Kubernetes Cheat Sheet



Basics

Port forward to local machine

You can use this to access a port within a running pod from your local machine. First port is local, second is remote.

kubectl port-forward mongo-75f59d57f4-4nd6q 28015:27017

Run bash or other command within a pod

kubectl exec -it grafana-9b8fc4d95-gp85f -- bash

… sometimes there is no bash; try sh in that case.

Set container image

This is handy if you need to hotfix a wrong image or are testing things with different images and don’t want to change the deployment all the time via kubectl apply -f. The part before the = is the name of the container inside the deployment.

kubectl set image deployment/deployment001 deployment001=myacr.azurecr.io/deployment001:tag

Stuff on Azure Kubernetes Service (AKS)

Login

Use Kubernetes on Azure. The last command merges the cluster's credentials into the kubeconfig in your default user directory (~/.kube/config).

  az login
  az account set --subscription <subscription>
  az aks get-credentials --resource-group <resource-group> --name <cluster-name>

To put it into a separate file (e.g. for creating a Service Connection in DevOps) use this command:

  az aks get-credentials --resource-group <resource-group> --name <cluster-name> --file env.config.txt

Rotate certs

If kubectl fails with the following error:

C:\Users\sbki>kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time 2022-11-15T13:44:21+01:00 is after 2022-04-21T12:52:13Z

rotate the cluster certificates to fix it:

az aks rotate-certs --resource-group <resource-group> --name <cluster-name>

Refresh Service Principal

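Sometimes the service principal can expire if you assigned it to AKS yourself. In this case the UI in the Azure portal might not be able to show info on running workloads.

Do this to fix it. The first command prints the client ID of the cluster's service principal, which the second command needs together with the client secret.

az aks show --resource-group <resource-group> --name <cluster-name> --query servicePrincipalProfile.clientId -o tsv
az aks update-credentials --resource-group <resource-group> --name <cluster-name> --reset-service-principal --service-principal "<client-id>" --client-secret "<client-secret>"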

Stuff with helm

cert-manager: Restart Certificate Request

Sometimes it happens that a certificate request hangs. Then it looks something like this:

C:\Users\sbki>kubectl get certificaterequests
NAME                APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-secret2-9jxr2   True                False   letsencrypt-grafana   system:serviceaccount:cert-manager:cert-manager   125m

To restart a certificate request, first find the secret which contains the certificate (e.g. tls-secret)

C:\Users\sbki>kubectl get secrets
NAME                     TYPE                                  DATA   AGE
tls-secret               kubernetes.io/tls                     2      2s

Then delete the secret

C:\Users\sbki>kubectl delete secret tls-secret
secret "tls-secret" deleted

The certificate request should now be restarted. If it worked, READY shows True:

C:\Users\sbki>kubectl get certificaterequests
NAME                APPROVED   DENIED   READY   ISSUER                REQUESTOR                                         AGE
tls-secret-pdqdq    True                True    letsencrypt-prod      system:serviceaccount:cert-manager:cert-manager   13s
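
To find hanging requests without reading the table by eye, the following added example (not part of the original cheat sheet) reads the output of kubectl get certificaterequests -o json and lists every request whose Ready condition is not True after a threshold, together with the Certificate that owns it. The sample data, the 30-minute threshold and the function names are assumptions; the Ready condition and ownerReferences are the fields cert-manager sets on CertificateRequest objects.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the fields this script reads.
SAMPLE = {"items": [
    {"metadata": {"name": "tls-secret2-9jxr2",
                  "creationTimestamp": "2022-11-15T10:00:00Z",
                  "ownerReferences": [{"kind": "Certificate", "name": "tls-secret2"}]},
     "status": {"conditions": [
         {"type": "Approved", "status": "True"},
         {"type": "Ready", "status": "False", "reason": "Pending"}]}},
    {"metadata": {"name": "tls-secret-pdqdq",
                  "creationTimestamp": "2022-11-15T12:04:47Z",
                  "ownerReferences": [{"kind": "Certificate", "name": "tls-secret"}]},
     "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Issued"}]}},
    # Just created, no status yet: not Ready, but too young to call stuck.
    {"metadata": {"name": "tls-new-abcde", "creationTimestamp": "2022-11-15T12:04:00Z"}},
]}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stuck_requests(doc, now, max_age=timedelta(minutes=30)):
    """Return (name, owning Certificate, Ready reason, age in minutes) per stuck request."""
    stuck = []
    for item in doc.get("items", []):
        meta = item["metadata"]
        conds = item.get("status", {}).get("conditions", [])
        ready = next((c for c in conds if c.get("type") == "Ready"), {})
        age = now - parse_ts(meta["creationTimestamp"])
        if ready.get("status") == "True" or age < max_age:
            continue
        owner = next((o["name"] for o in meta.get("ownerReferences", [])
                      if o.get("kind") == "Certificate"), None)
        stuck.append((meta["name"], owner, ready.get("reason", "Unknown"),
                      int(age.total_seconds() // 60)))
    return stuck


if __name__ == "__main__":
    # Pipe in `kubectl get certificaterequests -o json`; without a pipe the sample is used.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    now = datetime.now(timezone.utc) if doc is not SAMPLE else parse_ts("2022-11-15T12:05:00Z")
    for name, owner, reason, minutes in stuck_requests(doc, now):
        print(f"{name}: not Ready for {minutes}m (reason={reason}, certificate={owner})")
```

A reason of Pending means the issuer has not answered yet; Failed or Denied means the request ended and the issuer or approval setup needs a look before the secret is deleted again.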