GETTING STARTED

  • will start running 1 or more instances of a container image on your cluster.
  • expose will load balance traffic across the running instances, and can create a HA proxy for accessing the containers from outside the cluster.

Once your workloads are running, you can use the commands in the WORKING WITH APPS section to inspect them.


create

Create a pod based on the JSON passed into stdin

  1. cat pod.json | kubectl create -f -

Edit the data in registry.yaml in JSON then create the resource using the edited data

  1. kubectl create -f registry.yaml --edit -o json

Create a resource from a file or from stdin.

JSON and YAML formats are accepted.

$ kubectl create -f FILENAME

Flags


Create a cluster role named “pod-reader” that allows user to perform “get”, “watch” and “list” on pods

  1. kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

Create a cluster role named “pod-reader” with ResourceName specified

  1. kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

Create a cluster role named “foo” with API Group specified

  1. kubectl create clusterrole foo --verb=get,list,watch --resource=rs.apps

Create a cluster role named “foo” with SubResource specified

  1. kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status

Create a cluster role name “foo” with NonResourceURL specified

  1. kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*

Create a cluster role name “monitoring” with AggregationRule specified

  1. kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

Create a cluster role.

Usage

$ kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
aggregation-ruleAn aggregation label selector for combining ClusterRoles.
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
non-resource-url[]A partial url that user should have access to.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
resource[]Resource that the rule applies to
resource-name[]Resource in the white list that the rule applies to, repeat this flag for multiple items
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.
verb[]Verb that applies to the resources contained in the rule

clusterrolebinding

Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role

  1. kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1

Create a cluster role binding for a particular cluster role.

Usage

$ kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
clusterroleClusterRole this ClusterRoleBinding should reference
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
group[]Groups to bind to the clusterrole. The flag can be repeated to add multiple groups.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
serviceaccount[]Service accounts to bind to the clusterrole, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

configmap

Create a new config map named my-config based on folder bar

  1. kubectl create configmap my-config --from-file=path/to/bar

Create a new config map named my-config with specified keys instead of file basenames on disk

  1. kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt

Create a new config map named my-config with key1=config1 and key2=config2

  1. kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2

Create a new config map named my-config from the key=value pairs in the file

  1. kubectl create configmap my-config --from-file=path/to/bar

Create a new config map named my-config from an env file

  1. kubectl create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env

Create a config map based on a file, directory, or specified literal value.

A single config map may package one or more key/value pairs.

When creating a config map based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key, you may specify an alternate key.

When creating a config map based on a directory, each file whose basename is a valid key in the directory will be packaged into the config map. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).

Usage

$ kubectl create configmap NAME [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
append-hashfalseAppend a hash of the configmap to its name.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
from-env-file[]Specify the path to a file to read lines of key=val pairs to create a configmap.
from-file[]Key file can be specified using its file path, in which case file basename will be used as configmap key, or optionally with a key and file path, in which case the given key will be used. Specifying a directory will iterate each named file in the directory whose basename is a valid configmap key.
from-literal[]Specify a key and literal value to insert in configmap (i.e. mykey=somevalue)
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

cronjob

Create a cron job

  1. kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *"

Create a cron job with a command

  1. kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" -- date

Create a cron job with the specified name.

Usage

$ kubectl create cronjob NAME --image=image --schedule='0/5 * * * ?' -- [COMMAND] [args...]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
imageImage name to run.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
restartjob’s restart policy. supported values: OnFailure, Never
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
scheduleA schedule in the Cron format the job should be run with.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

deployment

Create a deployment named my-dep that runs the busybox image

  1. kubectl create deployment my-dep --image=busybox

Create a deployment with a command

  1. kubectl create deployment my-dep --image=busybox -- date

Create a deployment named my-dep that runs the nginx image with 3 replicas

  1. kubectl create deployment my-dep --image=nginx --replicas=3

Create a deployment named my-dep that runs the busybox image and expose port 5701

  1. kubectl create deployment my-dep --image=busybox --port=5701

Create a deployment with the specified name.

Usage

$ kubectl create deployment NAME --image=image -- [COMMAND] [args...]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
image[]Image names to run.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
port-1The port that this container exposes.
replicasr1Number of replicas to create. Default is 1.
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

ingress

Create a single ingress called ‘simple’ that directs requests to foo.com/bar to svc # svc1:8080 with a tls secret “my-cert”

  1. kubectl create ingress simple --rule="foo.com/bar=svc1:8080,tls=my-cert"

Create a catch all ingress of “/path” pointing to service svc:port and Ingress Class as “otheringress”

  1. kubectl create ingress catch-all --class=otheringress --rule="/path=svc:port"

Create an ingress with two annotations: ingress.annotation1 and ingress.annotations2

  1. kubectl create ingress annotated --class=default --rule="foo.com/bar=svc:port" \
  2. --annotation ingress.annotation1=foo \
  3. --annotation ingress.annotation2=bla

Create an ingress with the same host and multiple paths

  1. kubectl create ingress multipath --class=default \
  2. --rule="foo.com/=svc:port" \
  3. --rule="foo.com/admin/=svcadmin:portadmin"

Create an ingress with multiple hosts and the pathType as Prefix

  1. kubectl create ingress ingress1 --class=default \
  2. --rule="foo.com/path*=svc:8080" \
  3. --rule="bar.com/admin*=svc2:http"

Create an ingress with TLS enabled using the default ingress certificate and different path types

  1. kubectl create ingress ingtls --class=default \
  2. --rule="foo.com/=svc:https,tls" \
  3. --rule="foo.com/path/subpath*=othersvc:8080"

Create an ingress with TLS enabled using a specific secret and pathType as Prefix

  1. kubectl create ingress ingsecret --class=default \
  2. --rule="foo.com/*=svc:8080,tls=secret1"

Create an ingress with a default backend

  1. kubectl create ingress ingdefault --class=default \
  2. --default-backend=defaultsvc:http \
  3. --rule="foo.com/*=svc:8080,tls=secret1"

Create an ingress with the specified name.

Usage

$ kubectl create ingress NAME --rule=host/path=service:port[,tls[=secret]]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
annotation[]Annotation to insert in the ingress object, in the format annotation=value
classIngress Class to be used
default-backendDefault service for backend, in format of svcname:port
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
rule[]Rule in format host/path=service:port[,tls=secretname]. Paths containing the leading character ‘*’ are considered pathType=Prefix. tls argument is optional.
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

job

Create a job

  1. kubectl create job my-job --image=busybox

Create a job with a command

  1. kubectl create job my-job --image=busybox -- date

Create a job from a cron job named “a-cronjob”

  1. kubectl create job test-job --from=cronjob/a-cronjob

Create a job with the specified name.

Usage

$ kubectl create job NAME --image=image [--from=cronjob/name] -- [COMMAND] [args...]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
fromThe name of the resource to create a Job from (only cronjob is supported).
imageImage name to run.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

namespace

Create a new namespace named my-namespace

  1. kubectl create namespace my-namespace

Create a namespace with the specified name.

Usage

$ kubectl create namespace NAME [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

poddisruptionbudget

Create a pod disruption budget named my-pdb that will select all pods with the app=rails label # and require at least one of them being available at any point in time

  1. kubectl create poddisruptionbudget my-pdb --selector=app=rails --min-available=1

Create a pod disruption budget named my-pdb that will select all pods with the app=nginx label # and require at least half of the pods selected to be available at any point in time

  1. kubectl create pdb my-pdb --selector=app=nginx --min-available=50%

Create a pod disruption budget with the specified name, selector, and desired minimum available pods.

Usage

$ kubectl create poddisruptionbudget NAME --selector=SELECTOR --min-available=N [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
max-unavailableThe maximum number or percentage of unavailable pods this budget requires.
min-availableThe minimum number or percentage of available pods this budget requires.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
selectorA label selector to use for this budget. Only equality-based selector requirements are supported.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

priorityclass

Create a priority class named high-priority

  1. kubectl create priorityclass high-priority --value=1000 --description="high priority"

Create a priority class named default-priority that is considered as the global default priority

  1. kubectl create priorityclass default-priority --value=1000 --global-default=true --description="default priority"

Create a priority class named high-priority that cannot preempt pods with lower priority

  1. kubectl create priorityclass high-priority --value=1000 --description="high priority" --preemption-policy="Never"

Create a priority class with the specified name, value, globalDefault and description.

Usage

$ kubectl create priorityclass NAME --value=VALUE --global-default=BOOL [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
descriptiondescription is an arbitrary string that usually provides guidelines on when this priority class should be used.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
global-defaultfalseglobal-default specifies whether this PriorityClass should be considered as the default priority.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
preemption-policyPreemptLowerPrioritypreemption-policy is the policy for preempting pods with lower priority.
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.
value0the value of this priority class.

quota

Create a new resource quota named my-quota

  1. kubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10

Create a new resource quota named best-effort

  1. kubectl create quota best-effort --hard=pods=100 --scopes=BestEffort

Create a resource quota with the specified name, hard limits, and optional scopes.

Usage

$ kubectl create quota NAME [--hard=key1=value1,key2=value2] [--scopes=Scope1,Scope2] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
hardA comma-delimited set of resource=quantity pairs that define a hard limit.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
scopesA comma-delimited set of quota scopes that must all match each object tracked by the quota.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

role

Create a role named “pod-reader” that allows user to perform “get”, “watch” and “list” on pods

  1. kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

Create a role named “pod-reader” with ResourceName specified

  1. kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

Create a role named “foo” with API Group specified

  1. kubectl create role foo --verb=get,list,watch --resource=rs.apps

Create a role named “foo” with SubResource specified

  1. kubectl create role foo --verb=get,list,watch --resource=pods,pods/status

Create a role with single rule.

Usage

$ kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
resource[]Resource that the rule applies to
resource-name[]Resource in the white list that the rule applies to, repeat this flag for multiple items
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.
verb[]Verb that applies to the resources contained in the rule

rolebinding

Create a role binding for user1, user2, and group1 using the admin cluster role

  1. kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1

Create a role binding for a particular role or cluster role.

Usage

$ kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
clusterroleClusterRole this RoleBinding should reference
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
group[]Groups to bind to the role. The flag can be repeated to add multiple groups.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
roleRole this RoleBinding should reference
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
serviceaccount[]Service accounts to bind to the role, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

secret

Create a secret using specified subcommand.

Usage

$ kubectl create secret


secret docker-registry

If you don’t already have a .dockercfg file, you can create a dockercfg secret directly by using:

  1. kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL

Create a new secret named my-secret from ~/.docker/config.json

  1. kubectl create secret docker-registry my-secret --from-file=.dockerconfigjson=path/to/.docker/config.json

Create a new secret for use with Docker registries.

Dockercfg secrets are used to authenticate against Docker registries.

When using the Docker command line to push images, you can authenticate to a given registry by running: ‘$ docker login DOCKER_REGISTRY_SERVER —username=DOCKER_USER —password=DOCKER_PASSWORD —email=DOCKER_EMAIL’.

That produces a ~/.dockercfg file that is used by subsequent ‘docker push’ and ‘docker pull’ commands to authenticate to the registry. The email address is optional.

When creating applications, you may have a Docker registry that requires authentication. In order for the nodes to pull images on your behalf, they must have the credentials. You can provide this information by creating a dockercfg secret and attaching it to your service account.

Usage

$ kubectl create docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-file=[key=]source] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
append-hashfalseAppend a hash of the secret to its name.
docker-emailEmail for Docker registry
docker-passwordPassword for Docker registry authentication
docker-serverServer location for Docker registry
docker-usernameUsername for Docker registry authentication
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
from-file[]Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

secret generic

Create a new secret named my-secret with keys for each file in folder bar

  1. kubectl create secret generic my-secret --from-file=path/to/bar

Create a new secret named my-secret with specified keys instead of names on disk

  1. kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub

Create a new secret named my-secret with key1=supersecret and key2=topsecret

  1. kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret

Create a new secret named my-secret using a combination of a file and a literal

  1. kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret

Create a new secret named my-secret from env files

  1. kubectl create secret generic my-secret --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env

Create a secret based on a file, directory, or specified literal value.

A single secret may package one or more key/value pairs.

When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key.

When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).

Usage

$ kubectl create generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
append-hashfalseAppend a hash of the secret to its name.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
from-env-file[]Specify the path to a file to read lines of key=val pairs to create a secret.
from-file[]Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key.
from-literal[]Specify a key and literal value to insert in secret (i.e. mykey=somevalue)
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
typeThe type of secret to create
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

secret tls

Create a new TLS secret named tls-secret with the given key pair

  1. kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key

Create a TLS secret from the given public/private key pair.

The public/private key pair must exist beforehand. The public key certificate must be .PEM encoded and match the given private key.

Usage

$ kubectl create tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
append-hashfalseAppend a hash of the secret to its name.
certPath to PEM encoded public key certificate.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
keyPath to private key associated with given certificate.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

service

Create a service using a specified subcommand.

Usage

$ kubectl create service


service clusterip

Create a new ClusterIP service named my-cs

  1. kubectl create service clusterip my-cs --tcp=5678:8080

Create a new ClusterIP service named my-cs (in headless mode)

  1. kubectl create service clusterip my-cs --clusterip="None"

Create a ClusterIP service with the specified name.

Usage

$ kubectl create clusterip NAME [--tcp=<port>:<targetPort>] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
clusteripAssign your own ClusterIP or set to ‘None’ for a ‘headless’ service (no loadbalancing).
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
tcp[]Port pairs can be specified as ‘<port>:<targetPort>’.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

service externalname

Create a new ExternalName service named my-ns

  1. kubectl create service externalname my-ns --external-name bar.com

Create an ExternalName service with the specified name.

ExternalName service references to an external DNS address instead of only pods, which will allow application authors to reference services that exist off platform, on other clusters, or locally.

Usage

$ kubectl create externalname NAME --external-name external.name [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
external-nameExternal name of service
field-managerkubectl-createName of the manager used to track field ownership.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
tcp[]Port pairs can be specified as ‘<port>:<targetPort>’.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

service loadbalancer

Create a new LoadBalancer service named my-lbs

  1. kubectl create service loadbalancer my-lbs --tcp=5678:8080

Create a LoadBalancer service with the specified name.

Usage

$ kubectl create loadbalancer NAME [--tcp=port:targetPort] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
tcp[]Port pairs can be specified as ‘<port>:<targetPort>’.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

Create a new NodePort service named my-ns

  1. kubectl create service nodeport my-ns --tcp=5678:8080

Create a NodePort service with the specified name.

Usage

$ kubectl create nodeport NAME [--tcp=port:targetPort] [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
node-port0Port used to expose the service on each node in a cluster.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
tcp[]Port pairs can be specified as ‘<port>:<targetPort>’.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

serviceaccount

Create a new service account named my-service-account

  1. kubectl create serviceaccount my-service-account

Create a service account with the specified name.

Usage

$ kubectl create serviceaccount NAME [--dry-run=server|client|none]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-createName of the manager used to track field ownership.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

token

Request a token to authenticate to the kube-apiserver as the service account “myapp” in the current namespace

  1. kubectl create token myapp

Request a token for a service account in a custom namespace

  1. kubectl create token myapp --namespace myns

Request a token with a custom expiration

  1. kubectl create token myapp --duration 10m

Request a token with a custom audience

  1. kubectl create token myapp --audience https://example.com

Request a token bound to an instance of a Secret object

  1. kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret

Request a token bound to an instance of a Secret object with a specific uid

  1. kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc

Request a service account token.

Usage

$ kubectl create token SERVICE_ACCOUNT_NAME

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
audience[]Audience of the requested token. If unset, defaults to requesting a token for use with the Kubernetes API server. May be repeated to request a token valid for multiple audiences.
bound-object-kindKind of an object to bind the token to. Supported kinds are Pod, Secret. If set, —bound-object-name must be provided.
bound-object-nameName of an object to bind the token to. The token will expire when the object is deleted. Requires —bound-object-kind.
bound-object-uidUID of an object to bind the token to. Requires —bound-object-kind and —bound-object-name. If unset, the UID of the existing object is used.
duration0sRequested lifetime of the issued token. The server may return a token with a longer or shorter lifetime.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

get

List all pods in ps output format

  1. kubectl get pods

List all pods in ps output format with more information (such as node name)

  1. kubectl get pods -o wide

List a single replication controller with specified NAME in ps output format

  1. kubectl get replicationcontroller web

List deployments in JSON output format, in the “v1” version of the “apps” API group

  1. kubectl get deployments.v1.apps -o json

List a single pod in JSON output format

  1. kubectl get -o json pod web-pod-13je7

List a pod identified by type and name specified in “pod.yaml” in JSON output format

  1. kubectl get -f pod.yaml -o json

List resources from a directory with kustomization.yaml - e.g. dir/kustomization.yaml

  1. kubectl get -k dir/

Return only the phase value of the specified pod

  1. kubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}

List resource information in custom columns

  1. kubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0].name,IMAGE:.spec.containers[0].image

List all replication controllers and services together in ps output format

  1. kubectl get rc,services

List one or more resources by their type and names

  1. kubectl get rc/web service/frontend pods/web-pod-13je7

List status subresource for a single pod.

  1. kubectl get pod web-pod-13je7 --subresource status

Display one or many resources.

Prints a table of the most important information about the specified resources. You can filter the list using a label selector and the —selector flag. If the desired resource type is namespaced you will only see results in your current namespace unless you pass —all-namespaces.

By specifying the output as ‘template’ and providing a Go template as the value of the —template flag, you can filter the attributes of the fetched resources.

Use “kubectl api-resources” for a complete list of supported resources.

Usage

$ kubectl get [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file|custom-columns|custom-columns-file|wide] (TYPE[.VERSION][.GROUP] [NAME | -l label] | TYPE[.VERSION][.GROUP]/NAME ...) [flags]

Flags

NameShorthandDefaultUsage
all-namespacesAfalseIf present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with —namespace.
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
chunk-size500Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future.
field-selectorSelector (field query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. —field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.
filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
ignore-not-foundfalseIf the requested object does not exist the command will return exit code 0.
kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
label-columnsL[]Accepts a comma separated list of labels that are going to be presented as columns. Names are case-sensitive. You can also use multiple flag options like -L label1 -L label2…
no-headersfalseWhen using the default or custom-column output format, don’t print headers (default print headers).
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file, custom-columns, custom-columns-file, wide). See custom columns [https://kubernetes.io/docs/reference/kubectl/#custom-columns], golang template [] and jsonpath template [https://kubernetes.io/docs/reference/kubectl/jsonpath/].
output-watch-eventsfalseOutput watch event objects when —watch or —watch-only is used. Existing objects are output as initial ADDED events.
rawRaw URI to request from the server. Uses the transport specified by the kubeconfig file.
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
server-printtrueIf true, have the server return the appropriate table output. Supports extension APIs and CRDs.
show-kindfalseIf present, list the resource type for the requested object(s).
show-labelsfalseWhen printing, show all labels as the last column (default hide labels column)
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
sort-byIf non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. ‘{.metadata.name}’). The field in the API resource specified by this JSONPath expression must be an integer or a string.
subresourceIf specified, gets the subresource of the requested object. Must be one of [status scale]. This flag is alpha and may change in the future.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
use-openapi-print-columnsfalseIf true, use x-kubernetes-print-column metadata (if present) from the OpenAPI schema for displaying a resource.
watchwfalseAfter listing/getting the requested object, watch for changes.
watch-onlyfalseWatch for changes to the requested object(s), without listing/getting first.

run

Start a nginx pod

  1. kubectl run nginx --image=nginx

Start a hazelcast pod and let the container expose port 5701

  1. kubectl run hazelcast --image=hazelcast/hazelcast --port=5701

Start a hazelcast pod and set environment variables “DNS_DOMAIN=cluster” and “POD_NAMESPACE=default” in the container

  1. kubectl run hazelcast --image=hazelcast/hazelcast --env="DNS_DOMAIN=cluster" --env="POD_NAMESPACE=default"

Start a hazelcast pod and set labels “app=hazelcast” and “env=prod” in the container

  1. kubectl run hazelcast --image=hazelcast/hazelcast --labels="app=hazelcast,env=prod"

Dry run; print the corresponding API objects without creating them

  1. kubectl run nginx --image=nginx --dry-run=client

Start a nginx pod, but overload the spec with a partial set of values parsed from JSON

  1. kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }'

Start a busybox pod and keep it in the foreground, don’t restart it if it exits

  1. kubectl run -i -t busybox --image=busybox --restart=Never

Start the nginx pod using the default command, but use custom arguments (arg1 .. argN) for that command

  1. kubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>

Start the nginx pod using a different command and custom arguments

  1. kubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>

Create and run a particular image in a pod.

Usage

$ kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server|client] [--overrides=inline-json] [--command] -- [COMMAND] [args...]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
annotations[]Annotations to apply to the pod.
attachfalseIf true, wait for the Pod to start running, and then attach to the Pod as if ‘kubectl attach …’ were called. Default false, unless ‘-i/—stdin’ is set, in which case the default is true. With ‘—restart=Never’ the exit code of the container process is returned.
commandfalseIf true and extra arguments are present, use them as the ‘command’ field in the container, rather than the ‘args’ field which is the default.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
env[]Environment variables to set in the container.
exposefalseIf true, create a ClusterIP service associated with the pod. Requires —port.
field-managerkubectl-runName of the manager used to track field ownership.
imageThe image for the container to run.
image-pull-policyThe image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server.
labelslComma separated labels to apply to the pod. Will override previous values.
leave-stdin-openfalseIf the pod is started in interactive mode or with stdin, leave stdin open after the first attach completes. By default, stdin will be closed after the first attach completes.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
override-typemergeThe method used to override the generated object: json, merge, or strategic.
overridesAn inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field.
pod-running-timeout1m0sThe length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running
portThe port that this container exposes.
privilegedfalseIf true, run the container in privileged mode.
quietqfalseIf true, suppress prompt messages.
recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
restartAlwaysThe restart policy for this Pod. Legal values [Always, OnFailure, Never].
rmfalseIf true, delete the pod after it exits. Only valid when attaching to the container, e.g. with ‘—attach’ or with ‘-i/—stdin’.
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
stdinifalseKeep stdin open on the container in the pod, even if nothing is attached.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
ttytfalseAllocate a TTY for the container in the pod.

expose

Create a service for a replicated nginx, which serves on port 80 and connects to the containers on port 8000

  1. kubectl expose rc nginx --port=80 --target-port=8000

Create a service for a replication controller identified by type and name specified in “nginx-controller.yaml”, which serves on port 80 and connects to the containers on port 8000

  1. kubectl expose -f nginx-controller.yaml --port=80 --target-port=8000

Create a service for a pod valid-pod, which serves on port 444 with the name “frontend”

  1. kubectl expose pod valid-pod --port=444 --name=frontend

Create a second service based on the above service, exposing the container port 8443 as port 443 with the name “nginx-https”

  1. kubectl expose service nginx --port=443 --target-port=8443 --name=nginx-https

Create a service for a replicated streaming application on port 4100 balancing UDP traffic and named ‘video-stream’.

  1. kubectl expose rc streamer --port=4100 --protocol=UDP --name=video-stream

Create a service for a replicated nginx using replica set, which serves on port 80 and connects to the containers on port 8000

  1. kubectl expose rs nginx --port=80 --target-port=8000

Create a service for an nginx deployment, which serves on port 80 and connects to the containers on port 8000

  1. kubectl expose deployment nginx --port=80 --target-port=8000

Expose a resource as a new Kubernetes service.

Looks up a deployment, service, replica set, replication controller or pod by name and uses the selector for that resource as the selector for a new service on the specified port. A deployment or replica set will be exposed as a service only if its selector is convertible to a selector that service supports, i.e. when the selector contains only the matchLabels component. Note that if no port is specified via —port and the exposed resource has multiple ports, all will be re-used by the new service. Also if no labels are specified, the new service will re-use the labels from the resource it exposes.

Possible resources include (case insensitive):

pod (po), service (svc), replicationcontroller (rc), deployment (deploy), replicaset (rs)

Usage

$ kubectl expose (-f FILENAME | TYPE NAME) [--port=port] [--protocol=TCP|UDP|SCTP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
cluster-ipClusterIP to be assigned to the service. Leave empty to auto-allocate, or set to ‘None’ to create a headless service.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
external-ipAdditional external IP address (not managed by Kubernetes) to accept for the service. If this IP is routed to a node, the service can be accessed by this IP in addition to its generated service IP.
field-managerkubectl-exposeName of the manager used to track field ownership.
filenamef[]Filename, directory, or URL to files identifying the resource to expose a service
kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
labelslLabels to apply to the service created by this call.
load-balancer-ipIP to assign to the LoadBalancer. If empty, an ephemeral IP will be created and used (cloud-provider specific).
nameThe name for the newly created object.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
override-typemergeThe method used to override the generated object: json, merge, or strategic.
overridesAn inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field.
portThe port that the service should serve on. Copied from the resource being exposed, if unspecified
protocolThe network protocol for the service to be created. Default is ‘TCP’.
recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
selectorA label selector to use for this service. Only equality-based selector requirements are supported. If empty (the default) infer the selector from the replication controller or replica set.)
session-affinityIf non-empty, set the session affinity for the service to this; legal values: ‘None’, ‘ClientIP’
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
target-portName or number for the port on the container that the service should direct traffic to. Optional.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
typeType for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. Default is ‘ClusterIP’.

delete

Delete a pod using the type and name specified in pod.json

  1. kubectl delete -f ./pod.json

Delete resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml

  1. kubectl delete -k dir

Delete resources from all files that end with ‘.json’ - i.e. expand wildcard characters in file names

  1. kubectl delete -f '*.json'

Delete a pod based on the type and name in the JSON passed into stdin

  1. cat pod.json | kubectl delete -f -

Delete pods and services with same names “baz” and “foo”

  1. kubectl delete pod,service baz foo

Delete pods and services with label name=myLabel

  1. kubectl delete pods,services -l name=myLabel

Delete a pod with minimal delay

  1. kubectl delete pod foo --now

Force delete a pod on a dead node

  1. kubectl delete pod foo --force

Delete all pods

  1. kubectl delete pods --all

Delete resources by file names, stdin, resources and names, or by resources and label selector.

JSON and YAML formats are accepted. Only one type of argument may be specified: file names, resources and names, or resources and label selector.

Some resources, such as pods, support graceful deletion. These resources define a default period before they are forcibly terminated (the grace period) but you may override that value with the —grace-period flag, or pass —now to set a grace-period of 1. Because these resources often represent entities in the cluster, deletion may not be acknowledged immediately. If the node hosting a pod is down or cannot reach the API server, termination may take significantly longer than the grace period. To force delete a resource, you must specify the —force flag. Note: only a subset of resources support graceful deletion. In absence of the support, the —grace-period flag is ignored.

IMPORTANT: Force deleting pods does not wait for confirmation that the pod’s processes have been terminated, which can leave those processes running until the node detects the deletion and completes graceful deletion. If your processes use shared storage or talk to a remote API and depend on the name of the pod to identify themselves, force deleting those pods may result in multiple processes running on different machines using the same identification which may lead to data corruption or inconsistency. Only force delete pods when you are sure the pod is terminated, or if your application can tolerate multiple copies of the same pod running at once. Also, if you force delete pods, the scheduler may place new pods on those nodes before the node has released those resources and causing those pods to be evicted immediately.

Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.

After a CustomResourceDefinition is deleted, invalidation of discovery cache may take up to 6 hours. If you don’t want to wait, you might want to run “kubectl api-resources” to refresh the discovery cache.

Usage

$ kubectl delete ([-f FILENAME] | [-k DIRECTORY] | TYPE [(NAME | -l label | --all)])

Flags

NameShorthandDefaultUsage
allfalseDelete all resources, in the namespace of the specified resource types.
all-namespacesAfalseIf present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with —namespace.
cascadebackgroundMust be “background”, “orphan”, or “foreground”. Selects the deletion cascading strategy for the dependents (e.g. Pods created by a ReplicationController). Defaults to background.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-selectorSelector (field query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. —field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.
filenamef[]containing the resource to delete.
forcefalseIf true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation.
grace-period-1Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when —force is true (force deletion).
ignore-not-foundfalseTreat “resource not found” as a successful delete. Defaults to “true” when —all is specified.
kustomizekProcess a kustomization directory. This flag can’t be used together with -f or -R.
nowfalseIf true, resources are signaled for immediate shutdown (same as —grace-period=1).
outputoOutput mode. Use “-o name” for shorter output (resource/name).
rawRaw URI to DELETE to the server. Uses the transport specified by the kubeconfig file.
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
timeout0sThe length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object
waittrueIf true, wait for resources to be gone before returning. This waits for finalizers.

APP MANAGEMENT

This section contains commands for creating, updating, deleting, and viewing your workloads in a Kubernetes cluster.


apply

Apply the configuration in pod.json to a pod

  1. kubectl apply -f ./pod.json

Apply resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml

  1. kubectl apply -k dir/

Apply the JSON passed into stdin to a pod

  1. cat pod.json | kubectl apply -f -

Apply the configuration from all files that end with ‘.json’ - i.e. expand wildcard characters in file names

  1. kubectl apply -f '*.json'

Note: —prune is still in Alpha # Apply the configuration in manifest.yaml that matches label app=nginx and delete all other resources that are not in the file and match label app=nginx

  1. kubectl apply --prune -f manifest.yaml -l app=nginx

Apply the configuration in manifest.yaml and delete all the other config maps that are not in the file

  1. kubectl apply --prune -f manifest.yaml --all --prune-whitelist=core/v1/ConfigMap

Apply a configuration to a resource by file name or stdin. The resource name must be specified. This resource will be created if it doesn’t exist yet. To use ‘apply’, always create the resource initially with either ‘apply’ or ‘create —save-config’.

JSON and YAML formats are accepted.

Alpha Disclaimer: the —prune functionality is not yet complete. Do not use unless you are aware of what the current state is. See .

Usage

$ kubectl apply (-f FILENAME | -k DIRECTORY)

Flags


edit-last-applied

Edit the last-applied-configuration annotations by type/name in YAML

  1. kubectl apply edit-last-applied deployment/nginx

Edit the last-applied-configuration annotations by file in JSON

  1. kubectl apply edit-last-applied -f deploy.yaml -o json

Edit the latest last-applied-configuration annotations of resources from the default editor.

The edit-last-applied command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to ‘vi’ for Linux or ‘notepad’ for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.

The default format is YAML. To edit in JSON, specify “-o json”.

The flag —windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.

In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.

Usage

$ kubectl apply edit-last-applied (RESOURCE/NAME | -f FILENAME)

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
field-managerkubectl-client-side-applyName of the manager used to track field ownership.
filenamef[]Filename, directory, or URL to files to use to edit the resource
kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
validatestrictMust be one of: strict (or true), warn, ignore (or false).
“true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
“warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
“false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.
windows-line-endingsfalseDefaults to the line ending native to your platform.

set-last-applied

Set the last-applied-configuration of a resource to match the contents of a file

  1. kubectl apply set-last-applied -f deploy.yaml

Execute set-last-applied against each configuration file in a directory

  1. kubectl apply set-last-applied -f path/

Set the last-applied-configuration of a resource to match the contents of a file; will create the annotation if it does not already exist

  1. kubectl apply set-last-applied -f deploy.yaml --create-annotation=true

Set the latest last-applied-configuration annotations by setting it to match the contents of a file. This results in the last-applied-configuration being updated as though ‘kubectl apply -f ‘ was run, without updating any other parts of the object.

Usage

$ kubectl apply set-last-applied -f FILENAME

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
create-annotationfalseWill create ‘last-applied-configuration’ annotations if current objects doesn’t have one
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
filenamef[]Filename, directory, or URL to files that contains the last-applied-configuration annotations
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].

view-last-applied

View the last-applied-configuration annotations by type/name in YAML

View the last-applied-configuration annotations by file in JSON

  1. kubectl apply view-last-applied -f deploy.yaml -o json

View the latest last-applied-configuration annotations by type/name or file.

The default output will be printed to stdout in YAML format. You can use the -o option to change the output format.

Usage

$ kubectl apply view-last-applied (TYPE [NAME | -l label] | TYPE/NAME | -f FILENAME)

NameShorthandDefaultUsage
allfalseSelect all resources in the namespace of the specified resource types
filenamef[]Filename, directory, or URL to files that contains the last-applied-configuration annotations
kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
outputoyamlOutput format. Must be one of (yaml, json)
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.

annotate

Update a pod identified by type and name in “pod.json”

  1. kubectl annotate -f pod.json description='my frontend'

Update pod ‘foo’ with the annotation ‘description’ and the value ‘my frontend running nginx’, overwriting any existing value

  1. kubectl annotate --overwrite pods foo description='my frontend running nginx'

Update all pods in the namespace

  1. kubectl annotate pods --all description='my frontend running nginx'

Update pod ‘foo’ only if the resource is unchanged from version 1

  1. kubectl annotate pods foo description='my frontend running nginx' --resource-version=1

Update pod ‘foo’ by removing an annotation named ‘description’ if it exists # Does not require the —overwrite flag

  1. kubectl annotate pods foo description-

Update the annotations on one or more resources.

All Kubernetes objects support the ability to store additional data with the object as annotations. Annotations are key/value pairs that can be larger than labels and include arbitrary string values such as structured JSON. Tools and system extensions may use annotations to store their own data.

Attempting to set an annotation that already exists will fail unless —overwrite is set. If —resource-version is specified and does not match the current resource version on the server the command will fail.

Use “kubectl api-resources” for a complete list of supported resources.

Usage

$ kubectl annotate [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]

Flags

NameShorthandDefaultUsage
allfalseSelect all resources, in the namespace of the specified resource types.
all-namespacesAfalseIf true, check the specified action in all namespaces.
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-annotateName of the manager used to track field ownership.
field-selectorSelector (field query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. —field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.
filenamef[]Filename, directory, or URL to files identifying the resource to update the annotation
kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
listfalseIf true, display the annotations for a given resource.
localfalseIf true, annotation will NOT contact api-server but run locally.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
overwritefalseIf true, allow annotations to be overwritten, otherwise reject annotation updates that overwrite existing annotations.
recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
resource-versionIf non-empty, the annotation update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource.
selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

autoscale

Auto scale a deployment “foo”, with the number of pods between 2 and 10, no target CPU utilization specified so a default autoscaling policy will be used

  1. kubectl autoscale deployment foo --min=2 --max=10

Auto scale a replication controller “foo”, with the number of pods between 1 and 5, target CPU utilization at 80%

  1. kubectl autoscale rc foo --max=5 --cpu-percent=80

Creates an autoscaler that automatically chooses and sets the number of pods that run in a Kubernetes cluster.

Looks up a deployment, replica set, stateful set, or replication controller by name and creates an autoscaler that uses the given resource as a reference. An autoscaler can automatically increase or decrease number of pods deployed within the system as needed.

Usage

$ kubectl autoscale (-f FILENAME | TYPE NAME | TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU]

Flags

NameShorthandDefaultUsage
allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
cpu-percent-1The target average CPU utilization (represented as a percent of requested CPU) over all the pods. If it’s not specified or negative, a default autoscaling policy will be used.
dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
field-managerkubectl-autoscaleName of the manager used to track field ownership.
filenamef[]Filename, directory, or URL to files identifying the resource to autoscale.
kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
max-1The upper limit for the number of pods that can be set by the autoscaler. Required.
min-1The lower limit for the number of pods that can be set by the autoscaler. If it’s not specified or negative, the server will apply a default value.
nameThe name for the newly created object. If not specified, the name of the input resource will be used.
outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

debug

  1. kubectl debug mypod -it --image=busybox

Create a debug container named debugger using a custom automated debugging image. # (requires the EphemeralContainers feature to be enabled in the cluster)

  1. kubectl debug --image=myproj/debug-tools -c debugger mypod

Create a copy of mypod adding a debug container and attach to it

  1. kubectl debug mypod -it --image=busybox --copy-to=my-debugger

Create a copy of mypod changing the command of mycontainer

  1. kubectl debug mypod -it --copy-to=my-debugger --container=mycontainer -- sh

Create a copy of mypod changing all container images to busybox

  1. kubectl debug mypod --copy-to=my-debugger --set-image=*=busybox

Create a copy of mypod adding a debug container and changing container images

  1. kubectl debug mypod -it --copy-to=my-debugger --image=debian --set-image=app=app:debug,sidecar=sidecar:debug

Create an interactive debugging session on a node and immediately attach to it. # The container will run in the host namespaces and the host’s filesystem will be mounted at /host

  1. kubectl debug node/mynode -it --image=busybox

Debug cluster resources using interactive debugging containers.

‘debug’ provides automation for common debugging tasks for cluster objects identified by resource and name. Pods will be used by default if no resource is specified.

The action taken by ‘debug’ varies depending on what resource is specified. Supported actions include:

Workload: Create a copy of an existing pod with certain attributes changed, for example changing the image tag to a new version. Workload: Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.
* Node: Create a new pod that runs in the node’s host namespaces and can access the node’s filesystem.

Usage

$ kubectl debug (POD | TYPE[[.VERSION].GROUP]/NAME) [ -- COMMAND [args...] ]

Flags

NameShorthandDefaultUsage
arguments-onlyfalseIf specified, everything after — will be passed to the new container as Args instead of Command.
attachfalseIf true, wait for the container to start running, and then attach as if ‘kubectl attach …’ were called. Default false, unless ‘-i/—stdin’ is set, in which case the default is true.
containercContainer name to use for debug container.
copy-toCreate a copy of the target Pod with this name.
env[]Environment variables to set in the container.
imageContainer image to use for debug container.
image-pull-policyThe image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server.
quietqfalseIf true, suppress informational messages.
replacefalseWhen used with ‘—copy-to’, delete the original Pod.
same-nodefalseWhen used with ‘—copy-to’, schedule the copy of target Pod on the same node.
set-image[]When used with ‘—copy-to’, a list of name=image pairs for changing container images, similar to how ‘kubectl set image’ works.
share-processestrueWhen used with ‘—copy-to’, enable process namespace sharing in the copy.
stdinifalseKeep stdin open on the container(s) in the pod, even if nothing is attached.
targetWhen using an ephemeral container, target processes in this container name.
ttytfalseAllocate a TTY for the debugging container.

diff

Diff resources included in pod.json

  1. kubectl diff -f pod.json

Diff file read from stdin

  1. cat service.yaml | kubectl diff -f -

Diff configurations specified by file name or stdin between the current online configuration, and the configuration as it would be if applied.

The output is always YAML.

KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. Users can use external commands with params too, example: KUBECTL_EXTERNAL_DIFF=”colordiff -N -u”

By default, the “diff” command available in your path will be run with the “-u” (unified diff) and “-N” (treat absent files as empty) options.

Exit status: 0 No differences were found. 1 Differences were found. >1 Kubectl or diff failed with an error.

Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.

Usage

$ kubectl diff -f FILENAME

Flags

NameShorthandDefaultUsage
field-managerkubectl-client-side-applyName of the manager used to track field ownership.
filenamef[]Filename, directory, or URL to files contains the configuration to diff
force-conflictsfalseIf true, server-side apply will force the changes against conflicts.
kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
prunefalseInclude resources that would be deleted by pruning. Can be used with -l and default shows all resources would be pruned
prune-allowlist[]Overwrite the default whitelist with <group/version/kind> for —prune
recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
server-sidefalseIf true, apply runs in the server instead of the client.
show-managed-fieldsfalseIf true, include managed fields in the diff.

edit

Edit the service named ‘registry’

  1. kubectl edit svc/registry

Use an alternative editor

    Edit the job ‘myjob’ in JSON using the v1 API format

    1. kubectl edit job.v1.batch/myjob -o json

    Edit the deployment ‘mydeployment’ in YAML and save the modified config in its annotation

    1. kubectl edit deployment/mydeployment -o yaml --save-config

    Edit the deployment/mydeployment’s status subresource

    1. kubectl edit deployment mydeployment --subresource='status'

    Edit a resource from the default editor.

    The edit command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to ‘vi’ for Linux or ‘notepad’ for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.

    Editing is done with the API version used to fetch the resource. To edit using a specific API version, fully-qualify the resource, version, and group.

    The default format is YAML. To edit in JSON, specify “-o json”.

    The flag —windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.

    In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.

    Usage

    $ kubectl edit (RESOURCE/NAME | -f FILENAME)

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    field-managerkubectl-editName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files to use to edit the resource
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    output-patchfalseOutput the patch if the resource is edited.
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    subresourceIf specified, edit will operate on the subresource of the requested object. Must be one of [status]. This flag is alpha and may change in the future.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
    validatestrictMust be one of: strict (or true), warn, ignore (or false).
    “true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
    “warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
    “false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.
    windows-line-endingsfalseDefaults to the line ending native to your platform.

    kustomize

    Build the current working directory

    1. kubectl kustomize

    Build some shared configuration directory

    1. kubectl kustomize /home/config/production

    Build from github

    1. kubectl kustomize https://github.com/kubernetes-sigs/kustomize.git/examples/helloWorld?ref=v1.0.6

    Build a set of KRM resources using a ‘kustomization.yaml’ file. The DIR argument must be a path to a directory containing ‘kustomization.yaml’, or a git repository URL with a path suffix specifying same with respect to the repository root. If DIR is omitted, ‘.’ is assumed.

    Usage

    $ kubectl kustomize DIR

    Flags

    NameShorthandDefaultUsage
    as-current-userfalseuse the uid and gid of the command executor to run the function in the container
    enable-alpha-pluginsfalseenable kustomize plugins
    enable-helmfalseEnable use of the Helm chart inflator generator.
    enable-managedby-labelfalseenable adding app.kubernetes.io/managed-by
    enve[]a list of environment variables to be used by functions
    helm-commandhelmhelm command (path to executable)
    load-restrictorLoadRestrictionsRootOnlyif set to ‘LoadRestrictionsNone’, local kustomizations may load files from outside their root. This does, however, break the relocatability of the kustomization.
    mount[]a list of storage options read from the filesystem
    networkfalseenable network access for functions that declare it
    network-namebridgethe docker network to run the container in
    outputoIf specified, write output to this path.
    reorderlegacyReorder the resources just before output. Use ‘legacy’ to apply a legacy reordering (Namespaces first, Webhooks last, etc). Use ‘none’ to suppress a final reordering.

    label

    Update pod ‘foo’ with the label ‘unhealthy’ and the value ‘true’

    1. kubectl label pods foo unhealthy=true

    Update pod ‘foo’ with the label ‘status’ and the value ‘unhealthy’, overwriting any existing value

    1. kubectl label --overwrite pods foo status=unhealthy

    Update all pods in the namespace

    1. kubectl label pods --all status=unhealthy

    Update a pod identified by the type and name in “pod.json”

    1. kubectl label -f pod.json status=unhealthy

    Update pod ‘foo’ only if the resource is unchanged from version 1

    1. kubectl label pods foo status=unhealthy --resource-version=1

    Update pod ‘foo’ by removing a label named ‘bar’ if it exists # Does not require the —overwrite flag

    1. kubectl label pods foo bar-

    Update the labels on a resource.

    A label key and value must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters each. Optionally, the key can begin with a DNS subdomain prefix and a single ‘/‘, like example.com/my-app.
    If —overwrite is true, then existing labels can be overwritten, otherwise attempting to overwrite a label will result in an error. If —resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used.

    Usage

    $ kubectl label [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources, in the namespace of the specified resource types
    all-namespacesAfalseIf true, check the specified action in all namespaces.
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-labelName of the manager used to track field ownership.
    field-selectorSelector (field query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. —field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.
    filenamef[]Filename, directory, or URL to files identifying the resource to update the labels
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    listfalseIf true, display the labels for a given resource.
    localfalseIf true, label will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    overwritefalseIf true, allow labels to be overwritten, otherwise reject label updates that overwrite existing labels.
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    resource-versionIf non-empty, the labels update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].

    patch

    Partially update a node using a strategic merge patch, specifying the patch as JSON

    1. kubectl patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}'

    Partially update a node using a strategic merge patch, specifying the patch as YAML

    1. kubectl patch node k8s-node-1 -p $'spec:\n unschedulable: true'

    Partially update a node identified by the type and name specified in “node.json” using strategic merge patch

    1. kubectl patch -f node.json -p '{"spec":{"unschedulable":true}}'

    Update a container’s image; spec.containers[*].name is required because it’s a merge key

    1. kubectl patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'

    Update a container’s image using a JSON patch with positional arrays

    1. kubectl patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'

    Update a deployment’s replicas through the scale subresource using a merge patch.

    1. kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'

    Update fields of a resource using strategic merge patch, a JSON merge patch, or a JSON patch.

    JSON and YAML formats are accepted.

    Usage

    $ kubectl patch (-f FILENAME | TYPE NAME) [-p PATCH|--patch-file FILE]

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-patchName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files identifying the resource to update
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    localfalseIf true, patch will operate on the content of the file, not the server-side resource.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    patchpThe patch to be applied to the resource JSON file.
    patch-fileA file containing a patch to be applied to the resource.
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    subresourceIf specified, patch will operate on the subresource of the requested object. Must be one of [status scale]. This flag is alpha and may change in the future.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
    typestrategicThe type of patch being provided; one of [json merge strategic]

    replace

    Replace a pod using the data in pod.json

    1. kubectl replace -f ./pod.json

    Replace a pod based on the JSON passed into stdin

    1. cat pod.json | kubectl replace -f -

    Update a single-container pod’s image version (tag) to v4

    1. kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -

    Force replace, delete and then re-create the resource

    1. kubectl replace --force -f ./pod.json

    Replace a resource by file name or stdin.

    JSON and YAML formats are accepted. If replacing an existing resource, the complete resource spec must be provided. This can be obtained by

    $ kubectl get TYPE NAME -o yaml

    Usage

    $ kubectl replace -f FILENAME

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    cascadebackgroundMust be “background”, “orphan”, or “foreground”. Selects the deletion cascading strategy for the dependents (e.g. Pods created by a ReplicationController). Defaults to background.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-replaceName of the manager used to track field ownership.
    filenamef[]The files that contain the configurations to replace.
    forcefalseIf true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation.
    grace-period-1Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when —force is true (force deletion).
    kustomizekProcess a kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    rawRaw URI to PUT to the server. Uses the transport specified by the kubeconfig file.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    save-configfalseIf true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    subresourceIf specified, replace will operate on the subresource of the requested object. Must be one of [status scale]. This flag is alpha and may change in the future.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].
    timeout0sThe length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object
    validatestrictMust be one of: strict (or true), warn, ignore (or false).
    “true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
    “warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
    “false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.
    waitfalseIf true, wait for resources to be gone before returning. This waits for finalizers.

    rollout

    Rollback to the previous deployment

    1. kubectl rollout undo deployment/abc

    Check the rollout status of a daemonset

    1. kubectl rollout status daemonset/foo

    Restart a deployment

    1. kubectl rollout restart deployment/abc

    Restart deployments with the app=nginx label

    1. kubectl rollout restart deployment --selector=app=nginx

    Manage the rollout of one or many resources.

    Valid resource types include:

    deployments daemonsets
    * statefulsets

    Usage

    $ kubectl rollout SUBCOMMAND


    history

    View the rollout history of a deployment

    1. kubectl rollout history deployment/abc

    View the details of daemonset revision 3

    1. kubectl rollout history daemonset/abc --revision=3

    View previous rollout revisions and configurations.

    Usage

    $ kubectl rollout history (TYPE NAME | TYPE/NAME) [flags]

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    revision0See the details, including podTemplate of the revision specified
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].

    pause

    Mark the nginx deployment as paused # Any current state of the deployment will continue its function; new updates # to the deployment will not have an effect as long as the deployment is paused

    1. kubectl rollout pause deployment/nginx

    Mark the provided resource as paused.

    Paused resources will not be reconciled by a controller. Use “kubectl rollout resume” to resume a paused resource. Currently only deployments support being paused.

    Usage

    $ kubectl rollout pause RESOURCE

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    field-managerkubectl-rolloutName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].

    restart

    Restart a deployment

    1. kubectl rollout restart deployment/nginx

    Restart a daemon set

    1. kubectl rollout restart daemonset/abc

    Restart deployments with the app=nginx label

    1. kubectl rollout restart deployment --selector=app=nginx

    Restart a resource.

    Resource rollout will be restarted.

    Usage

    $ kubectl rollout restart RESOURCE

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    field-managerkubectl-rolloutName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].

    resume

    Resume an already paused deployment

    1. kubectl rollout resume deployment/nginx

    Resume a paused resource.

    Paused resources will not be reconciled by a controller. By resuming a resource, we allow it to be reconciled again. Currently only deployments support being resumed.

    Usage

    $ kubectl rollout resume RESOURCE

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    field-managerkubectl-rolloutName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].

    status

    Watch the rollout status of a deployment

    1. kubectl rollout status deployment/nginx

    Show the status of the rollout.

    By default ‘rollout status’ will watch the status of the latest rollout until it’s done. If you don’t want to wait for the rollout to finish then you can use —watch=false. Note that if a new rollout starts in-between, then ‘rollout status’ will continue watching the latest revision. If you want to pin to a specific revision and abort if it is rolled over by another revision, use —revision=N where N is the revision you need to watch for.

    Usage

    $ kubectl rollout status (TYPE NAME | TYPE/NAME) [flags]

    Flags

    NameShorthandDefaultUsage
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    revision0Pin to a specific revision for showing its status. Defaults to 0 (last revision).
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    timeout0sThe length of time to wait before ending watch, zero means never. Any other values should contain a corresponding time unit (e.g. 1s, 2m, 3h).
    watchwtrueWatch the status of the rollout until it’s done.

    undo

    Roll back to the previous deployment

    1. kubectl rollout undo deployment/abc

    Roll back to daemonset revision 3

    1. kubectl rollout undo daemonset/abc --to-revision=3

    Roll back to the previous deployment with dry-run

    1. kubectl rollout undo --dry-run=server deployment/abc

    Roll back to a previous rollout.

    Usage

    $ kubectl rollout undo (TYPE NAME | TYPE/NAME) [flags]

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
    to-revision0The revision to rollback to. Default to 0 (last revision).

    scale

    Scale a replica set named ‘foo’ to 3

    1. kubectl scale --replicas=3 rs/foo

    Scale a resource identified by type and name specified in “foo.yaml” to 3

    1. kubectl scale --replicas=3 -f foo.yaml

    If the deployment named mysql’s current size is 2, scale mysql to 3

    1. kubectl scale --current-replicas=2 --replicas=3 deployment/mysql

    Scale multiple replication controllers

    1. kubectl scale --replicas=5 rc/foo rc/bar rc/baz

    Scale stateful set named ‘web’ to 3

    1. kubectl scale --replicas=3 statefulset/web

    Set a new size for a deployment, replica set, replication controller, or stateful set.

    Scale also allows users to specify one or more preconditions for the scale action.

    If —current-replicas or —resource-version is specified, it is validated before the scale is attempted, and it is guaranteed that the precondition holds true when the scale is sent to the server.

    Usage

    $ kubectl scale [--resource-version=version] [--current-replicas=count] --replicas=COUNT (-f FILENAME | TYPE NAME)

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources in the namespace of the specified resource types
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    current-replicas-1Precondition for current size. Requires that the current size of the resource match this value in order to scale. -1 (default) for no condition.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    filenamef[]Filename, directory, or URL to files identifying the resource to set a new size
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    replicas0The new desired number of replicas. Required.
    resource-versionPrecondition for resource version. Requires that the current resource version match this value in order to scale.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
    timeout0sThe length of time to wait before giving up on a scale operation, zero means don’t wait. Any other values should contain a corresponding time unit (e.g. 1s, 2m, 3h).

    set

    Configure application resources.

    These commands help you make changes to existing application resources.

    Usage

    $ kubectl set SUBCOMMAND


    env

    Update deployment ‘registry’ with a new environment variable

    1. kubectl set env deployment/registry STORAGE_DIR=/local

    List the environment variables defined on a deployments ‘sample-build’

    1. kubectl set env deployment/sample-build --list

    List the environment variables defined on all pods

    1. kubectl set env pods --all --list

    Output modified deployment in YAML, and does not alter the object on the server

    1. kubectl set env deployment/sample-build STORAGE_DIR=/data -o yaml

    Update all containers in all replication controllers in the project to have ENV=prod

    1. kubectl set env rc --all ENV=prod

    Import environment from a secret

    1. kubectl set env --from=secret/mysecret deployment/myapp

    Import environment from a config map with a prefix

    1. kubectl set env --from=configmap/myconfigmap --prefix=MYSQL_ deployment/myapp

    Import specific keys from a config map

    1. kubectl set env --keys=my-example-key --from=configmap/myconfigmap deployment/myapp

    Remove the environment variable ENV from container ‘c1’ in all deployment configs

    1. kubectl set env deployments --all --containers="c1" ENV-

    Remove the environment variable ENV from a deployment definition on disk and # update the deployment config on the server

    1. kubectl set env -f deploy.json ENV-

    Set some of the local shell environment into a deployment config on the server

    1. env | grep RAILS_ | kubectl set env -e - deployment/registry

    Update environment variables on a pod template.

    List environment variable definitions in one or more pods, pod templates. Add, update, or remove container environment variable definitions in one or more pod templates (within replication controllers or deployment configurations). View or modify the environment variable definitions on all containers in the specified pods or pod templates, or just those that match a wildcard.

    If “—env -“ is passed, environment variables can be read from STDIN using the standard env syntax.

    Possible resources include (case insensitive):

    pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), statefulset (sts), cronjob (cj), replicaset (rs)

    Usage

    $ kubectl set env RESOURCE/NAME KEY_1=VAL_1 ... KEY_N=VAL_N

    Flags

    NameShorthandDefaultUsage
    allfalseIf true, select all resources in the namespace of the specified resource types
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    containersc*The names of containers in the selected pod templates to change - may use wildcards
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    enve[]Specify a key-value pair for an environment variable to set into each container.
    field-managerkubectl-setName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files the resource to update the env
    fromThe name of a resource from which to inject environment variables
    keys[]Comma-separated list of keys to import from specified resource
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    listfalseIf true, display the environment and any changes in the standard format. this flag will removed when we have kubectl view env.
    localfalseIf true, set env will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    overwritetrueIf true, allow environment to be overwritten, otherwise reject updates that overwrite existing environment.
    prefixPrefix to append to variable names
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    resolvefalseIf true, show secret or configmap references when listing variables
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    image

    Set a deployment’s nginx container image to ‘nginx:1.9.1’, and its busybox container image to ‘busybox’

    1. kubectl set image deployment/nginx busybox=busybox nginx=nginx:1.9.1

    Update all deployments’ and rc’s nginx container’s image to ‘nginx:1.9.1’

    1. kubectl set image deployments,rc nginx=nginx:1.9.1 --all

    Update image of all containers of daemonset abc to ‘nginx:1.9.1’

    1. kubectl set image daemonset abc *=nginx:1.9.1

    Print result (in yaml format) of updating nginx container image from local file, without hitting the server

    1. kubectl set image -f path/to/file.yaml nginx=nginx:1.9.1 --local -o yaml

    Update existing container image(s) of resources.

    Possible resources include (case insensitive):

    pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), statefulset (sts), cronjob (cj), replicaset (rs)

    Usage

    $ kubectl set image (-f FILENAME | TYPE NAME) CONTAINER_NAME_1=CONTAINER_IMAGE_1 ... CONTAINER_NAME_N=CONTAINER_IMAGE_N

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources, in the namespace of the specified resource types
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-setName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    localfalseIf true, set image will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    resources

    Set a deployments nginx container cpu limits to “200m” and memory to “512Mi”

    1. kubectl set resources deployment nginx -c=nginx --limits=cpu=200m,memory=512Mi

    Set the resource request and limits for all containers in nginx

    1. kubectl set resources deployment nginx --limits=cpu=200m,memory=512Mi --requests=cpu=100m,memory=256Mi

    Remove the resource requests for resources on containers in nginx

    1. kubectl set resources deployment nginx --limits=cpu=0,memory=0 --requests=cpu=0,memory=0

    Print the result (in yaml format) of updating nginx container limits from a local, without hitting the server

    1. kubectl set resources -f path/to/file.yaml --limits=cpu=200m,memory=512Mi --local -o yaml

    Specify compute resource requirements (CPU, memory) for any resource that defines a pod template. If a pod is successfully scheduled, it is guaranteed the amount of resource requested, but may burst up to its specified limits.

    For each compute resource, if a limit is specified and a request is omitted, the request will default to the limit.

    Possible resources include (case insensitive): Use “kubectl api-resources” for a complete list of supported resources..

    Usage

    $ kubectl set resources (-f FILENAME | TYPE NAME) ([--limits=LIMITS & --requests=REQUESTS]

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources, in the namespace of the specified resource types
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    containersc*The names of containers in the selected pod templates to change, all containers are selected by default - may use wildcards
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-setName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    limitsThe resource requirement requests for this container. For example, ‘cpu=100m,memory=256Mi’. Note that server side components may assign requests depending on the server configuration, such as limit ranges.
    localfalseIf true, set resources will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    requestsThe resource requirement requests for this container. For example, ‘cpu=100m,memory=256Mi’. Note that server side components may assign requests depending on the server configuration, such as limit ranges.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    selector

    Set the labels and selector before creating a deployment/service pair

    1. kubectl create service clusterip my-svc --clusterip="None" -o yaml --dry-run=client | kubectl set selector --local -f - 'environment=qa' -o yaml | kubectl create -f -
    2. kubectl create deployment my-dep -o yaml --dry-run=client | kubectl label --local -f - environment=qa -o yaml | kubectl create -f -

    Set the selector on a resource. Note that the new selector will overwrite the old selector if the resource had one prior to the invocation of ‘set selector’.

    A selector must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters. If —resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used. Note: currently selectors can only be set on Service objects.

    Usage

    $ kubectl set selector (-f FILENAME | TYPE NAME) EXPRESSIONS [--resource-version=version]

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources in the namespace of the specified resource types
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-setName of the manager used to track field ownership.
    filenamef[]identifying the resource.
    localfalseIf true, annotation will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRtrueProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    resource-versionIf non-empty, the selectors update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    serviceaccount

    Set deployment nginx-deployment’s service account to serviceaccount1

    1. kubectl set serviceaccount deployment nginx-deployment serviceaccount1

    Print the result (in YAML format) of updated nginx deployment with the service account from local file, without hitting the API server

    1. kubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-run=client -o yaml

    Update the service account of pod template resources.

    Possible resources (case insensitive) can be:

    replicationcontroller (rc), deployment (deploy), daemonset (ds), job, replicaset (rs), statefulset

    Usage

    $ kubectl set serviceaccount (-f FILENAME | TYPE NAME) SERVICE_ACCOUNT

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources, in the namespace of the specified resource types
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-setName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files identifying the resource to get from a server.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    localfalseIf true, set serviceaccount will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recordfalseRecord current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    subject

    Update a cluster role binding for serviceaccount1

    1. kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1

    Update a role binding for user1, user2, and group1

    1. kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1

    Print the result (in YAML format) of updating rolebinding subjects from a local, without hitting the server

    1. kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml

    Update the user, group, or service account in a role binding or cluster role binding.

    Usage

    $ kubectl set subject (-f FILENAME | TYPE NAME) [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources, in the namespace of the specified resource types
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-setName of the manager used to track field ownership.
    filenamef[]Filename, directory, or URL to files the resource to update the subjects
    group[]Groups to bind to the role
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    localfalseIf true, set subject will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    serviceaccount[]Service accounts to bind to the role
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    wait

    Wait for the pod “busybox1” to contain the status condition of type “Ready”

    1. kubectl wait --for=condition=Ready pod/busybox1

    The default value of status condition is true; you can wait for other targets after an equal delimiter (compared after Unicode simple case folding, which is a more general form of case-insensitivity):

    1. kubectl wait --for=condition=Ready=false pod/busybox1

    Wait for the pod “busybox1” to contain the status phase to be “Running”.

    1. kubectl wait --for=jsonpath='{.status.phase}'=Running pod/busybox1

    Wait for the pod “busybox1” to be deleted, with a timeout of 60s, after having issued the “delete” command

    1. kubectl delete pod/busybox1
    2. kubectl wait --for=delete pod/busybox1 --timeout=60s

    Experimental: Wait for a specific condition on one or many resources.

    The command takes multiple resources and waits until the specified condition is seen in the Status field of every given resource.

    Alternatively, the command can wait for the given set of resources to be deleted by providing the “delete” keyword as the value to the —for flag.

    A successful message will be printed to stdout indicating when the specified condition has been met. You can use -o option to change to output destination.

    Usage

    $ kubectl wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=delete|--for condition=available|--for=jsonpath='{}'=value]

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all resources in the namespace of the specified resource types
    all-namespacesAfalseIf present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with —namespace.
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    field-selectorSelector (field query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. —field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.
    filenamef[]identifying the resource.
    forThe condition to wait on: [delete|condition=condition-name[=condition-value]|jsonpath=’{JSONPath expression}’=JSONPath Condition]. The default condition-value is true. Condition values are compared after Unicode simple case folding, which is a more general form of case-insensitivity.
    localfalseIf true, annotation will NOT contact api-server but run locally.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRtrueProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2)
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
    timeout30sThe length of time to wait before giving up. Zero means check once and don’t wait, negative means wait for a week.

    WORKING WITH APPS

    This section contains commands for inspecting and debugging your applications.

    • logs will print the logs from the specified pod + container.
    • exec can be used to get an interactive shell on a pod + container.
    • describe will print debug information about the given resource.

    attach

    Get output from running pod mypod; use the ‘kubectl.kubernetes.io/default-container’ annotation # for selecting the container to be attached or the first container in the pod will be chosen

    1. kubectl attach mypod

    Get output from ruby-container from pod mypod

    1. kubectl attach mypod -c ruby-container

    Switch to raw terminal mode; sends stdin to ‘bash’ in ruby-container from pod mypod # and sends stdout/stderr from ‘bash’ back to the client

    1. kubectl attach mypod -c ruby-container -i -t

    Get output from the first pod of a replica set named nginx

    1. kubectl attach rs/nginx

    Attach to a process that is already running inside an existing container.

    Usage

    $ kubectl attach (POD | TYPE/NAME) -c CONTAINER

    Flags


    auth

    Inspect authorization

    Usage

    $ kubectl auth


    can-i

    Check to see if I can create pods in any namespace

    1. kubectl auth can-i create pods --all-namespaces

    Check to see if I can list deployments in my current namespace

    1. kubectl auth can-i list deployments.apps

    Check to see if I can do everything in my current namespace (“*“ means all)

    1. kubectl auth can-i '*' '*'

    Check to see if I can get the job named “bar” in namespace “foo”

    1. kubectl auth can-i list jobs.batch/bar -n foo

    Check to see if I can read pod logs

    1. kubectl auth can-i get pods --subresource=log

    Check to see if I can access the URL /logs/

    1. kubectl auth can-i get /logs/

    List all allowed actions in namespace “foo”

    1. kubectl auth can-i --list --namespace=foo

    Check whether an action is allowed.

    VERB is a logical Kubernetes API verb like ‘get’, ‘list’, ‘watch’, ‘delete’, etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with “/“. NAME is the name of a particular Kubernetes resource. This command pairs nicely with impersonation. See —as global flag.

    Usage

    $ kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]

    Flags

    NameShorthandDefaultUsage
    all-namespacesAfalseIf true, check the specified action in all namespaces.
    listfalseIf true, prints all allowed actions.
    no-headersfalseIf true, prints allowed actions without headers
    quietqfalseIf true, suppress output and just return the exit code.
    subresourceSubResource such as pod/log or deployment/scale

    reconcile

    Reconcile RBAC resources from a file

    1. kubectl auth reconcile -f my-rbac-rules.yaml

    Reconciles rules for RBAC role, role binding, cluster role, and cluster role binding objects.

    Missing objects are created, and the containing namespace is created for namespaced objects, if required.

    Existing roles are updated to include the permissions in the input objects, and remove extra permissions if —remove-extra-permissions is specified.

    Existing bindings are updated to include the subjects in the input objects, and remove extra subjects if —remove-extra-subjects is specified.

    This is preferred to ‘apply’ for RBAC resources so that semantically-aware merging of rules and subjects is done.

    Usage

    $ kubectl auth reconcile -f FILENAME

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    filenamef[]Filename, directory, or URL to files identifying the resource to reconcile.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    remove-extra-permissionsfalseIf true, removes extra permissions added to roles
    remove-extra-subjectsfalseIf true, removes extra subjects added to rolebindings
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [].

    cp

    !!!Important Note!!! # Requires that the ‘tar’ binary is present in your container # image. If ‘tar’ is not present, ‘kubectl cp’ will fail. # # For advanced use cases, such as symlinks, wildcard expansion or # file mode preservation, consider using ‘kubectl exec’. # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace

    1. tar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- tar xf - -C /tmp/bar

    Copy /tmp/foo from a remote pod to /tmp/bar locally

    1. kubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar xf - -C /tmp/bar

    Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace

    1. kubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir

    Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container

    1. kubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>

    Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace

    1. kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar

    Copy /tmp/foo from a remote pod to /tmp/bar locally

    1. kubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar

    Copy files and directories to and from containers.

    Usage

    $ kubectl cp <file-spec-src> <file-spec-dest>

    Flags

    NameShorthandDefaultUsage
    containercContainer name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen
    no-preservefalseThe copied file/directory’s ownership and permissions will not be preserved in the container
    retries0Set number of retries to complete a copy operation from a container. Specify 0 to disable or any negative value for infinite retrying. The default is 0 (no retry).

    describe

    Describe a node

    1. kubectl describe nodes kubernetes-node-emt8.c.myproject.internal

    Describe a pod

    1. kubectl describe pods/nginx

    Describe a pod identified by type and name in “pod.json”

    1. kubectl describe -f pod.json

    Describe all pods

    1. kubectl describe pods

    Describe pods by label name=myLabel

    1. kubectl describe po -l name=myLabel

    Describe all pods managed by the ‘frontend’ replication controller # (rc-created pods get the name of the rc as a prefix in the pod name)

    1. kubectl describe pods frontend

    Show details of a specific resource or group of resources.

    Print a detailed description of the selected resources, including related resources such as events or controllers. You may select a single object by name, all objects of that type, provide a name prefix, or label selector. For example:

    $ kubectl describe TYPE NAME_PREFIX

    will first check for an exact match on TYPE and NAME_PREFIX. If no such resource exists, it will output details for every resource that has a name prefixed with NAME_PREFIX.

    Use “kubectl api-resources” for a complete list of supported resources.

    Usage

    $ kubectl describe (-f FILENAME | TYPE [NAME_PREFIX | -l label] | TYPE/NAME)

    Flags

    NameShorthandDefaultUsage
    all-namespacesAfalseIf present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with —namespace.
    chunk-size500Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future.
    filenamef[]Filename, directory, or URL to files containing the resource to describe
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-eventstrueIf true, display events related to the described object.

    exec

    Get output from running the ‘date’ command from pod mypod, using the first container by default

    1. kubectl exec mypod -- date

    Switch to raw terminal mode; sends stdin to ‘bash’ in ruby-container from pod mypod # and sends stdout/stderr from ‘bash’ back to the client

    1. kubectl exec mypod -c ruby-container -i -t -- bash -il

    List contents of /usr from the first container of pod mypod and sort by modification time # If the command you want to execute in the pod has any flags in common (e.g. -i), # you must use two dashes (—) to separate your command’s flags/arguments # Also note, do not surround your command and its flags/arguments with quotes # unless that is how you would execute it normally (i.e., do ls -t /usr, not “ls -t /usr”)

    1. kubectl exec mypod -i -t -- ls -t /usr

    Get output from running ‘date’ command from the first pod of the deployment mydeployment, using the first container by default

    1. kubectl exec deploy/mydeployment -- date

    Get output from running ‘date’ command from the first pod of the service myservice, using the first container by default

    1. kubectl exec svc/myservice -- date

    Execute a command in a container.

    Usage

    $ kubectl exec (POD | TYPE/NAME) [-c CONTAINER] [flags] -- COMMAND [args...]

    Flags

    NameShorthandDefaultUsage
    containercContainer name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen
    filenamef[]to use to exec into the resource
    pod-running-timeout1m0sThe length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running
    quietqfalseOnly print output from the remote session
    stdinifalsePass stdin to the container
    ttytfalseStdin is a TTY

    logs

    Return snapshot logs from pod nginx with only one container

    Return snapshot logs from pod nginx with multi containers

    1. kubectl logs nginx --all-containers=true

    Return snapshot logs from all containers in pods defined by label app=nginx

    1. kubectl logs -l app=nginx --all-containers=true

    Return snapshot of previous terminated ruby container logs from pod web-1

    1. kubectl logs -p -c ruby web-1

    Begin streaming the logs of the ruby container in pod web-1

    1. kubectl logs -f -c ruby web-1

    Begin streaming the logs from all containers in pods defined by label app=nginx

    1. kubectl logs -f -l app=nginx --all-containers=true

    Display only the most recent 20 lines of output in pod nginx

    1. kubectl logs --tail=20 nginx

    Show all logs from pod nginx written in the last hour

    1. kubectl logs --since=1h nginx

    Show logs from a kubelet with an expired serving certificate

    1. kubectl logs --insecure-skip-tls-verify-backend nginx
    1. kubectl logs job/hello

    Return snapshot logs from container nginx-1 of a deployment named nginx

    1. kubectl logs deployment/nginx -c nginx-1

    Print the logs for a container in a pod or specified resource. If the pod has only one container, the container name is optional.

    Usage

    $ kubectl logs [-f] [-p] (POD | TYPE/NAME) [-c CONTAINER]

    NameShorthandDefaultUsage
    all-containersfalseGet all containers’ logs in the pod(s).
    containercPrint the logs of this container
    followffalseSpecify if the logs should be streamed.
    ignore-errorsfalseIf watching / following pod logs, allow for any errors that occur to be non-fatal
    insecure-skip-tls-verify-backendfalseSkip verifying the identity of the kubelet that logs are requested from. In theory, an attacker could provide invalid log content back. You might want to use this if your kubelet serving certificates have expired.
    limit-bytes0Maximum bytes of logs to return. Defaults to no limit.
    max-log-requests5Specify maximum number of concurrent logs to follow when using by a selector. Defaults to 5.
    pod-running-timeout20sThe length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running
    prefixfalsePrefix each log line with the log source (pod name and container name)
    previouspfalseIf true, print the logs for the previous instance of the container in a pod if it exists.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    since0sOnly return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used.
    since-timeOnly return logs after a specific date (RFC3339). Defaults to all logs. Only one of since-time / since may be used.
    tail-1Lines of recent log file to display. Defaults to -1 with no selector, showing all log lines otherwise 10, if a selector is provided.
    timestampsfalseInclude timestamps on each line in the log output

    port-forward

    Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod

    1. kubectl port-forward pod/mypod 5000 6000

    Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the deployment

    1. kubectl port-forward deployment/mydeployment 5000 6000

    Listen on port 8443 locally, forwarding to the targetPort of the service’s port named “https” in a pod selected by the service

    1. kubectl port-forward service/myservice 8443:https

    Listen on port 8888 locally, forwarding to 5000 in the pod

    1. kubectl port-forward pod/mypod 8888:5000

    Listen on port 8888 on all addresses, forwarding to 5000 in the pod

    1. kubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000

    Listen on port 8888 on localhost and selected IP, forwarding to 5000 in the pod

    1. kubectl port-forward --address localhost,10.19.21.23 pod/mypod 8888:5000

    Listen on a random port locally, forwarding to 5000 in the pod

    1. kubectl port-forward pod/mypod :5000

    Forward one or more local ports to a pod.

    Use resource type/name such as deployment/mydeployment to select a pod. Resource type defaults to ‘pod’ if omitted.

    If there are multiple pods matching the criteria, a pod will be selected automatically. The forwarding session ends when the selected pod terminates, and a rerun of the command is needed to resume forwarding.

    Usage

    $ kubectl port-forward TYPE/NAME [options] [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N]

    Flags

    NameShorthandDefaultUsage
    address[localhost]Addresses to listen on (comma separated). Only accepts IP addresses or localhost as a value. When localhost is supplied, kubectl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these addresses are available to bind.
    pod-running-timeout1m0sThe length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running

    proxy

    To proxy all of the Kubernetes API and nothing else

    1. kubectl proxy --api-prefix=/

    To proxy only part of the Kubernetes API and also some static files # You can get pods info with ‘curl localhost:8001/api/v1/pods’

    1. kubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/

    To proxy the entire Kubernetes API at a different root # You can get pods info with ‘curl localhost:8001/custom/api/v1/pods’

    1. kubectl proxy --api-prefix=/custom/

    Run a proxy to the Kubernetes API server on port 8011, serving static content from ./local/www/

    1. kubectl proxy --port=8011 --www=./local/www/

    Run a proxy to the Kubernetes API server on an arbitrary local port # The chosen port for the server will be output to stdout

    1. kubectl proxy --port=0

    Run a proxy to the Kubernetes API server, changing the API prefix to k8s-api # This makes e.g. the pods API available at localhost:8001/k8s-api/v1/pods/

    1. kubectl proxy --api-prefix=/k8s-api

    Creates a proxy server or application-level gateway between localhost and the Kubernetes API server. It also allows serving static content over specified HTTP path. All incoming data enters through one port and gets forwarded to the remote Kubernetes API server port, except for the path matching the static content path.

    Usage

    $ kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix]

    Flags

    NameShorthandDefaultUsage
    accept-hosts^localhost$,^127.0.0.1$,^[::1]$Regular expression for hosts that the proxy should accept.
    accept-paths^.*Regular expression for paths that the proxy should accept.
    address127.0.0.1The IP address on which to serve on.
    api-prefix/Prefix to serve the proxied API under.
    append-server-pathfalseIf true, enables automatic path appending of the kube context server path to each request.
    disable-filterfalseIf true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.
    keepalive0skeepalive specifies the keep-alive period for an active network connection. Set to 0 to disable keepalive.
    portp8001The port on which to run the proxy. Set to 0 to pick a random port.
    reject-methods^$Regular expression for HTTP methods that the proxy should reject (example —reject-methods=’POST,PUT,PATCH’).
    reject-paths^/api/./pods/./exec,^/api/./pods/./attachRegular expression for paths that the proxy should reject. Paths specified here will be rejected even accepted by —accept-paths.
    unix-socketuUnix socket on which to run the proxy.
    wwwwAlso serve static files from the given directory under the specified prefix.
    www-prefixP/static/Prefix to serve static files under, if static file directory is specified.

    top

    Display Resource (CPU/Memory) usage.

    The top command allows you to see the resource consumption for nodes or pods.

    This command requires Metrics Server to be correctly configured and working on the server.

    Usage

    $ kubectl top


    node

    Show metrics for all nodes

    1. kubectl top node

    Show metrics for a given node

    1. kubectl top node NODE_NAME

    Display resource (CPU/memory) usage of nodes.

    The top-node command allows you to see the resource consumption of nodes.

    Usage

    $ kubectl top node [NAME | -l label]

    Flags

    NameShorthandDefaultUsage
    no-headersfalseIf present, print output without headers
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-capacityfalsePrint node resources based on Capacity instead of Allocatable(default) of the nodes.
    sort-byIf non-empty, sort nodes list using specified field. The field can be either ‘cpu’ or ‘memory’.
    use-protocol-bufferstrueEnables using protocol-buffers to access Metrics API.

    Show metrics for all pods in the default namespace

    1. kubectl top pod

    Show metrics for all pods in the given namespace

    1. kubectl top pod --namespace=NAMESPACE

    Show metrics for a given pod and its containers

    1. kubectl top pod POD_NAME --containers

    Show metrics for the pods defined by label name=myLabel

    1. kubectl top pod -l name=myLabel

    Display resource (CPU/memory) usage of pods.

    The ‘top pod’ command allows you to see the resource consumption of pods.

    Due to the metrics pipeline delay, they may be unavailable for a few minutes since pod creation.

    Usage

    $ kubectl top pod [NAME | -l label]

    Flags

    NameShorthandDefaultUsage
    all-namespacesAfalseIf present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with —namespace.
    containersfalseIf present, print usage of containers within a pod.
    field-selectorSelector (field query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. —field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type.
    no-headersfalseIf present, print output without headers.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    sort-byIf non-empty, sort pods list using specified field. The field can be either ‘cpu’ or ‘memory’.
    sumfalsePrint the sum of the resource usage
    use-protocol-bufferstrueEnables using protocol-buffers to access Metrics API.

    CLUSTER MANAGEMENT


    api-versions

    Print the supported API versions

    1. kubectl api-versions

    Print the supported API versions on the server, in the form of “group/version”.

    Usage

    $ kubectl api-versions


    certificate

    Modify certificate resources.

    Usage

    $ kubectl certificate SUBCOMMAND


    approve

    Approve CSR ‘csr-sqgzp’

    1. kubectl certificate approve csr-sqgzp

    Approve a certificate signing request.

    kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requestor with the attributes requested in the CSR.

    SECURITY NOTICE: Depending on the requested attributes, the issued certificate can potentially grant a requester access to cluster resources or to authenticate as a requested identity. Before approving a CSR, ensure you understand what the signed certificate can do.

    Usage

    $ kubectl certificate approve (-f FILENAME | NAME)

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    filenamef[]Filename, directory, or URL to files identifying the resource to update
    forcefalseUpdate the CSR even if it is already approved.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    deny

    Deny CSR ‘csr-sqgzp’

    1. kubectl certificate deny csr-sqgzp

    Deny a certificate signing request.

    kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). This action tells a certificate signing controller to not to issue a certificate to the requestor.

    Usage

    $ kubectl certificate deny (-f FILENAME | NAME)

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    filenamef[]Filename, directory, or URL to files identifying the resource to update
    forcefalseUpdate the CSR even if it is already denied.
    kustomizekProcess the kustomization directory. This flag can’t be used together with -f or -R.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    recursiveRfalseProcess the directory used in -f, —filename recursively. Useful when you want to manage related manifests organized within the same directory.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    cluster-info

    Print the address of the control plane and cluster services

    1. kubectl cluster-info

    Display addresses of the control plane and services with label kubernetes.io/cluster-service=true. To further debug and diagnose cluster problems, use ‘kubectl cluster-info dump’.

    Usage

    $ kubectl cluster-info


    dump

    Dump current cluster state to stdout

    1. kubectl cluster-info dump

    Dump current cluster state to /path/to/cluster-state

    1. kubectl cluster-info dump --output-directory=/path/to/cluster-state

    Dump all namespaces to stdout

    1. kubectl cluster-info dump --all-namespaces

    Dump a set of namespaces to /path/to/cluster-state

    1. kubectl cluster-info dump --namespaces default,kube-system --output-directory=/path/to/cluster-state

    Dump cluster information out suitable for debugging and diagnosing cluster problems. By default, dumps everything to stdout. You can optionally specify a directory with —output-directory. If you specify a directory, Kubernetes will build a set of files in that directory. By default, only dumps things in the current namespace and ‘kube-system’ namespace, but you can switch to a different namespace with the —namespaces flag, or specify —all-namespaces to dump all namespaces.

    The command also dumps the logs of all of the pods in the cluster; these logs are dumped into different directories based on namespace and pod name.

    Usage

    $ kubectl cluster-info dump

    Flags

    NameShorthandDefaultUsage
    all-namespacesAfalseIf true, dump all namespaces. If true, —namespaces is ignored.
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    namespaces[]A comma separated list of namespaces to dump.
    outputojsonOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    output-directoryWhere to output the files. If empty or ‘-‘ uses stdout, otherwise creates a directory hierarchy in that directory
    pod-running-timeout20sThe length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    cordon

    Mark node “foo” as unschedulable

    1. kubectl cordon foo

    Mark node as unschedulable.

    Usage

    $ kubectl cordon NODE

    Flags

    NameShorthandDefaultUsage
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.

    drain

    Drain node “foo”, even if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set on it

    1. kubectl drain foo --force

    As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set or stateful set, and use a grace period of 15 minutes

    1. kubectl drain foo --grace-period=900

    Drain node in preparation for maintenance.

    The given node will be marked unschedulable to prevent new pods from arriving. ‘drain’ evicts the pods if the API server supports . Otherwise, it will use normal DELETE to delete the pods. The ‘drain’ evicts or deletes all pods except mirror pods (which cannot be deleted through the API server). If there are daemon set-managed pods, drain will not proceed without —ignore-daemonsets, and regardless it will not delete any daemon set-managed pods, because those pods would be immediately replaced by the daemon set controller, which ignores unschedulable markings. If there are any pods that are neither mirror pods nor managed by a replication controller, replica set, daemon set, stateful set, or job, then drain will not delete any pods unless you use —force. —force will also allow deletion to proceed if the managing resource of one or more pods is missing.

    ‘drain’ waits for graceful termination. You should not operate on the machine until the command completes.

    When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.

    https://kubernetes.io/images/docs/kubectl_drain.svg

    Usage

    $ kubectl drain NODE

    Flags

    NameShorthandDefaultUsage
    chunk-size500Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future.
    delete-emptydir-datafalseContinue even if there are pods using emptyDir (local data that will be deleted when the node is drained).
    delete-local-datafalseContinue even if there are pods using emptyDir (local data that will be deleted when the node is drained).
    disable-evictionfalseForce drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    forcefalseContinue even if there are pods that do not declare a controller.
    grace-period-1Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used.
    ignore-daemonsetsfalseIgnore DaemonSet-managed pods.
    pod-selectorLabel selector to filter pods on the node
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    skip-wait-for-delete-timeout0If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip.
    timeout0sThe length of time to wait before giving up, zero means infinite

    taint

    Update node ‘foo’ with a taint with key ‘dedicated’ and value ‘special-user’ and effect ‘NoSchedule’ # If a taint with that key and effect already exists, its value is replaced as specified

    1. kubectl taint nodes foo dedicated=special-user:NoSchedule

    Remove from node ‘foo’ the taint with key ‘dedicated’ and effect ‘NoSchedule’ if one exists

    1. kubectl taint nodes foo dedicated:NoSchedule-

    Remove from node ‘foo’ all the taints with key ‘dedicated’

    1. kubectl taint nodes foo dedicated-

    Add a taint with key ‘dedicated’ on nodes having label mylabel=X

    1. kubectl taint node -l myLabel=X dedicated=foo:PreferNoSchedule

    Add to node ‘foo’ a taint with key ‘bar’ and no value

    1. kubectl taint nodes foo bar:NoSchedule

    Update the taints on one or more nodes.

    A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect. The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 253 characters.
    Optionally, the key can begin with a DNS subdomain prefix and a single ‘/‘, like example.com/my-app. The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters.
    The effect must be NoSchedule, PreferNoSchedule or NoExecute. Currently taint can only apply to node.

    Usage

    $ kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N

    Flags

    NameShorthandDefaultUsage
    allfalseSelect all nodes in the cluster
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    field-managerkubectl-taintName of the manager used to track field ownership.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    overwritefalseIf true, allow taints to be overwritten, otherwise reject taint updates that overwrite existing taints.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
    validatestrictMust be one of: strict (or true), warn, ignore (or false).
    “true” or “strict” will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
    “warn” will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as “ignore” otherwise.
    “false” or “ignore” will not perform any schema validation, silently dropping any unknown or duplicate fields.

    uncordon

    Mark node “foo” as schedulable

    1. kubectl uncordon foo

    Mark node as schedulable.

    Usage

    $ kubectl uncordon NODE

    Flags

    NameShorthandDefaultUsage
    dry-runnoneMust be “none”, “server”, or “client”. If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.
    selectorlSelector (label query) to filter on, supports ‘=’, ‘==’, and ‘!=’.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints.

    KUBECTL SETTINGS AND USAGE


    alpha

    These commands correspond to alpha features that are not enabled in Kubernetes clusters by default.

    Usage

    $ kubectl alpha


    events

    List recent events in the default namespace.

    1. kubectl alpha events

    List recent events in all namespaces.

    1. kubectl alpha events --all-namespaces

    List recent events for the specified pod, then wait for more events and list them as they arrive.

    1. kubectl alpha events --for pod/web-pod-13je7 --watch

    List recent events in given format. Supported ones, apart from default, are json and yaml.

    1. kubectl alpha events -oyaml

    List recent only events in given event types

    1. kubectl alpha events --types=Warning,Normal

    Experimental: Display events

    Prints a table of the most important information about events. You can request events for a namespace, for all namespace, or filtered to only those pertaining to a specified resource.

    Usage

    $ kubectl alpha events [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file] [--for TYPE/NAME] [--watch] [--event=Normal,Warning]

    Flags

    NameShorthandDefaultUsage
    all-namespacesAfalseIf present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with —namespace.
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    chunk-size500Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future.
    forFilter events to only those pertaining to the specified resource.
    no-headersfalseWhen using the default output format, don’t print headers.
    outputoOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
    types[]Output only events of given types.
    watchwfalseAfter listing the requested events, watch for more events.

    api-resources

    Print the supported API resources

    1. kubectl api-resources

    Print the supported API resources with more information

    1. kubectl api-resources -o wide

    Print the supported API resources sorted by a column

    1. kubectl api-resources --sort-by=name

    Print the supported namespaced resources

    1. kubectl api-resources --namespaced=true

    Print the supported non-namespaced resources

    1. kubectl api-resources --namespaced=false

    Print the supported API resources with a specific APIGroup

    1. kubectl api-resources --api-group=rbac.authorization.k8s.io

    Print the supported API resources on the server.

    Usage

    $ kubectl api-resources

    Flags

    NameShorthandDefaultUsage
    api-groupLimit to resources in the specified API group.
    cachedfalseUse the cached list of resources if available.
    namespacedtrueIf false, non-namespaced resources will be returned, otherwise returning namespaced resources by default.
    no-headersfalseWhen using the default or custom-column output format, don’t print headers (default print headers).
    outputoOutput format. One of: (wide, name).
    sort-byIf non-empty, sort list of resources using specified field. The field can be either ‘name’ or ‘kind’.
    verbs[]Limit to resources that support the specified verbs.

    completion

    Installing bash completion on macOS using homebrew ## If running Bash 3.2 included with macOS

    1. brew install bash-completion

    or, if running Bash 4.1+

    1. brew install bash-completion@2

    If kubectl is installed via homebrew, this should start working immediately ## If you’ve installed via other means, you may need add the completion to your completion directory

    1. kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/kubectl

    Installing bash completion on Linux ## If bash-completion is not installed on Linux, install the ‘bash-completion’ package ## via your distribution’s package manager. ## Load the kubectl completion code for bash into the current shell

    1. source <(kubectl completion bash)

    Write bash completion code to a file and source it from .bash_profile

    1. kubectl completion bash > ~/.kube/completion.bash.inc
    2. printf "

    Kubectl shell completion

    1. source '$HOME/.kube/completion.bash.inc'
    2. " >> $HOME/.bash_profile
    3. source $HOME/.bash_profile

    Load the kubectl completion code for zsh[1] into the current shell

    1. source <(kubectl completion zsh)

    Set the kubectl completion code for zsh[1] to autoload on startup

    1. kubectl completion zsh > "${fpath[1]}/_kubectl"

    Load the kubectl completion code for fish[2] into the current shell

    1. kubectl completion fish | source

    To load completions for each session, execute once:

    1. kubectl completion fish > ~/.config/fish/completions/kubectl.fish

    Load the kubectl completion code for powershell into the current shell

    1. kubectl completion powershell | Out-String | Invoke-Expression

    Set kubectl completion code for powershell to run on startup ## Save completion code to a script and execute in the profile

    1. kubectl completion powershell > $HOME\.kube\completion.ps1
    2. Add-Content $PROFILE "$HOME\.kube\completion.ps1"

    Execute completion code in the profile

    1. Add-Content $PROFILE "if (Get-Command kubectl -ErrorAction SilentlyContinue) {
    2. kubectl completion powershell | Out-String | Invoke-Expression
    3. }"

    Add completion code directly to the $PROFILE script

    1. kubectl completion powershell >> $PROFILE

    Output shell completion code for the specified shell (bash, zsh, fish, or powershell). The shell code must be evaluated to provide interactive completion of kubectl commands. This can be done by sourcing it from the .bash_profile.

    Detailed instructions on how to do this are available here:

    for macOS:

    for linux:
    https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion

    for windows:

    Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2.

    Usage

    $ kubectl completion SHELL


    config

    Modify kubeconfig files using subcommands like “kubectl config set current-context my-context”

    The loading order follows these rules:

    1. If the —kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
    2. If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
    3. Otherwise, ${HOME}/.kube/config is used and no merging takes place.

    Usage

    $ kubectl config SUBCOMMAND


    current-context

    Display the current-context

    1. kubectl config current-context

    Display the current-context.

    Usage

    $ kubectl config current-context


    delete-cluster

    Delete the minikube cluster

    1. kubectl config delete-cluster minikube

    Delete the specified cluster from the kubeconfig.

    Usage

    $ kubectl config delete-cluster NAME


    delete-context

    Delete the context for the minikube cluster

    1. kubectl config delete-context minikube

    Delete the specified context from the kubeconfig.

    Usage

    $ kubectl config delete-context NAME


    delete-user

    Delete the minikube user

    1. kubectl config delete-user minikube

    Delete the specified user from the kubeconfig.

    Usage

    $ kubectl config delete-user NAME


    get-clusters

    List the clusters that kubectl knows about

    1. kubectl config get-clusters

    Display clusters defined in the kubeconfig.

    Usage

    $ kubectl config get-clusters


    get-contexts

    List all the contexts in your kubeconfig file

    1. kubectl config get-contexts

    Describe one context in your kubeconfig file

    1. kubectl config get-contexts my-context

    Display one or many contexts from the kubeconfig file.

    Usage

    $ kubectl config get-contexts [(-o|--output=)name)]

    Flags

    NameShorthandDefaultUsage
    no-headersfalseWhen using the default or custom-column output format, don’t print headers (default print headers).
    outputoOutput format. One of: (name).

    get-users

    List the users that kubectl knows about

    1. kubectl config get-users

    Display users defined in the kubeconfig.

    Usage

    $ kubectl config get-users


    rename-context

    Rename the context ‘old-name’ to ‘new-name’ in your kubeconfig file

    1. kubectl config rename-context old-name new-name

    Renames a context from the kubeconfig file.

    CONTEXT_NAME is the context name that you want to change.

    NEW_NAME is the new name you want to set.

    Note: If the context being renamed is the ‘current-context’, this field will also be updated.

    Usage

    $ kubectl config rename-context CONTEXT_NAME NEW_NAME


    set

    Set the server field on the my-cluster cluster to

    1. kubectl config set clusters.my-cluster.server https://1.2.3.4

    Set the certificate-authority-data field on the my-cluster cluster

    1. kubectl config set clusters.my-cluster.certificate-authority-data $(echo "cert_data_here" | base64 -i -)

    Set the cluster field in the my-context context to my-cluster

    1. kubectl config set contexts.my-context.cluster my-cluster

    Set the client-key-data field in the cluster-admin user using —set-raw-bytes option

    1. kubectl config set users.cluster-admin.client-key-data cert_data_here --set-raw-bytes=true

    Set an individual value in a kubeconfig file.

    PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots.

    PROPERTY_VALUE is the new value you want to set. Binary fields such as ‘certificate-authority-data’ expect a base64 encoded string unless the —set-raw-bytes flag is used.

    Specifying an attribute name that already exists will merge new fields on top of existing values.

    Usage

    $ kubectl config set PROPERTY_NAME PROPERTY_VALUE

    Flags

    NameShorthandDefaultUsage
    set-raw-bytesfalseWhen writing a []byte PROPERTY_VALUE, write the given string directly without base64 decoding.

    set-cluster

    Set only the server field on the e2e cluster entry without touching other values

    1. kubectl config set-cluster e2e --server=https://1.2.3.4

    Embed certificate authority data for the e2e cluster entry

    1. kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt

    Disable cert checking for the e2e cluster entry

    1. kubectl config set-cluster e2e --insecure-skip-tls-verify=true

    Set custom TLS server name to use for validation for the e2e cluster entry

    1. kubectl config set-cluster e2e --tls-server-name=my-cluster-name

    Set proxy url for the e2e cluster entry

    1. kubectl config set-cluster e2e --proxy-url=https://1.2.3.4

    Set a cluster entry in kubeconfig.

    Specifying a name that already exists will merge new fields on top of existing values for those fields.

    Usage

    $ kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority] [--insecure-skip-tls-verify=true] [--tls-server-name=example.com]

    Flags

    NameShorthandDefaultUsage
    embed-certsfalseembed-certs for the cluster entry in kubeconfig
    proxy-urlproxy-url for the cluster entry in kubeconfig

    set-context

    Set the user field on the gce context entry without touching other values

    1. kubectl config set-context gce --user=cluster-admin

    Set a context entry in kubeconfig.

    Specifying a name that already exists will merge new fields on top of existing values for those fields.

    Usage

    $ kubectl config set-context [NAME | --current] [--cluster=cluster_nickname] [--user=user_nickname] [--namespace=namespace]

    Flags

    NameShorthandDefaultUsage
    currentfalseModify the current context

    set-credentials

    Set only the “client-key” field on the “cluster-admin” # entry, without touching other values

    1. kubectl config set-credentials cluster-admin --client-key=~/.kube/admin.key

    Set basic auth for the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif

    Embed client certificate data in the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true

    Enable the Google Compute Platform auth provider for the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --auth-provider=gcp

    Enable the OpenID Connect auth provider for the “cluster-admin” entry with additional args

    1. kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar

    Remove the “client-secret” config value for the OpenID Connect auth provider for the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-secret-

    Enable new exec auth plugin for the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1

    Define new exec auth plugin args for the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --exec-arg=arg1 --exec-arg=arg2

    Create or update exec auth plugin environment variables for the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --exec-env=key1=val1 --exec-env=key2=val2

    Remove exec auth plugin environment variables for the “cluster-admin” entry

    1. kubectl config set-credentials cluster-admin --exec-env=var-to-remove-

    Set a user entry in kubeconfig.

    Specifying a name that already exists will merge new fields on top of existing values.

    Client-certificate flags: —client-certificate=certfile —client-key=keyfile

    Bearer token flags: —token=bearer_token

    Basic auth flags: —username=basic_user —password=basic_password

    Bearer token and basic auth are mutually exclusive.

    Usage

    $ kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile] [--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name] [--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg] [--exec-env=key=value]

    Flags

    NameShorthandDefaultUsage
    auth-providerAuth provider for the user entry in kubeconfig
    auth-provider-arg[]‘key=value’ arguments for the auth provider
    embed-certsfalseEmbed client cert/key for the user entry in kubeconfig
    exec-api-versionAPI version of the exec credential plugin for the user entry in kubeconfig
    exec-arg[]New arguments for the exec credential plugin command for the user entry in kubeconfig
    exec-commandCommand for the exec credential plugin for the user entry in kubeconfig
    exec-env[]‘key=value’ environment values for the exec credential plugin

    unset

    Unset the current-context

    1. kubectl config unset current-context

    Unset namespace in foo context

    1. kubectl config unset contexts.foo.namespace

    Unset an individual value in a kubeconfig file.

    PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots.

    Usage

    $ kubectl config unset PROPERTY_NAME


    use-context

    Use the context for the minikube cluster

    1. kubectl config use-context minikube

    Set the current-context in a kubeconfig file.

    Usage

    $ kubectl config use-context CONTEXT_NAME


    view

    Show merged kubeconfig settings

    1. kubectl config view

    Show merged kubeconfig settings and raw certificate data

    1. kubectl config view --raw

    Get the password for the e2e user

    1. kubectl config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'

    Display merged kubeconfig settings or a specified kubeconfig file.

    You can use —output jsonpath={…} to extract specific values using a jsonpath expression.

    Usage

    $ kubectl config view

    Flags

    NameShorthandDefaultUsage
    allow-missing-template-keystrueIf true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
    flattenfalseFlatten the resulting kubeconfig file into self-contained output (useful for creating portable kubeconfig files)
    mergetrueMerge the full hierarchy of kubeconfig files
    minifyfalseRemove all information not used by current-context from the output
    outputoyamlOutput format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file).
    rawfalseDisplay raw byte data
    show-managed-fieldsfalseIf true, keep the managedFields when printing objects in JSON or YAML format.
    templateTemplate string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

    explain

    Get the documentation of the resource and its fields

    1. kubectl explain pods

    Get the documentation of a specific field of a resource

    1. kubectl explain pods.spec.containers

    List the fields for supported resources.

    This command describes the fields associated with each supported API resource. Fields are identified via a simple JSONPath identifier:

    <type>.<fieldName>[.<fieldName>]

    Add the —recursive flag to display all of the fields at once without descriptions. Information about each field is retrieved from the server in OpenAPI format.

    Use “kubectl api-resources” for a complete list of supported resources.

    Usage

    $ kubectl explain RESOURCE

    Flags

    NameShorthandDefaultUsage
    api-versionGet different explanations for particular API version (API group/version)
    recursivefalsePrint the fields of fields (Currently only 1 level deep)

    options

    Print flags inherited by all commands

    1. kubectl options

    Print the list of flags inherited by all commands

    Usage

    $ kubectl options


    plugin

    Provides utilities for interacting with plugins.

    Plugins provide extended functionality that is not part of the major command-line distribution. Please refer to the documentation and examples for more information about how write your own plugins.

    The easiest way to discover and install plugins is via the kubernetes sub-project krew. To install krew, visit

    Usage

    $ kubectl plugin [flags]


    list

    List all available plugin files on a user’s PATH.

    Available plugin files are those that are: - executable - anywhere on the user’s PATH - begin with “kubectl-“

    Usage

    $ kubectl plugin list

    Flags


    version

    Print the client and server versions for the current context

      Print the client and server version information for the current context.

      Usage

      $ kubectl version

      Flags

      NameShorthandDefaultUsage
      clientfalseIf true, shows client version only (no server required).
      outputoOne of ‘yaml’ or ‘json’.
      shortfalseIf true, print just the version number.