Kubernetes Reference

Kubernetes (K8s)

Pods, deployments, services, config maps, namespaces, and kubectl commands.

kubectl Essentials

kubectl get pods -A -o wide
List all pods across ALL namespaces with extra info (node, IP). Default shows only current namespace.
Example: kubectl get pods -n production -o wide --sort-by=.status.startTime
kubectl describe pod <name>
Detailed pod info — events, conditions, container statuses. First tool for debugging crashes.
Example: kubectl describe pod api-7d4b9c -n production
kubectl logs -f --tail=100
Stream logs from a pod container. Use -c to specify container in multi-container pods.
Example: kubectl logs -f deployment/api -c app --tail=200
kubectl exec -it pod -- bash
Open an interactive shell inside a running container for debugging.
Example: kubectl exec -it pod/api-xyz -n prod -- /bin/sh
kubectl apply -f file.yaml
Declaratively create or update any K8s resource from a YAML manifest.
Example: kubectl apply -f ./k8s/ --dry-run=server # validate first
kubectl rollout undo deploy
One-command rollback to previous deployment revision — instant recovery from bad deploys.
Example: kubectl rollout undo deployment/api --to-revision=3

Core Resources

Pod
Smallest deployable unit. Contains one or more containers sharing network & storage.
Example: spec.containers[].resources.requests/limits — always set these!
Deployment
Manages ReplicaSet lifecycle — declarative updates, rollback, scaling, rolling updates.
Example: kubectl scale deployment/api --replicas=5
StatefulSet
Like Deployment but for stateful apps — stable pod names, ordered updates, persistent storage.
Example: StatefulSet: postgres-0, postgres-1 ... (predictable DNS names)
DaemonSet
Ensures a copy of a pod runs on every node — perfect for logging agents, monitoring, VPNs.
Example: DaemonSet: fluentd, node-exporter, datadog-agent
Job / CronJob
Run-to-completion workload / scheduled recurring job (cron syntax).
Example: schedule: "0 2 * * *" # run at 2AM daily
HorizontalPodAutoscaler
Automatically scale replicas based on CPU/memory metrics or custom metrics.
Example: kubectl autoscale deploy api --cpu-percent=70 --min=2 --max=20

Networking

ClusterIP (default)
Internal-only service — accessible only within the cluster via stable DNS name.
Example: my-svc.namespace.svc.cluster.local:80 // internal DNS
NodePort
Exposes service on a port on every node's IP (30000-32767 range). Dev/testing use.
Example: nodePort: 31000 # accessible at NodeIP:31000
LoadBalancer
Provisions a cloud load balancer (ELB/GCP LB) with a public IP. For production ingress.
Example: type: LoadBalancer # cloud provider creates external IP
Ingress + IngressClass
HTTP/HTTPS routing rules: hostname/path → service. Requires an Ingress Controller (nginx, etc.).
Example: rules: - host: api.example.com http.paths.backend.service.name: api-svc
NetworkPolicy
Firewall rules for pod-to-pod traffic. Default-deny all, then allowlist what is needed — zero-trust networking. Enforced only when the cluster's CNI plugin supports NetworkPolicy.
Example: podSelector: {matchLabels: {app: db}} # restrict who can reach database pods
kubectl port-forward
Tunnel a local port to a pod/service port without exposing it externally.
Example: kubectl port-forward svc/postgres 5432:5432 -n prod

Config, Secrets & RBAC

ConfigMap
Store non-sensitive config as key-value pairs. Mount as env vars or files in pods.
Example: kubectl create configmap app-config --from-file=config.env
Secret (base64)
Like ConfigMap, but values are base64-encoded (an encoding, not encryption) and access-controlled. Always use Sealed Secrets or Vault in prod.
Example: kubectl create secret generic db-creds --from-literal=password=secret
ServiceAccount + RBAC
Identity for pods. RBAC binds roles (verbs on resources) to ServiceAccounts/users.
Example: Role → RoleBinding (namespaced); ClusterRole → ClusterRoleBinding (global)
PodSecurityContext
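Run containers as non-root, with a read-only root filesystem and dropped capabilities — defense in depth. runAsNonRoot can be set at pod or container level; readOnlyRootFilesystem and capabilities are set in the container-level securityContext.
Example: securityContext: {runAsNonRoot: true, readOnlyRootFilesystem: true} # container-level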
Resource Requests & Limits
Requests = guaranteed minimum. Limits = maximum cap. Always set both to avoid OOM kills and CPU throttling.
Example: resources: {requests: {cpu: 100m, memory: 128Mi}, limits: {cpu: 500m, memory: 512Mi}}
LimitRange / ResourceQuota
LimitRange sets default resource constraints per pod. ResourceQuota caps total usage per namespace.
Example: ResourceQuota: hard: {pods: "50", requests.cpu: "10", limits.memory: 20Gi}

Storage & Volumes

PersistentVolume (PV)
Cluster-level storage resource — provisioned by admin or dynamically via StorageClass.
Example: spec.capacity.storage: 10Gi accessModes: [ReadWriteOnce]
PersistentVolumeClaim (PVC)
Pod's request for storage — K8s binds it to a matching PV automatically.
Example: volumeClaimTemplates in StatefulSet gives each pod its own PVC
StorageClass
Dynamic PV provisioner — defines storage backend (SSD, HDD, cloud disk type).
Example: storageClassName: gp3 # AWS EBS SSD in EKS
emptyDir / hostPath
emptyDir: ephemeral pod-lifetime volume. hostPath: mounts a node directory (security risk).
Example: emptyDir: {} # scratch space or cache between containers in a pod

Health Probes & Scheduling

livenessProbe
K8s restarts container if this fails — use for detecting deadlocks, not slow startup.
Example: livenessProbe: {httpGet: {path: /health, port: 8080}, initialDelaySeconds: 30}
readinessProbe
Removes the pod from Service endpoints if it fails — prevents traffic to unhealthy pods during startup.
Example: readinessProbe: {httpGet: {path: /ready, port: 8080}, periodSeconds: 5}
startupProbe
Delays liveness checks for slow-starting apps — avoids premature restarts during startup.
Example: startupProbe: {failureThreshold: 30, periodSeconds: 10} # up to 5min startup
nodeSelector / Affinity
Schedule pods on specific nodes (simple label match / advanced rules with required/preferred).
Example: affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[].matchExpressions
Taints & Tolerations
Taints repel pods from nodes. Tolerations allow pods to be scheduled on tainted nodes.
Example: tolerations: [{key: "gpu", operator: "Exists", effect: "NoSchedule"}]
PodDisruptionBudget (PDB)
Guarantee minimum available pods during voluntary disruptions (upgrades, draining nodes).
Example: minAvailable: 2 # K8s won't drain a node if it would break this