
Admin

https://kubernetes.io/docs/reference/kubectl/cheatsheet/

Create an admin service account and a kubeconfig from it

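# Create a service account bound to cluster-admin and store its token in a kubeconfig.
# The binding grants full cluster privileges and the token is long-lived, so treat the
# resulting kubeconfig as a credential and delete the binding when no longer needed.
# Writes: <kubeconfig_file> (placeholder; substitute the target path).
kubectl create serviceaccount cluster-admin -n kube-system
kubectl create clusterrolebinding cluster:admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:cluster-admin
# .secrets[0] is only populated on clusters that still auto-create token Secrets
# (Kubernetes < 1.24); on newer clusters create the token Secret explicitly, or use
# `kubectl create token` for a time-bound token.
TOKEN_NAME=$(kubectl get sa -n kube-system cluster-admin -o jsonpath='{.secrets[0].name}')
TOKEN=$(kubectl get secret -n kube-system "$TOKEN_NAME" -o jsonpath='{.data.token}' | base64 --decode)
# The token is passed as an argument, so it is visible in `ps` while this runs and the
# literal command is kept in shell history; keep the kubeconfig file owner-readable only.
kubectl config set-credentials cluster-admin --token="$TOKEN" --kubeconfig <kubeconfig_file>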

Create a kubeconfig using a service account

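# Create a cluster-admin service account and collect what a kubeconfig needs:
# its token, the cluster CA and the API server URL.
kubectl create serviceaccount cluster-admin -n kube-system
# Since Kubernetes 1.24 token Secrets are no longer auto-created; declare one
# explicitly, annotated with the owning service account.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cluster-admin
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: cluster-admin
type: kubernetes.io/service-account-token
EOF
# Alternative on Kubernetes 1.25 and above: issues a time-bound token and prints it.
# Its output is not captured, so the steps below still use the Secret above.
kubectl create token cluster-admin -n kube-system
kubectl create clusterrolebinding cluster:admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:cluster-admin
# .metadata.name just echoes "cluster-admin"; the Secret above was given the same
# name, so it doubles as the Secret name.
TOKEN_NAME=$(kubectl get sa -n kube-system cluster-admin -o jsonpath='{.metadata.name}')
TOKEN=$(kubectl get secret -n kube-system "$TOKEN_NAME" -o jsonpath='{.data.token}' | base64 --decode)
CURRENT_CONTEXT=$(kubectl config current-context)
# Second slash-separated field of the context name (e.g. user/cluster).
CLUSTER_NAME=$(printf '%s\n' "$CURRENT_CONTEXT" | awk -F/ '{print $2}')
# --raw is required: a plain `kubectl config view` redacts certificate-authority-data.
# The context name is spliced into the template through a double-quoted expansion so
# names with spaces or glob characters survive intact.
# NOTE(review): these lookups key on the full context name while CLUSTER_NAME is only
# its second field; this only works when the cluster entry is named after the context —
# confirm for your kubeconfig.
CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"$CURRENT_CONTEXT"'"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'"$CURRENT_CONTEXT"'"}}{{ .cluster.server }}{{end}}{{ end }}')
# TOKEN is deliberately NOT exported: an exported bearer token is inherited by every
# child process and shows up in their environment dumps. The heredoc below reads it
# from this shell without needing export.
export TOKEN_NAME CURRENT_CONTEXT CLUSTER_NAME CLUSTER_CA CLUSTER_SERVER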



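# Write a kubeconfig for the cluster-admin service account into a file named after the
# cluster (in the current directory). The file carries a bearer token with full cluster
# privileges, so it is created owner-readable only: umask 077 is scoped to the subshell
# and does not change the caller's umask. Aborts instead of writing to "" when
# CLUSTER_NAME is unset.
(
  umask 077
  cat <<EOF > "${CLUSTER_NAME:?CLUSTER_NAME is not set}"
apiVersion: v1
clusters:
  - cluster:
      certificate-authority-data: ${CLUSTER_CA}
      server: ${CLUSTER_SERVER}
    name: ${CLUSTER_NAME}
contexts:
  - context:
      cluster: ${CLUSTER_NAME}
      user: cluster-admin
    name: ${CLUSTER_NAME}
current-context: ${CLUSTER_NAME}
kind: Config
preferences: {}
users:
  - name: cluster-admin
    user:
      token: ${TOKEN}
EOF
)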

To get access to a worker node's shell:

$ kubectl get nodes
NAME    STATUS   ROLES    AGE    VERSION
t470s   Ready    <none>   149d   v1.25.6

$ kubectl debug node/t470s -it --image alpine
Creating debugging pod node-debugger-t470s-2sdxd with container debugger on node t470s.
If you don't see a command prompt, try pressing enter.
/ #

Once inside the shell, the node's '/' is mounted at /host. Make /host the root:

/ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
overlay              239261308  27621172 199413476  12% /
tmpfs                    65536         0     65536   0% /dev
/dev/nvme0n1p5       239261308  27621172 199413476  12% /host
udev                  10080456         0  10080456   0% /host/dev
tmpfs                 10115776         0  10115776   0% /host/dev/shm
tmpfs                  2023156      3340   2019816   0% /host/run
tmpfs                     5120         4      5116   0% /host/run/lock
tmpfs                  2023156      3340   2019816   0% /host/run/snapd/ns
tmpfs                  2023152      2416   2020736   0% /host/run/user/1002
tmpfs                  2023152        72   2023080   0% /host/run/user/125
/dev/loop1                 128       128         0 100% /host/snap/bare/5

Change the root to /host using the chroot command:

# Re-root into the node's filesystem, which `kubectl debug node` mounts at /host,
# so host paths, logs and systemctl behave as on the node itself. The debug pod
# runs with host access, so expect this to appear in cluster audit logs.
chroot /host

Now you can view the logs and even run systemctl commands on the host system.

To view the Kubernetes configuration:

$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://192.168.11.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

To view the Kubernetes server events

$ kubectl get events
LAST SEEN   FIRST SEEN   COUNT     NAME                                                    KIND         SUBOBJECT                              TYPE      REASON                  SOURCE                  MESSAGE
44m         44m          1         kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afc58ae19f   Pod                                                 Normal    Scheduled               default-scheduler       Successfully assigned kubernetes-bootcamp-5d7f968ccb-bwqxz to k8s-node1
44m         44m          1         kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afd26f11ec   Pod                                                 Normal    SuccessfulMountVolume   kubelet, k8s-node1      MountVolume.SetUp succeeded for volume "default-token-fzcmd"
44m         44m          1         kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afe896caac   Pod          spec.containers{kubernetes-bootcamp}   Normal    Pulled                  kubelet, k8s-node1      Container image "docker.io/jocatalin/kubernetes-bootcamp:v1" already present on machine
44m         44m          1         kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afea59f2e7   Pod          spec.containers{kubernetes-bootcamp}   Normal    Created                 kubelet, k8s-node1      Created container
44m         44m          1         kubernetes-bootcamp-5d7f968ccb-bwqxz.151009aff1576040   Pod          spec.containers{kubernetes-bootcamp}   Normal    Started                 kubelet, k8s-node1      Started container


$ kubectl cluster-info
Kubernetes master is running at https://192.168.11.10:6443
KubeDNS is running at https://192.168.11.10:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

To register a Docker registry:

# Create an image-pull secret from registry credentials; replace the <...> placeholders.
# A literal --docker-password=<...> is recorded in shell history, and the value is
# visible in `ps` while the command runs. For real credentials read the password from
# a file via "$(cat ...)" (keeps it out of history) and scrub history afterwards.
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
where:

  • <your-registry-server> is your Private Docker Registry FQDN. (https://index.docker.io/v1/ for DockerHub)
  • <your-name> is your Docker username.
  • <your-pword> is your Docker password.
  • <your-email> is your Docker email.

To register a GCR registry using the JSON key of a service account:

# Image-pull secret for the private GCR repository, created in namespace jeeva-test.
# _json_key as the username tells GCR the password is a service-account JSON key.
# $(< file) reads the key in-shell; shell history records only the literal command,
# not the key, but the expanded value is still visible in `ps` while kubectl runs.
kubectl create secret docker-registry gcr-phc-sb \
  --namespace=jeeva-test \
  --docker-server=https://gcr.io \
  --docker-username=_json_key \
  --docker-email="jeevandk@science.roche.com" \
  --docker-password="$(< ~/Desktop/phc-shared-sb-001-fa237d9e-d41f32bb2bc8.json)"

# Attach the pull secret to the default service account of jeeva-test so every pod
# in that namespace using the default SA can pull from the private registry.
kubectl patch serviceaccount default -n jeeva-test \
  --patch '{"imagePullSecrets": [{"name": "gcr-phc-sb"}]}'
# Same image-pull secret, created in the current kubeconfig namespace.
# _json_key as the username tells GCR the password is a service-account JSON key;
# $(< file) reads it in-shell. The key is still visible in `ps` while kubectl runs.
kubectl create secret docker-registry gcr-phc-sb \
  --docker-server=https://gcr.io \
  --docker-username=_json_key \
  --docker-email="jeevandk@science.roche.com" \
  --docker-password="$(< ~/Desktop/phc-shared-sb-001-fa237d9e-d41f32bb2bc8.json)"


# Attach the pull secret to the default service account of the current namespace.
kubectl patch serviceaccount default \
  --patch '{"imagePullSecrets": [{"name": "gcr-phc-sb"}]}'


# Decode the stored registry credential to verify it. This prints the JSON key in
# clear text: run it only on a trusted terminal and keep it out of logs/pastes.
kubectl get secret gcr-phc-sb -o 'jsonpath={.data.\.dockerconfigjson}' | base64 --decode



gcr.io/phc-shared-sb-001-fa237d9e/jkailasam/nginx



# Test pod that pulls from the private GCR repository using the gcr-phc-sb pull secret.
apiVersion: v1
kind: Pod
metadata:
  name: jeeva-test
spec:
  containers:
  - name: jeeva-test-container
    # NOTE(review): no tag or digest, so the "latest" tag is pulled; pin a tag or
    # digest for reproducible deployments.
    image: gcr.io/phc-shared-sb-001-fa237d9e/jkailasam/nginx
  # Referenced per pod here; alternatively patch the namespace's default service
  # account with the secret so every pod using it inherits the credential.
  imagePullSecrets:
  - name: gcr-phc-sb