First contact with kubectl

• Introduction
• kubectl get
  • Exercise
• Obtaining machine-readable output
  • Exercise
• (Ab)using kubectl and jq
  • Exercise
• Exploring types and definitions
• Introspection vs. documentation
• Type names
• Viewing details
• kubectl describe
  • Exercise
• Services
  • Exercise
• ClusterIP services
  • Exercise
• Listing running containers
  • Exercise
• Namespaces
  • Exercise
• Accessing namespaces
  • Exercise
• What are all these control plane pods?
• Scoping another namespace
  • Exercise
• Namespaces and other kubectl commands
• What about kube-public?
  • Exercise
• Exploring kube-public
  • Exercise
• Accessing cluster-info
  • Exercise
• Retrieving kubeconfig
  • Exercise
• What about kube-node-lease?

Introduction

• kubectl is (almost) the only tool we'll need to talk to Kubernetes

• It is a rich CLI tool around the Kubernetes API

  (Everything you can do with kubectl, you can do directly with the API)

• On our machines, there is a ~/.kube/config file with:

  • the Kubernetes API address

  • the path to our TLS certificates used to authenticate

• You can also use the --kubeconfig flag to pass a config file

• Or directly --server, --user, etc.

• kubectl can be pronounced "Cube C T L", "Cube cuttle", "Cube cuddle"...

kubectl get

• Let's look at our Node resources with kubectl get!

Exercise

• Look at the composition of our cluster:

kubectl get node

• These commands are equivalent:

kubectl get no
kubectl get node
kubectl get nodes

Obtaining machine-readable output

• kubectl get can output JSON, YAML, or be directly formatted

Exercise

• Give us more info about the nodes:

kubectl get nodes -o wide

• Let's have some YAML:

kubectl get no -o yaml

See that kind: List at the end? It's the type of our result!

(Ab)using kubectl and jq

• It's super easy to build custom reports

Exercise

• Show the capacity of all our nodes as a stream of JSON objects:

kubectl get nodes -o json | jq ".items[] | {name:.metadata.name} + .status.capacity"

Exploring types and definitions

• We can list all available resource types by running kubectl api-resources
  (In Kubernetes 1.10 and prior, this command used to be kubectl get)

• We can view the definition for a resource type with:

  kubectl explain type
  

• We can view the definition of a field in a resource, for instance:

  kubectl explain node.spec
  

• Or get the full definition of all fields and sub-fields:

  kubectl explain node --recursive
  

Introspection vs. documentation

• We can access the same information by reading the API documentation

• The API documentation is usually easier to read, but:

  • it won't show custom types (like Custom Resource Definitions)

  • we need to make sure that we look at the correct version

• kubectl api-resources and kubectl explain perform introspection

  (they communicate with the API server and obtain the exact type definitions)

Type names

• The most common resource names have three forms:

  • singular (e.g. node, service, deployment)

  • plural (e.g. nodes, services, deployments)

  • short (e.g. no, svc, deploy)

• Some resources do not have a short names

• Endpoints only have a plural form

  (because even a single Endpoints resource is actually a list of endpoints)

Viewing details

• We can use kubectl get -o yaml to see all available details

• However, YAML output is often simultaneously too much and not enough

• For instance, kubectl get node node1 -o yaml is:

  • too much information (e.g.: list of images available on this node)

  • not enough information (e.g.: doesn't show pods running on this node)

  • difficult to read for a human operator

• For a comprehensive overview, we can use kubectl describe instead

kubectl describe

• kubectl describe needs a resource type and (optionally) a resource name

• It is possible to provide a resource name prefix

  (all matching objects will be displayed)

• kubectl describe will retrieve some extra information about the resource

Exercise

• Look at the information available for node1 with one of the following commands:

  kubectl describe node/node1
  kubectl describe node node1
  

(We should notice a bunch of control plane pods.)

Services

• A service is a stable endpoint to connect to "something"

  (In the initial proposal, they were called "portals")

Exercise

• List the services on our cluster with one of these commands:

  kubectl get services
  kubectl get svc
  

There is already one service on our cluster: the Kubernetes API itself.

ClusterIP services

• A ClusterIP service is internal, available from the cluster only

• This is useful for introspection from within containers

Exercise

• Try to connect to the API:

  curl -k https://`10.96.0.1`
  

  • -k is used to skip certificate verification

  • Make sure to replace 10.96.0.1 with the CLUSTER-IP shown by kubectl get svc

The error that we see is expected: the Kubernetes API requires authentication.

Listing running containers

• Containers are manipulated through pods

• A pod is a group of containers:

  • running together (on the same node)

  • sharing resources (RAM, CPU; but also network, volumes)

Exercise

• List pods on our cluster:

  kubectl get pods
  

Where are the pods that we saw just a moment earlier?!?

Namespaces

• Namespaces allow us to segregate resources

Exercise

• List the namespaces on our cluster with one of these commands:

  kubectl get namespaces
  kubectl get namespace
  kubectl get ns
  

  You know what ... This kube-system thing looks suspicious.

In fact, I'm pretty sure it showed up earlier, when we did:

kubectl describe node node1

Accessing namespaces

• By default, kubectl uses the default namespace

• We can see resources in all namespaces with --all-namespaces

Exercise

• List the pods in all namespaces:

  kubectl get pods --all-namespaces
  

• Since Kubernetes 1.14, we can also use -A as a shorter version:

  kubectl get pods -A
  

Here are our system pods!

What are all these control plane pods?

• etcd is our etcd server

• kube-apiserver is the API server

• kube-controller-manager and kube-scheduler are other control plane components

• coredns provides DNS-based service discovery (replacing kube-dns as of 1.11)

• kube-proxy is the (per-node) component managing port mappings and such

• weave is the (per-node) component managing the network overlay

• the READY column indicates the number of containers in each pod

  (1 for most pods, but weave has 2, for instance)

Scoping another namespace

• We can also look at a different namespace (other than default)

Exercise

• List only the pods in the kube-system namespace:

  kubectl get pods --namespace=kube-system
  kubectl get pods -n kube-system
  

Namespaces and other kubectl commands

• We can use -n/--namespace with almost every kubectl command

• Example:

  • kubectl create --namespace=X to create something in namespace X

• We can use -A/--all-namespaces with most commands that manipulate multiple objects

• Examples:

  • kubectl delete can delete resources across multiple namespaces

  • kubectl label can add/remove/update labels across multiple namespaces

What about kube-public?

Exercise

• List the pods in the kube-public namespace:

  kubectl -n kube-public get pods
  

Nothing!

kube-public is created by kubeadm & used for security bootstrapping.

Exploring kube-public

• The only interesting object in kube-public is a ConfigMap named cluster-info

Exercise

• List ConfigMap objects:

  kubectl -n kube-public get configmaps
  

• Inspect cluster-info:

  kubectl -n kube-public get configmap cluster-info -o yaml
  

Note the selfLink URI: /api/v1/namespaces/kube-public/configmaps/cluster-info

We can use that!

Accessing cluster-info

• Earlier, when trying to access the API server, we got a Forbidden message

• But cluster-info is readable by everyone (even without authentication)

Exercise

• Retrieve cluster-info:

  curl -k https://10.96.0.1/api/v1/namespaces/kube-public/configmaps/cluster-info
  

• We were able to access cluster-info (without auth)

• It contains a kubeconfig file

Retrieving kubeconfig

• We can easily extract the kubeconfig file from this ConfigMap

Exercise

• Display the content of kubeconfig:

    curl -sk https://10.96.0.1/api/v1/namespaces/kube-public/configmaps/cluster-info \
         | jq -r .data.kubeconfig
  

• This file holds the canonical address of the API server, and the public key of the CA

• This file does not hold client keys or tokens

• This is not sensitive information, but allows us to establish trust

What about kube-node-lease?

• Starting with Kubernetes 1.14, there is a kube-node-lease namespace

  (or in Kubernetes 1.13 if the NodeLease feature gate is enabled)

• That namespace contains one Lease object per node

• Node leases are a new way to implement node heartbeats

  (i.e. node regularly pinging the control plane to say "I'm alive!")

• For more details, see KEP-0009 or the node controller documentation