# Kubernetes Cheatsheet

Kubernetes is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications.
## Installation and Setup

### kubectl Installation

```bash
# Linux installation
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# macOS installation
brew install kubectl

# Windows installation (PowerShell)
curl.exe -LO "https://dl.k8s.io/release/v1.28.0/bin/windows/amd64/kubectl.exe"

# Verify installation
kubectl version --client
```
### Cluster Setup Options

```bash
# Minikube (local development)
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube
minikube start

# Kind (Kubernetes in Docker)
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
kind create cluster

# kubeadm (production clusters)
sudo apt-get update && sudo apt-get install -y kubeadm kubelet kubectl
sudo kubeadm init --pod-network-cidr=10.244.0.0/16
```
### Configuration

```bash
# Set up kubeconfig
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# View current context
kubectl config current-context

# List all contexts
kubectl config get-contexts

# Switch context
kubectl config use-context my-cluster

# Set default namespace
kubectl config set-context --current --namespace=my-namespace
```
## Basic Commands

### Cluster Information

```bash
# Cluster info
kubectl cluster-info

# Node information
kubectl get nodes
kubectl describe node <node-name>

# Cluster version
kubectl version

# API resources
kubectl api-resources

# API versions
kubectl api-versions
```
### Namespaces

```bash
# List namespaces
kubectl get namespaces
kubectl get ns

# Create namespace
kubectl create namespace my-namespace

# Delete namespace
kubectl delete namespace my-namespace

# Set default namespace
kubectl config set-context --current --namespace=my-namespace
```
### Basic Resource Operations

```bash
# Get resources
kubectl get pods
kubectl get services
kubectl get deployments
kubectl get all

# Describe resources
kubectl describe pod <pod-name>

# Create resources
kubectl create -f manifest.yaml
kubectl apply -f manifest.yaml

# Delete resources
kubectl delete pod <pod-name>
```
## Pod Management

### Pod Operations

```bash
# List pods
kubectl get pods
kubectl get pods -o wide
kubectl get pods --all-namespaces

# Create pod from image
kubectl run nginx --image=nginx

# Get pod details
kubectl describe pod <pod-name>

# Get pod logs
kubectl logs <pod-name>

# Execute commands in pod
kubectl exec -it <pod-name> -- /bin/sh

# Port forwarding (local port 8080 -> container port 80)
kubectl port-forward <pod-name> 8080:80

# Copy files (pod -> local)
kubectl cp <pod-name>:/path/to/file ./local-file
```
### Pod Manifest Example

```yaml
# pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    ports:
    - containerPort: 80
    env:
    - name: ENV_VAR
      value: "production"
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
```
## Deployments

### Deployment Operations

```bash
# Create deployment
kubectl create deployment nginx --image=nginx:1.21

# Scale deployment
kubectl scale deployment nginx --replicas=3

# Update deployment image
kubectl set image deployment/nginx nginx=nginx:1.22

# Rollout status
kubectl rollout status deployment/nginx

# Rollout history
kubectl rollout history deployment/nginx

# Rollback deployment
kubectl rollout undo deployment/nginx
kubectl rollout undo deployment/nginx --to-revision=2

# Delete deployment
kubectl delete deployment nginx
```
### Deployment Manifest

```yaml
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
```
## Services

### Service Types and Operations

```bash
# Expose deployment as service
kubectl expose deployment nginx --port=80 --type=ClusterIP

# Create service from manifest
kubectl apply -f service.yaml

# List services
kubectl get services
kubectl get svc

# Describe service
kubectl describe service nginx

# Delete service
kubectl delete service nginx
```
### Service Manifests

```yaml
# ClusterIP Service (reachable only inside the cluster)
apiVersion: v1
kind: Service
metadata:
  name: nginx-clusterip
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: ClusterIP
---
# NodePort Service (opens the port on every node)
apiVersion: v1
kind: Service
metadata:
  name: nginx-nodeport
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 30080
  type: NodePort
---
# LoadBalancer Service (provisions an external load balancer)
apiVersion: v1
kind: Service
metadata:
  name: nginx-loadbalancer
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: LoadBalancer
```
## ConfigMaps and Secrets

### ConfigMap Operations

```bash
# Create ConfigMap from literal
kubectl create configmap app-config --from-literal=database_url=mysql://localhost:3306

# Create ConfigMap from file
kubectl create configmap app-config --from-file=config.properties

# Create ConfigMap from directory
kubectl create configmap app-config --from-file=config/

# Get ConfigMap
kubectl get configmap app-config -o yaml

# Delete ConfigMap
kubectl delete configmap app-config
```
### ConfigMap Manifest

```yaml
# configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  database_url: "mysql://localhost:3306"
  debug_mode: "true"
  config.properties: |
    database.host=localhost
    database.port=3306
    database.name=myapp
```
### Secret Operations

```bash
# Create secret from literal
kubectl create secret generic app-secret --from-literal=password=mysecretpassword

# Create secret from file
kubectl create secret generic app-secret --from-file=ssh-privatekey=~/.ssh/id_rsa

# Create TLS secret
kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key

# Get secret (values are base64 encoded, not encrypted)
kubectl get secret app-secret -o yaml

# Decode secret
kubectl get secret app-secret -o jsonpath='{.data.password}' | base64 --decode
```
### Secret Manifest

```yaml
# secret.yaml
# Note: base64 is an encoding, not encryption; anyone who can read the Secret can decode it.
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  username: YWRtaW4=            # base64 encoded 'admin'
  password: MWYyZDFlMmU2N2Rm    # base64 encoded password
```
### Using ConfigMaps and Secrets in Pods

```yaml
# pod-with-config.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: nginx
    env:
    - name: DATABASE_URL
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: database_url
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-secret
          key: password
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
    - name: secret-volume
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: config-volume
    configMap:
      name: app-config
  - name: secret-volume
    secret:
      secretName: app-secret
```
## Persistent Volumes

### PersistentVolume and PersistentVolumeClaim

```yaml
# persistent-volume.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-storage
spec:
  capacity:
    storage: 10Gi
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: manual
  hostPath:
    path: /mnt/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-storage
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: manual
```
### Using a PVC in a Pod

```yaml
# pod-with-pvc.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-storage
spec:
  containers:
  - name: app
    image: nginx
    volumeMounts:
    - name: storage
      mountPath: /usr/share/nginx/html
  volumes:
  - name: storage
    persistentVolumeClaim:
      claimName: pvc-storage
```
## Ingress

### Ingress Controller Setup

```bash
# Install NGINX Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml

# Verify installation
kubectl get pods -n ingress-nginx
kubectl get services -n ingress-nginx
```
### Ingress Manifest

```yaml
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - myapp.example.com
    secretName: tls-secret
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
```
## Monitoring and Debugging

### Resource Monitoring

```bash
# Resource usage (requires metrics-server)
kubectl top nodes
kubectl top pods
kubectl top pods --containers

# Events
kubectl get events
kubectl get events --sort-by=.metadata.creationTimestamp

# Describe for debugging
kubectl describe pod <pod-name>

# Logs
kubectl logs <pod-name>
```
### Troubleshooting Commands

```bash
# Check pod status
kubectl get pods -o wide

# Debug pod issues
kubectl describe pod <pod-name>

# Network debugging (temporary pod, removed on exit)
kubectl run debug --image=busybox --rm -it -- /bin/sh
kubectl run debug --image=nicolaka/netshoot --rm -it -- /bin/bash

# DNS debugging
kubectl run debug --image=busybox --rm -it -- nslookup kubernetes.default

# Check resource quotas
kubectl describe resourcequota
kubectl describe limitrange
```
## Advanced Features

### Jobs and CronJobs

```yaml
# job.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: pi-calculation
spec:
  template:
    spec:
      containers:
      - name: pi
        image: perl
        command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
      restartPolicy: Never
  backoffLimit: 4
---
# cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: backup-job
spec:
  schedule: "0 2 * * *"  # Daily at 2 AM
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: backup
            image: backup-tool
            command: ["/bin/sh", "-c", "backup-script.sh"]
          restartPolicy: OnFailure
```
### DaemonSets

```yaml
# daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-daemonset
spec:
  selector:
    matchLabels:
      name: fluentd
  template:
    metadata:
      labels:
        name: fluentd
    spec:
      containers:
      - name: fluentd
        image: fluentd:v1.14
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
```
### StatefulSets

```yaml
# statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql-statefulset
spec:
  serviceName: mysql
  replicas: 3
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: "rootpassword"  # plaintext for illustration only; use a secretKeyRef in practice
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mysql-storage
          mountPath: /var/lib/mysql
  volumeClaimTemplates:
  - metadata:
      name: mysql-storage
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
```
## Security

### RBAC (Role-Based Access Control)

```yaml
# rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-service-account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
- kind: ServiceAccount
  name: app-service-account
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
### Network Policies

```yaml
# network-policy.yaml
# Default deny: selects every pod in the namespace and allows no ingress or egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow only frontend pods to reach nginx on TCP/80
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80
```
### Pod Security Standards

```yaml
# pod-security.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app
    image: nginx
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    # writable scratch space, since the root filesystem is read-only
    volumeMounts:
    - name: tmp
      mountPath: /tmp
    - name: cache
      mountPath: /var/cache/nginx
  volumes:
  - name: tmp
    emptyDir: {}
  - name: cache
    emptyDir: {}
```
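As an added example (not part of the original cheatsheet), a small Python audit that reads `kubectl get pods -o json` output and reports every container missing the hardening fields the `secure-pod` manifest sets. The field names are the Kubernetes API's own; the check logic, the function names and the sample pod list are constructed here.

```python
import json

def check_pod_security(pod: dict) -> list[str]:
    """Return findings for one Pod object in the shape `kubectl get pod -o json` prints."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        # runAsNonRoot may be set on the pod or the container; the container value wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{cname}: runAsNonRoot is not true")
        if sc.get("privileged") is True:
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities.drop does not include ALL")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
    return findings

def audit(json_text: str) -> list[str]:
    """Accept a single Pod or the `kind: List` document that `kubectl get pods -o json` returns."""
    doc = json.loads(json_text)
    pods = doc["items"] if doc.get("kind") == "List" else [doc]
    return [f for pod in pods if pod.get("kind") == "Pod" for f in check_pod_security(pod)]

# Constructed sample in the shape of `kubectl get pods -o json`, trimmed to the fields read
# above: secure-pod mirrors the manifest in this section, nginx is what
# `kubectl run nginx --image=nginx` creates (no securityContext at all).
SAMPLE_LIST = """
{"kind": "List", "apiVersion": "v1", "items": [
  {"kind": "Pod", "apiVersion": "v1", "metadata": {"name": "secure-pod"},
   "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "fsGroup": 2000},
            "containers": [{"name": "app", "image": "nginx", "securityContext": {
              "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
              "capabilities": {"drop": ["ALL"]}}}]}},
  {"kind": "Pod", "apiVersion": "v1", "metadata": {"name": "nginx"},
   "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}
]}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LIST):
        print(finding)
```

Pipe real cluster output in with `kubectl get pods -A -o json` to get the same report for every namespace.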
## Helm Package Manager

### Helm Installation

```bash
# Install Helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# Add repository
helm repo add stable https://charts.helm.sh/stable
helm repo update

# Search charts
helm search repo nginx

# Install chart
helm install my-nginx stable/nginx-ingress

# List releases
helm list

# Upgrade release
helm upgrade my-nginx stable/nginx-ingress

# Uninstall release
helm uninstall my-nginx
```
### Creating Helm Charts

```bash
# Create new chart
helm create my-app
```

Chart structure:

```text
my-app/
├── Chart.yaml
├── values.yaml
├── templates/
│   ├── deployment.yaml
│   ├── service.yaml
│   └── ingress.yaml
└── charts/
```
## Best Practices

### Resource Management

```yaml
# Always specify resource requests and limits
resources:
  requests:
    memory: "64Mi"
    cpu: "250m"
  limits:
    memory: "128Mi"
    cpu: "500m"

# Use appropriate restart policies (pick one per pod template)
restartPolicy: Always     # For Deployments
restartPolicy: OnFailure  # For Jobs
restartPolicy: Never      # For one-time tasks
```
### Health Checks

```yaml
# Liveness and readiness probes
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10

readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5
```
### Labels and Annotations

```yaml
# Use consistent labeling
metadata:
  labels:
    app: myapp
    version: v1.0.0
    component: frontend
    part-of: myapp-system
    managed-by: helm
  annotations:
    deployment.kubernetes.io/revision: "1"
    description: "Frontend component of myapp"
```
## Useful Commands Reference

```bash
# Quick reference commands
kubectl get all                  # Get all resources
kubectl get pods -o wide         # Detailed pod info
kubectl describe pod <pod-name>  # Debug a pod
```
## Resources

- Kubernetes Documentation
- Kubectl Reference
- Kubernetes API Reference
- Helm Documentation
- Kubernetes Community