11 - Kubernetes Essential Commands

Rohit Pagote

Security in Kubernetes

View Certificates

  • The manifest files (the static pod definitions for the control plane components) are stored at

    /etc/kubernetes/manifests/

  • The certificate files (.crt and .key) are stored at location

    /etc/kubernetes/pki/

  • The etcd and CA certificate files (.crt and .key) are stored at

    /etc/kubernetes/pki/etcd

  • Command to view a certificate's details (subject, issuer, SANs, validity period) in text form

    openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout

Certificates API

  • Command to base64-encode a certificate signing request (.csr) on a single line, so it can be placed in the request field of the CSR object

    cat akshay.csr | base64 -w 0

  • Command to approve the CSR request

    kubectl certificate approve akshay

  • Command to deny the CSR request

    kubectl certificate deny akshay

  • Command to get more details on a particular CSR (groups, signerName, etc.)

    kubectl get csr akshay -o yaml

  • Command to delete the CSR request

    kubectl delete csr akshay
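The CSR workflow above, wrapped into shell functions as an added example (not code from the original post). "akshay" is the user from the page; the function names, the 2048-bit key, the 24h expiry and the kube-apiserver-client signer are assumptions.

```shell
# Added example: build, review and approve a CertificateSigningRequest for a user.
set -eu

# Build a CertificateSigningRequest manifest from a PEM CSR file. The request
# field must carry the CSR base64-encoded on a single line, hence base64 -w 0.
build_csr_manifest() {
  local name="$1" csr_file="$2" expiry="${3:-86400}"   # expiry in seconds (assumed default 24h)
  local encoded
  encoded=$(base64 -w 0 < "$csr_file")
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${encoded}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${expiry}
  usages:
  - client auth
EOF
}

# Decode the request field of a CSR manifest (the output of build_csr_manifest, or of
# "kubectl get csr <name> -o yaml") back to PEM so it can be reviewed before approval.
csr_request_pem() {
  printf '%s\n' "$1" | sed -n 's/^ *request: *//p' | base64 -d
}

# End-to-end flow for a new user. Needs openssl and kubectl, so it is not run by the test.
# The CN becomes the Kubernetes username; an /O= component in -subj would set the group.
issue_user_cert() {
  local user="$1"
  openssl genrsa -out "${user}.key" 2048
  openssl req -new -key "${user}.key" -subj "/CN=${user}" -out "${user}.csr"
  build_csr_manifest "$user" "${user}.csr" | kubectl apply -f -
  # Review subject, groups and signerName before approving; deny if anything is off.
  kubectl get csr "$user" -o yaml
  kubectl certificate approve "$user"
  kubectl get csr "$user" -o jsonpath='{.status.certificate}' | base64 -d > "${user}.crt"
}
```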

KubeConfig

  • Default location of the kubeconfig file (note: the file is named config, with no extension)

    /root/.kube/config

  • Structure of a kubeconfig file: a list of clusters, a list of users (credentials), and contexts that pair one cluster with one user

    apiVersion: v1
    kind: Config
    current-context: user-name@cluster-name
    clusters:
    - name: cluster-name
      cluster:
        certificate-authority: /etc/kubernetes/pki/ca.crt
        server: https://<control-plane-address>:6443
    contexts:
    - name: user-name@cluster-name
      context:
        cluster: cluster-name
        user: user-name
    users:
    - name: user-name
      user:
        client-certificate: /path/to/user.crt
        client-key: /path/to/user.key

  • Command to view a kubeconfig file stored somewhere other than the default location

    kubectl config view --kubeconfig=my-kube-config

  • Command to change the current context

    kubectl config --kubeconfig=/root/my-kube-config use-context research

  • Command to show the current context

    kubectl config --kubeconfig=/root/my-kube-config current-context

Roles and RoleBindings

  • Command to count the roles across all namespaces (count the lines of the kubectl output)

    kubectl get roles --all-namespaces --no-headers | wc -l

  • Command to describe a particular role

    kubectl describe role kube-proxy -n kube-system

  • Command to check whether a particular operation is allowed when impersonating another user

    kubectl auth can-i get pods --as dev-user

  • Command to describe a particular rolebinding

    kubectl describe rolebinding kube-proxy -n kube-system

ClusterRole and ClusterRoleBindings

  • Command to count the number of lines of clusterroles from the kubectl output

    kubectl get clusterroles --no-headers | wc -l

  • Command to count the number of lines of clusterrolebindings from the kubectl output

    kubectl get clusterrolebindings --no-headers | wc -l

Service Accounts

  • Command to create service account

    kubectl create sa <sa-name>

  • Command to describe service account (to see the tokens mounted)

    kubectl describe sa <sa-name>

  • Command to inspect an application (pod) and identify the service account it uses (serviceAccountName field)

    kubectl get pod -o yaml

  • Location where the service account credentials are mounted inside the pod

    /var/run/secrets

    • (you can confirm this by running kubectl describe pod <pod-name> and looking at the Mounts field)
  • Command to create a token for service account

    kubectl create token <sa-name>


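The credentials mounted at the service account path above are a projected token (a JWT), so a defender can check who it identifies and when it expires with base64 alone. This is an added example, not code from the original post; the function names, the full mount path under /var/run/secrets and the sample token are assumptions or constructed.

```shell
# Added example: decode the mounted service account token to see its claims.
set -eu

# Assumption: the standard projected mount path below the page's /var/run/secrets.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# Decode one JWT segment: base64url alphabet ('-' '_') and no '=' padding.
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  s="${s}$(printf '%*s' "$pad" '' | tr ' ' '=')"
  printf '%s' "$s" | base64 -d
}

# Print the payload JSON (second segment) of a token string.
sa_token_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one scalar claim (e.g. sub, exp) from the payload without jq.
sa_token_claim() {   # usage: sa_token_claim <token> <claim>
  sa_token_payload "$1" | sed -n 's/.*"'"$2"'": *"\{0,1\}\([^",}]*\).*/\1/p'
}

# Inside a pod: show the namespace and the identity/expiry the kubelet projected.
show_mounted_token() {
  echo "namespace: $(cat "$SA_DIR/namespace")"
  echo "subject:   $(sa_token_claim "$(cat "$SA_DIR/token")" sub)"
  echo "expires:   $(sa_token_claim "$(cat "$SA_DIR/token")" exp)"
}

# Constructed sample token (header.payload.signature); the signature is not real.
SAMPLE_PAYLOAD='{"sub":"system:serviceaccount:default:app","exp":1700000000}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256"}' | base64 -w 0 | tr '/+' '_-' | tr -d '=').$(printf '%s' "$SAMPLE_PAYLOAD" | base64 -w 0 | tr '/+' '_-' | tr -d '=').constructedsig"
sa_token_payload "$SAMPLE_TOKEN"; echo
```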
Install Kubeadm

  • Installing kubeadm (prerequisites, per the official installation guide)

  • Installing a container runtime

  • Enable IPv4 packet forwarding

  • Getting started with containerd (references: containerd GitHub, Docker Engine docs)

  • Check that the runtime is running: systemctl status containerd

  • Configuring the systemd cgroup driver

  • Restart the runtime after changing its config: systemctl restart containerd

  • Installing kubeadm, kubelet and kubectl


Linux commands

  • Command to check the OS distribution name and release

    cat /etc/*-release

  • Command to remove all the content of a file after opening it using vi

    :1,$d

Linux Networking commands

  • Command to list the network interfaces for the hosts

    ip link

      root@linux:~# ip link
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      2: enp0s1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
          link/ether c2:f6:aa:e3:7d:f5 brd ff:ff:ff:ff:ff:ff

  • Command to list the IP addresses assigned to the network interfaces

    ip addr

  • Command to assign/set IP address on the system/host/interface

    ip addr add 192.168.1.10/24 dev eth0

  • Command to view the routing table configuration on the system

    route (or: ip route)

  • Command to add entries into the routing table

    ip route add 192.168.2.0/24 via 192.168.1.1

  • Command to check if IP forwarding is enabled on host

    cat /proc/sys/net/ipv4/ip_forward

    • If the output is 0, change it to 1 to enable the IP forwarding

DNS commands

  • Local file on the host that maps hostnames to IP addresses

    /etc/hosts

    • You can have as many names as you want for as many servers as you want in the /etc/hosts file.

    • Can have multiple hostnames for the same IP address as well.

      root@linux:~# cat /etc/hosts
      192.168.1.10    web

  • DNS resolution configuration file on the host: it lists the nameserver(s) to which lookups not answered from /etc/hosts are forwarded

    /etc/resolv.conf

      root@linux:~# cat /etc/resolv.conf
      nameserver 8.8.8.8        # forward all lookups to 8.8.8.8

  • File that sets the order the resolver uses to map a hostname to an IP address (with the entry below: local /etc/hosts first, then DNS)

    /etc/nsswitch.conf

      root@linux:~# cat /etc/nsswitch.conf
      ...
      hosts:    files dns
      ...


Change the default namespace

  • Command to set the default namespace for the current context

    kubectl config set-context --current --namespace alpha


Networking commands

  • Command to view the bridge type interface

    ip addr show type bridge

  • If you were to ping google from the controlplane node, which route does it take?

    ip route   (look at the default route and its gateway IP)

  • Command to view the port the kube-scheduler is listening on

    netstat -nplt | grep scheduler

  • Command to view the ports etcd is listening on

    netstat -nplt | grep etcd

  • etcd is listening on two ports. Which of these has more client connections established? (count the connections on 2379, then repeat for the other port)

    netstat -anp | grep etcd | grep 2379 | wc -l

  • Command to get the container-runtime endpoints defined in kubelet

    ps aux | grep kubelet | grep container-runtime

  • Path configured with all binaries of CNI supported plugins

    /opt/cni/bin

  • Path to view the configured CNI plugin on cluster

    /etc/cni/net.d

  • Range of IP addresses configured for pods on this cluster (weave CNI)

    kubectl logs <weave-pod-name> weave -n kube-system   (look for ipalloc-range)

  • IP Range configured for the services within the cluster

    cat /etc/kubernetes/manifests/kube-apiserver.yaml | grep cluster-ip-range

  • Proxy mode that kube-proxy is configured to use (printed in its logs)

    kubectl logs <kube-proxy-pod-name> -n kube-system

  • Identify the DNS add-on in use

    kubectl get pods -A   (look for the DNS pod, e.g. coredns)

  • Path of configuration file for configuring the CoreDNS service

    /etc/coredns/Corefile

  • How the Corefile is passed to the CoreDNS service

    as a ConfigMap

  • Root domain/zone configured for this kubernetes cluster

    kubectl describe configmap coredns -n kube-system

Written by

Rohit Pagote

I am an aspiring DevOps Engineer proficient with containers and container orchestration tools like Docker and Kubernetes, and experienced with Infrastructure as Code and Configuration as Code tools such as Terraform and Ansible. Well-versed in the CI/CD tool Jenkins. I have hands-on experience with various AWS and Azure services. I really enjoy learning new things and connecting with people across a range of industries, so don't hesitate to reach out if you'd like to get in touch.