-selector involvedObject.name=<ingress-name>Network Policies
Network Policy Management
# List network policies
kubectl get networkpolicies
kubectl get netpol
# Describe network policy
kubectl describe networkpolicy <policy-name>
# Test network connectivity
kubectl run test-pod --image=busybox --rm -it -- /bin/sh
# Test connection: nc -zv <target-ip> <port>
# Network policy troubleshooting
kubectl describe pod <pod-name> | grep -A 10 "Network Policy"Configuration Management
ConfigMaps & Secrets
ConfigMaps
# Create ConfigMaps
kubectl create configmap app-config --from-literal=database_url=postgres://localhost
kubectl create configmap app-config --from-literal=key1=value1 --from-literal=key2=value2
# From files
kubectl create configmap app-config --from-file=app.properties
kubectl create configmap app-config --from-file=config-key=app.properties
kubectl create configmap app-config --from-file=configs/
# From environment file
kubectl create configmap app-config --from-env-file=app.env
# List and describe ConfigMaps
kubectl get configmaps
kubectl get cm -o wide
kubectl describe configmap <name>
# View ConfigMap data
kubectl get configmap <name> -o yaml
kubectl get configmap <name> -o jsonpath='{.data}'
kubectl get configmap <name> -o jsonpath='{.data.app\.properties}'
# Edit ConfigMap
kubectl edit configmap <name>
kubectl patch configmap <name> --patch '{"data":{"key":"new-value"}}'
# ConfigMap usage in pods
kubectl set env deployment/<deployment-name> --from=configmap/<configmap-name>
kubectl set volume deployment/<deployment-name> --add --name=config-volume --configmap-name=<configmap-name> --mount-path=/etc/configSecrets
# Create Secrets
kubectl create secret generic app-secret --from-literal=username=admin --from-literal=password=secret123
kubectl create secret generic app-secret --from-file=credentials.txt
# TLS secrets
kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key
# Docker registry secrets
kubectl create secret docker-registry regcred \
--docker-server=registry.example.com \
--docker-username=user \
--docker-password=pass \
--docker-email=user@example.com
# Service account token secrets
kubectl create secret generic sa-secret --from-literal=token=<token>
# List and describe secrets
kubectl get secrets
kubectl describe secret <name>
# View secret data (base64 decoded)
kubectl get secret <name> -o jsonpath='{.data.password}' | base64 --decode
kubectl get secret <name> -o yaml
# Edit secrets
kubectl edit secret <name>
echo -n "new-password" | base64 # Encode for manual editing
# Secret usage in pods
kubectl set env deployment/<deployment-name> --from=secret/<secret-name>
kubectl patch deployment <deployment-name> -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}'Environment Variables
Environment Configuration
# Set environment variables
kubectl set env deployment/<deployment-name> ENV_VAR=value
kubectl set env deployment/<deployment-name> --from=configmap/<configmap-name>
kubectl set env deployment/<deployment-name> --from=secret/<secret-name>
# Environment variable sources
kubectl set env deployment/<deployment-name> DB_HOST=postgres.example.com
kubectl set env deployment/<deployment-name> DB_PASSWORD --from=secret/db-secret:password
# List environment variables
kubectl set env deployment/<deployment-name> --list
kubectl describe deployment <deployment-name> | grep -A 10 Environment
# Remove environment variables
kubectl set env deployment/<deployment-name> ENV_VAR-Storage
Volumes
Volume Types and Management
# List persistent volumes
kubectl get persistentvolumes
kubectl get pv -o wide
# List persistent volume claims
kubectl get persistentvolumeclaims
kubectl get pvc -o wide
# Describe storage resources
kubectl describe pv <pv-name>
kubectl describe pvc <pvc-name>
# PVC status and events
kubectl get events --field-selector involvedObject.name=<pvc-name>
# Volume binding and provisioning
kubectl get pvc --field-selector=status.phase=Pending
kubectl get pv --field-selector=status.phase=Available
# Storage capacity and usage
kubectl top pods --containers
kubectl describe pod <pod-name> | grep -A 10 VolumesStorage Classes
Storage Class Management
# List storage classes
kubectl get storageclasses
kubectl get sc
# Describe storage class
kubectl describe storageclass <storage-class-name>
# Default storage class
kubectl get sc -o jsonpath='{.items[?(@.metadata.annotations.storageclass\.kubernetes\.io/is-default-class=="true")].metadata.name}'
# Storage class parameters
kubectl get sc <storage-class-name> -o yaml
# Dynamic provisioning
kubectl get pvc --field-selector=spec.storageClassName=<storage-class>Security & RBAC
Role-Based Access Control
# List RBAC resources
kubectl get roles
kubectl get rolebindings
kubectl get clusterroles
kubectl get clusterrolebindings
# Create service account
kubectl create serviceaccount <sa-name>
kubectl get serviceaccounts
kubectl describe serviceaccount <sa-name>
# Create role
kubectl create role pod-reader --verb=get,list,watch --resource=pods
kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
# Create role binding
kubectl create rolebinding pod-reader-binding --role=pod-reader --user=jane
kubectl create clusterrolebinding pod-reader-binding --clusterrole=pod-reader --user=jane
kubectl create rolebinding pod-reader-binding --role=pod-reader --serviceaccount=default:my-sa
# Check permissions
kubectl auth can-i create pods
kubectl auth can-i create pods --as=jane
kubectl auth can-i create pods --as=system:serviceaccount:default:my-sa
# Who can perform actions
kubectl auth can-i --list
kubectl auth can-i --list --as=jane
# Describe RBAC
kubectl describe role <role-name>
kubectl describe rolebinding <binding-name>
kubectl describe clusterrole <role-name>
# Security contexts
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext}'
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].securityContext}'Pod Security Standards
# Pod Security Standards (PSS) enforcement
kubectl label namespace <namespace> pod-security.kubernetes.io/enforce=restricted
kubectl label namespace <namespace> pod-security.kubernetes.io/audit=restricted
kubectl label namespace <namespace> pod-security.kubernetes.io/warn=restricted
# Network security
kubectl get networkpolicies
kubectl describe networkpolicy <policy-name>
# Secrets and sensitive data
kubectl get secrets --all-namespaces
kubectl get secret <secret-name> -o yaml | grep -v "password\|token\|key"Monitoring & Observability
Resource Monitoring
# Resource usage
kubectl top nodes
kubectl top pods
kubectl top pods --all-namespaces
kubectl top pods --sort-by=cpu
kubectl top pods --sort-by=memory
# Metrics server
kubectl get pods -n kube-system | grep metrics-server
kubectl top nodes --use-protocol-buffers
# Resource quotas and limits
kubectl describe quota
kubectl describe limitrange
# Node conditions and capacity
kubectl get nodes -o custom-columns=NAME:.metadata.name,STATUS:.status.conditions[-1].type,CPU-CAPACITY:.status.capacity.cpu,MEMORY-CAPACITY:.status.capacity.memory
# Pod resource requests and limits
kubectl get pods -o custom-columns=NAME:.metadata.name,CPU-REQUEST:.spec.containers[*].resources.requests.cpu,MEMORY-REQUEST:.spec.containers[*].resources.requests.memoryLogging and Events
# Centralized logging
kubectl logs -l app=nginx --all-containers=true
kubectl logs -f deployment/<deployment-name>
kubectl logs --previous <pod-name>
# Events and debugging
kubectl get events --sort-by=.metadata.creationTimestamp
kubectl get events --field-selector type=Warning
kubectl get events --field-selector reason=Failed
# Event filtering
kubectl get events --field-selector involvedObject.kind=Pod
kubectl get events --field-selector involvedObject.name=<pod-name>
# Audit logs (if enabled)
kubectl get events --field-selector reason=PolicyViolationHealth Checks and Probes
# Probe configuration
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].livenessProbe}'
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].readinessProbe}'
kubectl get pod <pod-name> -o jsonpath='{.spec.containers[*].startupProbe}'
# Pod readiness and conditions
kubectl get pods -o custom-columns=NAME:.metadata.name,READY:.status.conditions[?(@.type==\"Ready\")].status
kubectl describe pod <pod-name> | grep -A 5 ConditionsAutoscaling
Horizontal Pod Autoscaler (HPA)
# Create HPA
kubectl autoscale deployment <deployment-name> --cpu-percent=50 --min=1 --max=10
kubectl autoscale deployment <deployment-name> --cpu-percent=70 --memory-percent=80 --min=2 --max=15
# List HPAs
kubectl get hpa
kubectl get horizontalpodautoscalers
# Describe HPA
kubectl describe hpa <hpa-name>
# HPA with custom metrics
kubectl get hpa <hpa-name> -o yaml
# HPA status and events
kubectl get events --field-selector involvedObject.name=<hpa-name>
# Delete HPA
kubectl delete hpa <hpa-name>Vertical Pod Autoscaler (VPA)
# VPA resources (if installed)
kubectl get vpa
kubectl describe vpa <vpa-name>
# VPA recommendations
kubectl get vpa <vpa-name> -o jsonpath='{.status.recommendation}'Cluster Autoscaler
# Cluster autoscaler status (cloud-specific)
kubectl get pods -n kube-system | grep cluster-autoscaler
kubectl logs -n kube-system deployment/cluster-autoscaler
# Node groups and scaling
kubectl get nodes --show-labels | grep -E "node-role|instance-type"Advanced Topics
Custom Resources and Operators
# Custom Resource Definitions (CRDs)
kubectl get crd
kubectl describe crd <crd-name>
kubectl get <custom-resource-name>
# Operators
kubectl get operators
kubectl get subscriptions
kubectl get installplans
# API aggregation
kubectl get apiservices
kubectl describe apiservice <service-name>Multi-cluster Management
# Context management for multiple clusters
kubectl config get-clusters
kubectl config set-cluster <cluster-name> --server=https://cluster-api-endpoint
# Cross-cluster service discovery
kubectl get endpointslices
kubectl describe endpointslice <slice-name>
# Cluster federation (if available)
kubectl get federatedclustersGitOps and CI/CD Integration
# ArgoCD resources (if installed)
kubectl get applications -n argocd
kubectl describe application <app-name> -n argocd
# Flux resources (if installed)
kubectl get gitrepositories
kubectl get kustomizations
# Tekton pipelines (if installed)
kubectl get pipelines
kubectl get pipelineruns
kubectl get tasksAdvanced Scheduling
# Node affinity and anti-affinity
kubectl get pods -o wide --field-selector spec.nodeName=<node-name>
# Pod affinity and anti-affinity
kubectl describe pod <pod-name> | grep -A 10 "Affinity"
# Taints and tolerations
kubectl describe node <node-name> | grep -A 5 Taints
kubectl get pod <pod-name> -o jsonpath='{.spec.tolerations}'
# Priority classes
kubectl get priorityclasses
kubectl describe priorityclass <priority-class-name>
# Pod disruption budgets
kubectl get poddisruptionbudgets
kubectl get pdb
kubectl describe pdb <pdb-name>Troubleshooting
Common Debugging Commands
# Pod troubleshooting
kubectl describe pod <pod-name>
kubectl logs <pod-name> --previous --timestamps
kubectl get events --field-selector involvedObject.name=<pod-name>
# Resource inspection
kubectl get all --all-namespaces
kubectl top nodes
kubectl top pods --all-namespaces
# Network debugging
kubectl exec -it <pod-name> -- nslookup <service-name>
kubectl exec -it <pod-name> -- netstat -tulpn
kubectl exec -it <pod-name> -- curl -v http://<service-name>:<port>
# DNS troubleshooting
kubectl run dns-test --image=busybox --rm -it -- nslookup kubernetes.default
kubectl exec -it <pod-name> -- cat /etc/resolv.conf
# Storage troubleshooting
kubectl describe pvc <pvc-name>
kubectl get events --field-selector involvedObject.name=<pvc-name>
kubectl describe pv <pv-name>
# RBAC troubleshooting
kubectl auth can-i <verb> <resource> --as=<user>
kubectl describe rolebinding,clusterrolebinding
# Node troubleshooting
kubectl describe node <node-name>
kubectl get events --field-selector involvedObject.name=<node-name>
kubectl top node <node-name>
# Cluster component health
kubectl get componentstatuses
kubectl get events --field-selector type=Warning --all-namespaces
# API server debugging
kubectl cluster-info dump
kubectl get --raw=/healthz
kubectl get --raw=/metricsPerformance Troubleshooting
# Resource utilization
kubectl top pods --sort-by=cpu --all-namespaces
kubectl top pods --sort-by=memory --all-namespaces
kubectl describe node <node-name> | grep -A 5 "Allocated resources"
# Pod resource analysis
kubectl get pods -o custom-columns=NAME:.metadata.name,CPU-REQUEST:.spec.containers[*].resources.requests.cpu,MEMORY-REQUEST:.spec.containers[*].resources.requests.memory,CPU-LIMIT:.spec.containers[*].resources.limits.cpu,MEMORY-LIMIT:.spec.containers[*].resources.limits.memory
# Evicted pods analysis
kubectl get pods --field-selector=status.phase=Failed --all-namespaces
kubectl describe pod <evicted-pod-name>
# Resource quotas and limits
kubectl describe quota --all-namespaces
kubectl describe limitrange --all-namespacesCommon Issues and Solutions
Pod Issues
# ImagePullBackOff
kubectl describe pod <pod-name> # Check image name and registry credentials
kubectl get secret <registry-secret> -o yaml
# CrashLoopBackOff
kubectl logs <pod-name> --previous # Check previous container logs
kubectl describe pod <pod-name> # Check restart reason
# Pending Pods
kubectl describe pod <pod-name> # Check scheduling constraints
kubectl get nodes --show-labels # Check node labels and taints
kubectl describe node <node-name> | grep -A 5 "Allocated resources"
# Pod Stuck in Terminating
kubectl delete pod <pod-name> --force --grace-period=0
kubectl patch pod <pod-name> -p '{"metadata":{"finalizers":null}}'
# Pod Security Context Issues
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext}'
kubectl describe pod <pod-name> | grep -A 10 "Security Context"Service Issues
# Service not accessible
kubectl get endpoints <service-name> # Check if pods are selected
kubectl describe service <service-name> # Check selectors and ports
kubectl get pods --selector=<label-selector> # Verify pod labels
# DNS resolution issues
kubectl run dns-debug --image=busybox --rm -it -- nslookup <service-name>
kubectl exec -it <pod-name> -- cat /etc/resolv.conf
kubectl get svc kube-dns -n kube-system # Check DNS serviceStorage Issues
# PVC stuck in Pending
kubectl describe pvc <pvc-name> # Check events and requirements
kubectl get storageclass # Verify storage class exists
kubectl get pv --field-selector=status.phase=Available # Check available PVs
# Mount issues
kubectl describe pod <pod-name> | grep -A 10 "Volumes"
kubectl exec -it <pod-name> -- df -h # Check mounted volumes
kubectl exec -it <pod-name> -- ls -la /path/to/mountBest Practices
Resource Management
# Always set resource requests and limits
resources:
requests:
memory: "64Mi"
cpu: "250m"
limits:
memory: "128Mi"
cpu: "500m"
# Use appropriate resource quotas
apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-quota
spec:
hard:
requests.cpu: "1"
requests.memory: 1Gi
limits.cpu: "2"
limits.memory: 2GiSecurity Best Practices
# Use non-root containers
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
# Network policies for segmentation
kubectl apply -f network-policy.yaml
# RBAC with least privilege
kubectl create role pod-reader --verb=get,list,watch --resource=pods
kubectl create rolebinding pod-reader-binding --role=pod-reader --user=jane
# Secret management
kubectl create secret generic app-secret --from-literal=password="$(openssl rand -base64 32)"
# Image security scanning
kubectl get pods -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort -uDeployment Strategies
# Rolling update strategy
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
# Blue-green deployment preparation
metadata:
labels:
version: blue # or green
# Canary deployment with traffic splitting
spec:
replicas: 10 # 9 stable + 1 canaryMonitoring and Observability
# Health checks
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
# Structured logging
spec:
containers:
- name: app
env:
- name: LOG_LEVEL
value: "INFO"
- name: LOG_FORMAT
value: "json"High Availability
# Pod anti-affinity
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- myapp
topologyKey: kubernetes.io/hostname
# Pod disruption budget
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: myapp-pdb
spec:
minAvailable: 2
selector:
matchLabels:
app: myappYAML Examples
Complete Application Stack
# Namespace
apiVersion: v1
kind: Namespace
metadata:
name: myapp
labels:
name: myapp
environment: production
---
# ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: myapp-config
namespace: myapp
data:
database.host: "postgres.myapp.svc.cluster.local"
database.port: "5432"
app.config: |
debug: false
cache_size: 1000
features:
- feature1
- feature2
---
# Secret
apiVersion: v1
kind: Secret
metadata:
name: myapp-secret
namespace: myapp
type: Opaque
data:
database.password: cGFzc3dvcmQxMjM= # password123
api.key: YWJjZGVmZ2hpams= # abcdefghijk
---
# PersistentVolumeClaim
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: myapp-data
namespace: myapp
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: fast-ssd
---
# Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
namespace: myapp
labels:
app: myapp
version: v1.2.0
spec:
replicas: 3
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
version: v1.2.0
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 2000
containers:
- name: myapp
image: myapp:v1.2.0
ports:
- containerPort: 8080
name: http
- containerPort: 8443
name: https
env:
- name: DATABASE_HOST
valueFrom:
configMapKeyRef:
name: myapp-config
key: database.host
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: myapp-secret
key: database.password
volumeMounts:
- name: config-volume
mountPath: /etc/config
readOnly: true
- name: data-volume
mountPath: /data
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "500m"
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
startupProbe:
httpGet:
path: /startup
port: 8080
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 30
volumes:
- name: config-volume
configMap:
name: myapp-config
- name: data-volume
persistentVolumeClaim:
claimName: myapp-data
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- myapp
topologyKey: kubernetes.io/hostname
---
# Service
apiVersion: v1
kind: Service
metadata:
name: myapp-service
namespace: myapp
labels:
app: myapp
spec:
type: ClusterIP
selector:
app: myapp
ports:
- name: http
port: 80
targetPort: 8080
protocol: TCP
- name: https
port: 443
targetPort: 8443
protocol: TCP
---
# Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myapp-ingress
namespace: myapp
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
tls:
- hosts:
- myapp.example.com
secretName: myapp-tls
rules:
- host: myapp.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: myapp-service
port:
number: 80
---
# HorizontalPodAutoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: myapp-hpa
namespace: myapp
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: myapp
minReplicas: 3
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
---
# PodDisruptionBudget
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: myapp-pdb
namespace: myapp
spec:
minAvailable: 2
selector:
matchLabels:
app: myapp
---
# NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: myapp-netpol
namespace: myapp
spec:
podSelector:
matchLabels:
app: myapp
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
- podSelector:
matchLabels:
app: allowed-app
ports:
- protocol: TCP
port: 8080
egress:
- to:
- namespaceSelector:
matchLabels:
name: database
ports:
- protocol: TCP
port: 5432
- to: [] # Allow DNS
ports:
- protocol: UDP
port: 53StatefulSet Example
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: database
namespace: myapp
spec:
serviceName: database-headless
replicas: 3
selector:
matchLabels:
app: database
template:
metadata:
labels:
app: database
spec:
containers:
- name: postgres
image: postgres:13
env:
- name: POSTGRES_DB
value: myapp
- name: POSTGRES_USER
value: myapp
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: db-secret
key: password
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
ports:
- containerPort: 5432
name: postgres
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
resources:
requests:
memory: "512Mi"
cpu: "500m"
limits:
memory: "1Gi"
cpu: "1"
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: fast-ssd
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: Service
metadata:
name: database-headless
namespace: myapp
spec:
clusterIP: None
selector:
app: database
ports:
- port: 5432
targetPort: 5432Helm Package Manager
Helm Basics
# Install Helm
curl https://get.helm.sh/helm-v3.12.0-linux-amd64.tar.gz | tar xz
sudo mv linux-amd64/helm /usr/local/bin/
# Initialize Helm (v3 doesn't need Tiller)
helm version
# Add repositories
helm repo add stable https://charts.helm.sh/stable
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
# Search charts
helm search repo nginx
helm search hub nginx
# Install charts
helm install my-nginx bitnami/nginx
helm install my-app ./my-chart --values values.yaml
helm install my-app ./my-chart --set image.tag=v1.2.0
# List releases
helm list
helm list --all-namespaces
# Get release info
helm get values my-app
helm get manifest my-app
helm status my-app
# Upgrade releases
helm upgrade my-app bitnami/nginx --version 10.1.0
helm upgrade my-app ./my-chart --values new-values.yaml
# Rollback releases
helm rollback my-app 1
helm history my-app
# Uninstall releases
helm uninstall my-appHelm Chart Development
# Create new chart
helm create my-chart
# Chart structure
my-chart/
├── Chart.yaml
├── values.yaml
├── charts/
└── templates/
├── deployment.yaml
├── service.yaml
├── ingress.yaml
└── _helpers.tpl
# Validate chart
helm lint my-chart
helm template my-chart --debug
# Package chart
helm package my-chart
# Chart testing
helm test my-releaseHelm Values and Templates
# values.yaml
image:
repository: nginx
tag: "1.21"
pullPolicy: IfNotPresent
service:
type: ClusterIP
port: 80
ingress:
enabled: false
annotations: {}
hosts:
- host: chart-example.local
paths: []
# Template example (deployment.yaml)
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "my-chart.fullname" . }}
labels:
{{- include "my-chart.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "my-chart.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "my-chart.selectorLabels" . | nindent 8 }}
spec:
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80kubectl Tips & Tricks
Useful Aliases and Functions
# Add to ~/.bashrc or ~/.zshrc
alias k='kubectl'
alias kgp='kubectl get pods'
alias kgs='kubectl get services'
alias kgd='kubectl get deployments'
alias kgn='kubectl get nodes'
alias kga='kubectl get all'
alias kdp='kubectl describe pod'
alias kds='kubectl describe service'
alias kdd='kubectl describe deployment'
alias kdn='kubectl describe node'
alias kaf='kubectl apply -f'
alias kdel='kubectl delete'
alias klog='kubectl logs'
alias kexec='kubectl exec -it'
alias kpf='kubectl port-forward'
# Advanced aliases
alias kgpw='kubectl get pods -o wide'
alias kgpa='kubectl get pods --all-namespaces'
alias kgpf='kubectl get pods --field-selector'
alias kgsf='kubectl get services --field-selector'
alias kcdp='kubectl delete pod --force --grace-period=0'
# Functions
kns() {
kubectl config set-context --current --namespace=$1
}
klog-all() {
kubectl logs -f deployment/$1 --all-containers=true
}
kdebug() {
kubectl run debug-pod --image=busybox --rm -it --restart=Never -- /bin/sh
}Advanced kubectl Usage
# Output formats
kubectl get pods -o wide
kubectl get pods -o yaml
kubectl get pods -o json
kubectl get pods -o name
kubectl get pods -o custom-columns=NAME:.metadata.name,STATUS:.status.phase
# JSONPath examples
kubectl get pods -o jsonpath='{.items[*].metadata.name}'
kubectl get pods -o jsonpath='{.items[*].status.podIP}'
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
# Field selectors
kubectl get pods --field-selector=status.phase=Running
kubectl get events --field-selector=type=Warning
kubectl get pods --field-selector=spec.nodeName=node-1
# Label selectors
kubectl get pods -l app=nginx
kubectl get pods -l 'app in (nginx,apache)'
kubectl get pods -l 'app!=nginx'
kubectl get pods -l 'environment,tier=frontend'
# Watch resources
kubectl get pods -w
kubectl get events -w
kubectl get nodes -w
# Sort resources
kubectl get pods --sort-by=.metadata.name
kubectl get pods --sort-by=.status.startTime
kubectl top pods --sort-by=cpu
# Multiple resources
kubectl get pods,services,deployments
kubectl describe pods,services
kubectl delete pods,services -l app=myapp
# Resource scaling
kubectl scale --replicas=5 deployment/myapp
kubectl scale --replicas=3 -f deployment.yaml
kubectl scale --current-replicas=2 --replicas=3 deployment/myapp
# Patch resources
kubectl patch deployment myapp -p '{"spec":{"replicas":5}}'
kubectl patch service myservice -p '{"spec":{"type":"LoadBalancer"}}'
kubectl patch pod mypod -p '{"metadata":{"labels":{"newlabel":"newvalue"}}}'Productivity Tips
# Tab completion
source <(kubectl completion bash) # For bash
source <(kubectl completion zsh) # For zsh
# Set default editor
export KUBE_EDITOR=vim
# Quick context switching
kubectl config use-context $(kubectl config get-contexts -o name | fzf)
# Resource shortcuts
kubectl get po # pods
kubectl get svc # services
kubectl get ing # ingress
kubectl get deploy # deployments
kubectl get rs # replicasets
kubectl get ds # daemonsets
kubectl get sts # statefulsets
kubectl get cm # configmaps
kubectl get pv # persistentvolumes
kubectl get pvc # persistentvolumeclaims
kubectl get sa # serviceaccounts
kubectl get netpol # networkpolicies
# Multi-container operations
kubectl logs pod-name -c container-name
kubectl exec -it pod-name -c container-name -- /bin/bash
# Resource cleanup
kubectl delete pods --field-selector=status.phase=Succeeded
kubectl delete pods --field-selector=status.phase=Failed
kubectl get pods --all-namespaces | grep Evicted | awk '{print $1 " " $2}' | xargs -n2 kubectl delete pod -n
# Quick resource inspection
kubectl get all -l app=myapp
kubectl top nodes --sort-by=cpu
kubectl get events --sort-by=.metadata.creationTimestampPerformance Optimization
Resource Optimization
# Identify resource-heavy pods
kubectl top pods --sort-by=cpu --all-namespaces | head -20
kubectl top pods --sort-by=memory --all-namespaces | head -20
# Check resource requests vs limits
kubectl get pods -o custom-columns=NAME:.metadata.name,CPU-REQUEST:.spec.containers[*].resources.requests.cpu,CPU-LIMIT:.spec.containers[*].resources.limits.cpu,MEMORY-REQUEST:.spec.containers[*].resources.requests.memory,MEMORY-LIMIT:.spec.containers[*].resources.limits.memory
# Node resource allocation
kubectl describe nodes | grep -A 5 "Allocated resources"
# Pod resource efficiency
kubectl top pods --containers --all-namespacesCluster Optimization
# Unused resources
kubectl get pvc --all-namespaces --field-selector=status.phase=Pending
kubectl get pods --all-namespaces --field-selector=status.phase=Failed
# Resource quotas utilization
kubectl describe quota --all-namespaces
# Image pull optimization
kubectl get pods -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort | uniq -c | sort -nr
# Network policies efficiency
kubectl get networkpolicy --all-namespacesThis comprehensive Kubernetes cheatsheet covers everything from basic concepts to advanced topics, providing both students and professionals with the knowledge and commands needed for effective Kubernetes management and troubleshooting.
Gateway API
Gateway API Overview
Gateway API is the next-generation API for Kubernetes networking, designed to replace and improve upon Ingress. It provides more expressive, extensible, and role-oriented interfaces for configuring load balancing and traffic management.
Gateway API Components
# Install Gateway API CRDs
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
# List Gateway API resources
kubectl api-resources --api-group=gateway.networking.k8s.io
# Core resources
kubectl get gatewayclasses
kubectl get gateways
kubectl get httproutes
kubectl get referencegrantsGateway Class Management
# List Gateway Classes
kubectl get gatewayclasses
kubectl get gc
# Describe Gateway Class
kubectl describe gatewayclass <gatewayclass-name>
# View Gateway Class status
kubectl get gatewayclass <gatewayclass-name> -o yamlGateway Management
# List Gateways
kubectl get gateways
kubectl get gw
# Describe Gateway
kubectl describe gateway <gateway-name>
# Gateway status and events
kubectl get events --field-selector involvedObject.name=<gateway-name>
kubectl get gateway <gateway-name> -o jsonpath='{.status.conditions[*].message}'HTTPRoute Management
# List HTTPRoutes
kubectl get httproutes
kubectl get httproute
# Describe HTTPRoute
kubectl describe httproute <httproute-name>
# HTTPRoute with path matching
kubectl get httproute <httproute-name> -o yaml
# Debug HTTPRoute issues
kubectl describe httproute <httproute-name> | grep -A 10 "Conditions"Gateway API Examples
# GatewayClass
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: example-gatewayclass
spec:
controllerName: example.com/gateway-controller
---
# Gateway
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: example-gateway
namespace: default
spec:
gatewayClassName: example-gatewayclass
listeners:
- name: http
protocol: HTTP
port: 80
hostname: "*.example.com"
- name: https
protocol: HTTPS
port: 443
hostname: "*.example.com"
tls:
mode: Terminate
certificateRefs:
- name: example-com-tls
---
# HTTPRoute
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: example-httproute
namespace: default
spec:
parentRefs:
- name: example-gateway
hostnames:
- "api.example.com"
rules:
- matches:
- path:
type: PathPrefix
value: /api/v1
- headers:
- name: "version"
value: "v1"
backendRefs:
- name: api-v1-service
port: 80
weight: 90
- name: api-v1-canary-service
port: 80
weight: 10
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: "X-Source"
value: "gateway"
- matches:
- path:
type: PathPrefix
value: /api/v2
backendRefs:
- name: api-v2-service
port: 80
---
# TCPRoute (for TCP traffic)
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
name: tcp-route
namespace: default
spec:
parentRefs:
- name: example-gateway
sectionName: tcp
rules:
- backendRefs:
- name: tcp-service
port: 9000
---
# ReferenceGrant (for cross-namespace references)
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
name: allow-gateways-to-ref-secrets
namespace: default
spec:
from:
- group: gateway.networking.k8s.io
kind: Gateway
namespace: gateway-system
to:
- group: ""
kind: SecretAdvanced Gateway API Features
# Traffic splitting and canary deployments
kubectl apply -f httproute-canary.yaml
# Request/Response modification
kubectl get httproute <route-name> -o jsonpath='{.spec.rules[*].filters}'
# Cross-namespace routing with ReferenceGrant
kubectl get referencegrant -A
kubectl describe referencegrant <grant-name>
# Gateway API policy attachment (if supported)
kubectl get backendtlspolicy
kubectl get healthcheckpolicy
kubectl get retrypolicyModern Kubernetes Features
Pod Security Standards (PSS)
# Pod Security Standards enforcement
kubectl label namespace <namespace> pod-security.kubernetes.io/enforce=restricted
kubectl label namespace <namespace> pod-security.kubernetes.io/enforce-version=latest
kubectl label namespace <namespace> pod-security.kubernetes.io/audit=restricted
kubectl label namespace <namespace> pod-security.kubernetes.io/warn=restricted
# Check Pod Security Standards
kubectl get namespace <namespace> -o yaml | grep pod-security
# Validate pod against security standards
kubectl apply --dry-run=server -f pod.yaml
# Pod security violations
kubectl get events --field-selector reason=PolicyViolationCEL (Common Expression Language) in Kubernetes
# ValidatingAdmissionPolicy with CEL
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy"
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["apps"]
apiVersions: ["v1"]
resources: ["deployments"]
validations:
- expression: "object.spec.replicas <= 5"
message: "Deployment replicas cannot exceed 5"
- expression: "object.spec.template.spec.containers.all(c, has(c.resources.limits))"
message: "All containers must have resource limits"Sidecar Containers (Kubernetes 1.28+)
apiVersion: v1
kind: Pod
metadata:
name: myapp-with-sidecar
spec:
initContainers:
- name: setup
image: busybox
command: ['sh', '-c', 'echo Setting up...']
containers:
- name: myapp
image: myapp:latest
ports:
- containerPort: 8080
- name: sidecar
image: sidecar:latest
restartPolicy: Always # Sidecar-specific restart policy
lifecycle:
preStop:
exec:
command: ["/bin/sh", "-c", "cleanup.sh"]Node Features and Management
# Node feature discovery
kubectl get nodefeatures
kubectl describe nodefeature <node-name>
# Node resource topology
kubectl get noderesourcetopology
kubectl describe noderesourcetopology <node-name>
# Dynamic resource allocation (Alpha)
kubectl get resourceclaims
kubectl get resourceclaimtemplates
kubectl get deviceclassesEnhanced Container Features
# Container runtime information
kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.containerRuntimeVersion}'
# Image volume mounts (Kubernetes 1.28+)
kubectl describe pod <pod-name> | grep -A 10 "Image Volumes"
# User namespaces (Alpha)
kubectl get pod <pod-name> -o jsonpath='{.spec.securityContext.hostUsers}'Cloud Native Ecosystem
Service Mesh Integration
Istio
# Install Istio
curl -L https://istio.io/downloadIstio | sh -
istioctl install --set values.defaultRevision=default
# Istio resources
kubectl get virtualservices
kubectl get destinationrules
kubectl get gateways.networking.istio.io
kubectl get serviceentries
kubectl get sidecars
kubectl get authorizationpolicies
kubectl get peerauthentications
kubectl get requestauthentications
# Istio proxy status
istioctl proxy-status
istioctl proxy-config cluster <pod-name>
# Istio traffic management
kubectl describe virtualservice <vs-name>
kubectl describe destinationrule <dr-name>
# Istio security
kubectl get peerauthentication -A
kubectl get authorizationpolicy -ALinkerd
# Install Linkerd
curl -sL https://run.linkerd.io/install | sh
linkerd install | kubectl apply -f -
# Linkerd resources
kubectl get serviceprofiles
kubectl get trafficsplits
# Linkerd proxy injection
kubectl annotate namespace <namespace> linkerd.io/inject=enabled
linkerd inject deployment.yaml | kubectl apply -f -
# Linkerd observability
linkerd stat deployments
linkerd top pods
linkerd edges deploymentGitOps Tools
ArgoCD
# ArgoCD resources
kubectl get applications -n argocd
kubectl get appprojects -n argocd
kubectl get applicationsets -n argocd
# ArgoCD application management
kubectl describe application <app-name> -n argocd
kubectl get application <app-name> -n argocd -o jsonpath='{.status.sync.status}'
kubectl get application <app-name> -n argocd -o jsonpath='{.status.health.status}'
# ArgoCD CLI
argocd app list
argocd app sync <app-name>
argocd app diff <app-name>Flux
# Flux v2 resources
kubectl get gitrepositories -A
kubectl get kustomizations -A
kubectl get helmrepositories -A
kubectl get helmreleases -A
# Flux source management
flux get sources git
flux get sources helm
flux reconcile source git <repo-name>
# Flux kustomization
flux get kustomizations
flux suspend kustomization <kustomization-name>
flux resume kustomization <kustomization-name>Observability and Monitoring
Prometheus Operator
# Prometheus resources
kubectl get prometheuses
kubectl get alertmanagers
kubectl get servicemonitors
kubectl get podmonitors
kubectl get prometheusrules
# Thanos (if installed)
kubectl get thanosrulers
kubectl get thanosqueriersJaeger
# Jaeger resources
kubectl get jaegers -A
kubectl get jaegerconfigs -A
# Jaeger tracing
kubectl port-forward svc/jaeger-query 16686:16686OpenTelemetry
# OpenTelemetry Operator
kubectl get opentelemetrycollectors
kubectl get instrumentations
# OpenTelemetry configuration
kubectl describe opentelemetrycollector <collector-name>Security Tools
Falco
# Falco resources
kubectl get falcos -A
kubectl get falcorules -A
# Falco events
kubectl logs daemonset/falco -n falco-systemOpen Policy Agent (OPA) Gatekeeper
# Gatekeeper resources
kubectl get constrainttemplates
kubectl get k8srequiredlabels # Example constraint
kubectl get assign
kubectl get assignmetadata
# Gatekeeper violations
kubectl get events --field-selector reason=ConstraintViolation
kubectl describe k8srequiredlabels <constraint-name>Pod Security Policy (Deprecated) / Pod Security Standards
# Pod Security Standards (current approach)
kubectl label namespace <namespace> pod-security.kubernetes.io/enforce=restricted
# Security Context Constraints (OpenShift)
kubectl get securitycontextconstraints # If on OpenShiftKubernetes 1.28+ Features
API Server Tracing
# Enable API server tracing (if configured)
kubectl get --raw=/metrics | grep apiserver_request_duration
# Trace API requests
kubectl get pods --v=9 # Verbose logging to see API callsEnhanced kubectl Features
# kubectl events with improved filtering (1.28+)
kubectl events --for pod/<pod-name>
kubectl events --types=Warning
kubectl events --since=1h
# Interactive pod deletion confirmation (1.28+)
kubectl delete pod <pod-name> --interactive
# Enhanced kubectl apply --prune
kubectl apply --prune -l app=myapp --prune-whitelist=core/v1/ConfigMap -f .
# kubectl patch with strategic merge patch improvements
kubectl patch deployment myapp --type='strategic' --patch-file=patch.yamlValidatingAdmissionPolicy (Alpha/Beta)
# List ValidatingAdmissionPolicies
kubectl get validatingadmissionpolicies
kubectl get validatingadmissionpolicybindings
# Describe policy
kubectl describe validatingadmissionpolicy <policy-name>
# Test policy
kubectl apply --dry-run=server -f resource.yamlCRI-O and Container Runtime Improvements
# Container runtime information
kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.containerRuntimeVersion}'
# Runtime class usage
kubectl get runtimeclasses
kubectl describe runtimeclass <runtime-class-name>Kubernetes Jobs Enhancements
# Job with success policy (1.28+)
apiVersion: batch/v1
kind: Job
metadata:
name: success-policy-job
spec:
successPolicy:
rules:
- succeededIndexes: "0-2"
succeededCount: 3
completionMode: Indexed
completions: 5
parallelism: 5
template:
spec:
containers:
- name: worker
image: busybox
command: ["sh", "-c", "echo Job $JOB_COMPLETION_INDEX && sleep 10"]
restartPolicy: NeverDynamic Resource Allocation (Alpha)
# DRA resources (if enabled)
kubectl get resourceclaims
kubectl get resourceclaimtemplates
kubectl get deviceclasses
# Resource allocation status
kubectl describe resourceclaim <claim-name>Node Shutdown Handling
# Node graceful shutdown configuration
kubectl get node <node-name> -o jsonpath='{.metadata.annotations}'
# Check node shutdown events
kubectl get events --field-selector involvedObject.kind=Node,reason=NodeShutdownContextual Logging (Beta)
# Enhanced logging with context (if enabled in cluster)
kubectl logs <pod-name> --timestamps --prefix
# Structured logging output
kubectl get events -o json | jq '.items[] | select(.reason=="FailedScheduling")'KMS v2 Encryption at Rest
# Check encryption configuration (cluster admin)
kubectl get --raw=/api/v1/namespaces/kube-system/secrets | jq '.items[0].metadata' 2>/dev/null || echo "Encryption status check requires cluster admin access"Topology Aware Hints
# Service topology hints
kubectl get service <service-name> -o jsonpath='{.metadata.annotations.service\.kubernetes\.io/topology-mode}'
# EndpointSlice topology information
kubectl get endpointslices -o yaml | grep -A 5 "topology"Advanced Scheduling Features
# Pod topology spread constraints improvements (1.28+)
apiVersion: v1
kind: Pod
metadata:
name: pod-with-topology-spread
spec:
topologySpreadConstraints:
- maxSkew: 1
topologyKey: node
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: myapp
minDomains: 2 # New in 1.28+
containers:
- name: app
image: nginxkubectl Plugin Management
# Krew plugin manager
kubectl krew install neat
kubectl krew list
kubectl krew update
# Popular kubectl plugins
kubectl neat get pod <pod-name> -o yaml # Clean YAML output
kubectl tree deployment <deployment-name> # Resource hierarchy
kubectl cost namespace <namespace> # Resource costs (if cost plugin installed)
kubectl sniff <pod-name> # Network packet captureCustom Resource Definition v1 Enhancements
# CRD with CEL validation (1.28+)
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: mycustomresources.example.com
spec:
group: example.com
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
replicas:
type: integer
x-kubernetes-validations:
- rule: "self >= 1 && self <= 100"
message: "replicas must be between 1 and 100"
name:
type: string
x-kubernetes-validations:
- rule: "self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$')"
message: "name must be a valid DNS name"
scope: Namespaced
names:
plural: mycustomresources
singular: mycustomresource
kind: MyCustomResourceDebugging and Troubleshooting Enhancements
# Enhanced debugging with kubectl debug (1.28+)
kubectl debug <pod-name> --image=busybox --target=<container-name>
kubectl debug node/<node-name> --image=busybox
# Copy pod for debugging
kubectl debug <pod-name> --copy-to=debug-pod --container=<container-name> --image=busybox
# Attach ephemeral container
kubectl debug <pod-name> --image=busybox --attach
# Profile pod resource usage
kubectl top pod <pod-name> --containers --use-protocol-buffersThis comprehensive Kubernetes cheatsheet now includes the latest features and ecosystem tools, keeping you current with modern Kubernetes development and operations practices.
Discover more from Altgr Blog
Subscribe to get the latest posts sent to your email.
