Common concepts and commands of Kubernetes

How kubeadm works

Install master

When initializing the master, just execute the kubeadm init command:

kubeadm init --pod-network-cidr=<pod-network-cidr> --kubernetes-version=stable

This command automatically:

  • Inspects the system status (preflight checks);
  • Generates a bootstrap token;
  • Generates a self-signed CA and client certificates;
  • Generates the kubeconfig that kubelet uses to connect to the API server;
  • Generates static Pod manifests for the master components and puts them in the /etc/kubernetes/manifests directory;
  • Configures RBAC and marks the master node so that it only runs control plane components;
  • Creates additional services, such as kube-proxy and kube-dns.

Add Node

token=$(kubeadm token list | grep authentication,signing | awk '{print $1}')
kubeadm join --token $token ${master_ip}

This involves the following steps:

  • Download the CA from the API server;
  • Create a local certificate and ask the API server to sign it;
  • Finally, configure kubelet to connect to the API server.

Remove installation

kubeadm reset


kubectl provides a large number of subcommands covering the various functions of a Kubernetes cluster. The following describes how to query the help of commands:

  • kubectl -h lists the subcommands;
  • kubectl options lists the global options;
  • kubectl <command> --help shows the help of a subcommand;
  • kubectl [command] [params] -o=<format> sets the output format;
  • kubectl explain [RESOURCE] shows the resource definition.

Configuration

The first step in using kubectl is to configure the Kubernetes cluster and the authentication method, including:

  • Cluster information: the Kubernetes server address;
  • User information: user name, password and key;
  • Context: the combination of cluster, user information and namespace.

Common command formats

  • Create: kubectl run <name> --image=<image> or kubectl create -f manifest.yaml
  • Query: kubectl get <resource>
  • Update: kubectl set or kubectl patch
  • Delete: kubectl delete <resource> <name> or kubectl delete -f manifest.yaml
  • Query a Pod IP: kubectl get pod <pod-name> -o jsonpath='{.status.podIP}'
  • Execute a command in a container: kubectl exec -ti <pod-name> sh
  • Container logs: kubectl logs [-f] <pod-name>
  • Expose a service: kubectl expose deploy <name> --port=80
  • Base64 decoding: kubectl get secret <secret-name> -o go-template='{{.data.key | base64decode}}'

kubectl run supports only Pods, ReplicationControllers, Deployments, Jobs, CronJobs and similar resources. The default is Deployment:

Resource type created     Parameter
ReplicationController     --generator=run/v1

Connect to a running container

kubectl attach connects to a running container, similar to docker attach.

Execute commands inside the container

kubectl exec executes a command in a running container.

Port forwarding

kubectl port-forward forwards local ports to the specified Pod.

# Listen on ports 5000 and 6000 locally, forwarding to ports 5000 and 6000 in the pod
kubectl port-forward mypod 5000 6000

# Listen on port 8888 locally, forwarding to 5000 in the pod
kubectl port-forward mypod 8888:5000

# Listen on a random port locally, forwarding to 5000 in the pod
kubectl port-forward mypod :5000

# Listen on a random port locally, forwarding to 5000 in the pod
kubectl port-forward mypod 0:5000

You can also forward local ports to a service, replica set or deployment.

# Forward to deployment 
kubectl port-forward deployment/redis-master 6379:6379
# Forward to replicaSet
kubectl port-forward rs/redis-master 6379:6379
# Forward to service
kubectl port-forward svc/redis-master 6379:6379

API server proxy

The kubectl proxy command provides an HTTP proxy for the Kubernetes API service.

kubectl proxy --port=8080

You can then use the proxy address http://localhost:8080/api/ to access the Kubernetes API directly, for example to query the Pod list:

curl http://localhost:8080/api/v1/namespaces/default/pods

If a non-localhost address is specified through --address, requests to port 8080 from other hosts get an unauthorized error, because the proxy only accepts requests whose Host header matches a localhost pattern. You can set --accept-hosts to relax this check, but note that the proxy performs no authentication of its own: every request it forwards carries the credentials of the kubectl user, so an accept-all pattern on a non-localhost address exposes that identity to anyone who can reach the port.

kubectl proxy --address='' --port=8080 --accept-hosts='^*$'
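As an added example (not from the original page), a small wrapper that only starts kubectl proxy on a loopback address: it rejects the empty --address (which binds all interfaces, not the default) and adds a secrets pattern to --reject-paths; the pattern list is this example's own choice, on top of the exec and attach paths kubectl already rejects by default.

```shell
#!/bin/sh
# Added example, not from the page: start kubectl proxy only on a loopback
# address. The proxy does no authentication of its own and forwards every
# request with the kubectl user's credentials, so --address='' (which means
# "all interfaces", not "default") plus --accept-hosts='^*$' hands that
# identity to anyone who can reach the port. The secrets entry in
# --reject-paths is this example's own choice; kubectl already rejects the
# pods/*/exec and pods/*/attach paths by default.

# proxy_args ADDR [PORT]: print the vetted flag list, or fail for a
# non-loopback address (including the empty string).
proxy_args() {
  addr=$1
  port=${2:-8001}
  case "$addr" in
    127.*|localhost|::1) ;;
    *) echo "refusing to bind kubectl proxy to '$addr'" >&2; return 1 ;;
  esac
  printf '%s %s %s\n' "--address=$addr" "--port=$port" \
    "--reject-paths=^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach,^/api/v1/namespaces/[^/]+/secrets"
}

# safe_proxy ADDR [PORT]: run kubectl proxy with the vetted flags.
safe_proxy() {
  args=$(proxy_args "$@") || return 1
  # word splitting of $args is intended: each flag becomes one argument
  kubectl proxy $args
}
```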

File copy

kubectl cp copies files from containers or to containers.

# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace 
kubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir 
# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container> 
# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace> 
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar 
# Copy /tmp/foo from a remote pod to /tmp/bar locally 
kubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar

Options: -c, --container='': Container name. If omitted, the first container in the pod will be chosen

kubectl drain

kubectl drain NODE [Options]
  • It deletes the Pods created by a ReplicationController, ReplicaSet, DaemonSet, StatefulSet or Job on the NODE;
  • It does not delete mirror pods, because mirror pods cannot be deleted through the API;
  • If there are Pods of other types and the --force option is not given, the command fails;
  • If the --force option is given, Pods not created through a ReplicationController, Job or DaemonSet are forcibly deleted.

Sometimes you do not need to evict Pods, only to mark the node as unschedulable; use the kubectl cordon command for that. To restore it, run kubectl uncordon NODE to make the node schedulable again.

Permission check

kubectl auth provides two subcommands to check user authorization:

  • kubectl auth can-i checks whether the user has permission to perform an operation.

# Check to see if I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces 
# Check to see if I can list deployments in my current namespace 
kubectl auth can-i list deployments.extensions 
# Check to see if I can do everything in my current namespace ("*" means all) 
kubectl auth can-i '*' '*' 
# Check to see if I can get the job named "bar" in namespace "foo" 
kubectl auth can-i list jobs.batch/bar -n foo
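As an added example (not from the original page), a script that runs kubectl auth can-i over a set of verb/resource pairs that commonly enable privilege escalation, for a subject given with --as; the pair list is this example's own selection, and KUBECTL can be pointed at a stub so the logic runs without a cluster.

```shell
#!/bin/sh
# Added example, not from the page: run kubectl auth can-i over a set of
# verb/resource pairs that commonly enable privilege escalation, for a subject
# given with --as (the caller needs the "impersonate" verb for that). The list
# of pairs is this example's own selection. KUBECTL may be overridden, e.g. with
# a stub function, which is how the check is exercised without a cluster.
KUBECTL=${KUBECTL:-kubectl}

# check_sensitive SUBJECT: print each "verb resource" the subject may perform
# in any namespace; return 0 only if none of them is allowed.
check_sensitive() {
  subject=$1
  found=0
  for pair in "get secrets" "create pods" "create pods/exec" \
              "escalate clusterroles" "bind clusterrolebindings" \
              "impersonate users"; do
    set -- $pair   # split the pair into verb ($1) and resource ($2)
    # can-i prints "yes" or "no"; its exit status 1 on "no" is not an error here
    answer=$($KUBECTL auth can-i "$1" "$2" --all-namespaces --as="$subject" 2>/dev/null)
    if [ "$answer" = yes ]; then
      echo "$1 $2"
      found=$((found + 1))
    fi
  done
  [ "$found" -eq 0 ]
}

# Usage: check_sensitive system:serviceaccount:default:app
# A non-zero exit means at least one sensitive pair is allowed cluster-wide.
```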

View events

# View all events
kubectl get events --all-namespaces
# View the events of the object named nginx
kubectl get events --field-selector involvedObject.name=nginx,involvedObject.namespace=default
# View the events of the service named nginx
kubectl get events --field-selector involvedObject.name=nginx,involvedObject.namespace=default,involvedObject.kind=Service
# View the events of a Pod
kubectl get events --field-selector involvedObject.name=<pod-name>,involvedObject.kind=Pod


Added by climbjm on Mon, 21 Feb 2022 05:44:56 +0200