One CKA/CKAD/CKS requirement: Mastering Kubectl
Kubectl is the first tool that every Kubernetes operator will have to use to interact with the cluster. This post aims to share some guidelines on it.
9 min read
Today, Kubernetes is the most popular container orchestration tool for managing and scaling containerized infrastructure.
As an SRE, DevOps, Sys Admin, developer or whatever the name of your role position, if you have to manage, operate or just read Kubernetes resources, you will probably need to understand some basic principles like the Kubectl command line.
The purpose of this article is to share some guidelines to master the Kubectl command line tool. Mastering Kubectl is important in the learning path to get certified on Kubernetes, (developer, administrator and security) as the certifications rely on Kubectl commands, so some tips provided in this guide can help you during your certification.
What is Kubectl?
As every cluster management tool, Kubernetes comes with a default command line tool to manage the resources: Kubectl for Kube Control.
Kubectl is the default entrypoint to create, update, read and delete (CRUD) every Kubernetes resource. Basically, it allows you to perform every possible Kubernetes operation.
Kubectl is a command line tool that can be installed almost everywhere (Linux, Mac OS, Windows, etc) to interact with the only entrypoint of a Kubernetes cluster, the API server.
Kubernetes is based on a HTTP REST API. This means that every Kubernetes operation is exposed as an API endpoint and can be executed by an HTTP request to this endpoint. Kubectl’s responsibility is to create and format the POST request sent to the Kubernetes API Server.
The first thing to do after the installation of Kubectl is to configure the auto-completion to interact with the Kubernetes resources in an easier way. The auto-completion will allow you to easily find an action, a resource name, a namespace name, etc, making your command line (CLI) operation more productive. Kubectl can generate automatically the auto-completion script for the desired environment:
Once the Kubectl is installed and the auto-completion configured, the next step is to get a kubeconfig file to reach a remote Kubernetes cluster.
What is a Kubeconfig file?
Authentication is required on a Kubernetes cluster to operate the resources. The authentication process requires a running Kubernetes API server to authenticate to and a config file containing a series of information to connect to the remote cluster. In order to easily switch between multiple clusters and/or multiple users, a Kubeconfig file was defined.
This file can contain a series of authentication mechanisms combined to cluster connection information. This combination introduced a new concept called a Kubernetes context. A context groups access parameters under a convenient name to easily access a remote Kubernetes cluster via Kubectl.
By default, Kubectl looks for a file named config in the home directory of the current user (for example $HOME/.kube) but this setting can be overwritten by setting the KUBECONFIG environment variable or by setting the --kubeconfig flag to the Kubectl command line. Thanks to the context concept and on the opposite of the flag, the KUBECONFIG environment variable can hold a list of kubeconfig files (delimited by a colon on Linux/Mac, a semicolon on Windows) to easily access multiple clusters for example.
How to extend Kubectl functionalities?
Kubectl is like Kubernetes, modular and extensible. Kubectl can do almost everything an operator will require but under some circumstances, it would be easier to add a new “feature” to the command line. Kubectl can be extended with external plugins adding new sub-commands and custom features not included in the main distribution of Kubectl.
The number of plugins keeps increasing (currently more than 140 plugins), to easily manage their installation, the Kubernetes community has developed an extension to the Kubectl command line named: Krew.
Once Krew is installed, it can be used as every package manager to discover, manage and install Kubectl plugins:
Top 10 Kubectl plugins
As mentioned previously, the number of plugins keeps increasing to improve our Kubectl productivity. Here is a list of 10 plugins that you should be aware of:
- Kubectx / Kubens is probably the most important plugin and the first one to install. Moving from a context to another one, from a namespace to another one are probably the most used commands. This plugin makes it easier to switch between context and namespace with Kubectl.
- Kail is THE plugin required to troubleshoot any issues on a Kubernetes cluster. It can tail the logs of multiple pods based on the service name, the replica set, the deployment, etc… Be more productive by tailing all the logs in one terminal window to quickly identify potential issues.
- Kube-score aims to improve the security and the reliability of the Kubernetes workload by performing static code analysis of Kubernetes objects definition. Perfect for a CI/CD pipeline before applying the resources.
- Ksniff, everything is in the name, this plugin utilizes Tcpdump and Wireshark to start a remote capture on any pod in a Kubernetes cluster. Definitely a plugin required to troubleshoot any Container Network Interface (CNI) issue.
- Kubectl tree explores ownership relationships between Kubernetes objects to optimize the display of information, making it more human readable. This plugin reduces the number of commands required to identify the parent / child relationship of Kubernetes resources.
- Kubepug is the perfect pre-upgrade Kubernetes cluster checker. This command line downloads the information of the newer Kubernetes version and compares it to the current workload to identify updates required by the potential new deprecations. Definitely something that needs to be run before an upgrade.
- Kubectl-cost is a command line way to get access to the Kubernetes cost allocation metrics via the Kubecost APIs. It obviously requires the deployment of Kubecost inside the Kubernetes cluster to get access to the information. It is especially interesting in production to profile the resource consumption of each live workload.
- Popeye is a good Kubernetes cluster sanitizer. It scans live resources and reports potential resource issues and misconfigurations. Combined with metric-server, it can also recommend resource allocations to optimize the workload. This utility is nice to have to ensure that the best practices of a Kubernetes cluster management are applied.
- Starboard is another Aqua security project that aims to unify the security in a Kubernetes environment. This toolkit integrates security tools to identify and report the risks that relate to different resources in a Kubernetes-native way. It is a perfect tool to add to CI/CD pipelines to run vulnerability scanners, workload auditors, and configuration benchmark tests.
- Kubectl-debug is a fantastic project to easily troubleshoot any running pod. This plugin creates a new container inside the pod with all the tools required to debug a potential issue without requiring pre-installation or update of the running pod.
This is a non-exhaustive list of existing plugins developed by the community. Maybe none of the available plugins will fit with your needs. In this case, you have the option to develop your own module.
Aliases for smart lazy guys
An alias is a short name that the shell translates into another longer name or command. Aliases allow you to define new commands by substituting a string for the first token of a simple command. It usually helps to work faster in the command line by reducing the number of characters needed to run even a simple command like Kubectl.
Once again, the Kubernetes community did a great job to develop a simple project to easily add to your shell a ton of aliases to be more productive with Kubectl. This project is named kubectl-aliases and it basically provides a shell script that has to be configured in the bashrc file to add the aliases. Here is a small sample of the available aliases:
The goal of the CNCF certifications is to put you in context where you have to solve 24 questions. Those questions can be of different kinds, from the extraction of simple information from an existing resource to the management of a cluster.
The first important thing to keep in mind during the exam is that you will have only 6 clusters for 24 questions. That means you will have a Kubernetes context for each question. The context will determine on which cluster you have to get information or solve an issue. So that’s why it is important to understand the concept of context in a Kubernetes world and don't forget to change the context at the beginning of each new question.
The exam is based on a web terminal so obviously, the only thing that you will have is Kubectl and that’s why it is important to master the command line. Saving time is important during any exam to focus on toughest questions or to double-check that you answered the question and did what it needs to, etc... so you have to be comfortable with the command line. One thing you can do to be faster is to configure the auto-completion as mention in the beginning of this article, or you can even configured aliases if you are familiar with them but don't waste too many time on it, whatever you chose, you have to be comfortable with it, you don't need to make the exam more complicated.
A good practice in this kind of exam is to not directly apply all the changes. Kubectl comes with the --dry-run option to preview the object that would be sent to the cluster, without actually sending it. This is a best practice during the exam to validate the changes before applying something wrong and potentially impact the others questions.
Last tips, the exam will ask you to get information from existing resources and create new ones. It is highly recommended understanding the process of extraction of information from existing Kubernetes resources in a YAML file for many reasons. The main one is that developing a YAML file takes time and is subject to error, extracting information and updating it to answer a question is better and faster. Exporting information requires you to follow a file naming convention to keep them and quickly identify each file you may use as a template to quickly answer another question without having to overwrite the original file.
Here is a quick command that can be run to easily combine two recommendation, preview and save Kubectl outputs:
Taking a couple of minutes to set up your environment before starting the exam can save you time.
Kubectl is probably the command line tool most used to operate a Kubernetes cluster. It is an efficient and easy to understand tool that everyone interested in the Kubernetes certifications need to master.
But on a daily basis, Kubectl is potentially not the most productive tool to use and that’s why some projects gravitating around Kubectl have emerged like Lens, an amazing open source IDE to manage a Kubernetes cluster, K9s, a terminal based UI to make it easier to navigate, observe and manage any applications on a Kubernetes cluster.
This is just two projects on a long list, feel free to share your favorite tool in the comments!
For more information on Kubectl:
- Kubectl oveview
- Kubectl CheatSheet
- Organizing Cluster Access Using kubeconfig Files
- Krew Website
- Krew plugin list
- Awesome Kubectl plugins
- Mastering Kubeconfig file
About the authors
Hicham Bouissoumer - Site Reliability Engineer (SRE) - DevOps
Nicolas Giron - Site Reliability Engineer (SRE) - DevOps