Kubernetes commands #85776

Closed
kenotsolutions opened this issue Dec 1, 2019 · 12 comments

@kenotsolutions kenotsolutions commented Dec 1, 2019

https://cheatsheet.dennyzhang.com/cheatsheet-kubernetes-a4

Some USEFUL Commands from Denny Zhang.

| Name | Command |
| --- | --- |
| Run curl test temporarily | `kubectl run --rm mytest --image=yauritux/busybox-curl -it` |
| Run wget test temporarily | `kubectl run --rm mytest --image=busybox -it` |
| Run nginx deployment with 2 replicas | `kubectl run my-nginx --image=nginx --replicas=2 --port=80` |
| Run nginx pod and expose it | `kubectl run my-nginx --restart=Never --image=nginx --port=80 --expose` |
| Run nginx deployment and expose it | `kubectl run my-nginx --image=nginx --port=80 --expose` |
| Set namespace preference | `kubectl config set-context <context_name> --namespace=<ns_name>` |
| List pods with nodes info | `kubectl get pod -o wide` |
| List everything | `kubectl get all --all-namespaces` |
| Get all services | `kubectl get service --all-namespaces` |
| Get all deployments | `kubectl get deployments --all-namespaces` |
| Show nodes with labels | `kubectl get nodes --show-labels` |
| Get resources with json output | `kubectl get pods --all-namespaces -o json` |
| Validate yaml file with dry run | `kubectl create --dry-run --validate -f pod-dummy.yaml` |
| Start a temporary pod for testing | `kubectl run --rm -i -t --image=alpine test-$RANDOM -- sh` |
| kubectl run shell command | `kubectl exec -it mytest -- ls -l /etc/hosts` |
| Get system conf via configmap | `kubectl -n kube-system get cm kubeadm-config -o yaml` |
| Get deployment yaml | `kubectl -n denny-websites get deployment mysql -o yaml` |
| Explain resource | `kubectl explain pods`, `kubectl explain svc` |
| Watch pods | `kubectl get pods -n wordpress --watch` |
| Query healthcheck endpoint | `curl -L http://127.0.0.1:10250/healthz` |
| Open a bash terminal in a pod | `kubectl exec -it storage sh` |
| Check pod environment variables | `kubectl exec redis-master-ft9ex env` |
| Enable kubectl shell autocompletion | `echo "source <(kubectl completion bash)" >>~/.bashrc`, and reload |
| Use minikube dockerd in your laptop | `eval $(minikube docker-env)`, No need to push docker hub any more |
| Kubectl apply a folder of yaml files | `kubectl apply -R -f .` |
| Get services sorted by name | `kubectl get services --sort-by=.metadata.name` |
| Get pods sorted by restart count | `kubectl get pods --sort-by='.status.containerStatuses[0].restartCount'` |
| List pods and images | `kubectl get pods -o='custom-columns=PODS:.metadata.name,Images:.spec.containers[*].image'` |
| List all container images | list-all-images.sh |
| kubeconfig skip tls verification | skip-tls-verify.md |
| Ubuntu install kubectl | `"deb https://apt.kubernetes.io/ kubernetes-xenial main"` |
| Reference | GitHub: kubernetes releases |
| Reference | minikube cheatsheet, docker cheatsheet, OpenShift CheatSheet |

| Name | Command |
| --- | --- |
| Get node resource usage | `kubectl top node` |
| Get pod resource usage | `kubectl top pod` |
| Get resource usage for a given pod | `kubectl top --containers` |
| List resource utilization for all containers | `kubectl top pod --all-namespaces --containers=true` |

| Name | Command |
| --- | --- |
| Delete pod | `kubectl delete pod/ -n` |
| Delete pod by force | `kubectl delete pod/ --grace-period=0 --force` |
| Delete pods by labels | `kubectl delete pod -l env=test` |
| Delete deployments by labels | `kubectl delete deployment -l app=wordpress` |
| Delete all resources filtered by labels | `kubectl delete pods,services -l name=myLabel` |
| Delete resources under a namespace | `kubectl -n my-ns delete po,svc --all` |
| Delete persist volumes by labels | `kubectl delete pvc -l app=wordpress` |
| Delete statefulset only (not pods) | `kubectl delete sts/<stateful_set_name> --cascade=false` |

| Name | Comment |
| --- | --- |
| Config folder | `/etc/kubernetes/` |
| Certificate files | `/etc/kubernetes/pki/` |
| Credentials to API server | `/etc/kubernetes/kubelet.conf` |
| Superuser credentials | `/etc/kubernetes/admin.conf` |
| kubectl config file | `~/.kube/config` |
| Kubernetes working dir | `/var/lib/kubelet/` |
| Docker working dir | `/var/lib/docker/`, `/var/log/containers/` |
| Etcd working dir | `/var/lib/etcd/` |
| Network cni | `/etc/cni/net.d/` |
| Log files | `/var/log/pods/` |
| log in worker node | `/var/log/kubelet.log`, `/var/log/kube-proxy.log` |
| log in master node | `kube-apiserver.log`, `kube-scheduler.log`, `kube-controller-manager.log` |
| Env | `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` |
| Env | `export KUBECONFIG=/etc/kubernetes/admin.conf` |

| Name | Command |
| --- | --- |
| List all pods | `kubectl get pods` |
| List pods for all namespace | `kubectl get pods --all-namespaces` |
| List all critical pods | `kubectl get -n kube-system pods -a` |
| List pods with more info | `kubectl get pod -o wide`, `kubectl get pod/ -o yaml` |
| Get pod info | `kubectl describe pod/srv-mysql-server` |
| List all pods with labels | `kubectl get pods --show-labels` |
| List all unhealthy pods | `kubectl get pods --field-selector=status.phase!=Running --all-namespaces` |
| List running pods | `kubectl get pods --field-selector=status.phase=Running` |
| Get Pod initContainer status | `kubectl get pod --template '{{.status.initContainerStatuses}}'` |
| kubectl run command | `kubectl exec -it -n "$ns" "$podname" -- sh -c "echo $msg >>/dev/err.log"` |
| Watch pods | `kubectl get pods -n wordpress --watch` |
| Get pod by selector | `kubectl get pods --selector="app=syslog" -o jsonpath='{.items[*].metadata.name}'` |
| List pods and images | `kubectl get pods -o='custom-columns=PODS:.metadata.name,Images:.spec.containers[*].image'` |
| List pods and containers | `-o='custom-columns=PODS:.metadata.name,CONTAINERS:.spec.containers[*].name'` |
| Reference | Link: kubernetes yaml templates |

| Name | Command |
| --- | --- |
| Filter pods by label | `kubectl get pods -l owner=denny` |
| Manually add label to a pod | `kubectl label pods dummy-input owner=denny` |
| Remove label | `kubectl label pods dummy-input owner-` |
| Manually add annotation to a pod | `kubectl annotate pods dummy-input my-url=https://dennyzhang.com` |

| Name | Command |
| --- | --- |
| Scale out | `kubectl scale --replicas=3 deployment/nginx-app` |
| online rolling upgrade | `kubectl rollout app-v1 app-v2 --image=img:v2` |
| Roll backup | `kubectl rollout app-v1 app-v2 --rollback` |
| List rollout | `kubectl get rs` |
| Check update status | `kubectl rollout status deployment/nginx-app` |
| Check update history | `kubectl rollout history deployment/nginx-app` |
| Pause/Resume | `kubectl rollout pause deployment/nginx-deployment`, resume |
| Rollback to previous version | `kubectl rollout undo deployment/nginx-deployment` |
| Reference | Link: kubernetes yaml templates, Link: Pausing and Resuming a Deployment |

| Name | Command |
| --- | --- |
| List Resource Quota | `kubectl get resourcequota` |
| List Limit Range | `kubectl get limitrange` |
| Customize resource definition | `kubectl set resources deployment nginx -c=nginx --limits=cpu=200m` |
| Customize resource definition | `kubectl set resources deployment nginx -c=nginx --limits=memory=512Mi` |
| Reference | Link: kubernetes yaml templates |

| Name | Command |
| --- | --- |
| List all services | `kubectl get services` |
| List service endpoints | `kubectl get endpoints` |
| Get service detail | `kubectl get service nginx-service -o yaml` |
| Get service cluster ip | `kubectl get service nginx-service -o go-template='{{.spec.clusterIP}}'` |
| Get service cluster port | `kubectl get service nginx-service -o go-template='{{(index .spec.ports 0).port}}'` |
| Expose deployment as lb service | `kubectl expose deployment/my-app --type=LoadBalancer --name=my-service` |
| Expose service as lb service | `kubectl expose service/wordpress-1-svc --type=LoadBalancer --name=ns1` |
| Reference | Link: kubernetes yaml templates |

| Name | Command |
| --- | --- |
| List secrets | `kubectl get secrets --all-namespaces` |
| Generate secret | `echo -n 'mypasswd'`, then redirect to `base64 --decode` |
| Get secret | `kubectl get secret denny-cluster-kubeconfig` |
| Get a specific field of a secret | `kubectl get secret denny-cluster-kubeconfig -o jsonpath="{.data.value}"` |
| Create secret from cfg file | `kubectl create secret generic db-user-pass --from-file=./username.txt` |
| Reference | Link: kubernetes yaml templates, Link: Secrets |

| Name | Command |
| --- | --- |
| List statefulset | `kubectl get sts` |
| Delete statefulset only (not pods) | `kubectl delete sts/<stateful_set_name> --cascade=false` |
| Scale statefulset | `kubectl scale sts/<stateful_set_name> --replicas=5` |
| Reference | Link: kubernetes yaml templates |

| Name | Command |
| --- | --- |
| List storage class | `kubectl get storageclass` |
| Check the mounted volumes | `kubectl exec storage ls /data` |
| Check persist volume | `kubectl describe pv/pv0001` |
| Copy local file to pod | `kubectl cp /tmp/my /:/tmp/server` |
| Copy pod file to local | `kubectl cp /:/tmp/server /tmp/my` |
| Reference | Link: kubernetes yaml templates |

| Name | Command |
| --- | --- |
| View all events | `kubectl get events --all-namespaces` |
| List Events sorted by timestamp | `kubectl get events --sort-by=.metadata.creationTimestamp` |

| Name | Command |
| --- | --- |
| Mark node as unschedulable | `kubectl cordon $NODE_NAME` |
| Mark node as schedulable | `kubectl uncordon $NODE_NAME` |
| Drain node in preparation for maintenance | `kubectl drain $NODE_NAME` |

| Name | Command |
| --- | --- |
| List authenticated contexts | `kubectl config get-contexts`, `~/.kube/config` |
| Set namespace preference | `kubectl config set-context <context_name> --namespace=<ns_name>` |
| Load context from config file | `kubectl get cs --kubeconfig kube_config.yml` |
| Switch context | `kubectl config use-context` |
| Delete the specified context | `kubectl config delete-context` |
| List all namespaces defined | `kubectl get namespaces` |
| List certificates | `kubectl get csr` |
| Reference | Link: kubernetes yaml templates |

| Name | Command |
| --- | --- |
| Temporarily add a port-forwarding | `kubectl port-forward redis-134 6379:6379` |
| Add port-forwarding for deployment | `kubectl port-forward deployment/redis-master 6379:6379` |
| Add port-forwarding for replicaset | `kubectl port-forward rs/redis-master 6379:6379` |
| Add port-forwarding for service | `kubectl port-forward svc/redis-master 6379:6379` |
| Get network policy | `kubectl get NetworkPolicy` |

| Name | Summary |
| --- | --- |
| Patch service to loadbalancer | `kubectl patch svc $svc_name -p '{"spec": {"type": "LoadBalancer"}}'` |

| Name | Summary |
| --- | --- |
| List api group | `kubectl api-versions` |
| List all CRD | `kubectl get crd` |
| List storageclass | `kubectl get storageclass` |
| List all supported resources | `kubectl api-resources` |

| Name | Summary |
| --- | --- |
| kube-apiserver | exposes the Kubernetes API from master nodes |
| etcd | reliable data store for all k8s cluster data |
| kube-scheduler | schedule pods to run on selected nodes |
| kube-controller-manager | node controller, replication controller, endpoints controller, and service account & token controllers |

| Name | Summary |
| --- | --- |
| kubelet | makes sure that containers are running in a pod |
| kube-proxy | perform connection forwarding |
| Container Runtime | Kubernetes supported runtimes: Docker, rkt, runc and any OCI runtime-spec implementation. |

| Name | Summary |
| --- | --- |
| DNS | serves DNS records for Kubernetes services |
| Web UI | a general purpose, web-based UI for Kubernetes clusters |
| Container Resource Monitoring | collect, store and serve container metrics |
| Cluster-level Logging | save container logs to a central log store with search/browsing interface |

| Name | Summary |
| --- | --- |
| kubectl | the command line util to talk to k8s cluster |
| kubeadm | the command to bootstrap the cluster |
| kubefed | the command line to control a Kubernetes Cluster Federation |
| Kubernetes Components | Link: Kubernetes Components |

/remove-sig cli
/triage support

@athenabot athenabot commented Dec 1, 2019

/sig cli

These SIGs are my best guesses for this issue. Please comment /remove-sig <name> if I am incorrect about one.

🤖 I am a bot run by vllry. 👩‍🔬

@k8s-ci-robot k8s-ci-robot added sig/cli and removed needs-sig labels Dec 1, 2019
Member

@neolit123 neolit123 commented Dec 2, 2019

hi, you might want to post these commands on https://www.reddit.com/r/kubernetes/

this is an issue tracker and a lot of users will not see your post here.

Member

@neolit123 neolit123 commented Dec 2, 2019

/remove-sig cli
/triage support

@k8s-ci-robot k8s-ci-robot removed the sig/cli label Dec 2, 2019
Contributor

@k8s-ci-robot k8s-ci-robot commented Dec 2, 2019

@kenotsolutions: There are no sig labels on this issue. Please add a sig label by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Contributor

@k8s-ci-robot k8s-ci-robot commented Dec 2, 2019

@kenotsolutions: Those labels are not set on the issue: sig/cli


Author

@kenotsolutions kenotsolutions commented Dec 2, 2019

/remove-sig cli
/triage support

Contributor

@k8s-ci-robot k8s-ci-robot commented Dec 2, 2019

@kenotsolutions: Those labels are not set on the issue: sig/cli


Member

@liggitt liggitt commented Dec 3, 2019

If you'd like to contribute this to documentation, I'd suggest opening an issue or PR against https://github.com/kubernetes/website/ and tagging sig-cli

/close

Contributor

@k8s-ci-robot k8s-ci-robot commented Dec 3, 2019

@liggitt: Closing this issue.


Author

@kenotsolutions kenotsolutions commented Dec 8, 2019

```sh
kubectl exec -n kube-system etdc-master -- sh -c "ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key snapshot save /etc/kubernetes/pki/snapshotdb"
```

Author

@kenotsolutions kenotsolutions commented Dec 8, 2019

1. Create a Namespace for the user

```sh
kubectl create namespace office
```

2. Create a private key for your user

```sh
openssl genrsa -out employee.key 2048
```

3. Create a certificate sign request employee.csr using the private key employee.key

```sh
openssl req -new -key employee.key -out employee.csr -subj "/CN=employee/O=personal"
```

4. Generate a CSR yaml blob and send it to the apiserver by running the following command

```sh
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: employee.office
spec:
  request: $(cat employee.csr | base64 | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  # client auth (not server auth): the certificate authenticates kubectl to the API server in step 7
  - client auth
EOF
```

5. Approve the same by running:

```sh
kubectl certificate approve employee.office
```

6. Download the employee crt file

```sh
kubectl get csr employee.office -o jsonpath='{.status.certificate}' | base64 --decode > employee.crt
```

7. Add a new context with the new credentials for your Kubernetes cluster.

```sh
# Use the employee.crt file written in step 6.
kubectl config set-credentials employee --client-certificate=employee.crt --client-key=employee.key --embed-certs=true

kubectl config set-context employee-context --cluster=kubernetes --namespace=office --user=employee

kubectl --context=employee-context get pods --v=9
```

Author

@kenotsolutions kenotsolutions commented Dec 8, 2019

Step 1: Create a new private key and CSR

```sh
openssl genrsa -out zeal.key 2048
openssl req -new -key zeal.key -out zeal.csr -subj "/CN=zeal/O=kplabs"
```

Step 2: Encode the csr

```sh
cat zeal.csr | base64 | tr -d '\n'
```

Step 3: Generate the Kubernetes Signing Request

```yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: zeal-csr
spec:
  groups:
  - system:authenticated
  request:
  usages:
  - digital signature
  - key encipherment
  - client auth
```

Step 4: Apply the Signing Requests:

```sh
kubectl apply -f signingrequest.yaml
```

Step 5: Approve the csr

```sh
kubectl certificate approve zeal-csr
```

Step 6: Download the Certificate from csr

```sh
kubectl get csr zeal-csr -o jsonpath='{.status.certificate}' | base64 -d > zeal.crt
```

Step 7: Create a new context

```sh
kubectl config set-credentials zeal --client-certificate=zeal.crt --client-key=zeal.key
```

Step 8: Set new Context

```sh
kubectl config set-context zeal-context --cluster do-blr1-kplabs-k8s --user=zeal
```

Step 9: Use Context to Verify

```sh
kubectl --context=zeal-context get pods
```
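
Both certificate procedures above put the user's identity into the CSR subject, and the API server takes the user name from CN and the groups from O, so the request is worth decoding before `kubectl certificate approve` is run. The script below is an added example, not part of the original comments: it builds the manifest with the indentation the API expects and checks the subject and requested usages offline; the function names and temporary paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a CertificateSigningRequest manifest
# for a user certificate and check what it asks for before it is submitted or approved.
# Function names, file names and the demo values are assumptions for illustration.

# make_user_csr USER GROUP DIR: write DIR/USER.key and DIR/USER.csr.
make_user_csr() {
    user=$1 group=$2 dir=$3
    # umask keeps the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$user.key" -out "$dir/$user.csr" \
        -subj "/CN=$user/O=$group"
}

# csr_manifest NAME CSR_FILE: print the manifest with the nesting and list markers
# that were lost in the rendered comments above.
csr_manifest() {
    name=$1 csr_file=$2
    request=$(base64 < "$csr_file" | tr -d '\n')
    cat <<EOF
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: $name
spec:
  request: $request
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# manifest_subject MANIFEST: decode spec.request and print the CSR subject in
# RFC 2253 form (most specific RDN last, e.g. "O=personal,CN=employee").
manifest_subject() {
    sed -n 's/^  request: *//p' "$1" | base64 -d |
        openssl req -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_request MANIFEST USER GROUP: succeed only if the subject is exactly the
# expected CN and O (an extra O would add a group) and client auth is requested.
check_request() {
    subject=$(manifest_subject "$1")
    if [ "$subject" != "O=$3,CN=$2" ]; then
        echo "unexpected subject: $subject" >&2; return 1
    fi
    grep -q '^  - client auth$' "$1" || { echo "client auth not requested" >&2; return 1; }
    if grep -q '^  - server auth$' "$1"; then
        echo "server auth requested for a user certificate" >&2; return 1
    fi
    return 0
}

# Demo on constructed values (user "employee", group "personal", as in the first procedure).
workdir=$(mktemp -d)
make_user_csr employee personal "$workdir"
csr_manifest employee.office "$workdir/employee.csr" > "$workdir/csr.yaml"
check_request "$workdir/csr.yaml" employee personal && echo "request matches the expected identity"
rm -rf "$workdir"
```

An approver can run `check_request` against the manifest a user hands over, or against `kubectl get csr <name> -o yaml` output saved to a file, provided the `request:` line keeps the two-space indentation used here.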
