Kubectl随记:修订间差异

来自三线的随记
无编辑摘要
无编辑摘要
 
(未显示同一用户的22个中间版本)
第1行: 第1行:
=== kubectl set default editor ===
export  KUBE_EDITOR=/usr/bin/vim
===kubectl completion bash not working 排障随记===
===kubectl completion bash not working 排障随记===
现执行命令 set 看一下当前环境的相关配置有没有kube相关项
需要已经安装 bash-completion
 
如果提示  <code>_get_comp_words_by_ref: command not found</code> 错误的话,需要执行
source /usr/share/bash-completion/bash_completion
执行命令 <code>set</code> 看一下当前环境的相关配置有没有kube相关项
  set | grep -i kube
  set | grep -i kube
没有的话
没有的话需要执行
  source <(kubectl completion bash)
  source <(kubectl completion bash)


正常的话,打开 kubectl debug
正常的话,打开 kubectl debug
第16行: 第22行:
根据debug file里面的记录去排查出错点
根据debug file里面的记录去排查出错点


=== use kubectl to get all api resource types ===
kubectl api-resources  -o name --cached --request-timeout=5s --verbs=get
kubectl api-resources --api-group=networking.k8s.io
==== get groupVersion when a resource exists in multiple api groups ====
==== explain api-resource with sprcific api version ====
kubectl api-resources --api-group=networking.k8s.io -v8 2>&1| grep ingress
kubectl explain ingress --api-version="networking.k8s.io/v1beta1"
=== get service account token faster / 一条命令结合jsonpath揭秘base64处理后的secret ===
kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d
=== Check k8s account privilege / k8s 对象权限相关 ===
kubectl options:
    --as=: Username to impersonate for the operation
    --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
假设有名为registry-test的serviceAccount位于kube-system,这时候我们要测试他的RBAC权限,可以使用如下命令
kubectl --as "system:serviceaccount:kube-system:registry-test" get serviceaccount
Usage: kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]
# Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
[root@node-a ~]# kubectl --as "system:serviceaccount:kube-system:registry-test" auth can-i list pods
yes
PS: 在RBAC定义中(例如role / clusterrole)对 <code>resources</code> 的 <code>pods/*</code> 声明不会对诸如 <code>pods/exec pods/log pods/status</code> 等资源授权起效果
原因: [[K8s-rbac关于子资源授权的一些记录]]
===kubectl get resources with custom column / 利用custom-columns自定义输出字段 (语法相对go-template简单)===
=====通过custom-columns只输出pod所在租户,pod名字和pod uid=====
kubectl get pods -o custom-columns='namespace:metadata.namespace,pod:metadata.name,uid:metadata.uid'


ps: use kubectl to get all api resource types
=====通过custom-columns只输出namespace名字和ns annotation中定义的node selector=====
  kubectl api-resources  -o name --cached --request-timeout=5s --verbs=get
kubectl get namespaces -o custom-columns="NAMESPACE:.metadata.name, NODE_SELECTOR:.metadata.annotations.scheduler\.alpha\.kubernetes\.io/node-selector"
[[分类:K8s]]
 
===Get node info order by node ip address / 根据ip地址排序获取节点信息===
kubectl get nodes -owide --sort-by status.addresses[0].address
 
===Get pods order by running node name / 根据pod运行节点排序获取pod信息===
kubectl get pods -owide --sort-by .spec.nodeName
 
kubectl get pods -owide --sort-by spec.nodeName
===Get pod order  by pod create time / 根据pod创建时间排序获取pod===
kubectl get pods -n efk-system --sort-by status.startTime
 
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat
 
  kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat|tac
 
 
===kubectl get resources with go-template / 利用go-template自定义输出(功能扩展性高度自由,但是有一定的编码调试成本)===
 
====Deployments - image / 只获取deployment名字和image====
<nowiki>kubectl get deployments -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.template.spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'</nowiki>
稍微格式化输出,输出deployment名字 + container名字 + 对应的image
kubectl get deployments.apps -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{range .spec.template.spec.containers}}</nowiki><nowiki>{{.name}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{.image}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'
 
====Pods - image / 只获取pod名字和image====
<nowiki>kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.containers}}{{.image}}{{end}}{{"\n"}}{{end}}'</nowiki>
====Get the ip address of the specified node / 只获取节点名字和对应的Internal IP地址====
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{range .status.addresses}}{{ if eq .type "InternalIP" }}{{.address}}{{end}}{{end}}{{end}}{{"\n"}}'</nowiki>
====Get node taints / 只获取节点名字和taints====
<nowiki>kubectl get nodes  -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki>
 
<nowiki>kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'</nowiki>
 
==== Get node labels and format output / 只获取节点名字和labels并格式化输出 ====
kubectl get node -o go-template --template '<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{range $key, $value := .metadata.labels}}</nowiki><nowiki>{{"\t\t"}}</nowiki><nowiki>{{$key}}</nowiki><nowiki>{{":"}}</nowiki><nowiki>{{$value}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'
 
==== 获取namespace名字和ns annotation中定义的node selector ====
  kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{.metadata.name}}</nowiki><nowiki>{{" "}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector" -}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'
 
===== 稍微处理一下,格式化对齐输出 =====
kubectl get namespaces -o go-template='<nowiki>{{range .items}}</nowiki><nowiki>{{printf "%-30s " .metadata.name}}</nowiki><nowiki>{{if index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}</nowiki><nowiki>{{else}}</nowiki> <nowiki>{{end}}</nowiki><nowiki>{{"\n"}}</nowiki><nowiki>{{end}}</nowiki>'
 
===kubectl get event filter by pod name / 根据对象进行过滤获取k8s事件===
kubectl get event -n kube-system --field-selector involvedObject.name=${pod_name}
 
===kubectl get event sort by lastTime / 根据事件最后触发时间进行排序===
kubectl get event -n kube-system --sort-by=.lastTimestamp
[[分类:K8s]]

2024年4月19日 (五) 15:52的最新版本

kubectl set default editor

export  KUBE_EDITOR=/usr/bin/vim

kubectl completion bash not working 排障随记

需要已经安装 bash-completion

如果提示 _get_comp_words_by_ref: command not found 错误的话,需要执行

source /usr/share/bash-completion/bash_completion

执行命令 set 看一下当前环境的相关配置有没有kube相关项

set | grep -i kube

没有的话需要执行

source <(kubectl completion bash)

正常的话,打开 kubectl debug

__kubectl_debug() {
   if [[ -n ${BASH_COMP_DEBUG_FILE} ]]; then
       echo "$*" >> "${BASH_COMP_DEBUG_FILE}"
   fi
}
export BASH_COMP_DEBUG_FILE=****

根据debug file里面的记录去排查出错点

use kubectl to get all api resource types

kubectl api-resources  -o name --cached --request-timeout=5s --verbs=get
kubectl api-resources --api-group=networking.k8s.io

get groupVersion when a resource exists in multiple api groups

explain api-resource with sprcific api version

kubectl api-resources --api-group=networking.k8s.io -v8 2>&1| grep ingress
kubectl explain ingress --api-version="networking.k8s.io/v1beta1"

get service account token faster / 一条命令结合jsonpath揭秘base64处理后的secret

kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d

Check k8s account privilege / k8s 对象权限相关

kubectl options:
    --as=: Username to impersonate for the operation
    --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

假设有名为registry-test的serviceAccount位于kube-system,这时候我们要测试他的RBAC权限,可以使用如下命令

kubectl --as "system:serviceaccount:kube-system:registry-test" get serviceaccount
Usage: kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]

# Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
[root@node-a ~]# kubectl --as "system:serviceaccount:kube-system:registry-test" auth can-i list pods
yes

PS: 在RBAC定义中(例如role / clusterrole)对 resourcespods/* 声明不会对诸如 pods/exec pods/log pods/status 等资源授权起效果

原因: K8s-rbac关于子资源授权的一些记录

kubectl get resources with custom column / 利用custom-columns自定义输出字段 (语法相对go-template简单)

通过custom-columns只输出pod所在租户,pod名字和pod uid
kubectl get pods -o custom-columns='namespace:metadata.namespace,pod:metadata.name,uid:metadata.uid'
通过custom-columns只输出namespace名字和ns annotation中定义的node selector
kubectl get namespaces -o custom-columns="NAMESPACE:.metadata.name, NODE_SELECTOR:.metadata.annotations.scheduler\.alpha\.kubernetes\.io/node-selector"

Get node info order by node ip address / 根据ip地址排序获取节点信息

kubectl get nodes -owide --sort-by status.addresses[0].address

Get pods order by running node name / 根据pod运行节点排序获取pod信息

kubectl get pods -owide --sort-by .spec.nodeName
kubectl get pods -owide --sort-by spec.nodeName

Get pod order by pod create time / 根据pod创建时间排序获取pod

kubectl get pods -n efk-system --sort-by status.startTime
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat
kubectl get pods -n efk-system --sort-by status.startTime| grep filebeat|tac


kubectl get resources with go-template / 利用go-template自定义输出(功能扩展性高度自由,但是有一定的编码调试成本)

Deployments - image / 只获取deployment名字和image

kubectl get deployments -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.template.spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'

稍微格式化输出,输出deployment名字 + container名字 + 对应的image

kubectl get deployments.apps -o go-template --template '{{range .items}}{{printf "%-30s " .metadata.name}}{{range .spec.template.spec.containers}}{{.name}}{{":"}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'

Pods - image / 只获取pod名字和image

kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.containers}}{{.image}}{{end}}{{"\n"}}{{end}}'

Get the ip address of the specified node / 只获取节点名字和对应的Internal IP地址

kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{range .status.addresses}}{{ if eq .type "InternalIP" }}{{.address}}{{end}}{{end}}{{end}}{{"\n"}}'

Get node taints / 只获取节点名字和taints

kubectl get nodes  -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'
kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'

Get node labels and format output / 只获取节点名字和labels并格式化输出

kubectl get node -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{range $key, $value := .metadata.labels}}{{"\t\t"}}{{$key}}{{":"}}{{$value}}{{"\n"}}{{end}}{{"\n"}}{{end}}'

获取namespace名字和ns annotation中定义的node selector

kubectl get namespaces -o go-template='{{range .items}}{{.metadata.name}}{{" "}}{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector" -}}{{"\n"}}{{end}}'
稍微处理一下,格式化对齐输出
kubectl get namespaces -o go-template='{{range .items}}{{printf "%-30s " .metadata.name}}{{if index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}{{else}} {{end}}{{"\n"}}{{end}}'

kubectl get event filter by pod name / 根据对象进行过滤获取k8s事件

kubectl get event -n kube-system --field-selector involvedObject.name=${pod_name}

kubectl get event sort by lastTime / 根据事件最后触发时间进行排序

kubectl get event -n kube-system --sort-by=.lastTimestamp