Kubectl notes: difference between revisions
From 三线的随记
Latest revision as of 15:52, 19 April 2024 (Friday)
=== kubectl set default editor ===
export KUBE_EDITOR=/usr/bin/vim
=== Troubleshooting notes: kubectl completion bash not working ===
bash-completion must already be installed.
If you get the error <code>_get_comp_words_by_ref: command not found</code>, run:
source /usr/share/bash-completion/bash_completion
Run <code>set</code> and check whether the current environment contains any kube-related entries:
set | grep -i kube
If there are none, run:
source <(kubectl completion bash)
If everything above looks fine, turn on kubectl's completion debug hook (the function below is the one defined by the generated completion script; it appends every debug line to the file named in BASH_COMP_DEBUG_FILE):
__kubectl_debug() {
    if [[ -n ${BASH_COMP_DEBUG_FILE} ]]; then
        echo "$*" >> "${BASH_COMP_DEBUG_FILE}"
    fi
}
export BASH_COMP_DEBUG_FILE=****
Then use the records in the debug file to locate the point of failure.
=== Use kubectl to list all API resource types ===
kubectl api-resources -o name --cached --request-timeout=5s --verbs=get
kubectl api-resources --api-group=networking.k8s.io
==== Get the groupVersion when a resource exists in multiple API groups ====
==== Explain an API resource at a specific API version ====
kubectl api-resources --api-group=networking.k8s.io -v8 2>&1 | grep ingress
kubectl explain ingress --api-version="networking.k8s.io/v1beta1"
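An alternative to reading the -v8 discovery traffic is to parse the `kubectl api-resources` table itself. The script below is an added example, not from the original notes: the function names are mine, `--no-headers` is kubectl's own flag, and `KUBECTL` is a variable I introduce so the parsing can be exercised against a stub without a cluster. It prints every groupVersion that serves a given resource name and builds the matching `kubectl explain --api-version=...` invocations.

```shell
#!/bin/sh
# Added example, not from the original notes: parse `kubectl api-resources`
# to find every groupVersion that serves a given resource name.
# KUBECTL can be overridden (e.g. with a stub) so the parsing runs offline.
KUBECTL="${KUBECTL:-kubectl}"

# api_versions_of RESOURCE
# Prints one APIVERSION per line for each row whose NAME column is RESOURCE.
# The SHORTNAMES column is blank for some resources, so a row has either 4 or
# 5 fields; APIVERSION is therefore addressed from the end ($(NF-2)), with
# NAMESPACED at $(NF-1) and KIND at $NF.
api_versions_of() {
    "$KUBECTL" api-resources --no-headers 2>/dev/null |
        awk -v name="$1" '$1 == name { print $(NF-2) }'
}

# api_version_count RESOURCE -> how many groupVersions serve the resource
api_version_count() {
    api_versions_of "$1" | wc -l | tr -d ' '
}

# explain_commands RESOURCE
# Prints one `kubectl explain` invocation per groupVersion, so the schema of
# every variant is inspected explicitly instead of whichever version kubectl
# picks by default.
explain_commands() {
    api_versions_of "$1" | while read -r gv; do
        printf 'kubectl explain %s --api-version=%s\n' "$1" "$gv"
    done
}

# Usage against a real cluster:
#   api_versions_of ingresses
#   explain_commands ingresses
```

The awk addressing from the end of the line is what makes this robust: the table is column-aligned for humans, and a resource without short names would otherwise shift every field by one.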
=== Get a service account token faster / decode a base64-encoded secret in one command with jsonpath ===
kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d
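Once the token is decoded it is a JWT, so the identity and expiry it carries can be read locally before it is used anywhere. The following is an added example, not from the original notes: the functions are mine, the base64url handling is standard JWT decoding, and the tokens in the usage/test are constructed (not real cluster tokens). The namespace and service-account name are taken from the `sub` claim, which both legacy secret-based tokens and newer bound tokens carry; a missing `exp` claim flags a legacy token that never expires.

```shell
#!/bin/sh
# Added example, not from the original notes: inspect a service-account token
# after decoding it from the Secret.  A SA token is a JWT, so its identity and
# expiry can be read from the payload without sending it anywhere.

# jwt_payload TOKEN -> the decoded JSON payload (second dot-separated segment).
# JWT segments are base64url without '=' padding, so the alphabet is mapped
# back to standard base64 and the padding restored before base64 -d.
jwt_payload() {
    seg=$(printf '%s\n' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s\n' "$seg" | base64 -d
}

# jwt_str_claim TOKEN CLAIM -> value of a top-level string claim (empty if absent).
# '|' is used as the sed delimiter because SA claim names contain '/'.
jwt_str_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# jwt_num_claim TOKEN CLAIM -> value of a top-level numeric claim such as exp.
jwt_num_claim() {
    jwt_payload "$1" | sed -n "s|.*\"$2\":\([0-9][0-9]*\).*|\1|p"
}

# sa_token_identity TOKEN -> "namespace/serviceaccount-name", taken from the
# sub claim (system:serviceaccount:NS:NAME).  Returns 1 for a non-SA token.
sa_token_identity() {
    sub=$(jwt_str_claim "$1" sub)
    case "$sub" in
        system:serviceaccount:*:*)
            rest=${sub#system:serviceaccount:}
            printf '%s/%s\n' "${rest%%:*}" "${rest#*:}" ;;
        *)
            echo "not a service-account token" >&2
            return 1 ;;
    esac
}

# sa_token_expiry TOKEN -> the exp claim, or "none" for a legacy secret-based
# token that never expires (worth knowing before handing it to anything).
sa_token_expiry() {
    exp=$(jwt_num_claim "$1" exp)
    printf '%s\n' "${exp:-none}"
}

# Usage against a real cluster (Secret name as in the notes above):
#   tok=$(kubectl get secret sa-secret -o jsonpath={.data.token} | base64 -d)
#   sa_token_identity "$tok"; sa_token_expiry "$tok"
```

Only the payload is decoded here; nothing about the signature is checked, so this tells you what the token claims to be, not whether the API server would accept it.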
=== Check k8s account privileges / k8s object permissions ===
kubectl options:
    --as=: Username to impersonate for the operation
    --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
Suppose there is a serviceAccount named registry-test in kube-system and we want to test its RBAC permissions; the following command can be used:
kubectl --as "system:serviceaccount:kube-system:registry-test" get serviceaccount
Usage: kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL] [options]
# Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
[root@node-a ~]# kubectl --as "system:serviceaccount:kube-system:registry-test" auth can-i list pods
yes
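Repeating the single `auth can-i` check over a fixed list of verb/resource pairs gives a small permission matrix for one ServiceAccount, which is the shape an access review usually needs. This is an added example, not from the original notes: the function names and the pair list are mine, and `KUBECTL` is a variable I introduce so the logic can be run against a stub; the impersonation itself is the same `--as system:serviceaccount:NS:NAME` used above.

```shell
#!/bin/sh
# Added example, not from the original notes: turn one `auth can-i` check
# into a permission matrix for a ServiceAccount, using --as impersonation.
# KUBECTL is overridable so the logic can run against a stub.
KUBECTL="${KUBECTL:-kubectl}"

# sa_subject NAMESPACE NAME -> the username kubectl impersonates for a SA
sa_subject() {
    printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# sa_can_i SUBJECT VERB RESOURCE [NAMESPACE] -> prints yes or no.
# `auth can-i` exits non-zero on "no", so its status is masked and only the
# first word of its output is used.
sa_can_i() {
    ci_ns=${4:-default}
    ci_answer=$("$KUBECTL" --as "$1" -n "$ci_ns" auth can-i "$2" "$3" 2>/dev/null || true)
    case "$ci_answer" in
        yes*) echo yes ;;
        *)    echo no ;;
    esac
}

# sa_audit_matrix SUBJECT [NAMESPACE]
# One "verb resource answer" line per pair.  The list deliberately includes
# subresources (pods/exec, pods/log): a grant on "pods" alone answers "no"
# for them, which is exactly what the matrix should make visible.
sa_audit_matrix() {
    am_subject=$1
    am_ns=${2:-default}
    for pair in "get pods" "list pods" "create pods/exec" "get pods/log" \
                "get secrets" "list secrets" "create pods" "delete pods"; do
        set -- $pair
        printf '%-8s %-12s %s\n' "$1" "$2" "$(sa_can_i "$am_subject" "$1" "$2" "$am_ns")"
    done
}

# count_allowed: reads a matrix from stdin, prints the number of "yes" rows
count_allowed() {
    grep -c ' yes$' || true
}

# Usage against a real cluster (the SA from the notes above):
#   sa_audit_matrix "$(sa_subject kube-system registry-test)" kube-system
```

The review is only as honest as the pair list: anything a workload identity might realistically be granted (secrets, exec, log access) should be on it, since a narrow list produces a reassuring but incomplete answer.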
PS: in an RBAC definition (e.g. a Role / ClusterRole), declaring <code>pods/*</code> under <code>resources</code> does not grant access to subresources such as <code>pods/exec</code>, <code>pods/log</code> or <code>pods/status</code>.
Reason: [[K8s-rbac关于子资源授权的一些记录]] (notes on K8s RBAC subresource authorization)
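The behaviour behind that PS follows from how the API server matches an RBAC rule's `resources` entries: an entry matches an exact `resource` or `resource/subresource`, `*` matches everything, and `*/subresource` matches that subresource on any resource; `pods/*` is none of these and so matches nothing. The script below is an added example, not from the original notes, that models only that matching (apiGroups and resourceNames are left out); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: a local model of how the API
# server matches an RBAC rule's "resources" entries, to show why "pods/*"
# covers nothing.  Matching is:
#   entry == requested "resource" or "resource/subresource"  (exact),
#   "*"              matches everything,
#   "*/subresource"  matches that subresource on any resource.
# apiGroups and resourceNames are deliberately left out of the model.

# Rule entries contain '*'; keep the shell from expanding it as a glob.
set -f

# rbac_resource_matches RULE_ENTRY REQUESTED -> exit 0 on match, 1 otherwise.
rbac_resource_matches() {
    [ "$1" = "*" ] && return 0
    [ "$1" = "$2" ] && return 0
    case "$2" in
        */*)
            # "*/exec" matches "pods/exec"; "pods/*" is just an unknown literal
            [ "$1" = "*/${2#*/}" ] && return 0 ;;
    esac
    return 1
}

# rule_allows RULE_VERBS RULE_RESOURCES VERB REQUESTED -> prints yes or no.
# RULE_VERBS / RULE_RESOURCES are comma-separated, as in rules[].verbs and
# rules[].resources of a Role or ClusterRole.
rule_allows() {
    ra_verb_ok=no
    for v in $(printf '%s\n' "$1" | tr ',' ' '); do
        if [ "$v" = "*" ] || [ "$v" = "$3" ]; then ra_verb_ok=yes; fi
    done
    if [ "$ra_verb_ok" != yes ]; then echo no; return 0; fi
    for r in $(printf '%s\n' "$2" | tr ',' ' '); do
        if rbac_resource_matches "$r" "$4"; then echo yes; return 0; fi
    done
    echo no
}

# Usage: the rule from the PS above versus an exec request
#   rule_allows create 'pods/*' create pods/exec   # -> no
#   rule_allows create 'pods,pods/exec' create pods/exec   # -> yes
```

The practical consequence for a reviewer is the reverse direction too: a rule listing `*/exec` or `*` grants exec on every resource that has that subresource, so those entries deserve the same attention as a bare `pods/exec` grant.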
=== kubectl get resources with custom columns / choose output fields with custom-columns (simpler syntax than go-template) ===
===== Output only the pod's namespace (tenant), pod name and pod uid with custom-columns =====
kubectl get pods -o custom-columns='namespace:metadata.namespace,pod:metadata.name,uid:metadata.uid'
===== Output only the namespace name and the node selector defined in the namespace annotation with custom-columns =====
kubectl get namespaces -o custom-columns="NAMESPACE:.metadata.name, NODE_SELECTOR:.metadata.annotations.scheduler\.alpha\.kubernetes\.io/node-selector"
=== Get node info ordered by node IP address ===
kubectl get nodes -owide --sort-by status.addresses[0].address
=== Get pods ordered by the node they run on ===
kubectl get pods -owide --sort-by .spec.nodeName
kubectl get pods -owide --sort-by spec.nodeName
=== Get pods ordered by pod creation time ===
kubectl get pods -n efk-system --sort-by status.startTime
kubectl get pods -n efk-system --sort-by status.startTime | grep filebeat
kubectl get pods -n efk-system --sort-by status.startTime | grep filebeat | tac
=== kubectl get resources with go-template / custom output with go-template (highly flexible, but with some coding and debugging cost) ===
==== Deployments - image / get only the deployment name and image ====
kubectl get deployments -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.template.spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'
Slightly formatted output: deployment name + container name + its image
kubectl get deployments.apps -o go-template --template '{{range .items}}{{printf "%-30s " .metadata.name}}{{range .spec.template.spec.containers}}{{.name}}{{":"}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'
==== Pods - image / get only the pod name and image (images of multi-container pods are space-separated) ====
kubectl get pods -o go-template --template '{{range .items}}{{.metadata.name}}{{" -- "}}{{range .spec.containers}}{{.image}}{{" "}}{{end}}{{"\n"}}{{end}}'
==== Get the IP address of a specified node / get only the node name and its InternalIP address ====
kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{range .status.addresses}}{{ if eq .type "InternalIP" }}{{.address}}{{end}}{{end}}{{end}}{{"\n"}}'
==== Get node taints / get only the node name and its taints ====
kubectl get nodes -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'
kubectl get nodes -l kubernetes.io/hostname=nodename -o go-template --template '{{range .items}}{{.metadata.name}}{{":\n"}}{{range .spec.taints}}{{.key}}{{"="}}{{.value}}{{":"}}{{.effect}}{{" "}}{{end}}{{"\n\n"}}{{end}}'
==== Get node labels with formatted output / get only the node name and its labels, formatted ====
kubectl get node -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{range $key, $value := .metadata.labels}}{{"\t\t"}}{{$key}}{{":"}}{{$value}}{{"\n"}}{{end}}{{"\n"}}{{end}}'
==== Get the namespace name and the node selector defined in the namespace annotation ====
kubectl get namespaces -o go-template='{{range .items}}{{.metadata.name}}{{" "}}{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector" -}}{{"\n"}}{{end}}'
===== Slightly processed: aligned, formatted output =====
kubectl get namespaces -o go-template='{{range .items}}{{printf "%-30s " .metadata.name}}{{if index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}{{index .metadata.annotations "scheduler.alpha.kubernetes.io/node-selector"}}{{else}} {{end}}{{"\n"}}{{end}}'
=== kubectl get event filtered by pod name / filter k8s events by the involved object ===
kubectl get event -n kube-system --field-selector involvedObject.name=${pod_name}
=== kubectl get event sorted by lastTimestamp / sort events by the time they last fired ===
kubectl get event -n kube-system --sort-by=.lastTimestamp
[[分类:K8s]]