Kubernetes Cheatsheet

Kubectl

List all applications and services

kubectl get all

Resource: https://coreos.com/tectonic/docs/latest/tutorials/sandbox/deleting-deployment.html#:~:text=Go to Workloads > Deployments.,Go to Routing > Services.

List all pods

kubectl get pods

Delete a pod

kubectl delete pod <pod name>

Resource: https://www.fairwinds.com/blog/how-to-create-view-and-destroy-a-pod-in-kubernetes

List all nodes

kubectl get nodes

Get more information about a node

kubectl describe nodes <node name>

List all containers

kubectl get pods --all-namespaces -o=custom-columns=NameSpace:.metadata.namespace,NAME:.metadata.name,CONTAINERS:.spec.containers[*].name

Resource: https://serverfault.com/questions/873490/how-to-list-all-containers-in-kubernetes

By namespace

kubectl get pods -n <namespace>

Get information about all deployments

kubectl describe deployments

Get information about a deployment

kubectl describe deployment nginx-deployment

Get shell in container

kubectl exec -it <container name> bash

Secrets

Get a list of secrets

kubectl get secrets

View a secret

kubectl get secret <secret name> -o json | jq .

For example, to view the contents of a secret called db-user-pass:

kubectl get secret db-user-pass -o json | jq .

You can also opt to output in yaml as well:

kubectl get secret <secret name> -o yaml

Once you've done this, take the base64 encoded output and decode it to get the secret.

Resource: https://kubernetes.io/docs/concepts/configuration/secret/

List all services

kubectl get services

Get names of services

kubectl get services --sort-by=.metadata.name

Resource: https://kubernetes.io/docs/reference/kubectl/cheatsheet/

Get Pod IP Address

kubectl get pods -l app=<app name> -o yaml |grep podIP

Get more information about a pod

kubectl describe pod <pod name>

Resource: https://stackoverflow.com/questions/34848422/how-to-debug-imagepullbackoff

Delete an application

Find the deployment and service beforehand:

kubectl delete deployment.apps/<name> service/<name>

For example, for a service and deployment called 'app':

kubectl delete deployment.apps/app service/app

Resource: https://coreos.com/tectonic/docs/latest/tutorials/sandbox/deleting-deployment.html#:~:text=Go to Workloads > Deployments.,Go to Routing > Services.

Alternatively, you could just run this in the directory with all of the files:

kubectl delete -k ./

Resource: https://kubernetes.io/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/

Get external IP addresses of all nodes

kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'

Resource: https://kubernetes.io/docs/reference/kubectl/cheatsheet/

Get all container images

kubectl get pods --all-namespaces -o=jsonpath="{..image}

Get all container images filtered by pod label

kubectl get pods --all-namespaces -o=jsonpath="{..image}" -l app=<name>

For example, for a label with the app name 'nginx' created with this tutorial:

kubectl get pods --all-namespaces -o=jsonpath="{..image}" -l app=nginx

Resource: https://kubernetes.io/docs/tasks/access-application-cluster/list-all-running-container-images/#list-container-images-filtering-by-pod-label

Troubleshooting

This will sort the output for you as well based on when something was created:

kubectl get events --all-namespaces  --sort-by='.metadata.creationTimestamp'

Alternatively, you can just run:

kubectl get events

Resources:
https://serverfault.com/questions/728727/kubernetes-stuck-on-containercreating
https://stackoverflow.com/questions/36377784/pod-in-kubernetes-always-in-pending-state

Check for insecure kubelet API access

From the host

curl -k https://localhost:10250/pods

Remotely

curl -k https://<target system running kub>:10250/pods

Resource: https://sysdig.com/blog/kubernetes-security-kubelet-etcd/

Kubernetes config file location

env |grep KUBECONFIG

Secure kubelet API access

Use the information from the kubernetes config file to get the location of the certificate-authority, the client-certificate, and the client-key. Alternatively, you can also run ps aux |grep kubelet and look at the command line parameters that are set.

Once you have this, you can run the following from the kubernetes host:

curl --cacert <path> --key <path> --cert <path> -k https://localhost:10250/pods | jq .

For example:

curl --cacert /etc/kubernetes/pki/ca.crt --key /etc/kubernetes/pki/apiserver-kubelet-client.key --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt -k https://localhost:10250/pods | jq .

Resources:
https://sysdig.com/blog/kubernetes-security-kubelet-etcd/
https://medium.com/@netscylla/kubernetes-or-kuberpwn-586c687d5459

Default network access policies

If network policies are defined, the Kubernetes default policy is allow. Subsequently, you can talk to networked assets from within a container. To test this, exec into a container:

kubectl exec -it <container name> sh

Once inside, you can try things like querying the AWS metadata service (or another networked resource):

wget -O - -q http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance/

If this works, you can ascertain that an attacker that gains access to a running container gains unfettered network access.

Resolution

Specify network access configurations that minimize ingress and egress access for each pod.

Resources:
https://medium.com/@reuvenharrison/an-introduction-to-kubernetes-network-policies-for-security-people-ba92dd4c809d

Service Port forwarding

This will forward the service on 8443 of <service name> to localhost:1234

kubectl port-forward service/<service name> 1234:8443 -n <namespace>

Set cluster

kubectl config use-context <cluster> 

Get list of everything a service account can do

kubectl auth can-i --list

Use local image

Add this line to your pod yaml file:

imagePullPolicy: Never

Resource: https://stackoverflow.com/questions/55392014/kubectl-get-pods-shows-errimagepull

Run docker in docker

This is a very bad thing to do from a security standpoint, but when you need it, this is how you do it:

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: dev
    imagePullPolicy: Never
    name: dev
    volumeMounts:
    - name: docker-sock-volume
      mountPath: "/var/run/docker.sock"
  volumes:
  - name: docker-sock-volume
    hostPath:
      # location on host
      path: /var/run/docker.sock

Resources:
https://stackoverflow.com/questions/56462126/how-to-add-v-var-run-docker-sock-var-run-docker-sock-when-running-container
https://devops.stackexchange.com/questions/2506/docker-in-kubernetes-deployment