This section contains the most basic commands for getting a workload running on your cluster.
run
will start running 1 or more instances of a container image on your cluster.expose
will load balance traffic across the running instances, and can create a HA proxy for accessing the containers from outside the cluster.Once your workloads are running, you can use the commands in the WORKING WITH APPS section to inspect them.
Create a pod using the data in pod.json.
kubectl create -f ./pod.json
Create a pod based on the JSON passed into stdin.
cat pod.json | kubectl create -f -
Edit the data in docker-registry.yaml in JSON then create the resource using the edited data.
kubectl create -f docker-registry.yaml --edit -o json
Create a resource from a file or from stdin.
JSON and YAML formats are accepted.
$ kubectl create -f FILENAME
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
edit | false | Edit the API resource before creating | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files to use to create the resource |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
raw | Raw URI to POST to the server. Uses the transport specified by the kubeconfig file. | ||
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it | |
windows-line-endings | false | Only relevant if --edit=true. Defaults to the line ending native to your platform. |
Create a ClusterRole named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
Create a ClusterRole named "pod-reader" with ResourceName specified
kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
Create a ClusterRole named "foo" with API Group specified
kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions
Create a ClusterRole named "foo" with SubResource specified
kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
Create a ClusterRole name "foo" with NonResourceURL specified
kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
Create a ClusterRole name "monitoring" with AggregationRule specified
kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
Create a ClusterRole.
$ kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
aggregation-rule | An aggregation label selector for combining ClusterRoles. | ||
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
non-resource-url | [] | A partial url that user should have access to. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
resource | [] | Resource that the rule applies to | |
resource-name | [] | Resource in the white list that the rule applies to, repeat this flag for multiple items | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it | |
verb | [] | Verb that applies to the resources contained in the rule |
Create a ClusterRoleBinding for user1, user2, and group1 using the cluster-admin ClusterRole
kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1
Create a ClusterRoleBinding for a particular ClusterRole.
$ kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
clusterrole | ClusterRole this ClusterRoleBinding should reference | ||
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
group | [] | Groups to bind to the clusterrole | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
serviceaccount | [] | Service accounts to bind to the clusterrole, in the format <namespace>:<name> | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new configmap named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
Create a new configmap named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
Create a new configmap named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
Create a new configmap named my-config from the key=value pairs in the file
kubectl create configmap my-config --from-file=path/to/bar
Create a new configmap named my-config from an env file
kubectl create configmap my-config --from-env-file=path/to/bar.env
Create a configmap based on a file, directory, or specified literal value.
A single configmap may package one or more key/value pairs.
When creating a configmap based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key, you may specify an alternate key.
When creating a configmap based on a directory, each file whose basename is a valid key in the directory will be packaged into the configmap. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).
$ kubectl create configmap NAME [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
append-hash | false | Append a hash of the configmap to its name. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
from-env-file | Specify the path to a file to read lines of key=val pairs to create a configmap (i.e. a Docker .env file). | ||
from-file | [] | Key file can be specified using its file path, in which case file basename will be used as configmap key, or optionally with a key and file path, in which case the given key will be used. Specifying a directory will iterate each named file in the directory whose basename is a valid configmap key. | |
from-literal | [] | Specify a key and literal value to insert in configmap (i.e. mykey=somevalue) | |
generator | configmap/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a cronjob
kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *"
Create a cronjob with command
kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" -- date
Create a cronjob with the specified name.
$ kubectl create cronjob NAME --image=image --schedule='0/5 * * * ?' -- [COMMAND] [args...]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
image | Image name to run. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
restart | job's restart policy. supported values: OnFailure, Never | ||
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
schedule | A schedule in the Cron format the job should be run with. | ||
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a deployment named my-dep that runs the busybox image.
kubectl create deployment my-dep --image=busybox
Create a deployment with command
kubectl create deployment my-dep --image=busybox -- date
Create a deployment named my-dep that runs the nginx image with 3 replicas.
kubectl create deployment my-dep --image=nginx --replicas=3
Create a deployment named my-dep that runs the busybox image and expose port 5701.
kubectl create deployment my-dep --image=busybox --port=5701
Create a deployment with the specified name.
$ kubectl create deployment NAME --image=image -- [COMMAND] [args...]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | The name of the API generator to use. | ||
image | [] | Image names to run. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
port | -1 | The port that this container exposes. | |
replicas | r | 1 | Number of replicas to create. Default is 1. |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a job
kubectl create job my-job --image=busybox
Create a job with command
kubectl create job my-job --image=busybox -- date
Create a job from a CronJob named "a-cronjob"
kubectl create job test-job --from=cronjob/a-cronjob
Create a job with the specified name.
$ kubectl create job NAME --image=image [--from=cronjob/name] -- [COMMAND] [args...]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
from | The name of the resource to create a Job from (only cronjob is supported). | ||
image | Image name to run. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new namespace named my-namespace
kubectl create namespace my-namespace
Create a namespace with the specified name.
$ kubectl create namespace NAME [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | namespace/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a pod disruption budget named my-pdb that will select all pods with the app=rails label # and require at least one of them being available at any point in time.
kubectl create poddisruptionbudget my-pdb --selector=app=rails --min-available=1
Create a pod disruption budget named my-pdb that will select all pods with the app=nginx label # and require at least half of the pods selected to be available at any point in time.
kubectl create pdb my-pdb --selector=app=nginx --min-available=50%
Create a pod disruption budget with the specified name, selector, and desired minimum available pods
$ kubectl create poddisruptionbudget NAME --selector=SELECTOR --min-available=N [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | poddisruptionbudget/v1beta1/v2 | The name of the API generator to use. | |
max-unavailable | The maximum number or percentage of unavailable pods this budget requires. | ||
min-available | The minimum number or percentage of available pods this budget requires. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
selector | A label selector to use for this budget. Only equality-based selector requirements are supported. | ||
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a priorityclass named high-priority
kubectl create priorityclass high-priority --value=1000 --description="high priority"
Create a priorityclass named default-priority that considered as the global default priority
kubectl create priorityclass default-priority --value=1000 --global-default=true --description="default priority"
Create a priorityclass named high-priority that can not preempt pods with lower priority
kubectl create priorityclass high-priority --value=1000 --description="high priority" --preemption-policy="Never"
Create a priorityclass with the specified name, value, globalDefault and description
$ kubectl create priorityclass NAME --value=VALUE --global-default=BOOL [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
description | description is an arbitrary string that usually provides guidelines on when this priority class should be used. | ||
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | priorityclass/v1 | The name of the API generator to use. | |
global-default | false | global-default specifies whether this PriorityClass should be considered as the default priority. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
preemption-policy | PreemptLowerPriority | preemption-policy is the policy for preempting pods with lower priority. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it | |
value | 0 | the value of this priority class. |
Create a new resourcequota named my-quota
kubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10
Create a new resourcequota named best-effort
kubectl create quota best-effort --hard=pods=100 --scopes=BestEffort
Create a resourcequota with the specified name, hard limits and optional scopes
$ kubectl create quota NAME [--hard=key1=value1,key2=value2] [--scopes=Scope1,Scope2] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | resourcequotas/v1 | The name of the API generator to use. | |
hard | A comma-delimited set of resource=quantity pairs that define a hard limit. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
scopes | A comma-delimited set of quota scopes that must all match each object tracked by the quota. | ||
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
Create a Role named "pod-reader" with ResourceName specified
kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
Create a Role named "foo" with API Group specified
kubectl create role foo --verb=get,list,watch --resource=rs.extensions
Create a Role named "foo" with SubResource specified
kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
Create a role with single rule.
$ kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
resource | [] | Resource that the rule applies to | |
resource-name | [] | Resource in the white list that the rule applies to, repeat this flag for multiple items | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it | |
verb | [] | Verb that applies to the resources contained in the rule |
Create a RoleBinding for user1, user2, and group1 using the admin ClusterRole
kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
Create a RoleBinding for a particular Role or ClusterRole.
$ kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
clusterrole | ClusterRole this RoleBinding should reference | ||
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | rolebinding.rbac.authorization.k8s.io/v1alpha1 | The name of the API generator to use. | |
group | [] | Groups to bind to the role | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
role | Role this RoleBinding should reference | ||
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
serviceaccount | [] | Service accounts to bind to the role, in the format <namespace>:<name> | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a secret using specified subcommand.
$ kubectl create secret
If you don't already have a .dockercfg file, you can create a dockercfg secret directly by using:
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
Create a new secret for use with Docker registries.
Dockercfg secrets are used to authenticate against Docker registries.
When using the Docker command line to push images, you can authenticate to a given registry by running: '$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.
That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate to the registry. The email address is optional.
When creating applications, you may have a Docker registry that requires authentication. In order for the nodes to pull images on your behalf, they have to have the credentials. You can provide this information by creating a dockercfg secret and attaching it to your service account.
$ kubectl create docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-literal=key1=value1] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
append-hash | false | Append a hash of the secret to its name. | |
docker-email | Email for Docker registry | ||
docker-password | Password for Docker registry authentication | ||
docker-server | https://index.docker.io/v1/ | Server location for Docker registry | |
docker-username | Username for Docker registry authentication | ||
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
from-file | [] | Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key. | |
generator | secret-for-docker-registry/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new secret named my-secret with keys for each file in folder bar
kubectl create secret generic my-secret --from-file=path/to/bar
Create a new secret named my-secret with specified keys instead of names on disk
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub
Create a new secret named my-secret with key1=supersecret and key2=topsecret
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
Create a new secret named my-secret using a combination of a file and a literal
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
Create a new secret named my-secret from an env file
kubectl create secret generic my-secret --from-env-file=path/to/bar.env
Create a secret based on a file, directory, or specified literal value.
A single secret may package one or more key/value pairs.
When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key.
When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).
$ kubectl create generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
append-hash | false | Append a hash of the secret to its name. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
from-env-file | Specify the path to a file to read lines of key=val pairs to create a secret (i.e. a Docker .env file). | ||
from-file | [] | Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key. | |
from-literal | [] | Specify a key and literal value to insert in secret (i.e. mykey=somevalue) | |
generator | secret/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
type | The type of secret to create | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new TLS secret named tls-secret with the given key pair:
kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
Create a TLS secret from the given public/private key pair.
The public/private key pair must exist before hand. The public key certificate must be .PEM encoded and match the given private key.
$ kubectl create tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
append-hash | false | Append a hash of the secret to its name. | |
cert | Path to PEM encoded public key certificate. | ||
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | secret-for-tls/v1 | The name of the API generator to use. | |
key | Path to private key associated with given certificate. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a service using specified subcommand.
$ kubectl create service
Create a new ClusterIP service named my-cs
kubectl create service clusterip my-cs --tcp=5678:8080
Create a new ClusterIP service named my-cs (in headless mode)
kubectl create service clusterip my-cs --clusterip="None"
Create a ClusterIP service with the specified name.
$ kubectl create clusterip NAME [--tcp=<port>:<targetPort>] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
clusterip | Assign your own ClusterIP or set to 'None' for a 'headless' service (no loadbalancing). | ||
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | service-clusterip/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
tcp | [] | Port pairs can be specified as '<port>:<targetPort>'. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new ExternalName service named my-ns
kubectl create service externalname my-ns --external-name bar.com
Create an ExternalName service with the specified name.
ExternalName service references to an external DNS address instead of only pods, which will allow application authors to reference services that exist off platform, on other clusters, or locally.
$ kubectl create externalname NAME --external-name external.name [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
external-name | External name of service | ||
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | service-externalname/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
tcp | [] | Port pairs can be specified as '<port>:<targetPort>'. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new LoadBalancer service named my-lbs
kubectl create service loadbalancer my-lbs --tcp=5678:8080
Create a LoadBalancer service with the specified name.
$ kubectl create loadbalancer NAME [--tcp=port:targetPort] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | service-loadbalancer/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
tcp | [] | Port pairs can be specified as '<port>:<targetPort>'. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new NodePort service named my-ns
kubectl create service nodeport my-ns --tcp=5678:8080
Create a NodePort service with the specified name.
$ kubectl create nodeport NAME [--tcp=port:targetPort] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | service-nodeport/v1 | The name of the API generator to use. | |
node-port | 0 | Port used to expose the service on each node in a cluster. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
tcp | [] | Port pairs can be specified as '<port>:<targetPort>'. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Create a new service account named my-service-account
kubectl create serviceaccount my-service-account
Create a service account with the specified name.
$ kubectl create serviceaccount NAME [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-create | Name of the manager used to track field ownership. | |
generator | serviceaccount/v1 | The name of the API generator to use. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
List all pods in ps output format.
kubectl get pods
List all pods in ps output format with more information (such as node name).
kubectl get pods -o wide
List a single replication controller with specified NAME in ps output format.
kubectl get replicationcontroller web
List deployments in JSON output format, in the "v1" version of the "apps" API group:
kubectl get deployments.v1.apps -o json
List a single pod in JSON output format.
kubectl get -o json pod web-pod-13je7
List a pod identified by type and name specified in "pod.yaml" in JSON output format.
kubectl get -f pod.yaml -o json
List resources from a directory with kustomization.yaml - e.g. dir/kustomization.yaml.
kubectl get -k dir/
Return only the phase value of the specified pod.
kubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}
List resource information in custom columns.
kubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0].name,IMAGE:.spec.containers[0].image
List all replication controllers and services together in ps output format.
kubectl get rc,services
List one or more resources by their type and names.
kubectl get rc/web service/frontend pods/web-pod-13je7
Display one or many resources
Prints a table of the most important information about the specified resources. You can filter the list using a label selector and the --selector flag. If the desired resource type is namespaced you will only see results in your current namespace unless you pass --all-namespaces.
Uninitialized objects are not shown unless --include-uninitialized is passed.
By specifying the output as 'template' and providing a Go template as the value of the --template flag, you can filter the attributes of the fetched resources.
Use "kubectl api-resources" for a complete list of supported resources.
$ kubectl get [(-o|--output=)json|yaml|wide|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=...] (TYPE[.VERSION][.GROUP] [NAME | -l label] | TYPE[.VERSION][.GROUP]/NAME ...) [flags]
Name | Shorthand | Default | Usage |
---|---|---|---|
all-namespaces | A | false | If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
chunk-size | 500 | Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future. | |
field-selector | Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. | ||
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
ignore-not-found | false | If the requested object does not exist the command will return exit code 0. | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
label-columns | L | [] | Accepts a comma separated list of labels that are going to be presented as columns. Names are case-sensitive. You can also use multiple flag options like -L label1 -L label2... |
no-headers | false | When using the default or custom-column output format, don't print headers (default print headers). | |
output | o | Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [http://kubernetes.io/docs/user-guide/jsonpath]. | |
output-watch-events | false | Output watch event objects when --watch or --watch-only is used. Existing objects are output as initial ADDED events. | |
raw | Raw URI to request from the server. Uses the transport specified by the kubeconfig file. | ||
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
server-print | true | If true, have the server return the appropriate table output. Supports extension APIs and CRDs. | |
show-kind | false | If present, list the resource type for the requested object(s). | |
show-labels | false | When printing, show all labels as the last column (default hide labels column) | |
sort-by | If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. | ||
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
use-openapi-print-columns | false | If true, use x-kubernetes-print-column metadata (if present) from the OpenAPI schema for displaying a resource. | |
watch | w | false | After listing/getting the requested object, watch for changes. Uninitialized objects are excluded if no object name is provided. |
watch-only | false | Watch for changes to the requested object(s), without listing/getting first. |
Start a nginx pod.
kubectl run nginx --image=nginx
Start a hazelcast pod and let the container expose port 5701.
kubectl run hazelcast --image=hazelcast/hazelcast --port=5701
Start a hazelcast pod and set environment variables "DNS_DOMAIN=cluster" and "POD_NAMESPACE=default" in the container.
kubectl run hazelcast --image=hazelcast/hazelcast --env="DNS_DOMAIN=cluster" --env="POD_NAMESPACE=default"
Start a hazelcast pod and set labels "app=hazelcast" and "env=prod" in the container.
kubectl run hazelcast --image=hazelcast/hazelcast --labels="app=hazelcast,env=prod"
Dry run. Print the corresponding API objects without creating them.
kubectl run nginx --image=nginx --dry-run=client
Start a nginx pod, but overload the spec with a partial set of values parsed from JSON.
kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }'
Start a busybox pod and keep it in the foreground, don't restart it if it exits.
kubectl run -i -t busybox --image=busybox --restart=Never
Start the nginx pod using the default command, but use custom arguments (arg1 .. argN) for that command.
kubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>
Start the nginx pod using a different command and custom arguments.
kubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>
Create and run a particular image in a pod.
$ kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server|client] [--overrides=inline-json] [--command] -- [COMMAND] [args...]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
attach | false | If true, wait for the Pod to start running, and then attach to the Pod as if 'kubectl attach ...' were called. Default false, unless '-i/--stdin' is set, in which case the default is true. With '--restart=Never' the exit code of the container process is returned. | |
cascade | true | If true, cascade the deletion of the resources managed by this resource (e.g. Pods created by a ReplicationController). Default true. | |
command | false | If true and extra arguments are present, use them as the 'command' field in the container, rather than the 'args' field which is the default. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
env | [] | Environment variables to set in the container. | |
expose | false | If true, service is created for the container(s) which are run | |
field-manager | kubectl-run | Name of the manager used to track field ownership. | |
filename | f | [] | to use to replace the resource. |
force | false | If true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation. | |
generator | run-pod/v1 | The name of the API generator to use, see http://kubernetes.io/docs/user-guide/kubectl-conventions/#generators for a list. | |
grace-period | -1 | Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). | |
hostport | -1 | The host port mapping for the container port. To demonstrate a single-machine container. | |
image | The image for the container to run. | ||
image-pull-policy | The image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server | ||
kustomize | k | Process a kustomization directory. This flag can't be used together with -f or -R. | |
labels | l | Comma separated labels to apply to the pod(s). Will override previous values. | |
leave-stdin-open | false | If the pod is started in interactive mode or with stdin, leave stdin open after the first attach completes. By default, stdin will be closed after the first attach completes. | |
limits | The resource requirement limits for this container. For example, 'cpu=200m,memory=512Mi'. Note that server side components may assign limits depending on the server configuration, such as limit ranges. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
overrides | An inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field. | ||
pod-running-timeout | 1m0s | The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running | |
port | The port that this container exposes. | ||
privileged | false | If true, run the container in privileged mode. | |
quiet | false | If true, suppress prompt messages. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
replicas | r | 1 | Number of replicas to create for this container. Default is 1. |
requests | The resource requirement requests for this container. For example, 'cpu=100m,memory=256Mi'. Note that server side components may assign requests depending on the server configuration, such as limit ranges. | ||
restart | Always | The restart policy for this Pod. Legal values [Always, OnFailure, Never]. | |
rm | false | If true, delete resources created in this command for attached containers. | |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
schedule | A schedule in the Cron format the job should be run with. | ||
service-generator | service/v2 | The name of the generator to use for creating a service. Only used if --expose is true | |
service-overrides | An inline JSON override for the generated service object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field. Only used if --expose is true. | ||
serviceaccount | Service account to set in the pod spec. | ||
stdin | i | false | Keep stdin open on the container(s) in the pod, even if nothing is attached. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
timeout | 0s | The length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object | |
tty | t | false | Allocated a TTY for each container in the pod. |
wait | false | If true, wait for resources to be gone before returning. This waits for finalizers. |
Create a service for a replicated nginx, which serves on port 80 and connects to the containers on port 8000.
kubectl expose rc nginx --port=80 --target-port=8000
Create a service for a replication controller identified by type and name specified in "nginx-controller.yaml", which serves on port 80 and connects to the containers on port 8000.
kubectl expose -f nginx-controller.yaml --port=80 --target-port=8000
Create a service for a pod valid-pod, which serves on port 444 with the name "frontend"
kubectl expose pod valid-pod --port=444 --name=frontend
Create a second service based on the above service, exposing the container port 8443 as port 443 with the name "nginx-https"
kubectl expose service nginx --port=443 --target-port=8443 --name=nginx-https
Create a service for a replicated streaming application on port 4100 balancing UDP traffic and named 'video-stream'.
kubectl expose rc streamer --port=4100 --protocol=UDP --name=video-stream
Create a service for a replicated nginx using replica set, which serves on port 80 and connects to the containers on port 8000.
kubectl expose rs nginx --port=80 --target-port=8000
Create a service for an nginx deployment, which serves on port 80 and connects to the containers on port 8000.
kubectl expose deployment nginx --port=80 --target-port=8000
Expose a resource as a new Kubernetes service.
Looks up a deployment, service, replica set, replication controller or pod by name and uses the selector for that resource as the selector for a new service on the specified port. A deployment or replica set will be exposed as a service only if its selector is convertible to a selector that service supports, i.e. when the selector contains only the matchLabels component. Note that if no port is specified via --port and the exposed resource has multiple ports, all will be re-used by the new service. Also if no labels are specified, the new service will re-use the labels from the resource it exposes.
Possible resources include (case insensitive):
pod (po), service (svc), replicationcontroller (rc), deployment (deploy), replicaset (rs)
$ kubectl expose (-f FILENAME | TYPE NAME) [--port=port] [--protocol=TCP|UDP|SCTP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
cluster-ip | ClusterIP to be assigned to the service. Leave empty to auto-allocate, or set to 'None' to create a headless service. | ||
container-port | Synonym for --target-port | ||
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
external-ip | Additional external IP address (not managed by Kubernetes) to accept for the service. If this IP is routed to a node, the service can be accessed by this IP in addition to its generated service IP. | ||
field-manager | kubectl-expose | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to expose a service |
generator | service/v2 | The name of the API generator to use. There are 2 generators: 'service/v1' and 'service/v2'. The only difference between them is that service port in v1 is named 'default', while it is left unnamed in v2. Default is 'service/v2'. | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
labels | l | Labels to apply to the service created by this call. | |
load-balancer-ip | IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created and used (cloud-provider specific). | ||
name | The name for the newly created object. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
overrides | An inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field. | ||
port | The port that the service should serve on. Copied from the resource being exposed, if unspecified | ||
protocol | The network protocol for the service to be created. Default is 'TCP'. | ||
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
selector | A label selector to use for this service. Only equality-based selector requirements are supported. If empty (the default) infer the selector from the replication controller or replica set.) | ||
session-affinity | If non-empty, set the session affinity for the service to this; legal values: 'None', 'ClientIP' | ||
target-port | Name or number for the port on the container that the service should direct traffic to. Optional. | ||
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
type | Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. Default is 'ClusterIP'. |
Delete a pod using the type and name specified in pod.json.
kubectl delete -f ./pod.json
Delete resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml.
kubectl delete -k dir
Delete a pod based on the type and name in the JSON passed into stdin.
cat pod.json | kubectl delete -f -
Delete pods and services with same names "baz" and "foo"
kubectl delete pod,service baz foo
Delete pods and services with label name=myLabel.
kubectl delete pods,services -l name=myLabel
Delete a pod with minimal delay
kubectl delete pod foo --now
Force delete a pod on a dead node
kubectl delete pod foo --force
Delete all pods
kubectl delete pods --all
Delete resources by filenames, stdin, resources and names, or by resources and label selector.
JSON and YAML formats are accepted. Only one type of the arguments may be specified: filenames, resources and names, or resources and label selector.
Some resources, such as pods, support graceful deletion. These resources define a default period before they are forcibly terminated (the grace period) but you may override that value with the --grace-period flag, or pass --now to set a grace-period of 1. Because these resources often represent entities in the cluster, deletion may not be acknowledged immediately. If the node hosting a pod is down or cannot reach the API server, termination may take significantly longer than the grace period. To force delete a resource, you must specify the --force flag. Note: only a subset of resources support graceful deletion. In absence of the support, --grace-period is ignored.
IMPORTANT: Force deleting pods does not wait for confirmation that the pod's processes have been terminated, which can leave those processes running until the node detects the deletion and completes graceful deletion. If your processes use shared storage or talk to a remote API and depend on the name of the pod to identify themselves, force deleting those pods may result in multiple processes running on different machines using the same identification which may lead to data corruption or inconsistency. Only force delete pods when you are sure the pod is terminated, or if your application can tolerate multiple copies of the same pod running at once. Also, if you force delete pods the scheduler may place new pods on those nodes before the node has released those resources and causing those pods to be evicted immediately.
Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.
$ kubectl delete ([-f FILENAME] | [-k DIRECTORY] | TYPE [(NAME | -l label | --all)])
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Delete all resources, including uninitialized ones, in the namespace of the specified resource types. | |
all-namespaces | A | false | If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
cascade | true | If true, cascade the deletion of the resources managed by this resource (e.g. Pods created by a ReplicationController). Default true. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-selector | Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. | ||
filename | f | [] | containing the resource to delete. |
force | false | If true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation. | |
grace-period | -1 | Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). | |
ignore-not-found | false | Treat "resource not found" as a successful delete. Defaults to "true" when --all is specified. | |
kustomize | k | Process a kustomization directory. This flag can't be used together with -f or -R. | |
now | false | If true, resources are signaled for immediate shutdown (same as --grace-period=1). | |
output | o | Output mode. Use "-o name" for shorter output (resource/name). | |
raw | Raw URI to DELETE to the server. Uses the transport specified by the kubeconfig file. | ||
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, not including uninitialized ones. | |
timeout | 0s | The length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object | |
wait | true | If true, wait for resources to be gone before returning. This waits for finalizers. |
This section contains commands for creating, updating, deleting, and viewing your workloads in a Kubernetes cluster.
Apply the configuration in pod.json to a pod.
kubectl apply -f ./pod.json
Apply resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml.
kubectl apply -k dir/
Apply the JSON passed into stdin to a pod.
cat pod.json | kubectl apply -f -
Note: --prune is still in Alpha # Apply the configuration in manifest.yaml that matches label app=nginx and delete all the other resources that are not in the file and match label app=nginx.
kubectl apply --prune -f manifest.yaml -l app=nginx
Apply the configuration in manifest.yaml and delete all the other configmaps that are not in the file.
kubectl apply --prune -f manifest.yaml --all --prune-whitelist=core/v1/ConfigMap
Apply a configuration to a resource by filename or stdin. The resource name must be specified. This resource will be created if it doesn't exist yet. To use 'apply', always create the resource initially with either 'apply' or 'create --save-config'.
JSON and YAML formats are accepted.
Alpha Disclaimer: the --prune functionality is not yet complete. Do not use unless you are aware of what the current state is. See https://issues.k8s.io/34274.
$ kubectl apply (-f FILENAME | -k DIRECTORY)
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources in the namespace of the specified resource types. | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
cascade | true | If true, cascade the deletion of the resources managed by this resource (e.g. Pods created by a ReplicationController). Default true. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-client-side-apply | Name of the manager used to track field ownership. | |
filename | f | [] | that contains the configuration to apply |
force | false | If true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation. | |
force-conflicts | false | If true, server-side apply will force the changes against conflicts. | |
grace-period | -1 | Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). | |
kustomize | k | Process a kustomization directory. This flag can't be used together with -f or -R. | |
openapi-patch | true | If true, use openapi to calculate diff when the openapi presents and the resource can be found in the openapi spec. Otherwise, fall back to use baked-in types. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
overwrite | true | Automatically resolve conflicts between the modified and live configuration by using values from the modified configuration | |
prune | false | Automatically delete resource objects, including the uninitialized ones, that do not appear in the configs and are created by either apply or create --save-config. Should be used with either -l or --all. | |
prune-whitelist | [] | Overwrite the default whitelist with <group/version/kind> for --prune | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
server-side | false | If true, apply runs in the server instead of the client. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
timeout | 0s | The length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object | |
validate | true | If true, use a schema to validate the input before sending it | |
wait | false | If true, wait for resources to be gone before returning. This waits for finalizers. |
Edit the last-applied-configuration annotations by type/name in YAML.
kubectl apply edit-last-applied deployment/nginx
Edit the last-applied-configuration annotations by file in JSON.
kubectl apply edit-last-applied -f deploy.yaml -o json
Edit the latest last-applied-configuration annotations of resources from the default editor.
The edit-last-applied command allows you to directly edit any API resource you can retrieve via the command line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts filenames as well as command line arguments, although the files you point to must be previously saved versions of resources.
The default format is YAML. To edit in JSON, specify "-o json".
The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.
In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.
$ kubectl apply edit-last-applied (RESOURCE/NAME | -f FILENAME)
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
field-manager | kubectl-client-side-apply | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files to use to edit the resource |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
windows-line-endings | false | Defaults to the line ending native to your platform. |
Set the last-applied-configuration of a resource to match the contents of a file.
kubectl apply set-last-applied -f deploy.yaml
Execute set-last-applied against each configuration file in a directory.
kubectl apply set-last-applied -f path/
Set the last-applied-configuration of a resource to match the contents of a file, will create the annotation if it does not already exist.
kubectl apply set-last-applied -f deploy.yaml --create-annotation=true
Set the latest last-applied-configuration annotations by setting it to match the contents of a file. This results in the last-applied-configuration being updated as though 'kubectl apply -f
$ kubectl apply set-last-applied -f FILENAME
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
create-annotation | false | Will create 'last-applied-configuration' annotations if current objects doesn't have one | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
filename | f | [] | Filename, directory, or URL to files that contains the last-applied-configuration annotations |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
View the last-applied-configuration annotations by type/name in YAML.
kubectl apply view-last-applied deployment/nginx
View the last-applied-configuration annotations by file in JSON
kubectl apply view-last-applied -f deploy.yaml -o json
View the latest last-applied-configuration annotations by type/name or file.
The default output will be printed to stdout in YAML format. One can use -o option to change output format.
$ kubectl apply view-last-applied (TYPE [NAME | -l label] | TYPE/NAME | -f FILENAME)
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources in the namespace of the specified resource types | |
filename | f | [] | Filename, directory, or URL to files that contains the last-applied-configuration annotations |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | yaml | Output format. Must be one of yaml|json |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) |
Update pod 'foo' with the annotation 'description' and the value 'my frontend'. # If the same annotation is set multiple times, only the last value will be applied
kubectl annotate pods foo description='my frontend'
Update a pod identified by type and name in "pod.json"
kubectl annotate -f pod.json description='my frontend'
Update pod 'foo' with the annotation 'description' and the value 'my frontend running nginx', overwriting any existing value.
kubectl annotate --overwrite pods foo description='my frontend running nginx'
Update all pods in the namespace
kubectl annotate pods --all description='my frontend running nginx'
Update pod 'foo' only if the resource is unchanged from version 1.
kubectl annotate pods foo description='my frontend running nginx' --resource-version=1
Update pod 'foo' by removing an annotation named 'description' if it exists. # Does not require the --overwrite flag.
kubectl annotate pods foo description-
Update the annotations on one or more resources
All Kubernetes objects support the ability to store additional data with the object as annotations. Annotations are key/value pairs that can be larger than labels and include arbitrary string values such as structured JSON. Tools and system extensions may use annotations to store their own data.
Attempting to set an annotation that already exists will fail unless --overwrite is set. If --resource-version is specified and does not match the current resource version on the server the command will fail.
Use "kubectl api-resources" for a complete list of supported resources.
$ kubectl annotate [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources, including uninitialized ones, in the namespace of the specified resource types. | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-annotate | Name of the manager used to track field ownership. | |
field-selector | Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. | ||
filename | f | [] | Filename, directory, or URL to files identifying the resource to update the annotation |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
list | false | If true, display the annotations for a given resource. | |
local | false | If true, annotation will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
overwrite | false | If true, allow annotations to be overwritten, otherwise reject annotation updates that overwrite existing annotations. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
resource-version | If non-empty, the annotation update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource. | ||
selector | l | Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Auto scale a deployment "foo", with the number of pods between 2 and 10, no target CPU utilization specified so a default autoscaling policy will be used:
kubectl autoscale deployment foo --min=2 --max=10
Auto scale a replication controller "foo", with the number of pods between 1 and 5, target CPU utilization at 80%:
kubectl autoscale rc foo --max=5 --cpu-percent=80
Creates an autoscaler that automatically chooses and sets the number of pods that run in a kubernetes cluster.
Looks up a Deployment, ReplicaSet, StatefulSet, or ReplicationController by name and creates an autoscaler that uses the given resource as a reference. An autoscaler can automatically increase or decrease number of pods deployed within the system as needed.
$ kubectl autoscale (-f FILENAME | TYPE NAME | TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
cpu-percent | -1 | The target average CPU utilization (represented as a percent of requested CPU) over all the pods. If it's not specified or negative, a default autoscaling policy will be used. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-autoscale | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to autoscale. |
generator | horizontalpodautoscaler/v1 | The name of the API generator to use. Currently there is only 1 generator. | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
max | -1 | The upper limit for the number of pods that can be set by the autoscaler. Required. | |
min | -1 | The lower limit for the number of pods that can be set by the autoscaler. If it's not specified or negative, the server will apply a default value. | |
name | The name for the newly created object. If not specified, the name of the input resource will be used. | ||
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Convert 'pod.yaml' to latest version and print to stdout.
kubectl convert -f pod.yaml
Convert the live state of the resource specified by 'pod.yaml' to the latest version # and print to stdout in JSON format.
kubectl convert -f pod.yaml --local -o json
Convert all files under current directory to latest version and create them all.
kubectl convert -f . | kubectl create -f -
Convert config files between different API versions. Both YAML and JSON formats are accepted.
The command takes filename, directory, or URL as input, and convert it into format of version specified by --output-version flag. If target version is not specified or not supported, convert to latest version.
The default output will be printed to stdout in YAML format. One can use -o option to change to output destination.
$ kubectl convert -f FILENAME
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
filename | f | [] | Filename, directory, or URL to files to need to get converted. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
local | true | If true, convert will NOT try to contact api-server but run locally. | |
output | o | yaml | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. |
output-version | Output the formatted object with the given group version (for ex: 'extensions/v1beta1'). | ||
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Diff resources included in pod.json.
kubectl diff -f pod.json
Diff file read from stdin
cat service.yaml | kubectl diff -f -
Diff configurations specified by filename or stdin between the current online configuration, and the configuration as it would be if applied.
Output is always YAML.
KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. By default, the "diff" command available in your path will be run with "-u" (unified diff) and "-N" (treat absent files as empty) options.
Exit status: 0 No differences were found. 1 Differences were found. >1 Kubectl or diff failed with an error.
Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.
$ kubectl diff -f FILENAME
Name | Shorthand | Default | Usage |
---|---|---|---|
field-manager | kubectl-client-side-apply | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files contains the configuration to diff |
force-conflicts | false | If true, server-side apply will force the changes against conflicts. | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
server-side | false | If true, apply runs in the server instead of the client. |
Edit the service named 'docker-registry':
kubectl edit svc/docker-registry
Use an alternative editor
KUBE_EDITOR="nano" kubectl edit svc/docker-registry
Edit the job 'myjob' in JSON using the v1 API format:
kubectl edit job.v1.batch/myjob -o json
Edit the deployment 'mydeployment' in YAML and save the modified config in its annotation:
kubectl edit deployment/mydeployment -o yaml --save-config
Edit a resource from the default editor.
The edit command allows you to directly edit any API resource you can retrieve via the command line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts filenames as well as command line arguments, although the files you point to must be previously saved versions of resources.
Editing is done with the API version used to fetch the resource. To edit using a specific API version, fully-qualify the resource, version, and group.
The default format is YAML. To edit in JSON, specify "-o json".
The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.
In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.
$ kubectl edit (RESOURCE/NAME | -f FILENAME)
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
field-manager | kubectl-edit | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files to use to edit the resource |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
output-patch | false | Output the patch if the resource is edited. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it | |
windows-line-endings | false | Defaults to the line ending native to your platform. |
Use the current working directory
kubectl%20kustomize%20.
Use some shared configuration directory
kubectl kustomize /home/configuration/production
Use a URL
kubectl kustomize github.com/kubernetes-sigs/kustomize.git/examples/helloWorld?ref=v1.0.6
Print a set of API resources generated from instructions in a kustomization.yaml file.
The argument must be the path to the directory containing the file, or a git repository URL with a path suffix specifying same with respect to the repository root.
kubectl kustomize somedir
$ kubectl kustomize <dir>
Update pod 'foo' with the label 'unhealthy' and the value 'true'.
kubectl label pods foo unhealthy=true
Update pod 'foo' with the label 'status' and the value 'unhealthy', overwriting any existing value.
kubectl label --overwrite pods foo status=unhealthy
Update all pods in the namespace
kubectl label pods --all status=unhealthy
Update a pod identified by the type and name in "pod.json"
kubectl label -f pod.json status=unhealthy
Update pod 'foo' only if the resource is unchanged from version 1.
kubectl label pods foo status=unhealthy --resource-version=1
Update pod 'foo' by removing a label named 'bar' if it exists. # Does not require the --overwrite flag.
kubectl label pods foo bar-
Update the labels on a resource.
$ kubectl label [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources, including uninitialized ones, in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-label | Name of the manager used to track field ownership. | |
field-selector | Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. | ||
filename | f | [] | Filename, directory, or URL to files identifying the resource to update the labels |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
list | false | If true, display the labels for a given resource. | |
local | false | If true, label will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
overwrite | false | If true, allow labels to be overwritten, otherwise reject label updates that overwrite existing labels. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
resource-version | If non-empty, the labels update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource. | ||
selector | l | Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Partially update a node using a strategic merge patch. Specify the patch as JSON.
kubectl patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}'
Partially update a node using a strategic merge patch. Specify the patch as YAML.
kubectl patch node k8s-node-1 -p $'spec:\n unschedulable: true'
Partially update a node identified by the type and name specified in "node.json" using strategic merge patch.
kubectl patch -f node.json -p '{"spec":{"unschedulable":true}}'
Update a container's image; spec.containers[*].name is required because it's a merge key.
kubectl patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'
Update a container's image using a json patch with positional arrays.
kubectl patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'
Update field(s) of a resource using strategic merge patch, a JSON merge patch, or a JSON patch.
JSON and YAML formats are accepted.
$ kubectl patch (-f FILENAME | TYPE NAME) -p PATCH
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-patch | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to update |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
local | false | If true, patch will operate on the content of the file, not the server-side resource. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
patch | p | The patch to be applied to the resource JSON file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
type | strategic | The type of patch being provided; one of [json merge strategic] |
Replace a pod using the data in pod.json.
kubectl replace -f ./pod.json
Replace a pod based on the JSON passed into stdin.
cat pod.json | kubectl replace -f -
Update a single-container pod's image version (tag) to v4
kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -
Force replace, delete and then re-create the resource
kubectl replace --force -f ./pod.json
Replace a resource by filename or stdin.
JSON and YAML formats are accepted. If replacing an existing resource, the complete resource spec must be provided. This can be obtained by
$ kubectl get TYPE NAME -o yaml
$ kubectl replace -f FILENAME
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
cascade | true | If true, cascade the deletion of the resources managed by this resource (e.g. Pods created by a ReplicationController). Default true. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-replace | Name of the manager used to track field ownership. | |
filename | f | [] | to use to replace the resource. |
force | false | If true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation. | |
grace-period | -1 | Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). | |
kustomize | k | Process a kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
raw | Raw URI to PUT to the server. Uses the transport specified by the kubeconfig file. | ||
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
save-config | false | If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
timeout | 0s | The length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object | |
validate | true | If true, use a schema to validate the input before sending it | |
wait | false | If true, wait for resources to be gone before returning. This waits for finalizers. |
Rollback to the previous deployment
kubectl rollout undo deployment/abc
Check the rollout status of a daemonset
kubectl rollout status daemonset/foo
Manage the rollout of a resource.
Valid resource types include:
$ kubectl rollout SUBCOMMAND
View the rollout history of a deployment
kubectl rollout history deployment/abc
View the details of daemonset revision 3
kubectl rollout history daemonset/abc --revision=3
View previous rollout revisions and configurations.
$ kubectl rollout history (TYPE NAME | TYPE/NAME) [flags]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
revision | 0 | See the details, including podTemplate of the revision specified | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Mark the nginx deployment as paused. Any current state of # the deployment will continue its function, new updates to the deployment will not # have an effect as long as the deployment is paused.
kubectl rollout pause deployment/nginx
Mark the provided resource as paused
Paused resources will not be reconciled by a controller. Use "kubectl rollout resume" to resume a paused resource. Currently only deployments support being paused.
$ kubectl rollout pause RESOURCE
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
field-manager | kubectl-rollout | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Restart a deployment
kubectl rollout restart deployment/nginx
Restart a daemonset
kubectl rollout restart daemonset/abc
Restart a resource.
Resource will be rollout restarted.
$ kubectl rollout restart RESOURCE
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
field-manager | kubectl-rollout | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Resume an already paused deployment
kubectl rollout resume deployment/nginx
Resume a paused resource
Paused resources will not be reconciled by a controller. By resuming a resource, we allow it to be reconciled again. Currently only deployments support being resumed.
$ kubectl rollout resume RESOURCE
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
field-manager | kubectl-rollout | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Watch the rollout status of a deployment
kubectl rollout status deployment/nginx
Show the status of the rollout.
By default 'rollout status' will watch the status of the latest rollout until it's done. If you don't want to wait for the rollout to finish then you can use --watch=false. Note that if a new rollout starts in-between, then 'rollout status' will continue watching the latest revision. If you want to pin to a specific revision and abort if it is rolled over by another revision, use --revision=N where N is the revision you need to watch for.
$ kubectl rollout status (TYPE NAME | TYPE/NAME) [flags]
Name | Shorthand | Default | Usage |
---|---|---|---|
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
revision | 0 | Pin to a specific revision for showing its status. Defaults to 0 (last revision). | |
timeout | 0s | The length of time to wait before ending watch, zero means never. Any other values should contain a corresponding time unit (e.g. 1s, 2m, 3h). | |
watch | w | true | Watch the status of the rollout until it's done. |
Rollback to the previous deployment
kubectl rollout undo deployment/abc
Rollback to daemonset revision 3
kubectl rollout undo daemonset/abc --to-revision=3
Rollback to the previous deployment with dry-run
kubectl rollout undo --dry-run=server deployment/abc
Rollback to a previous rollout.
$ kubectl rollout undo (TYPE NAME | TYPE/NAME) [flags]
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
to-revision | 0 | The revision to rollback to. Default to 0 (last revision). |
Scale a replicaset named 'foo' to 3.
kubectl scale --replicas=3 rs/foo
Scale a resource identified by type and name specified in "foo.yaml" to 3.
kubectl scale --replicas=3 -f foo.yaml
If the deployment named mysql's current size is 2, scale mysql to 3.
kubectl scale --current-replicas=2 --replicas=3 deployment/mysql
Scale multiple replication controllers.
kubectl scale --replicas=5 rc/foo rc/bar rc/baz
Scale statefulset named 'web' to 3.
kubectl scale --replicas=3 statefulset/web
Set a new size for a Deployment, ReplicaSet, Replication Controller, or StatefulSet.
Scale also allows users to specify one or more preconditions for the scale action.
If --current-replicas or --resource-version is specified, it is validated before the scale is attempted, and it is guaranteed that the precondition holds true when the scale is sent to the server.
$ kubectl scale [--resource-version=version] [--current-replicas=count] --replicas=COUNT (-f FILENAME | TYPE NAME)
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
current-replicas | -1 | Precondition for current size. Requires that the current size of the resource match this value in order to scale. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to set a new size |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
replicas | 0 | The new desired number of replicas. Required. | |
resource-version | Precondition for resource version. Requires that the current resource version match this value in order to scale. | ||
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
timeout | 0s | The length of time to wait before giving up on a scale operation, zero means don't wait. Any other values should contain a corresponding time unit (e.g. 1s, 2m, 3h). |
Configure application resources
These commands help you make changes to existing application resources.
$ kubectl set SUBCOMMAND
Update deployment 'registry' with a new environment variable
kubectl set env deployment/registry STORAGE_DIR=/local
List the environment variables defined on a deployments 'sample-build'
kubectl set env deployment/sample-build --list
List the environment variables defined on all pods
kubectl set env pods --all --list
Output modified deployment in YAML, and does not alter the object on the server
kubectl set env deployment/sample-build STORAGE_DIR=/data -o yaml
Update all containers in all replication controllers in the project to have ENV=prod
kubectl set env rc --all ENV=prod
Import environment from a secret
kubectl set env --from=secret/mysecret deployment/myapp
Import environment from a config map with a prefix
kubectl set env --from=configmap/myconfigmap --prefix=MYSQL_ deployment/myapp
Import specific keys from a config map
kubectl set env --keys=my-example-key --from=configmap/myconfigmap deployment/myapp
Remove the environment variable ENV from container 'c1' in all deployment configs
kubectl set env deployments --all --containers="c1" ENV-
Remove the environment variable ENV from a deployment definition on disk and # update the deployment config on the server
kubectl set env -f deploy.json ENV-
Set some of the local shell environment into a deployment config on the server
env | grep RAILS_ | kubectl set env -e - deployment/registry
Update environment variables on a pod template.
List environment variable definitions in one or more pods, pod templates. Add, update, or remove container environment variable definitions in one or more pod templates (within replication controllers or deployment configurations). View or modify the environment variable definitions on all containers in the specified pods or pod templates, or just those that match a wildcard.
If "--env -" is passed, environment variables can be read from STDIN using the standard env syntax.
Possible resources include (case insensitive):
pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), job, replicaset (rs)
$ kubectl set env RESOURCE/NAME KEY_1=VAL_1 ... KEY_N=VAL_N
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | If true, select all resources in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
containers | c | * | The names of containers in the selected pod templates to change - may use wildcards |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
env | e | [] | Specify a key-value pair for an environment variable to set into each container. |
field-manager | kubectl-set | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files the resource to update the env |
from | The name of a resource from which to inject environment variables | ||
keys | [] | Comma-separated list of keys to import from specified resource | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
list | false | If true, display the environment and any changes in the standard format. this flag will removed when we have kubectl view env. | |
local | false | If true, set env will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
overwrite | true | If true, allow environment to be overwritten, otherwise reject updates that overwrite existing environment. | |
prefix | Prefix to append to variable names | ||
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
resolve | false | If true, show secret or configmap references when listing variables | |
selector | l | Selector (label query) to filter on | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Set a deployment's nginx container image to 'nginx:1.9.1', and its busybox container image to 'busybox'.
kubectl set image deployment/nginx busybox=busybox nginx=nginx:1.9.1
Update all deployments' and rc's nginx container's image to 'nginx:1.9.1'
kubectl set image deployments,rc nginx=nginx:1.9.1 --all
Update image of all containers of daemonset abc to 'nginx:1.9.1'
kubectl set image daemonset abc *=nginx:1.9.1
Print result (in yaml format) of updating nginx container image from local file, without hitting the server
kubectl set image -f path/to/file.yaml nginx=nginx:1.9.1 --local -o yaml
Update existing container image(s) of resources.
Possible resources include (case insensitive):
pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), replicaset (rs)
$ kubectl set image (-f FILENAME | TYPE NAME) CONTAINER_NAME_1=CONTAINER_IMAGE_1 ... CONTAINER_NAME_N=CONTAINER_IMAGE_N
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources, including uninitialized ones, in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-set | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
local | false | If true, set image will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Set a deployments nginx container cpu limits to "200m" and memory to "512Mi"
kubectl set resources deployment nginx -c=nginx --limits=cpu=200m,memory=512Mi
Set the resource request and limits for all containers in nginx
kubectl set resources deployment nginx --limits=cpu=200m,memory=512Mi --requests=cpu=100m,memory=256Mi
Remove the resource requests for resources on containers in nginx
kubectl set resources deployment nginx --limits=cpu=0,memory=0 --requests=cpu=0,memory=0
Print the result (in yaml format) of updating nginx container limits from a local, without hitting the server
kubectl set resources -f path/to/file.yaml --limits=cpu=200m,memory=512Mi --local -o yaml
Specify compute resource requirements (cpu, memory) for any resource that defines a pod template. If a pod is successfully scheduled, it is guaranteed the amount of resource requested, but may burst up to its specified limits.
for each compute resource, if a limit is specified and a request is omitted, the request will default to the limit.
Possible resources include (case insensitive): Use "kubectl api-resources" for a complete list of supported resources..
$ kubectl set resources (-f FILENAME | TYPE NAME) ([--limits=LIMITS & --requests=REQUESTS]
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources, including uninitialized ones, in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
containers | c | * | The names of containers in the selected pod templates to change, all containers are selected by default - may use wildcards |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-set | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
limits | The resource requirement requests for this container. For example, 'cpu=100m,memory=256Mi'. Note that server side components may assign requests depending on the server configuration, such as limit ranges. | ||
local | false | If true, set resources will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
requests | The resource requirement requests for this container. For example, 'cpu=100m,memory=256Mi'. Note that server side components may assign requests depending on the server configuration, such as limit ranges. | ||
selector | l | Selector (label query) to filter on, not including uninitialized ones,supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
set the labels and selector before creating a deployment/service pair.
kubectl create service clusterip my-svc --clusterip="None" -o yaml --dry-run=client | kubectl set selector --local -f - 'environment=qa' -o yaml | kubectl create -f -
kubectl create deployment my-dep -o yaml --dry-run=client | kubectl label --local -f - environment=qa -o yaml | kubectl create -f -
Set the selector on a resource. Note that the new selector will overwrite the old selector if the resource had one prior to the invocation of 'set selector'.
A selector must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters. If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used. Note: currently selectors can only be set on Service objects.
$ kubectl set selector (-f FILENAME | TYPE NAME) EXPRESSIONS [--resource-version=version]
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-set | Name of the manager used to track field ownership. | |
filename | f | [] | identifying the resource. |
local | false | If true, annotation will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | true | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
resource-version | If non-empty, the selectors update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource. | ||
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Set Deployment nginx-deployment's ServiceAccount to serviceaccount1
kubectl set serviceaccount deployment nginx-deployment serviceaccount1
Print the result (in yaml format) of updated nginx deployment with serviceaccount from local file, without hitting apiserver
kubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-run=client -o yaml
Update ServiceAccount of pod template resources.
Possible resources (case insensitive) can be:
replicationcontroller (rc), deployment (deploy), daemonset (ds), job, replicaset (rs), statefulset
$ kubectl set serviceaccount (-f FILENAME | TYPE NAME) SERVICE_ACCOUNT
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources, including uninitialized ones, in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-set | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to get from a server. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
local | false | If true, set serviceaccount will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
record | false | Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Update a ClusterRoleBinding for serviceaccount1
kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1
Update a RoleBinding for user1, user2, and group1
kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1
Print the result (in yaml format) of updating rolebinding subjects from a local, without hitting the server
kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml
Update User, Group or ServiceAccount in a RoleBinding/ClusterRoleBinding.
$ kubectl set subject (-f FILENAME | TYPE NAME) [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources, including uninitialized ones, in the namespace of the specified resource types | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-set | Name of the manager used to track field ownership. | |
filename | f | [] | Filename, directory, or URL to files the resource to update the subjects |
group | [] | Groups to bind to the role | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
local | false | If true, set subject will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, not including uninitialized ones, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
serviceaccount | [] | Service accounts to bind to the role | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Wait for the pod "busybox1" to contain the status condition of type "Ready".
kubectl wait --for=condition=Ready pod/busybox1
Wait for the pod "busybox1" to be deleted, with a timeout of 60s, after having issued the "delete" command.
kubectl delete pod/busybox1
kubectl wait --for=delete pod/busybox1 --timeout=60s
Experimental: Wait for a specific condition on one or many resources.
The command takes multiple resources and waits until the specified condition is seen in the Status field of every given resource.
Alternatively, the command can wait for the given set of resources to be deleted by providing the "delete" keyword as the value to the --for flag.
A successful message will be printed to stdout indicating when the specified condition has been met. One can use -o option to change to output destination.
$ kubectl wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=delete|--for condition=available]
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all resources in the namespace of the specified resource types | |
all-namespaces | A | false | If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
field-selector | Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. | ||
filename | f | [] | identifying the resource. |
for | The condition to wait on: [delete|condition=condition-name]. | ||
local | false | If true, annotation will NOT contact api-server but run locally. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | true | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
timeout | 30s | The length of time to wait before giving up. Zero means check once and don't wait, negative means wait for a week. |
This section contains commands for inspecting and debugging your applications.
logs
will print the logs from the specified pod + container.exec
can be used to get an interactive shell on a pod + container.describe
will print debug information about the given resource.Get output from running pod mypod, using the first container by default
kubectl attach mypod
Get output from ruby-container from pod mypod
kubectl attach mypod -c ruby-container
Switch to raw terminal mode, sends stdin to 'bash' in ruby-container from pod mypod # and sends stdout/stderr from 'bash' back to the client
kubectl attach mypod -c ruby-container -i -t
Get output from the first pod of a ReplicaSet named nginx
kubectl attach rs/nginx
Attach to a process that is already running inside an existing container.
$ kubectl attach (POD | TYPE/NAME) -c CONTAINER
Name | Shorthand | Default | Usage |
---|---|---|---|
container | c | Container name. If omitted, the first container in the pod will be chosen | |
pod-running-timeout | 1m0s | The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running | |
stdin | i | false | Pass stdin to the container |
tty | t | false | Stdin is a TTY |
Inspect authorization
$ kubectl auth
Check to see if I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces
Check to see if I can list deployments in my current namespace
kubectl auth can-i list deployments.apps
Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
Check to see if I can get the job named "bar" in namespace "foo"
kubectl auth can-i list jobs.batch/bar -n foo
Check to see if I can read pod logs
kubectl auth can-i get pods --subresource=log
Check to see if I can access the URL /logs/
kubectl auth can-i get /logs/
List all allowed actions in namespace "foo"
kubectl auth can-i --list --namespace=foo
Check whether an action is allowed.
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL starts with "/". NAME is the name of a particular Kubernetes resource.
$ kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
Name | Shorthand | Default | Usage |
---|---|---|---|
all-namespaces | A | false | If true, check the specified action in all namespaces. |
list | false | If true, prints all allowed actions. | |
no-headers | false | If true, prints allowed actions without headers | |
quiet | q | false | If true, suppress output and just return the exit code. |
subresource | SubResource such as pod/log or deployment/scale |
Reconcile rbac resources from a file
kubectl auth reconcile -f my-rbac-rules.yaml
Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects.
Missing objects are created, and the containing namespace is created for namespaced objects, if required.
Existing roles are updated to include the permissions in the input objects, and remove extra permissions if --remove-extra-permissions is specified.
Existing bindings are updated to include the subjects in the input objects, and remove extra subjects if --remove-extra-subjects is specified.
This is preferred to 'apply' for RBAC resources so that semantically-aware merging of rules and subjects is done.
$ kubectl auth reconcile -f FILENAME
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to reconcile. |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
remove-extra-permissions | false | If true, removes extra permissions added to roles | |
remove-extra-subjects | false | If true, removes extra subjects added to rolebindings | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
!!!Important Note!!! # Requires that the 'tar' binary is present in your container # image. If 'tar' is not present, 'kubectl cp' will fail. # # For advanced use cases, such as symlinks, wildcard expansion or # file mode preservation consider using 'kubectl exec'. # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace
tar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- tar xf - -C /tmp/bar
Copy /tmp/foo from a remote pod to /tmp/bar locally
kubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar xf - -C /tmp/bar
Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace
kubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir
Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>
Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar
Copy /tmp/foo from a remote pod to /tmp/bar locally
kubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar
Copy files and directories to and from containers.
$ kubectl cp <file-spec-src> <file-spec-dest>
Name | Shorthand | Default | Usage |
---|---|---|---|
container | c | Container name. If omitted, the first container in the pod will be chosen | |
no-preserve | false | The copied file/directory's ownership and permissions will not be preserved in the container |
Describe a node
kubectl describe nodes kubernetes-node-emt8.c.myproject.internal
Describe a pod
kubectl describe pods/nginx
Describe a pod identified by type and name in "pod.json"
kubectl describe -f pod.json
Describe all pods
kubectl describe pods
Describe pods by label name=myLabel
kubectl describe po -l name=myLabel
Describe all pods managed by the 'frontend' replication controller (rc-created pods # get the name of the rc as a prefix in the pod the name).
kubectl describe pods frontend
Show details of a specific resource or group of resources
Print a detailed description of the selected resources, including related resources such as events or controllers. You may select a single object by name, all objects of that type, provide a name prefix, or label selector. For example:
$ kubectl describe TYPE NAME_PREFIX
will first check for an exact match on TYPE and NAME_PREFIX. If no such resource exists, it will output details for every resource that has a name prefixed with NAME_PREFIX.
Use "kubectl api-resources" for a complete list of supported resources.
$ kubectl describe (-f FILENAME | TYPE [NAME_PREFIX | -l label] | TYPE/NAME)
Name | Shorthand | Default | Usage |
---|---|---|---|
all-namespaces | A | false | If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
filename | f | [] | Filename, directory, or URL to files containing the resource to describe |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
show-events | true | If true, display events related to the described object. |
Get output from running 'date' command from pod mypod, using the first container by default
kubectl exec mypod -- date
Get output from running 'date' command in ruby-container from pod mypod
kubectl exec mypod -c ruby-container -- date
Switch to raw terminal mode, sends stdin to 'bash' in ruby-container from pod mypod # and sends stdout/stderr from 'bash' back to the client
kubectl exec mypod -c ruby-container -i -t -- bash -il
List contents of /usr from the first container of pod mypod and sort by modification time. # If the command you want to execute in the pod has any flags in common (e.g. -i), # you must use two dashes (--) to separate your command's flags/arguments. # Also note, do not surround your command and its flags/arguments with quotes # unless that is how you would execute it normally (i.e., do ls -t /usr, not "ls -t /usr").
kubectl exec mypod -i -t -- ls -t /usr
Get output from running 'date' command from the first pod of the deployment mydeployment, using the first container by default
kubectl exec deploy/mydeployment -- date
Get output from running 'date' command from the first pod of the service myservice, using the first container by default
kubectl exec svc/myservice -- date
Execute a command in a container.
$ kubectl exec (POD | TYPE/NAME) [-c CONTAINER] [flags] -- COMMAND [args...]
Name | Shorthand | Default | Usage |
---|---|---|---|
container | c | Container name. If omitted, the first container in the pod will be chosen | |
filename | f | [] | to use to exec into the resource |
pod-running-timeout | 1m0s | The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running | |
stdin | i | false | Pass stdin to the container |
tty | t | false | Stdin is a TTY |
Return snapshot logs from pod nginx with only one container
kubectl logs nginx
Return snapshot logs from pod nginx with multi containers
kubectl logs nginx --all-containers=true
Return snapshot logs from all containers in pods defined by label app=nginx
kubectl logs -lapp=nginx --all-containers=true
Return snapshot of previous terminated ruby container logs from pod web-1
kubectl logs -p -c ruby web-1
Begin streaming the logs of the ruby container in pod web-1
kubectl logs -f -c ruby web-1
Begin streaming the logs from all containers in pods defined by label app=nginx
kubectl logs -f -lapp=nginx --all-containers=true
Display only the most recent 20 lines of output in pod nginx
kubectl logs --tail=20 nginx
Show all logs from pod nginx written in the last hour
kubectl logs --since=1h nginx
Show logs from a kubelet with an expired serving certificate
kubectl logs --insecure-skip-tls-verify-backend nginx
Return snapshot logs from first container of a job named hello
kubectl logs job/hello
Return snapshot logs from container nginx-1 of a deployment named nginx
kubectl logs deployment/nginx -c nginx-1
Print the logs for a container in a pod or specified resource. If the pod has only one container, the container name is optional.
$ kubectl logs [-f] [-p] (POD | TYPE/NAME) [-c CONTAINER]
Name | Shorthand | Default | Usage |
---|---|---|---|
all-containers | false | Get all containers' logs in the pod(s). | |
container | c | Print the logs of this container | |
follow | f | false | Specify if the logs should be streamed. |
ignore-errors | false | If watching / following pod logs, allow for any errors that occur to be non-fatal | |
insecure-skip-tls-verify-backend | false | Skip verifying the identity of the kubelet that logs are requested from. In theory, an attacker could provide invalid log content back. You might want to use this if your kubelet serving certificates have expired. | |
limit-bytes | 0 | Maximum bytes of logs to return. Defaults to no limit. | |
max-log-requests | 5 | Specify maximum number of concurrent logs to follow when using by a selector. Defaults to 5. | |
pod-running-timeout | 20s | The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running | |
prefix | false | Prefix each log line with the log source (pod name and container name) | |
previous | p | false | If true, print the logs for the previous instance of the container in a pod if it exists. |
selector | l | Selector (label query) to filter on. | |
since | 0s | Only return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used. | |
since-time | Only return logs after a specific date (RFC3339). Defaults to all logs. Only one of since-time / since may be used. | ||
tail | -1 | Lines of recent log file to display. Defaults to -1 with no selector, showing all log lines otherwise 10, if a selector is provided. | |
timestamps | false | Include timestamps on each line in the log output |
Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod
kubectl port-forward pod/mypod 5000 6000
Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the deployment
kubectl port-forward deployment/mydeployment 5000 6000
Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the service
kubectl port-forward service/myservice 5000 6000
Listen on port 8888 locally, forwarding to 5000 in the pod
kubectl port-forward pod/mypod 8888:5000
Listen on port 8888 on all addresses, forwarding to 5000 in the pod
kubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000
Listen on port 8888 on localhost and selected IP, forwarding to 5000 in the pod
kubectl port-forward --address localhost,10.19.21.23 pod/mypod 8888:5000
Listen on a random port locally, forwarding to 5000 in the pod
kubectl port-forward pod/mypod :5000
Forward one or more local ports to a pod. This command requires the node to have 'socat' installed.
Use resource type/name such as deployment/mydeployment to select a pod. Resource type defaults to 'pod' if omitted.
If there are multiple pods matching the criteria, a pod will be selected automatically. The forwarding session ends when the selected pod terminates, and rerun of the command is needed to resume forwarding.
$ kubectl port-forward TYPE/NAME [options] [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N]
Name | Shorthand | Default | Usage |
---|---|---|---|
address | [localhost] | Addresses to listen on (comma separated). Only accepts IP addresses or localhost as a value. When localhost is supplied, kubectl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these addresses are available to bind. | |
pod-running-timeout | 1m0s | The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running |
To proxy all of the kubernetes api and nothing else, use:
$ kubectl proxy --api-prefix=/
To proxy only part of the kubernetes api and also some static files:
$ kubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/
The above lets you 'curl localhost:8001/api/v1/pods'. # To proxy the entire kubernetes api at a different root, use:
$ kubectl proxy --api-prefix=/custom/
The above lets you 'curl localhost:8001/custom/api/v1/pods' # Run a proxy to kubernetes apiserver on port 8011, serving static content from ./local/www/
kubectl proxy --port=8011 --www=./local/www/
Run a proxy to kubernetes apiserver on an arbitrary local port. # The chosen port for the server will be output to stdout.
kubectl proxy --port=0
Run a proxy to kubernetes apiserver, changing the api prefix to k8s-api # This makes e.g. the pods api available at localhost:8001/k8s-api/v1/pods/
kubectl proxy --api-prefix=/k8s-api
Creates a proxy server or application-level gateway between localhost and the Kubernetes API Server. It also allows serving static content over specified HTTP path. All incoming data enters through one port and gets forwarded to the remote kubernetes API Server port, except for the path matching the static content path.
$ kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix]
Name | Shorthand | Default | Usage |
---|---|---|---|
accept-hosts | ^localhost$,^127.0.0.1$,^[::1]$ | Regular expression for hosts that the proxy should accept. | |
accept-paths | ^.* | Regular expression for paths that the proxy should accept. | |
address | 127.0.0.1 | The IP address on which to serve on. | |
api-prefix | / | Prefix to serve the proxied API under. | |
disable-filter | false | If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port. | |
keepalive | 0s | keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable keepalive. | |
port | p | 8001 | The port on which to run the proxy. Set to 0 to pick a random port. |
reject-methods | ^$ | Regular expression for HTTP methods that the proxy should reject (example --reject-methods='POST,PUT,PATCH'). | |
reject-paths | ^/api/./pods/./exec,^/api/./pods/./attach | Regular expression for paths that the proxy should reject. Paths specified here will be rejected even accepted by --accept-paths. | |
unix-socket | u | Unix socket on which to run the proxy. | |
www | w | Also serve static files from the given directory under the specified prefix. | |
www-prefix | P | /static/ | Prefix to serve static files under, if static file directory is specified. |
Display Resource (CPU/Memory/Storage) usage.
The top command allows you to see the resource consumption for nodes or pods.
This command requires Metrics Server to be correctly configured and working on the server.
$ kubectl top
Show metrics for all nodes
kubectl top node
Show metrics for a given node
kubectl top node NODE_NAME
Display Resource (CPU/Memory/Storage) usage of nodes.
The top-node command allows you to see the resource consumption of nodes.
$ kubectl top node [NAME | -l label]
Name | Shorthand | Default | Usage |
---|---|---|---|
heapster-namespace | kube-system | Namespace Heapster service is located in | |
heapster-port | Port name in service to use | ||
heapster-scheme | http | Scheme (http or https) to connect to Heapster as | |
heapster-service | heapster | Name of Heapster service | |
no-headers | false | If present, print output without headers | |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
sort-by | If non-empty, sort nodes list using specified field. The field can be either 'cpu' or 'memory'. |
Show metrics for all pods in the default namespace
kubectl top pod
Show metrics for all pods in the given namespace
kubectl top pod --namespace=NAMESPACE
Show metrics for a given pod and its containers
kubectl top pod POD_NAME --containers
Show metrics for the pods defined by label name=myLabel
kubectl top pod -l name=myLabel
Display Resource (CPU/Memory/Storage) usage of pods.
The 'top pod' command allows you to see the resource consumption of pods.
Due to the metrics pipeline delay, they may be unavailable for a few minutes since pod creation.
$ kubectl top pod [NAME | -l label]
Name | Shorthand | Default | Usage |
---|---|---|---|
all-namespaces | A | false | If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
containers | false | If present, print usage of containers within a pod. | |
no-headers | false | If present, print output without headers. | |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
sort-by | If non-empty, sort pods list using specified field. The field can be either 'cpu' or 'memory'. |
Print the supported API versions
kubectl api-versions
Print the supported API versions on the server, in the form of "group/version"
$ kubectl api-versions
Modify certificate resources.
$ kubectl certificate SUBCOMMAND
Approve a certificate signing request.
kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requestor with the attributes requested in the CSR.
SECURITY NOTICE: Depending on the requested attributes, the issued certificate can potentially grant a requester access to cluster resources or to authenticate as a requested identity. Before approving a CSR, ensure you understand what the signed certificate can do.
$ kubectl certificate approve (-f FILENAME | NAME)
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to update |
force | false | Update the CSR even if it is already approved. | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Deny a certificate signing request.
kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). This action tells a certificate signing controller to not to issue a certificate to the requestor.
$ kubectl certificate deny (-f FILENAME | NAME)
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
filename | f | [] | Filename, directory, or URL to files identifying the resource to update |
force | false | Update the CSR even if it is already denied. | |
kustomize | k | Process the kustomization directory. This flag can't be used together with -f or -R. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
recursive | R | false | Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Print the address of the master and cluster services
kubectl cluster-info
Display addresses of the master and services with label kubernetes.io/cluster-service=true To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
$ kubectl cluster-info
Dump current cluster state to stdout
kubectl cluster-info dump
Dump current cluster state to /path/to/cluster-state
kubectl cluster-info dump --output-directory=/path/to/cluster-state
Dump all namespaces to stdout
kubectl cluster-info dump --all-namespaces
Dump a set of namespaces to /path/to/cluster-state
kubectl cluster-info dump --namespaces default,kube-system --output-directory=/path/to/cluster-state
Dumps cluster info out suitable for debugging and diagnosing cluster problems. By default, dumps everything to stdout. You can optionally specify a directory with --output-directory. If you specify a directory, kubernetes will build a set of files in that directory. By default only dumps things in the 'kube-system' namespace, but you can switch to a different namespace with the --namespaces flag, or specify --all-namespaces to dump all namespaces.
The command also dumps the logs of all of the pods in the cluster, these logs are dumped into different directories based on namespace and pod name.
$ kubectl cluster-info dump
Name | Shorthand | Default | Usage |
---|---|---|---|
all-namespaces | A | false | If true, dump all namespaces. If true, --namespaces is ignored. |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
namespaces | [] | A comma separated list of namespaces to dump. | |
output | o | json | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. |
output-directory | Where to output the files. If empty or '-' uses stdout, otherwise creates a directory hierarchy in that directory | ||
pod-running-timeout | 20s | The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Mark node "foo" as unschedulable.
kubectl cordon foo
Mark node as unschedulable.
$ kubectl cordon NODE
Name | Shorthand | Default | Usage |
---|---|---|---|
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
selector | l | Selector (label query) to filter on |
Drain node "foo", even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet on it.
$ kubectl drain foo --force
As above, but abort if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet, and use a grace period of 15 minutes.
$ kubectl drain foo --grace-period=900
Drain node in preparation for maintenance.
The given node will be marked unschedulable to prevent new pods from arriving. 'drain' evicts the pods if the APIServer supports http://kubernetes.io/docs/admin/disruptions/ . Otherwise, it will use normal DELETE to delete the pods. The 'drain' evicts or deletes all pods except mirror pods (which cannot be deleted through the API server). If there are DaemonSet-managed pods, drain will not proceed without --ignore-daemonsets, and regardless it will not delete any DaemonSet-managed pods, because those pods would be immediately replaced by the DaemonSet controller, which ignores unschedulable markings. If there are any pods that are neither mirror pods nor managed by ReplicationController, ReplicaSet, DaemonSet, StatefulSet or Job, then drain will not delete any pods unless you use --force. --force will also allow deletion to proceed if the managing resource of one or more pods is missing.
'drain' waits for graceful termination. You should not operate on the machine until the command completes.
When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.
http://kubernetes.io/images/docs/kubectl_drain.svg
$ kubectl drain NODE
Name | Shorthand | Default | Usage |
---|---|---|---|
delete-local-data | false | Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained). | |
disable-eviction | false | Force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
force | false | Continue even if there are pods not managed by a ReplicationController, ReplicaSet, Job, DaemonSet or StatefulSet. | |
grace-period | -1 | Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used. | |
ignore-daemonsets | false | Ignore DaemonSet-managed pods. | |
pod-selector | Label selector to filter pods on the node | ||
selector | l | Selector (label query) to filter on | |
skip-wait-for-delete-timeout | 0 | If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip. | |
timeout | 0s | The length of time to wait before giving up, zero means infinite |
Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'. # If a taint with that key and effect already exists, its value is replaced as specified.
kubectl taint nodes foo dedicated=special-user:NoSchedule
Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists.
kubectl taint nodes foo dedicated:NoSchedule-
Remove from node 'foo' all the taints with key 'dedicated'
kubectl taint nodes foo dedicated-
Add a taint with key 'dedicated' on nodes having label mylabel=X
kubectl taint node -l myLabel=X dedicated=foo:PreferNoSchedule
Add to node 'foo' a taint with key 'bar' and no value
kubectl taint nodes foo bar:NoSchedule
Update the taints on one or more nodes.
$ kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N
Name | Shorthand | Default | Usage |
---|---|---|---|
all | false | Select all nodes in the cluster | |
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
field-manager | kubectl-taint | Name of the manager used to track field ownership. | |
output | o | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. | |
overwrite | false | If true, allow taints to be overwritten, otherwise reject taint updates that overwrite existing taints. | |
selector | l | Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. | ||
validate | true | If true, use a schema to validate the input before sending it |
Mark node "foo" as schedulable.
$ kubectl uncordon foo
Mark node as schedulable.
$ kubectl uncordon NODE
Name | Shorthand | Default | Usage |
---|---|---|---|
dry-run | none | Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. | |
selector | l | Selector (label query) to filter on |
These commands correspond to alpha features that are not enabled in Kubernetes clusters by default.
$ kubectl alpha
Create an interactive debugging session in pod mypod and immediately attach to it. # (requires the EphemeralContainers feature to be enabled in the cluster)
kubectl alpha debug mypod -it --image=busybox
Create a debug container named debugger using a custom automated debugging image. # (requires the EphemeralContainers feature to be enabled in the cluster)
kubectl alpha debug --image=myproj/debug-tools -c debugger mypod
Create a debug container as a copy of the original Pod and attach to it
kubectl alpha debug mypod -it --image=busybox --copy-to=my-debugger
Create a copy of mypod named my-debugger with my-container's image changed to busybox
kubectl alpha debug mypod --image=busybox --container=my-container --copy-to=my-debugger -- sleep 1d
Create an interactive debugging session on a node and immediately attach to it. # The container will run in the host namespaces and the host's filesystem will be mounted at /host
kubectl alpha debug node/mynode -it --image=busybox
Debug cluster resources using interactive debugging containers.
'debug' provides automation for common debugging tasks for cluster objects identified by resource and name. Pods will be used by default if resource is not specified.
The action taken by 'debug' varies depending on what resource is specified. Supported actions include:
Node: Create a new pod that runs in the node's host namespaces and can access the node's filesystem.
Alpha disclaimer: command line flags may change
$ kubectl alpha debug NAME --image=image [ -- COMMAND [args...] ]
Name | Shorthand | Default | Usage |
---|---|---|---|
arguments-only | false | If specified, everything after -- will be passed to the new container as Args instead of Command. | |
attach | false | If true, wait for the container to start running, and then attach as if 'kubectl attach ...' were called. Default false, unless '-i/--stdin' is set, in which case the default is true. | |
container | c | Container name to use for debug container. | |
copy-to | Create a copy of the target Pod with this name. | ||
env | [] | Environment variables to set in the container. | |
image | Container image to use for debug container. | ||
image-pull-policy | IfNotPresent | The image pull policy for the container. | |
quiet | false | If true, suppress informational messages. | |
replace | false | When used with '--copy-to', delete the original Pod | |
same-node | false | When used with '--copy-to', schedule the copy of target Pod on the same node. | |
share-processes | true | When used with '--copy-to', enable process namespace sharing in the copy. | |
stdin | i | false | Keep stdin open on the container(s) in the pod, even if nothing is attached. |
target | When debugging a pod, target processes in this container name. | ||
tty | t | false | Allocate a TTY for the debugging container. |
Print the supported API Resources
kubectl api-resources
Print the supported API Resources with more information
kubectl api-resources -o wide
Print the supported API Resources sorted by a column
kubectl api-resources --sort-by=name
Print the supported namespaced resources
kubectl api-resources --namespaced=true
Print the supported non-namespaced resources
kubectl api-resources --namespaced=false
Print the supported API Resources with specific APIGroup
kubectl api-resources --api-group=extensions
Print the supported API resources on the server
$ kubectl api-resources
Name | Shorthand | Default | Usage |
---|---|---|---|
api-group | Limit to resources in the specified API group. | ||
cached | false | Use the cached list of resources if available. | |
namespaced | true | If false, non-namespaced resources will be returned, otherwise returning namespaced resources by default. | |
no-headers | false | When using the default or custom-column output format, don't print headers (default print headers). | |
output | o | Output format. One of: wide|name. | |
sort-by | If non-empty, sort list of resources using specified field. The field can be either 'name' or 'kind'. | ||
verbs | [] | Limit to resources that support the specified verbs. |
Installing bash completion on macOS using homebrew ## If running Bash 3.2 included with macOS
brew install bash-completion
or, if running Bash 4.1+
brew install bash-completion@2
If kubectl is installed via homebrew, this should start working immediately. ## If you've installed via other means, you may need add the completion to your completion directory
kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/kubectl
Installing bash completion on Linux ## If bash-completion is not installed on Linux, please install the 'bash-completion' package ## via your distribution's package manager. ## Load the kubectl completion code for bash into the current shell
source <(kubectl completion bash)
Write bash completion code to a file and source if from .bash_profile
kubectl completion bash > ~/.kube/completion.bash.inc
printf "
Kubectl shell completion
source '$HOME/.kube/completion.bash.inc'
" >> $HOME/.bash_profile
source $HOME/.bash_profile
Load the kubectl completion code for zsh[1] into the current shell
source <(kubectl completion zsh)
Set the kubectl completion code for zsh[1] to autoload on startup
kubectl completion zsh > "${fpath[1]}/_kubectl"
Output shell completion code for the specified shell (bash or zsh). The shell code must be evaluated to provide interactive completion of kubectl commands. This can be done by sourcing it from the .bash_profile.
Detailed instructions on how to do this are available here: https://kubernetes.io/docs/tasks/tools/install-kubectl/#enabling-shell-autocompletion
Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2
$ kubectl completion SHELL
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"
The loading order follows these rules:
$ kubectl config SUBCOMMAND
Display the current-context
kubectl config current-context
Displays the current-context
$ kubectl config current-context
Delete the minikube cluster
kubectl config delete-cluster minikube
Delete the specified cluster from the kubeconfig
$ kubectl config delete-cluster NAME
Delete the context for the minikube cluster
kubectl config delete-context minikube
Delete the specified context from the kubeconfig
$ kubectl config delete-context NAME
List the clusters kubectl knows about
kubectl config get-clusters
Display clusters defined in the kubeconfig.
$ kubectl config get-clusters
List all the contexts in your kubeconfig file
kubectl config get-contexts
Describe one context in your kubeconfig file.
kubectl config get-contexts my-context
Displays one or many contexts from the kubeconfig file.
$ kubectl config get-contexts [(-o|--output=)name)]
Name | Shorthand | Default | Usage |
---|---|---|---|
no-headers | false | When using the default or custom-column output format, don't print headers (default print headers). | |
output | o | Output format. One of: name |
Rename the context 'old-name' to 'new-name' in your kubeconfig file
kubectl config rename-context old-name new-name
Renames a context from the kubeconfig file.
CONTEXT_NAME is the context name that you wish to change.
NEW_NAME is the new name you wish to set.
Note: In case the context being renamed is the 'current-context', this field will also be updated.
$ kubectl config rename-context CONTEXT_NAME NEW_NAME
Set server field on the my-cluster cluster to https://1.2.3.4
kubectl config set clusters.my-cluster.server https://1.2.3.4
Set certificate-authority-data field on the my-cluster cluster.
kubectl config set clusters.my-cluster.certificate-authority-data $(echo "cert_data_here" | base64 -i -)
Set cluster field in the my-context context to my-cluster.
kubectl config set contexts.my-context.cluster my-cluster
Set client-key-data field in the cluster-admin user using --set-raw-bytes option.
kubectl config set users.cluster-admin.client-key-data cert_data_here --set-raw-bytes=true
Sets an individual value in a kubeconfig file
PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots.
PROPERTY_VALUE is the new value you wish to set. Binary fields such as 'certificate-authority-data' expect a base64 encoded string unless the --set-raw-bytes flag is used.
Specifying a attribute name that already exists will merge new fields on top of existing values.
$ kubectl config set PROPERTY_NAME PROPERTY_VALUE
Name | Shorthand | Default | Usage |
---|---|---|---|
set-raw-bytes | false | When writing a []byte PROPERTY_VALUE, write the given string directly without base64 decoding. |
Set only the server field on the e2e cluster entry without touching other values.
kubectl config set-cluster e2e --server=https://1.2.3.4
Embed certificate authority data for the e2e cluster entry
kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt
Disable cert checking for the dev cluster entry
kubectl config set-cluster e2e --insecure-skip-tls-verify=true
Set custom TLS server name to use for validation for the e2e cluster entry
kubectl config set-cluster e2e --tls-server-name=my-cluster-name
Sets a cluster entry in kubeconfig.
Specifying a name that already exists will merge new fields on top of existing values for those fields.
$ kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority] [--insecure-skip-tls-verify=true] [--tls-server-name=example.com]
Name | Shorthand | Default | Usage |
---|---|---|---|
embed-certs | false | embed-certs for the cluster entry in kubeconfig |
Set the user field on the gce context entry without touching other values
kubectl config set-context gce --user=cluster-admin
Sets a context entry in kubeconfig
Specifying a name that already exists will merge new fields on top of existing values for those fields.
$ kubectl config set-context [NAME | --current] [--cluster=cluster_nickname] [--user=user_nickname] [--namespace=namespace]
Name | Shorthand | Default | Usage |
---|---|---|---|
current | false | Modify the current context |
Set only the "client-key" field on the "cluster-admin" # entry, without touching other values:
kubectl config set-credentials cluster-admin --client-key=~/.kube/admin.key
Set basic auth for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif
Embed client certificate data in the "cluster-admin" entry
kubectl config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true
Enable the Google Compute Platform auth provider for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --auth-provider=gcp
Enable the OpenID Connect auth provider for the "cluster-admin" entry with additional args
kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar
Remove the "client-secret" config value for the OpenID Connect auth provider for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-secret-
Enable new exec auth plugin for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1
Define new exec auth plugin args for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-arg=arg1 --exec-arg=arg2
Create or update exec auth plugin environment variables for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-env=key1=val1 --exec-env=key2=val2
Remove exec auth plugin environment variables for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-env=var-to-remove-
Sets a user entry in kubeconfig
Specifying a name that already exists will merge new fields on top of existing values.
Client-certificate flags: --client-certificate=certfile --client-key=keyfile
Bearer token flags: --token=bearer_token
Basic auth flags: --username=basic_user --password=basic_password
Bearer token and basic auth are mutually exclusive.
$ kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile] [--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name] [--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg] [--exec-env=key=value]
Name | Shorthand | Default | Usage |
---|---|---|---|
auth-provider | Auth provider for the user entry in kubeconfig | ||
auth-provider-arg | [] | 'key=value' arguments for the auth provider | |
embed-certs | false | Embed client cert/key for the user entry in kubeconfig | |
exec-api-version | API version of the exec credential plugin for the user entry in kubeconfig | ||
exec-arg | [] | New arguments for the exec credential plugin command for the user entry in kubeconfig | |
exec-command | Command for the exec credential plugin for the user entry in kubeconfig | ||
exec-env | [] | 'key=value' environment values for the exec credential plugin |
Unset the current-context.
kubectl config unset current-context
Unset namespace in foo context.
kubectl config unset contexts.foo.namespace
Unsets an individual value in a kubeconfig file
PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots.
$ kubectl config unset PROPERTY_NAME
Use the context for the minikube cluster
kubectl config use-context minikube
Sets the current-context in a kubeconfig file
$ kubectl config use-context CONTEXT_NAME
Show merged kubeconfig settings.
kubectl config view
Show merged kubeconfig settings and raw certificate data.
kubectl config view --raw
Get the password for the e2e user
kubectl config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'
Display merged kubeconfig settings or a specified kubeconfig file.
You can use --output jsonpath={...} to extract specific values using a jsonpath expression.
$ kubectl config view
Name | Shorthand | Default | Usage |
---|---|---|---|
allow-missing-template-keys | true | If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. | |
flatten | false | Flatten the resulting kubeconfig file into self-contained output (useful for creating portable kubeconfig files) | |
merge | true | Merge the full hierarchy of kubeconfig files | |
minify | false | Remove all information not used by current-context from the output | |
output | o | yaml | Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. |
raw | false | Display raw byte data | |
template | Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
Get the documentation of the resource and its fields
kubectl explain pods
Get the documentation of a specific field of a resource
kubectl explain pods.spec.containers
List the fields for supported resources
This command describes the fields associated with each supported API resource. Fields are identified via a simple JSONPath identifier:
<type>.<fieldName>[.<fieldName>]
Add the --recursive flag to display all of the fields at once without descriptions. Information about each field is retrieved from the server in OpenAPI format.
Use "kubectl api-resources" for a complete list of supported resources.
$ kubectl explain RESOURCE
Name | Shorthand | Default | Usage |
---|---|---|---|
api-version | Get different explanations for particular API version | ||
recursive | false | Print the fields of fields (Currently only 1 level deep) |
Print flags inherited by all commands
kubectl options
Print the list of flags inherited by all commands
$ kubectl options
Provides utilities for interacting with plugins.
Plugins provide extended functionality that is not part of the major command-line distribution. Please refer to the documentation and examples for more information about how write your own plugins.
The easiest way to discover and install plugins is via the kubernetes sub-project krew. To install krew, visit https://github.com/kubernetes-sigs/krew/#installation
$ kubectl plugin [flags]
List all available plugin files on a user's PATH.
Available plugin files are those that are: - executable - anywhere on the user's PATH - begin with "kubectl-"
$ kubectl plugin list
Name | Shorthand | Default | Usage |
---|---|---|---|
name-only | false | If true, display only the binary name of each plugin, rather than its full path |
Print the client and server versions for the current context
kubectl version
Print the client and server version information for the current context
$ kubectl version
Name | Shorthand | Default | Usage |
---|---|---|---|
client | false | If true, shows client version only (no server required). | |
output | o | One of 'yaml' or 'json'. | |
short | false | If true, print just the version number. |