
kubectl Commands - Complete Cheatsheet

Practice these commands with your GKE cluster: nginx-1 deployment with 3 replicas


1. Cluster Information Commands

Command 1: Check cluster info

kubectl cluster-info

Command 2: Check versions

kubectl version

Command 3: View config

kubectl config view

Command 4: List API resources

kubectl api-resources

Command 5: List API versions

kubectl api-versions

Command 6: List common workload resources in every namespace ("all" is a category covering pods, services, deployments, replicasets, statefulsets, daemonsets, jobs, cronjobs and HPAs, not literally everything)

kubectl get all --all-namespaces

2. Pod Commands

Command 7: List pods

kubectl get pod

Command 8: List pods with details

kubectl get pod -o wide

Command 9: Describe a pod (use your actual pod name)

kubectl describe pod nginx-1-xxxxx

Command 10: Get pod logs

kubectl logs nginx-1-xxxxx

Command 11: Follow pod logs (stream)

kubectl logs -f nginx-1-xxxxx

Command 12: Last 20 lines of logs

kubectl logs --tail=20 nginx-1-xxxxx

Command 13: Logs from last hour

kubectl logs --since=1h nginx-1-xxxxx

Command 14: Get shell in pod

kubectl exec -it nginx-1-xxxxx -- /bin/bash

Command 15: Run command in pod

kubectl exec nginx-1-xxxxx -- ls /usr/share/nginx/html

Command 16: Top pods (resource usage)

kubectl top pod

Command 17: Delete a pod

kubectl delete pod nginx-1-xxxxx

3. Deployment Commands

Command 18: List deployments

kubectl get deployment

Command 19: Describe deployment

kubectl describe deployment nginx-1

Command 20: Get deployment YAML

kubectl get deployment nginx-1 -o yaml

Command 21: Edit deployment (opens editor)

kubectl edit deployment nginx-1

Command 22: Scale deployment

kubectl scale deployment nginx-1 --replicas=5

Command 23: Check rollout status

kubectl rollout status deployment nginx-1

Command 24: Rollout history

kubectl rollout history deployment nginx-1

Command 25: Create deployment

kubectl create deployment test-app --image=nginx:latest

Command 26: Delete deployment

kubectl delete deployment test-app

4. Service Commands

Command 27: List services

kubectl get services

Command 28: Describe service

kubectl describe services nginx-1

Command 29: Expose deployment as LoadBalancer

kubectl expose deployment nginx-1 --port=80 --type=LoadBalancer

Command 30: Expose deployment as ClusterIP

kubectl expose deployment nginx-1 --port=80 --type=ClusterIP --name=nginx-internal

Command 31: Edit service

kubectl edit services nginx-1

Command 32: Delete service

kubectl delete service nginx-1

5. Events Commands

Command 33: Get all events

kubectl get events

Command 34: Get events sorted by time

kubectl get events --sort-by='.lastTimestamp'

Command 35: Get only warnings

kubectl get events --field-selector type=Warning

Command 36: Exclude pod events

kubectl get events --field-selector involvedObject.kind!=Pod

6. Namespace Commands

Command 37: List namespaces

kubectl get namespace

Command 38: Create namespace

kubectl create namespace dev

Command 39: Describe namespace

kubectl describe namespace default

Command 40: Delete namespace

kubectl delete namespace dev

Command 41: Get pods in specific namespace

kubectl get pods -n kube-system

Command 42: Get all resources in namespace

kubectl get all -n default

7. Node Commands

Command 43: List nodes

kubectl get node

Command 44: Describe a node (omit the name to describe every node)

kubectl describe node <node_name>

Command 45: Top nodes (resource usage)

kubectl top node

Command 46: See pods on a specific node (the NODE column of -o wide, filtered with a field selector)

kubectl get pods -A -o wide --field-selector spec.nodeName=<node_name>

Command 47: Mark node unschedulable

kubectl cordon <node_name>

Command 48: Mark node schedulable

kubectl uncordon <node_name>

8. YAML/Manifest Commands

Command 49: Apply YAML file

kubectl apply -f manifest.yaml

Command 50: Create from YAML

kubectl create -f manifest.yaml

Command 51: Delete using YAML

kubectl delete -f manifest.yaml

Command 52: Apply all YAML in directory

kubectl apply -f ./k8s/

9. ConfigMap & Secret Commands

Command 53: Create configmap from literal

kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2

Command 54: List configmaps

kubectl get configmap

Command 55: Describe configmap

kubectl describe configmap my-config

Command 56: Create secret (--from-literal leaves the value in your shell history; prefer --from-file or --from-env-file for real credentials)

kubectl create secret generic my-secret --from-literal=password=mysecretpass

Command 57: List secrets

kubectl get secrets

Command 58: Describe secret

kubectl describe secrets my-secret

10. Advanced Commands

Command 59: Port forward to pod

kubectl port-forward nginx-1-xxxxx 8080:80

Command 60: Port forward to service

kubectl port-forward service/nginx-1 8080:80

Command 61: Run temporary debug pod

kubectl run debug --image=busybox:latest --rm -it -- sh

Command 62: Create pod imperatively

kubectl run test-pod --image=nginx:latest --port=80

Command 63: Watch resources (live updates)

kubectl get pods -w

Command 64: Get resource as JSON

kubectl get pod nginx-1-xxxxx -o json

Command 65: Get specific field using JSONPath

kubectl get pods -o jsonpath='{.items[*].metadata.name}'

11. Daemonsets

Command 66: List daemonsets

kubectl get daemonset

Command 67: Describe daemonset

kubectl describe daemonset <daemonset_name>

Command 68: Edit daemonset

kubectl edit daemonset <daemonset_name>

Command 69: Delete daemonset

kubectl delete daemonset <daemonset_name>

12. ReplicaSets

Command 70: List replicasets

kubectl get replicasets

Command 71: Describe replicaset

kubectl describe replicasets <replicaset_name>

Command 72: Scale replicaset

kubectl scale --replicas=3 replicaset/<replicaset_name>

13. StatefulSets

Command 73: List statefulsets

kubectl get statefulset

Command 74: Describe statefulset

kubectl describe statefulset <statefulset_name>

Command 75: Delete statefulset (keep pods; --cascade=false is deprecated in favour of --cascade=orphan)

kubectl delete statefulset/<statefulset_name> --cascade=orphan

14. Service Accounts

Command 76: List service accounts

kubectl get serviceaccounts

Command 77: Describe service account

kubectl describe serviceaccounts <sa_name>

Command 78: Delete service account

kubectl delete serviceaccount <sa_name>

15. Labels & Annotations

Command 79: Add label to pod

kubectl label pod <pod_name> environment=production

Command 80: Add label to node

kubectl label node <node_name> disktype=ssd

Command 81: Remove label from pod

kubectl label pod <pod_name> environment-

Command 82: Add annotation to pod

kubectl annotate pod <pod_name> description="My web app"

Command 83: Get pods by label

kubectl get pods -l environment=production

Command 84: Get pods with multiple label selectors

kubectl get pods -l 'environment in (production,staging)'

16. Resource Management

Command 85: Set resource requests/limits

kubectl set resources deployment nginx-1 --limits=cpu=200m,memory=512Mi --requests=cpu=100m,memory=256Mi

Command 86: Get pod resource usage

kubectl top pod --containers

Command 87: Get node resource allocation

kubectl describe nodes | grep -A 5 Allocated

17. Rollout Management

Command 88: Pause rollout

kubectl rollout pause deployment nginx-1

Command 89: Resume rollout

kubectl rollout resume deployment nginx-1

Command 90: Undo rollout (rollback)

kubectl rollout undo deployment nginx-1

Command 91: Rollback to specific revision

kubectl rollout undo deployment nginx-1 --to-revision=2

Command 92: Restart deployment (rolling restart)

kubectl rollout restart deployment nginx-1

18. Context & Configuration

Command 93: Get current context

kubectl config current-context

Command 94: List all contexts

kubectl config get-contexts

Command 95: Switch context

kubectl config use-context <context_name>

Command 96: Set namespace for current context

kubectl config set-context --current --namespace=dev

Command 97: View kubeconfig (certificates and tokens are redacted; --raw prints them, --minify limits output to the current context)

kubectl config view

19. Copying Files

Command 98: Copy file from pod to local

kubectl cp <pod_name>:/path/to/file /local/path

Command 99: Copy file from local to pod

kubectl cp /local/path <pod_name>:/path/to/file

20. Drain & Maintenance

Command 100: Drain node (evict all pods)

kubectl drain <node_name> --ignore-daemonsets --delete-emptydir-data

Command 101: Drain node with force

kubectl drain <node_name> --ignore-daemonsets --delete-emptydir-data --force

Command 102: Taint a node

kubectl taint nodes <node_name> key=value:NoSchedule

Command 103: Remove taint from node

kubectl taint nodes <node_name> key=value:NoSchedule-

Command 104: Update node labels

kubectl label nodes <node_name> disktype=ssd

21. RBAC (Role-Based Access Control)

Command 105: List roles

kubectl get roles

Command 106: List cluster roles

kubectl get clusterroles

Command 107: Describe role

kubectl describe role <role_name>

Command 108: List role bindings

kubectl get rolebindings

Command 109: List cluster role bindings

kubectl get clusterrolebindings

Command 110: Create role

kubectl create role pod-reader --verb=get,list,watch --resource=pods

Command 111: Create cluster role

kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

Command 112: Create role binding

kubectl create rolebinding read-pods --role=pod-reader --user=jane

Command 113: Create cluster role binding

kubectl create clusterrolebinding read-pods --clusterrole=pod-reader --user=jane

Command 114: Check if user can perform action (auth check)

kubectl auth can-i create pods

Command 115: Check permissions for specific user

kubectl auth can-i create pods --as=jane

Command 116: Check permissions in namespace

kubectl auth can-i create pods --as=jane -n dev

Command 117: List all permissions for current user

kubectl auth can-i --list
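The RBAC commands above can be reasoned about offline. The script below is an added example for this cheatsheet (it is not kubectl's code and not part of the original page): it reproduces what `kubectl auth can-i VERB RESOURCE -n NS --as USER` answers from Role, ClusterRole, RoleBinding and ClusterRoleBinding objects, and it lists bindings whose role grants a wildcard verb or resource, which is the least-privilege check a reviewer wants before anything is bound to cluster-admin. The objects and the user, group and binding names (jane, bob, ops, read-pods, bob-admin, ops-admin) are constructed; it assumes RBAC is the only authorizer, does not expand aggregated ClusterRoles, and ignores subresources and non-resource URLs.

```python
"""Offline approximation of `kubectl auth can-i` plus a wildcard-grant scan.

Added example for this cheatsheet, not kubectl's code. The objects mimic the
items of `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json`
and are constructed. Assumptions: RBAC is the only authorizer, aggregated
ClusterRoles are not expanded, subresources and non-resource URLs are ignored.
"""


def _match(pattern, value):
    # "*" is the RBAC wildcard for apiGroups, resources and verbs
    return pattern == "*" or pattern == value


def rule_allows(rule, verb, api_group, resource):
    """True if a single PolicyRule permits verb on resource in api_group."""
    return (any(_match(g, api_group) for g in rule.get("apiGroups", []))
            and any(_match(r, resource) for r in rule.get("resources", []))
            and any(_match(v, verb) for v in rule.get("verbs", [])))


def subject_matches(subject, user, groups):
    """Match a binding subject against a user name and its group memberships."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def _index(objs):
    roles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in objs["roles"]}
    cluster_roles = {r["metadata"]["name"]: r for r in objs["clusterroles"]}
    return roles, cluster_roles


def _rules_for(binding, roles, cluster_roles):
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return cluster_roles.get(ref["name"], {}).get("rules", [])
    # a RoleBinding can only reference a Role in its own namespace
    return roles.get((binding["metadata"]["namespace"], ref["name"]), {}).get("rules", [])


def can_i(objs, user, groups, verb, resource, namespace=None, api_group=""):
    """Answer like `kubectl auth can-i VERB RESOURCE [-n NS] --as USER`.

    ClusterRoleBindings apply everywhere. RoleBindings apply only inside their
    namespace and never to cluster-scoped requests (namespace=None).
    """
    roles, cluster_roles = _index(objs)
    candidates = list(objs["clusterrolebindings"])
    if namespace is not None:
        candidates += [b for b in objs["rolebindings"] if b["metadata"]["namespace"] == namespace]
    for b in candidates:
        if not any(subject_matches(s, user, groups) for s in b.get("subjects", [])):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in _rules_for(b, roles, cluster_roles)):
            return True
    return False


def risky_bindings(objs):
    """'Kind/namespace/name' of every binding whose role grants a wildcard verb or resource."""
    roles, cluster_roles = _index(objs)
    found = []
    for b in objs["clusterrolebindings"] + objs["rolebindings"]:
        if any("*" in r.get("verbs", []) or "*" in r.get("resources", [])
               for r in _rules_for(b, roles, cluster_roles)):
            found.append(f"{b['kind']}/{b['metadata'].get('namespace', '')}/{b['metadata']['name']}")
    return sorted(found)


def _binding(kind, ns, name, ref_kind, ref_name, subjects):
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": kind, "metadata": meta, "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": subjects}


SAMPLE = {  # constructed objects, not from a real cluster
    "roles": [{"kind": "Role", "metadata": {"namespace": "dev", "name": "pod-reader"},
               "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]}],
    "clusterroles": [{"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
                      "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}],
    "rolebindings": [
        _binding("RoleBinding", "dev", "read-pods", "Role", "pod-reader", [{"kind": "User", "name": "jane"}]),
        # cluster-admin through a RoleBinding: full control of prod only, nothing cluster-wide
        _binding("RoleBinding", "prod", "bob-admin", "ClusterRole", "cluster-admin",
                 [{"kind": "User", "name": "bob"}]),
    ],
    "clusterrolebindings": [
        _binding("ClusterRoleBinding", None, "ops-admin", "ClusterRole", "cluster-admin",
                 [{"kind": "Group", "name": "ops"}]),
    ],
}

if __name__ == "__main__":
    print(can_i(SAMPLE, "jane", [], "list", "pods", "dev"))        # True
    print(can_i(SAMPLE, "jane", [], "delete", "pods", "dev"))      # False
    print(can_i(SAMPLE, "bob", [], "delete", "nodes"))             # False: RoleBinding is namespace-only
    print(risky_bindings(SAMPLE))  # ['ClusterRoleBinding//ops-admin', 'RoleBinding/prod/bob-admin']
```

To run it against a real cluster, dump the four resource kinds with `-o json` and build the same four lists from their `items`. The `bob-admin` case is the one worth remembering: binding `cluster-admin` through a RoleBinding is common and only grants that namespace, but it still shows up in `risky_bindings` because the role itself is all-wildcards.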

22. PersistentVolumes & Claims

Command 118: List persistent volumes

kubectl get pv

Command 119: List persistent volume claims

kubectl get pvc

Command 120: Describe PV

kubectl describe pv <pv_name>

Command 121: Describe PVC

kubectl describe pvc <pvc_name>

Command 122: Create PVC from YAML

kubectl apply -f pvc.yaml

Command 123: Delete PVC

kubectl delete pvc <pvc_name>

Command 124: Get PVC with capacity info

kubectl get pvc -o custom-columns=NAME:.metadata.name,CAPACITY:.spec.resources.requests.storage,STATUS:.status.phase

23. Jobs & CronJobs

Command 125: List jobs

kubectl get jobs

Command 126: List cronjobs

kubectl get cronjobs

Command 127: Create job from image

kubectl create job test-job --image=busybox -- echo "Hello"

Command 128: Create cronjob

kubectl create cronjob test-cron --image=busybox --schedule="*/5 * * * *" -- echo "Hello"

Command 129: Describe job

kubectl describe job <job_name>

Command 130: Get job logs

kubectl logs job/<job_name>

Command 131: Delete completed jobs

kubectl delete jobs --field-selector status.successful=1

Command 132: Suspend cronjob

kubectl patch cronjob <cronjob_name> -p '{"spec":{"suspend":true}}'

Command 133: Resume cronjob

kubectl patch cronjob <cronjob_name> -p '{"spec":{"suspend":false}}'

Command 134: Trigger cronjob manually

kubectl create job --from=cronjob/<cronjob_name> <job_name>

24. Ingress Resources

Command 135: List ingress resources

kubectl get ingress

Command 136: Describe ingress

kubectl describe ingress <ingress_name>

Command 137: Get ingress with endpoints

kubectl get ingress -o wide

Command 138: Edit ingress

kubectl edit ingress <ingress_name>

Command 139: Create ingress

kubectl create ingress simple --rule="foo.com/bar=svc:8080"

Command 140: Get ingress class

kubectl get ingressclass

25. NetworkPolicy

Command 141: List network policies

kubectl get networkpolicy

Command 142: Describe network policy

kubectl describe networkpolicy <policy_name>

Command 143: Delete network policy

kubectl delete networkpolicy <policy_name>

26. HorizontalPodAutoscaler (HPA)

Command 144: List HPAs

kubectl get hpa

Command 145: Create HPA

kubectl autoscale deployment nginx-1 --cpu-percent=50 --min=1 --max=10

Command 146: Describe HPA

kubectl describe hpa <hpa_name>

Command 147: Delete HPA

kubectl delete hpa <hpa_name>

Command 148: Get HPA with targets

kubectl get hpa -w

27. ResourceQuota & LimitRange

Command 149: List resource quotas

kubectl get resourcequota

Command 150: Describe resource quota

kubectl describe resourcequota <quota_name>

Command 151: Create resource quota

kubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2

Command 152: List limit ranges

kubectl get limitrange

Command 153: Describe limit range

kubectl describe limitrange <limitrange_name>

28. PodDisruptionBudget

Command 154: List pod disruption budgets

kubectl get pdb

Command 155: Describe PDB

kubectl describe pdb <pdb_name>

Command 156: Create PDB

kubectl create pdb my-pdb --selector=app=nginx --min-available=2

29. Advanced Debugging (kubectl debug)

Command 157: Debug pod with ephemeral container

kubectl debug <pod_name> -it --image=busybox

Command 158: Debug by creating copy of pod

kubectl debug <pod_name> -it --copy-to=debug-pod --container=myapp

Command 159: Debug a node (creates a pod on that node running in the host's network, PID and IPC namespaces with the node filesystem mounted at /host; needs permission to create such pods, and the pod must be deleted afterwards)

kubectl debug node/<node_name> -it --image=ubuntu

Command 160: Ephemeral container that shares the process namespace of a specific container (lets you see its processes and files under /proc/<pid>/root)

kubectl debug <pod_name> -it --image=busybox --target=<container_name>

Command 161: Debug CrashLoopBackOff pod

kubectl debug <pod_name> -it --copy-to=debug-pod -- sh

30. Advanced Output & Formatting

Command 162: Custom columns output

kubectl get pods -o custom-columns=NAME:.metadata.name,STATUS:.status.phase,NODE:.spec.nodeName

Command 163: Sort output by a field (the argument is a JSONPath expression)

kubectl get pods --sort-by=.metadata.creationTimestamp

Command 164: JSONPath for specific field

kubectl get pods -o jsonpath='{.items[0].spec.containers[0].image}'

Command 165: Get pod IPs

kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.podIP}{"\n"}{end}'

Command 166: Show resource limits

kubectl get pods -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].resources.limits.memory}{"\n"}{end}'

Command 167: Get all container images

kubectl get pods -A -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | sort -u

31. Patch & Update Commands

Command 168: Patch resource with strategic merge

kubectl patch deployment nginx-1 -p '{"spec":{"replicas":5}}'

Command 169: Patch with JSON patch

kubectl patch pod <pod_name> --type='json' -p='[{"op":"replace","path":"/spec/containers/0/image","value":"nginx:1.21"}]'

Command 170: Update image (the name before = is the container name from the pod template, not the image name)

kubectl set image deployment/nginx-1 nginx=nginx:1.21

Command 171: Set environment variable

kubectl set env deployment/nginx-1 ENV=production

Command 172: Set service account

kubectl set serviceaccount deployment nginx-1 myserviceaccount

32. Diff & Apply

Command 173: Diff before applying

kubectl diff -f manifest.yaml

Command 174: Apply with server-side apply

kubectl apply --server-side -f manifest.yaml

Command 175: Record a change cause for rollout history (the --record flag is deprecated; set the annotation it used to write)

kubectl annotate deployment nginx-1 kubernetes.io/change-cause="<reason for the change>"

Command 176: Prune resources (deletes every object carrying the label that is absent from the manifest; preview with --dry-run=server first)

kubectl apply -f manifest.yaml --prune -l app=myapp

33. Kustomize Integration

Command 177: Apply kustomization

kubectl apply -k ./kustomize/overlays/production

Command 178: View kustomize output

kubectl kustomize ./kustomize/overlays/production

Command 179: Diff kustomize changes

kubectl diff -k ./kustomize/overlays/production

34. Wait & Conditions

Command 180: Wait for deployment rollout

kubectl wait --for=condition=available --timeout=300s deployment/nginx-1

Command 181: Wait for pod ready

kubectl wait --for=condition=ready pod -l app=nginx

Command 182: Wait for job completion

kubectl wait --for=condition=complete --timeout=600s job/my-job

Command 183: Wait for pod deletion

kubectl wait --for=delete pod/<pod_name> --timeout=60s

35. Explain & Documentation

Command 184: Explain resource

kubectl explain pod

Command 185: Explain nested field

kubectl explain pod.spec.containers

Command 186: Explain every field recursively

kubectl explain deployment --recursive

36. API Resources & Discovery

Command 187: Get API resources in specific group

kubectl api-resources --api-group=apps

Command 188: Get namespaced resources only

kubectl api-resources --namespaced=true

Command 189: Get cluster-scoped resources

kubectl api-resources --namespaced=false

Command 190: Get resources by verb

kubectl api-resources --verbs=list,get

37. Certificate Management

Command 191: Get certificate signing requests

kubectl get csr

Command 192: Approve CSR

kubectl certificate approve <csr_name>

Command 193: Deny CSR

kubectl certificate deny <csr_name>

38. Plugin & Extensions

Command 194: List kubectl plugins

kubectl plugin list

Command 195: Get client and server versions as JSON (the --short flag has been removed; plain kubectl version now prints the short form)

kubectl version -o json

39. Performance & Benchmarking

Command 196: Top pods sorted by CPU

kubectl top pods --sort-by=cpu

Command 197: Top pods sorted by memory

kubectl top pods --sort-by=memory

Command 198: Top nodes with details

kubectl top nodes --sort-by=memory

Command 199: Get all pods resource usage across namespaces

kubectl top pods -A --sort-by=memory

Command 200: Check container resource usage

kubectl top pod <pod_name> --containers

Common Flags & Options

Output formats:

  • -o wide - Additional columns
  • -o yaml - YAML format
  • -o json - JSON format
  • -o jsonpath - Custom output using JSONPath
  • -o name - Only resource names

Common flags:

  • -n <namespace> - Specify namespace
  • --all-namespaces or -A - All namespaces
  • -l key=value - Filter by label
  • -w or --watch - Watch for changes
  • --dry-run=client -o yaml - Generate YAML without creating
  • -f <file> - Specify file
  • --force - Force operation (for delete: remove the object from the API without waiting for the kubelet to confirm)
  • --grace-period=0 - Zero termination grace period (combine with --force; only for pods stuck terminating)

Quick Reference

Get Information

kubectl get <resource>                 # List resources
kubectl get <resource> <name>          # Get specific resource
kubectl get <resource> -o wide         # More details
kubectl describe <resource> <name>     # Detailed info
kubectl logs <pod>                     # Container logs
kubectl top <resource>                 # Resource usage

Create/Update/Delete

kubectl create <resource>              # Create resource
kubectl apply -f <file>                # Create/update from file
kubectl edit <resource> <name>         # Edit resource
kubectl delete <resource> <name>       # Delete resource
kubectl replace -f <file>              # Replace resource

Run & Execute

kubectl run <name> --image=<image>         # Create pod
kubectl exec <pod> -- <command>            # Execute command
kubectl exec -it <pod> -- /bin/bash        # Interactive shell
kubectl port-forward <pod> <local>:<pod>   # Forward port

Scale & Rollout

kubectl scale <resource> --replicas=<n>    # Scale resource
kubectl rollout status <resource>          # Check rollout
kubectl rollout history <resource>         # Rollout history
kubectl rollout undo <resource>            # Rollback

Practice Tips

  1. Start with basic get/describe commands to understand your cluster
  2. Practice on your GKE nginx-1 deployment - it’s safe to experiment
  3. Use --dry-run=client -o yaml to see what commands would create without actually creating
  4. Always check with kubectl get before deleting to avoid mistakes
  5. Use kubectl explain <resource> to learn about resource fields
  6. Combine with grep/awk for powerful filtering: kubectl get pods | grep Running
  7. Master JSONPath - incredibly powerful for scripting and automation
  8. Use kubectl diff before applying changes to production
  9. Practice debugging with ephemeral containers using kubectl debug
  10. Learn RBAC inside out - critical for security interviews
  11. Understand the difference between imperative and declarative approaches
  12. Practice writing complete manifests from scratch, not just using generators
  13. Set up aliases to speed up your workflow
  14. Use contexts effectively to manage multiple clusters
  15. Learn to read events and logs - essential for troubleshooting

Resource Shortcuts

Standard Shortcuts

  • po = pods
  • deploy = deployments
  • svc = services
  • ns = namespaces
  • no = nodes
  • cm = configmaps
  • sa = serviceaccounts
  • rs = replicasets
  • ds = daemonsets
  • sts = statefulsets
  • ing = ingress
  • pv = persistentvolumes
  • pvc = persistentvolumeclaims
  • hpa = horizontalpodautoscaler
  • netpol = networkpolicies
  • pdb = poddisruptionbudgets
  • cj = cronjobs

Example: kubectl get po = kubectl get pods

Additional Shortcuts

  • csr = certificatesigningrequests
  • quota = resourcequotas
  • limits = limitranges
  • ep = endpoints
  • ev = events

Using Multiple Shortcuts

kubectl get po,svc,ing,cm -n production

Interview Q&A Scenarios

Scenario 1: Pod stuck in Pending state

# Check pod events
kubectl describe pod <pod_name>
# Check node resources
kubectl top nodes
# Check if nodes are schedulable
kubectl get nodes
# Check if there are taints on nodes
kubectl describe node <node_name> | grep Taints
# Check resource quotas
kubectl get resourcequota -n <namespace>
# Check PVC status if using volumes
kubectl get pvc

Scenario 2: Pod in CrashLoopBackOff

# Check logs
kubectl logs <pod_name>
kubectl logs <pod_name> --previous     # Logs from the crashed container
# Describe pod for events
kubectl describe pod <pod_name>
# Debug with ephemeral container
kubectl debug <pod_name> -it --image=busybox
# Check liveness/readiness probes
kubectl get pod <pod_name> -o yaml | grep -A 10 livenessProbe
# Copy pod and change command to debug
kubectl debug <pod_name> --copy-to=debug-pod -it -- sh

Scenario 3: Service not reachable

# Check service endpoints
kubectl get endpoints <service_name>
kubectl describe svc <service_name>
# Check if pods match service selector
kubectl get pods -l app=myapp
kubectl get svc <service_name> -o yaml | grep selector
# Test from within cluster
kubectl run test --rm -it --image=busybox -- wget -O- <service_name>:<port>
# Check network policies
kubectl get networkpolicy
# Check DNS resolution
kubectl run test --rm -it --image=busybox -- nslookup <service_name>

Scenario 4: Node running out of resources

# Check node resources
kubectl top nodes
kubectl describe node <node_name> | grep -A 5 Allocated
# Find resource-heavy pods
kubectl top pods -A --sort-by=memory
# Check for evicted pods
kubectl get pods -A | grep Evicted
# Cordon and drain node
kubectl cordon <node_name>
kubectl drain <node_name> --ignore-daemonsets --delete-emptydir-data
# Scale down deployments if needed
kubectl scale deployment <name> --replicas=2

Scenario 5: Deployment not rolling out

# Check rollout status
kubectl rollout status deployment <name>
# Check rollout history
kubectl rollout history deployment <name>
# Check replica sets
kubectl get rs
# Describe deployment
kubectl describe deployment <name>
# Check pod-template-hash labels
kubectl get pods --show-labels
# Pause and resume rollout
kubectl rollout pause deployment <name>
kubectl rollout resume deployment <name>

Scenario 6: High cluster costs - need to optimize

# Find pods with a container that has no resource limits
kubectl get pods -A -o json | jq -r '.items[] | select(.spec.containers[].resources.limits == null) | "\(.metadata.namespace)/\(.metadata.name)"'
# Check resource usage vs requests
kubectl top pods -A
kubectl get pods -A -o custom-columns=NAME:.metadata.name,CPU_REQ:.spec.containers[*].resources.requests.cpu,MEM_REQ:.spec.containers[*].resources.requests.memory
# Find PVCs that no pod in the namespace references
# (jq -e takes its exit status from the last value, so wrap the check in any() rather than emitting one boolean per volume)
kubectl get pvc -A --no-headers | while read ns name rest; do
  kubectl get pods -n "$ns" -o json \
    | jq -e --arg n "$name" 'any(.items[].spec.volumes[]?.persistentVolumeClaim.claimName; . == $n)' > /dev/null \
    || echo "$ns/$name"
done
# Check for over-provisioned resources
kubectl top pods -A --sort-by=memory | head -20

Kubernetes Best Practices

Pod Design Best Practices

  1. Always set resource requests and limits

resources:
  requests:
    memory: "64Mi"
    cpu: "250m"
  limits:
    memory: "128Mi"
    cpu: "500m"

  2. Use liveness and readiness probes

livenessProbe:
  httpGet:
    path: /healthz
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5

  3. Use meaningful labels and selectors

metadata:
  labels:
    app: myapp
    tier: frontend
    environment: production
    version: v1.2.3

  4. Don’t use the latest tag for images

# Bad
image: nginx:latest
# Good
image: nginx:1.21.6

  5. Use namespaces for isolation

kubectl create namespace production
kubectl create namespace staging
kubectl create namespace development

Security Best Practices

  1. Never run as root

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 2000

  2. Use a read-only root filesystem

securityContext:
  readOnlyRootFilesystem: true

  3. Drop unnecessary capabilities

securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE

  4. Use network policies (this default-deny policy selects every pod in its namespace; add allow rules on top of it, and note it is only enforced when the cluster's network plugin supports NetworkPolicy)

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

  5. Use RBAC with least privilege

# Create role with minimal permissions
kubectl create role pod-reader --verb=get,list --resource=pods
# Bind to specific user
kubectl create rolebinding read-pods --role=pod-reader --user=jane

  6. Scan images for vulnerabilities

# Use tools like trivy, aqua, snyk
trivy image nginx:1.21

  7. Use Secrets for sensitive data (a Secret is base64-encoded, not encrypted: enable encryption at rest and restrict get/list on secrets with RBAC, because anyone who can read the object can decode the value)

# Don't use ConfigMaps for sensitive data
kubectl create secret generic db-secret --from-literal=password=supersecret
# Mount as a volume where possible; environment variables are visible to anything that can read the process environment (child processes, /proc, crash dumps)

  8. Enable Pod Security Standards

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
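Pod Security admission enforces the restricted profile on new pods, but it says nothing about what is already running. The script below is an added example for this cheatsheet (not the Pod Security admission code and not part of the original page) that audits pod specs from `kubectl get pods -A -o json` for the pod-design and security controls listed above: pinned image tags, resource requests and limits, liveness and readiness probes, non-root, read-only root filesystem, dropped capabilities, no privilege escalation, a seccomp profile, and no host namespaces or hostPath volumes. It resolves the container-level securityContext over the pod-level one the way the kubelet does. The two pods at the bottom are constructed, and the function names are assumptions; the same checks are the ones Pitfalls 1 to 4 further down describe.

```python
"""Audit pod specs against the pod-design and security controls listed above.

Added example for this cheatsheet; it is not the Pod Security admission
controller and does not claim to cover every rule of the restricted profile.
Input is the `items` array of `kubectl get pods -A -o json`; the two pods at the
bottom are constructed, not taken from a real cluster.
"""
import json
import sys


def effective_context(pod_spec, container):
    """Container securityContext fields override the pod-level ones, as the kubelet resolves them."""
    ctx = dict(pod_spec.get("securityContext", {}))
    ctx.update(container.get("securityContext", {}))
    return ctx


def image_is_pinned(image):
    """True for an explicit tag other than :latest, or an @sha256 digest."""
    last = image.rsplit("/", 1)[-1]          # strip registry/host:port and path
    if "@" in last:
        return True
    return ":" in last and not last.endswith(":latest")


def audit_container(pod_spec, container):
    ctx = effective_context(pod_spec, container)
    caps = ctx.get("capabilities", {})
    findings = []
    if not image_is_pinned(container.get("image", "")):
        findings.append("image tag missing or :latest")
    if ctx.get("runAsNonRoot") is not True and ctx.get("runAsUser", 0) == 0:
        findings.append("may run as root")   # nothing stops UID 0 unless runAsNonRoot or a non-zero runAsUser is set
    if ctx.get("readOnlyRootFilesystem") is not True:
        findings.append("writable root filesystem")
    if ctx.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation not false")
    if ctx.get("privileged"):
        findings.append("privileged container")
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities not dropped")
    extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
    if extra:
        findings.append("adds capabilities: " + ",".join(sorted(extra)))
    if ctx.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile")
    res = container.get("resources", {})
    if not res.get("requests") or not res.get("limits"):
        findings.append("missing resource requests/limits")
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in container:
            findings.append(f"no {probe}")
    return findings


def audit_pod(pod):
    """Return {"ns/pod" or "ns/pod/container": [findings]} for everything that deviates."""
    spec = pod["spec"]
    name = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
    report = {}
    pod_findings = [f"{k} enabled" for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    pod_findings += [f"hostPath volume {v['hostPath'].get('path', '')}"
                     for v in spec.get("volumes", []) if "hostPath" in v]
    if pod_findings:
        report[name] = pod_findings
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        found = audit_container(spec, c)
        if found:
            report[f"{name}/{c['name']}"] = found
    return report


def audit_all(pods):
    report = {}
    for pod in pods:
        report.update(audit_pod(pod))
    return report


BAD_POD = {  # constructed: what `kubectl run web --image=nginx` with hostNetwork gives you
    "metadata": {"namespace": "default", "name": "web-bad"},
    "spec": {"hostNetwork": True, "containers": [{"name": "web", "image": "nginx:latest"}]},
}

GOOD_POD = {  # constructed: the container settings from the production manifest on this page
    "metadata": {"namespace": "production", "name": "web-good"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "myregistry.io/myapp:1.2.3",
            "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                          "limits": {"cpu": "1", "memory": "512Mi"}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        }],
    },
}

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_pods.py   (falls back to the samples)
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else [BAD_POD, GOOD_POD]
    for target, findings in sorted(audit_all(items).items()):
        print(target, "->", "; ".join(findings))
```

Run it from a CI job or a cron-driven report and diff the output over time; a new entry means something was deployed outside the manifests you review. The `runAsUser` default of 0 in `audit_container` is deliberate: when neither field is set, the image's USER decides, and the audit treats that as unknown rather than safe.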

Deployment Best Practices

  1. Use Deployments, not bare Pods

# Good - self-healing, rolling updates
kubectl create deployment myapp --image=nginx:1.21
# Bad - no self-healing
kubectl run myapp --image=nginx:1.21

  2. Configure a proper rollout strategy

spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0

  3. Use Pod Disruption Budgets

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: myapp-pdb
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: myapp

  4. Set up HPA for auto-scaling

kubectl autoscale deployment myapp --cpu-percent=70 --min=2 --max=10

  5. Use anti-affinity for HA

affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
            - key: app
              operator: In
              values:
                - myapp
        topologyKey: "kubernetes.io/hostname"

Resource Management Best Practices

  1. Set ResourceQuotas per namespace

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi

  2. Use LimitRanges for defaults

apiVersion: v1
kind: LimitRange
metadata:
  name: mem-limit-range
spec:
  limits:
    - default:
        memory: 512Mi
        cpu: 500m
      defaultRequest:
        memory: 256Mi
        cpu: 250m
      type: Container

  3. Monitor resource usage

kubectl top nodes
kubectl top pods -A --sort-by=memory

Operations Best Practices

  1. Always use labels for organization
  2. Use health checks - liveness and readiness probes
  3. Implement proper logging - centralized logging solution
  4. Use GitOps - Argo CD, Flux
  5. Regular backups - etcd snapshots, velero
  6. Monitor everything - Prometheus, Grafana
  7. Use admission controllers - OPA, Kyverno
  8. Document resources - annotations, README
  9. Version everything - Git commit hashes in labels
  10. Test in staging first - never test in production

Common Pitfalls & Solutions

Pitfall 1: Not setting resource requests/limits

Problem: Pod scheduling issues, resource starvation, node crashes
Solution: Always set requests and limits

resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    cpu: "500m"
    memory: "512Mi"

Pitfall 2: Using latest tag

Problem: Unpredictable deployments, version conflicts
Solution: Use specific version tags

# Bad
image: nginx:latest
# Good
image: nginx:1.21.6-alpine

Pitfall 3: No health checks

Problem: Traffic sent to unhealthy pods
Solution: Always configure probes

livenessProbe:
  httpGet:
    path: /healthz
    port: 8080
readinessProbe:
  httpGet:
    path: /ready
    port: 8080

Pitfall 4: Running as root

Problem: UID 0 inside the container is UID 0 on the node unless user namespaces are in use, so any container escape (kernel bug, mounted host path, exposed container runtime socket) lands as root on the host
Solution: Run as a non-root user and let the kubelet refuse to start the container otherwise

securityContext:
  runAsNonRoot: true
  runAsUser: 1000

Pitfall 5: No resource quotas

Problem: One namespace consumes all cluster resources
Solution: Set ResourceQuotas per namespace

Pitfall 6: Forgetting to set DNS policy

Problem: Pod cannot resolve DNS
Solution: Check dnsPolicy and dnsConfig

Pitfall 7: Not using namespaces

Problem: All resources in default namespace, no isolation
Solution: Use namespaces for environments and teams

Pitfall 8: Imperative vs Declarative confusion

Problem: Configuration drift, hard to track changes
Solution: Use declarative YAML files in Git

# Bad - imperative, no history
kubectl create deployment myapp --image=nginx
# Good - declarative, version controlled
kubectl apply -f deployment.yaml

Pitfall 9: No Pod Disruption Budget

Problem: Maintenance takes down too many pods
Solution: Create PDB

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: myapp-pdb
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: myapp

Pitfall 10: Not understanding networking

Problem: Service discovery failures
Solution: Understand ClusterIP, NodePort, LoadBalancer, and DNS


Key Differences (Interview Questions)

Deployment vs StatefulSet vs DaemonSet

| Feature      | Deployment             | StatefulSet        | DaemonSet            |
|--------------|------------------------|--------------------|----------------------|
| Pod Identity | Random                 | Stable, ordered    | Per node             |
| Replicas     | User defined           | User defined       | One per node         |
| Storage      | Ephemeral or shared PV | Stable PVC per pod | Typically host paths |
| Use Case     | Stateless apps         | Databases, queues  | Monitoring, logging  |
| Pod Names    | Random suffix          | Ordered (0, 1, 2)  | Node-based           |
| Scaling      | Up/down freely         | Ordered scale      | Auto (node count)    |
| Updates      | Rolling                | Ordered rolling    | Rolling per node     |

Service Types

| Type         | Purpose               | When to Use                 |
|--------------|-----------------------|-----------------------------|
| ClusterIP    | Internal only         | Microservices communication |
| NodePort     | External via node IP  | Development, testing        |
| LoadBalancer | External via cloud LB | Production external access  |
| ExternalName | DNS alias             | External service proxy      |

ConfigMap vs Secret

| Feature    | ConfigMap         | Secret                                                       |
|------------|-------------------|--------------------------------------------------------------|
| Purpose    | Configuration     | Sensitive data                                               |
| Encoding   | Plain text        | Base64 (an encoding, not encryption)                         |
| Encryption | Plaintext in etcd | Plaintext in etcd unless encryption at rest is configured    |
| Size Limit | 1 MiB             | 1 MiB                                                        |
| Use Case   | App config        | Passwords, tokens, keys                                      |

The practical difference is access control, not storage: anyone allowed to get or list secrets can read every value after a base64 decode, so RBAC on the secrets resource (and encryption at rest for the etcd copy) is the real protection.

Probe Types

| Probe          | Purpose                          | When Checked                                                          |
|----------------|----------------------------------|-----------------------------------------------------------------------|
| livenessProbe  | Is the container alive?          | Continuously, once the startup probe (if any) has succeeded           |
| readinessProbe | Can the container serve traffic? | Continuously, once the startup probe (if any) has succeeded           |
| startupProbe   | Has the container started?       | Startup only; liveness and readiness are disabled until it succeeds   |

Key Difference:

  • Liveness failure (failureThreshold consecutive failures) → container restarted according to restartPolicy
  • Readiness failure → pod removed from Service endpoints; the container is not restarted
  • Startup failure (failureThreshold consecutive failures) → container restarted; once it succeeds, the liveness and readiness probes take over
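A small model of how the kubelet acts on probe results, added here as an example (it is not kubelet code and not from the original page); the thresholds and the sequences of results are constructed. It shows the gating the table describes: nothing but the startup probe counts until that probe succeeds, readiness failures only take the pod out of endpoints, and liveness or startup failures restart the container after failureThreshold consecutive misses.

```python
"""How the kubelet acts on probe results (added example, not kubelet code).

Each probe is described only by its failureThreshold; the thresholds and the
sequences of results are constructed. successThreshold is taken as 1, the only
value the API allows for liveness and startup probes.
"""


class ContainerProbes:
    def __init__(self, startup=None, liveness=None, readiness=None):
        self.threshold = {"startup": startup, "liveness": liveness, "readiness": readiness}
        self.failures = {"startup": 0, "liveness": 0, "readiness": 0}
        self.started = startup is None      # no startup probe: the container counts as started at once
        self.ready = False
        self.restarts = 0

    def _restart(self):
        self.restarts += 1
        self.failures = dict.fromkeys(self.failures, 0)
        self.started = self.threshold["startup"] is None
        self.ready = False                  # not ready again until readiness passes
        return "restart"

    def observe(self, probe, ok):
        """Feed one probe result and return what the kubelet would do with it."""
        if self.threshold[probe] is None:
            return "not configured"
        if probe == "startup":
            if self.started:
                return "ignored"            # the startup probe stops once it has succeeded
        elif not self.started:
            return "ignored"                # liveness/readiness are disabled until startup succeeds
        if ok:
            self.failures[probe] = 0        # one success resets the consecutive-failure count
            if probe == "startup":
                self.started = True
                return "started"
            if probe == "readiness":
                self.ready = True
                return "ready"
            return "ok"
        self.failures[probe] += 1
        if self.failures[probe] < self.threshold[probe]:
            return "counting"
        if probe == "readiness":
            self.ready = False              # dropped from Service endpoints, never restarted
            return "not-ready"
        return self._restart()              # liveness or startup: kill and restart per restartPolicy


if __name__ == "__main__":
    c = ContainerProbes(startup=3, liveness=3, readiness=2)
    for probe, ok in [("liveness", False), ("startup", False), ("startup", False), ("startup", False),
                      ("startup", True), ("readiness", True), ("readiness", False), ("readiness", False),
                      ("liveness", False), ("liveness", False), ("liveness", False)]:
        print(f"{probe:9} ok={ok!s:5} -> {c.observe(probe, ok):14} restarts={c.restarts} ready={c.ready}")
```

The first line of the trace is the point most often missed: a liveness failure before the startup probe has succeeded is simply ignored, which is why a slow-starting application needs a startupProbe with a generous failureThreshold rather than a large initialDelaySeconds on the liveness probe.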

kubectl apply vs create vs replace

| Command | Behavior                                                                      | Use Case          |
|---------|-------------------------------------------------------------------------------|-------------------|
| create  | Creates a new resource, fails if it exists                                    | One-time creation |
| apply   | Creates or updates (declarative, three-way merge with the last applied state) | GitOps, updates   |
| replace | Overwrites the whole object in place; with --force it is deleted and recreated | Full overwrite   |

# create - fails if exists
kubectl create -f deployment.yaml
# apply - creates or updates (preferred)
kubectl apply -f deployment.yaml
# replace - full overwrite; --force deletes and recreates the object, so its pods go down
kubectl replace -f deployment.yaml --force

Requests vs Limits

| Resource   | Requests                | Limits                         |
|------------|-------------------------|--------------------------------|
| CPU        | Guaranteed              | Throttled if exceeded          |
| Memory     | Guaranteed              | Killed (OOMKilled) if exceeded |
| Scheduling | Used for node selection | Not used                       |

Best Practice:

  • Requests: What container needs minimum
  • Limits: Maximum container can use

Taint vs Toleration

  • Taint: Applied to nodes to repel pods
  • Toleration: Applied to pods to allow scheduling on tainted nodes
# Taint node
kubectl taint nodes node1 key=value:NoSchedule
# Pod must have toleration to schedule on node1
tolerations:
  - key: "key"
    operator: "Equal"
    value: "value"
    effect: "NoSchedule"
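The matching rule in code, as an added example (it is not the scheduler's code and not from the original page): a taint is covered when some toleration matches its key, value and effect under the Equal/Exists rules, and only NoSchedule and NoExecute taints are hard constraints. The node and pod fragments are constructed and carry only the fields that matter.

```python
"""Taint/toleration matching, as the scheduler applies it (added example, not scheduler code).

The node and pod fragments below are constructed; they carry only the fields
that matter here (spec.taints on the node, spec.tolerations on the pod).
"""

HARD_EFFECTS = ("NoSchedule", "NoExecute")   # PreferNoSchedule is only a preference


def toleration_matches(tol, taint):
    """One toleration tolerates one taint when:
    - the keys are equal, or the toleration has an empty key with operator Exists (matches every key);
    - operator Exists ignores the value, operator Equal needs equal values;
    - the effects are equal, or the toleration leaves effect empty (matches every effect).
    """
    op = tol.get("operator", "Equal")
    if op not in ("Equal", "Exists"):
        return False
    key = tol.get("key", "")
    if key == "":
        if op != "Exists":
            return False            # an empty key is only valid together with Exists
    elif key != taint["key"]:
        return False
    if op == "Equal" and tol.get("value", "") != taint.get("value", ""):
        return False
    effect = tol.get("effect", "")
    return effect == "" or effect == taint["effect"]


def untolerated_taints(node_taints, pod_tolerations):
    """Taints on the node that no toleration on the pod covers."""
    return [t for t in node_taints
            if not any(toleration_matches(tol, t) for tol in pod_tolerations)]


def can_schedule(node, pod):
    """Hard constraints only: every NoSchedule/NoExecute taint must be tolerated."""
    missing = untolerated_taints(node["spec"].get("taints", []), pod["spec"].get("tolerations", []))
    return not any(t["effect"] in HARD_EFFECTS for t in missing)


# Constructed fragments: the node carries the taint from the kubectl command above plus a soft one.
NODE = {"metadata": {"name": "node1"}, "spec": {"taints": [
    {"key": "key", "value": "value", "effect": "NoSchedule"},
    {"key": "dedicated", "value": "gpu", "effect": "PreferNoSchedule"},
]}}


def pod_with(tolerations):
    return {"spec": {"tolerations": tolerations}}


TOLERATING = pod_with([{"key": "key", "operator": "Equal", "value": "value", "effect": "NoSchedule"}])
BARE = pod_with([])
WRONG_VALUE = pod_with([{"key": "key", "operator": "Equal", "value": "other", "effect": "NoSchedule"}])
EXISTS_ANY_EFFECT = pod_with([{"key": "key", "operator": "Exists"}])
TOLERATE_ALL = pod_with([{"operator": "Exists"}])   # what "run on every node" pods use

if __name__ == "__main__":
    for name, pod in [("tolerating", TOLERATING), ("bare", BARE), ("wrong-value", WRONG_VALUE),
                      ("exists", EXISTS_ANY_EFFECT), ("tolerate-all", TOLERATE_ALL)]:
        print(name, can_schedule(NODE, pod))
```

The `TOLERATE_ALL` case is the one to watch for in review: a bare `operator: Exists` toleration lets a pod land on any node, including ones you tainted to keep general workloads off, so it belongs on system DaemonSets and nothing else.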

Affinity vs Anti-Affinity

  • Affinity: Schedule pods together
  • Anti-Affinity: Keep pods apart (HA)

ClusterRole vs Role

| Feature   | Role                                   | ClusterRole                                                                                              |
|-----------|----------------------------------------|----------------------------------------------------------------------------------------------------------|
| Scope     | One namespace                          | Cluster-wide (the object itself is not namespaced)                                                       |
| Resources | Namespaced resources in that namespace | Cluster-scoped resources (nodes, PVs), non-resource URLs, or namespaced resources across all namespaces |
| Use Case  | Namespace access via a RoleBinding     | Cluster admins via a ClusterRoleBinding, or a reusable role granted per namespace via a RoleBinding      |

Production-Ready Deployment Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: production
  labels:
    app: myapp
    version: v1.2.3
    tier: frontend
  annotations:
    description: "My production application"
    git-commit: "abc123def456"
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
        version: v1.2.3
        tier: frontend
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9090"
    spec:
      # Security
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 2000
        seccompProfile:
          type: RuntimeDefault
      # Service Account
      serviceAccountName: myapp-sa
      # Anti-affinity for HA
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - myapp
                topologyKey: kubernetes.io/hostname
      # Containers
      containers:
        - name: myapp
          image: myregistry.io/myapp:1.2.3
          imagePullPolicy: IfNotPresent
          # Ports
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            - name: metrics
              containerPort: 9090
              protocol: TCP
          # Environment
          env:
            - name: ENV
              value: "production"
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: myapp-config
                  key: db_host
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: myapp-secret
                  key: db_password
          # Resources
          resources:
            requests:
              cpu: "250m"
              memory: "256Mi"
            limits:
              cpu: "1000m"
              memory: "512Mi"
          # Health Checks
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          startupProbe:
            httpGet:
              path: /startup
              port: 8080
            initialDelaySeconds: 0
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 30
          # Volume Mounts
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
            - name: cache
              mountPath: /cache
          # Security
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      # Volumes
      volumes:
        - name: config
          configMap:
            name: myapp-config
        - name: cache
          emptyDir:
            sizeLimit: 500Mi
      # Image Pull Secrets
      imagePullSecrets:
        - name: registry-secret
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: production
  labels:
    app: myapp
spec:
  type: ClusterIP
  selector:
    app: myapp
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
  sessionAffinity: None
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: myapp
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: myapp
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Percent
          value: 50
          periodSeconds: 15
    scaleUp:
      stabilizationWindowSeconds: 0
      policies:
        - type: Percent
          value: 100
          periodSeconds: 15
        - type: Pods
          value: 4
          periodSeconds: 15
      selectPolicy: Max
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: myapp-pdb
  namespace: production
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: myapp
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-netpol
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: production
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
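The hardening in the Deployment above (non-root user, RuntimeDefault seccomp, dropped capabilities, read-only root filesystem, resource limits, probes, a pinned image tag) is easy to lose in a later `kubectl edit`. The script below is an added example, not part of this cheatsheet: it audits the pod template of a Deployment fetched with `kubectl get deployment myapp -n production -o json` against those settings, using two constructed samples inline (the hardened subset of the example, and the bare template `kubectl create deployment test-app --image=nginx:latest` produces).

```python
import json
import sys

# Constructed sample: the security-relevant subset of the production Deployment above.
HARDENED = {"spec": {"template": {"spec": {
    "serviceAccountName": "myapp-sa",
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "myapp", "image": "myregistry.io/myapp:1.2.3",
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "1000m", "memory": "512Mi"}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]}}}}
# Constructed sample: the bare template that `kubectl create deployment test-app --image=nginx:latest` produces.
WEAK = {"spec": {"template": {"spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]}}}}


def audit_pod_template(deployment: dict) -> list[str]:
    """Compare a Deployment's pod template against the example's hardening; [] means all checks passed."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    if pod_sc.get("runAsNonRoot") is not True:
        findings.append("pod: runAsNonRoot is not true")
    if pod_sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("pod: seccompProfile.type is not RuntimeDefault")
    if pod.get("serviceAccountName", "default") == "default":
        findings.append("pod: runs as the default ServiceAccount")
    for c in pod.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        ref = c.get("image", "").rsplit("/", 1)[-1]  # drop registry/repo path, keep name:tag or name@digest
        if "@" not in ref and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"{name}: image tag is missing or :latest")
        for res in ("cpu", "memory"):
            if res not in c.get("resources", {}).get("limits", {}):
                findings.append(f"{name}: no {res} limit")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: no {probe}")
    return findings


if __name__ == "__main__":  # kubectl get deployment myapp -n production -o json | python3 audit_deployment.py
    print("\n".join(audit_pod_template(json.load(sys.stdin)) or ["all checks passed"]))
```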

Quick Command Combinations

Get all resources in namespace

kubectl get all,cm,secret,ing,pvc -n production

Delete all resources with label

kubectl delete all -l app=myapp

Get all images in use (pods with several containers print their images space-separated, so split them onto separate lines before deduplicating)

kubectl get pods -A -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | tr -s ' ' '\n' | sort -u

Get pods not running

kubectl get pods -A --field-selector=status.phase!=Running

Restart all pods in deployment

kubectl rollout restart deployment myapp

Export all resources to YAML

kubectl get all -o yaml > all-resources.yaml

Find which pods are using most memory

kubectl top pods -A --sort-by=memory | head -20

Get pod distribution across nodes

kubectl get pods -o wide --all-namespaces | awk '{print $8}' | sort | uniq -c

Check all failed pods

kubectl get pods -A --field-selector=status.phase=Failed

Force delete stuck pod

kubectl delete pod <pod_name> --grace-period=0 --force

Get all pods with their QoS class

kubectl get pods -o custom-columns=NAME:.metadata.name,QOS:.status.qosClass

Useful kubectl Aliases

Add these to your ~/.bashrc or ~/.zshrc:

alias k='kubectl'
alias kgp='kubectl get pods'
alias kgs='kubectl get svc'
alias kgd='kubectl get deployment'
alias kgn='kubectl get nodes'
alias kdp='kubectl describe pod'
alias kds='kubectl describe svc'
alias kdd='kubectl describe deployment'
alias kl='kubectl logs'
alias klf='kubectl logs -f'
alias kex='kubectl exec -it'
alias kctx='kubectl config current-context'
alias kns='kubectl config set-context --current --namespace'
alias kga='kubectl get all'
alias kgaa='kubectl get all --all-namespaces'
alias kdel='kubectl delete'
alias kapp='kubectl apply -f'
alias keti='kubectl exec -ti'
alias kcuc='kubectl config use-context'
alias kcgc='kubectl config get-contexts'

Current Deployment: nginx-1 (3 replicas)

Interview Topics Covered: ✅ 200 kubectl commands across 39 categories
✅ RBAC (Roles, RoleBindings, ClusterRoles)
✅ PersistentVolumes & PersistentVolumeClaims
✅ Jobs & CronJobs management
✅ Ingress resources
✅ NetworkPolicy for security
✅ HorizontalPodAutoscaler (HPA)
✅ ResourceQuotas & LimitRanges
✅ PodDisruptionBudgets for HA
✅ kubectl debug (modern debugging)
✅ Advanced JSONPath & custom columns
✅ Patch & update strategies
✅ kubectl diff for change preview
✅ Kustomize integration
✅ Wait conditions & timeouts
✅ Certificate management
✅ Performance benchmarking
✅ Interview Q&A scenarios (6 real-world problems)
✅ Kubernetes best practices (pod design, security, deployment, operations)
✅ Common pitfalls & solutions (10 critical mistakes)
✅ Key differences (Deployment vs StatefulSet, Service types, probes, etc.)
✅ Production-ready complete example (Deployment + Service + HPA + PDB + NetworkPolicy)
✅ Useful kubectl aliases

Modern Kubernetes Features (1.25-1.29):

  • kubectl debug with ephemeral containers
  • Server-side apply
  • Pod Security Standards
  • HPA v2 with custom metrics
  • PodDisruptionBudget v1
  • NetworkPolicy improvements
  • Advanced scheduling (affinity, topology spread)
  • Resource management & QoS classes