kubectl Cheatsheet — 100+ Kubernetes Commands with Pitfalls and YAML Templates

Print the API server URL and the cluster service endpoints (DNS, dashboard if installed).

⚠ Common pitfall: If this hangs, kubeconfig is pointing at a server you cannot reach (VPN down, wrong context). Check `kubectl config current-context` first.

kubectl cluster-info

kubectl cluster-info dump

List all nodes with status, roles, age, version. Add -o wide to see internal/external IP and OS.

kubectl get nodes

kubectl get nodes -o wide

kubectl get nodes --show-labels

Show CPU and memory usage per node (real numbers from metrics-server, not limits).

⚠ Common pitfall: Needs metrics-server installed and Ready. On bare clusters you get `error: Metrics API not available` until you helm install it.

kubectl top nodes

kubectl top nodes --sort-by=memory

Deep view of a node: labels, taints, allocatable resources, conditions, running pods, events.

kubectl describe node ip-10-0-1-23

kubectl describe node | grep -A3 Taints

Mark a node unschedulable — no new pods land there, existing ones keep running.

⚠ Common pitfall: Cordon alone does NOT move workloads off — pair with `drain` before maintenance, then `uncordon` after.

kubectl cordon ip-10-0-1-23

kubectl uncordon ip-10-0-1-23

Evict all pods from a node before maintenance. Respects PodDisruptionBudgets.

⚠ Common pitfall: Daemonsets block drain by default — pass `--ignore-daemonsets`. Local-storage pods need `--delete-emptydir-data` and that DATA IS GONE.

kubectl drain ip-10-0-1-23 --ignore-daemonsets

kubectl drain ip-10-0-1-23 --ignore-daemonsets --delete-emptydir-data --force

Print the kubeconfig context you are currently pointing at (cluster + namespace + user).

⚠ Common pitfall: After a wrong `kubectl delete`, the first question is "which cluster did I just hit?" — wire this into your shell prompt with kubectx or starship.

kubectl config current-context

kubectl config get-contexts

Switch to a different context defined in kubeconfig.

⚠ Common pitfall: For frequent switching, install `kubectx` — `kubectx prod` is shorter than the full command and shows interactive fzf list.

kubectl config use-context prod

kubectx prod

Change the default namespace of the current context so you stop typing -n everywhere.

⚠ Common pitfall: Use `kubens <ns>` for one-line interactive switching. The raw command is annoying to type and easy to forget the `--current`.

kubectl config set-context --current --namespace=staging

kubens staging

Print client and server version. Skew of >1 minor is unsupported.

kubectl version

kubectl version -o json

List every resource type known to the API server with its short name, group, and namespaced flag.

kubectl api-resources

kubectl api-resources --namespaced=true

kubectl api-resources --api-group=apps

Inline docs for any resource and its fields. Drill down with dotted paths.

kubectl explain pod

kubectl explain pod.spec.containers

kubectl explain deployment --recursive

Legacy command showing control-plane component health. Deprecated since 1.19 — replaced by `kubectl get --raw=/livez`.

⚠ Common pitfall: On managed Kubernetes (EKS, GKE, AKS) you cannot see control-plane state — the cloud provider handles it. This will return errors or empty.

kubectl get componentstatuses

kubectl get --raw=/livez?verbose

kubectl get --raw=/readyz?verbose

Print the merged kubeconfig. Add --minify to show only the current context, --flatten to inline cert data.

⚠ Common pitfall: By default certs/tokens are redacted. Add --raw to dump real credentials. Never paste --raw output into a chat or issue.

kubectl config view --minify

kubectl config view --flatten -o yaml

kubectl config view --raw

List every context in kubeconfig with a * marking the active one, plus its cluster, user, and namespace.

kubectl config get-contexts

kubectl config get-contexts -o name

Remove a context entry from kubeconfig. Does not touch the cluster or user entries it referenced.

⚠ Common pitfall: Leaves orphaned cluster/user blocks behind. Run `kubectl config delete-cluster` and `delete-user` too if you want a clean file.

kubectl config delete-context old-prod

kubectl config delete-cluster old-prod

kubectl config delete-user old-prod-admin

Mark a node schedulable again after maintenance. The inverse of cordon.

kubectl uncordon ip-10-0-1-23

kubectl get nodes | grep SchedulingDisabled

Add a taint so only pods with a matching toleration land on the node. Effects: NoSchedule, PreferNoSchedule, NoExecute.

⚠ Common pitfall: NoExecute also evicts already-running pods that lack the toleration. Remove a taint by appending a minus: `key=val:NoSchedule-`.

kubectl taint nodes ip-10-0-1-23 gpu=true:NoSchedule

kubectl taint nodes ip-10-0-1-23 gpu=true:NoSchedule-

kubectl describe node ip-10-0-1-23 | grep Taints

Label a node so pods can target it with nodeSelector or nodeAffinity (e.g. disk=ssd, zone=us-east-1a).

kubectl label nodes ip-10-0-1-23 disk=ssd

kubectl label nodes ip-10-0-1-23 disk-

kubectl get nodes -L disk,zone

List nodes with extra columns: internal/external IP, OS image, kernel version, container runtime.

kubectl get nodes -o wide

kubectl get nodes -o custom-columns=NAME:.metadata.name,RUNTIME:.status.nodeInfo.containerRuntimeVersion

Hit the API server readiness endpoint directly, listing each health check and its status. The modern componentstatuses.

kubectl get --raw=/readyz?verbose

kubectl get --raw=/livez?verbose

kubectl get --raw=/healthz

List every API group/version the server serves (e.g. apps/v1, batch/v1, networking.k8s.io/v1).

⚠ Common pitfall: Use this to confirm whether a deprecated apiVersion (extensions/v1beta1) still exists before an upgrade breaks your manifests.

kubectl api-versions

kubectl api-versions | grep networking

List pods in the current namespace. Most common kubectl command.

kubectl get pods

kubectl get pods -A

kubectl get pods -o wide

kubectl get pods -w

kubectl get pods -l app=web

Get a single pod. Add -o yaml/json for the full spec, or -o jsonpath= for surgical extraction.

kubectl get pod web-7d5 -o yaml

kubectl get pod web-7d5 -o jsonpath="{.status.phase}"

kubectl get pod web-7d5 -o json | jq .status

Human-readable deep view: spec, status, containers, volumes, events. First stop for any pod issue.

⚠ Common pitfall: Events at the bottom are the actual debugging gold — ImagePull errors, FailedScheduling reasons, OOMKilled, liveness/readiness failures all live there.

kubectl describe pod web-7d5

kubectl describe pod web-7d5 | tail -30

Print stdout/stderr of a pod's main container.

⚠ Common pitfall: Multi-container pod? Add `-c <container>` or you get an error. App writing to a file in the container? `logs` is empty. Make 12-factor apps log to stdout.

kubectl logs web-7d5

kubectl logs web-7d5 -c sidecar

kubectl logs -l app=web --tail=50

Stream new log lines as they appear. Like tail -f, but for the container.

kubectl logs -f web-7d5

kubectl logs -f web-7d5 --since=10m

kubectl logs -f deployment/web

Show logs from the previous container instance — the run that just crashed.

⚠ Common pitfall: For CrashLoopBackOff debugging, this is THE command. Without --previous you see the current restart's logs which are empty until it crashes again.

kubectl logs --previous web-7d5

kubectl logs -p -c app web-7d5

Open an interactive shell or run a command inside a running pod.

⚠ Common pitfall: Try `bash` first, fall back to `sh` — alpine has no bash, distroless has no shell at all (use `kubectl debug`). The `--` separates kubectl flags from container args.

kubectl exec -it web-7d5 -- bash

kubectl exec -it web-7d5 -- sh

kubectl exec web-7d5 -- ls /app

kubectl exec -it web-7d5 -c sidecar -- sh

Tunnel a local port to a port inside a pod (or service). Great for poking at a private service from your laptop.

⚠ Common pitfall: Tunnel dies on idle, network flap, or pod restart. For long-running access use a proper bastion or `telepresence`, not port-forward.

kubectl port-forward pod/web-7d5 8080:80

kubectl port-forward svc/web 8080:80

kubectl port-forward deployment/web 8080:80

Copy files between a pod and your local machine. Either side can be the pod.

⚠ Common pitfall: Needs `tar` in the container. Many distroless images have none — bake one in or use a debug ephemeral container.

kubectl cp web-7d5:/var/log/app.log ./app.log

kubectl cp ./fix.patch web-7d5:/tmp/

kubectl cp web-7d5:/data ./data -c sidecar

Attach your terminal to the main process of a running pod. Ctrl-C may kill the container.

⚠ Common pitfall: `attach` is NOT a shell — it joins the existing process. Unless you really need the original TTY, `exec -it ... -- sh` is what you want.

kubectl attach web-7d5

kubectl attach -it web-7d5 -c app

Delete one or more pods. If owned by a controller (Deployment etc.) a replacement spins up.

⚠ Common pitfall: For restarting a deployment, use `rollout restart` — it is the supported primitive. `delete pod` on a stuck Terminating pod needs `--grace-period=0 --force` (and may leak network endpoints).

kubectl delete pod web-7d5

kubectl delete pod web-7d5 --grace-period=0 --force

kubectl delete pods -l app=web

Attach an ephemeral debug container (with curl, ps, tcpdump, whatever) to a running pod — even distroless.

⚠ Common pitfall: Needs Kubernetes ≥1.23 with EphemeralContainers stable. The debug container shares network and PID namespace, NOT the filesystem.

kubectl debug web-7d5 --image=busybox -it

kubectl debug web-7d5 --image=nicolaka/netshoot --target=app

kubectl debug node/ip-10-0-1-23 -it --image=busybox

Create a bare pod from an image. Mostly used as a quick `--rm -it` debug runner.

⚠ Common pitfall: Bare pods are not managed by any controller — they do NOT restart on node failure. Use deployments for anything that should stay up.

kubectl run tmp --rm -it --image=busybox -- sh

kubectl run curl --rm -it --image=curlimages/curl -- curl http://web

kubectl run nginx --image=nginx

Logs from the last duration. Combines well with -f and --tail.

kubectl logs --since=15m web-7d5

kubectl logs --since=1h -f web-7d5

kubectl logs --since-time=2026-05-25T08:00:00Z web-7d5

Show the last N lines. Use --tail=-1 to print all (the default sometimes hides old logs).

kubectl logs --tail=100 web-7d5

kubectl logs --tail=-1 web-7d5 > app.log

Stream logs from every container in the pod at once (app + sidecars), instead of picking one with -c.

⚠ Common pitfall: Lines from different containers interleave with no prefix by default. Add `--prefix` to tag each line with its pod/container name.

kubectl logs --all-containers web-7d5

kubectl logs --all-containers --prefix -l app=web

Prefix every log line with an RFC3339 timestamp from when the container emitted it.

kubectl logs --timestamps web-7d5

kubectl logs --timestamps --since=10m -f web-7d5

Extract exactly the field you want from a pod with a JSONPath expression. Scriptable, no jq needed.

⚠ Common pitfall: Wrap the expression in single quotes and add `range`/`end` to iterate over arrays like containers. A trailing `{"\n"}` adds a newline.

kubectl get pod web-7d5 -o jsonpath='{.status.podIP}'

kubectl get pod web-7d5 -o jsonpath='{range .spec.containers[*]}{.name}{"\t"}{.image}{"\n"}{end}'

kubectl get pods -o jsonpath='{.items[*].metadata.name}'

Dump the environment variables visible inside a running container. Fast way to verify injected config/secrets.

⚠ Common pitfall: This prints decoded secret values in plain text to your terminal/scrollback. Avoid on shared screens or recorded sessions.

kubectl exec web-7d5 -- env

kubectl exec web-7d5 -- env | grep DATABASE

kubectl exec web-7d5 -c app -- printenv LOG_LEVEL

Read the DNS config a pod actually sees. First stop when in-cluster name resolution misbehaves.

⚠ Common pitfall: A wrong `ndots:5` (the default) makes every short name try 5 search-domain suffixes first, causing slow lookups. Compare nameserver against the kube-dns ClusterIP.

kubectl exec web-7d5 -- cat /etc/resolv.conf

kubectl exec web-7d5 -- nslookup kubernetes.default

kubectl get svc -n kube-system kube-dns

Launch a debug pod with host namespaces on a specific node — inspect the node filesystem at /host, run tcpdump, etc.

⚠ Common pitfall: The node root filesystem is mounted at `/host`, not `/`. To chroot into it: `chroot /host`. This needs privileges your RBAC may not grant.

kubectl debug node/ip-10-0-1-23 -it --image=busybox

kubectl debug node/ip-10-0-1-23 -it --image=ubuntu -- chroot /host

Clone a crashing pod into a debuggable copy with a swapped image/command, leaving the original untouched.

⚠ Common pitfall: The copy is a bare pod, not managed by the original controller. Delete it yourself when done or it lingers.

kubectl debug web-7d5 --copy-to=web-debug --set-image=app=busybox -it -- sh

kubectl debug web-7d5 --copy-to=web-debug --container=app -- sleep 1d

List pods ordered by start time — the newest restarts float to the bottom. Spot flapping pods fast.

kubectl get pods --sort-by=.status.startTime

kubectl get pods --sort-by=.status.containerStatuses[0].restartCount

Build a custom table from any fields — name, node, restart count, image — instead of the default columns.

kubectl get pods -o custom-columns=NAME:.metadata.name,NODE:.spec.nodeName,RESTARTS:.status.containerStatuses[0].restartCount

kubectl get pods -o custom-columns=POD:.metadata.name,IMAGE:.spec.containers[*].image

Strip the server-injected noise (managedFields, status, default annotations) so the YAML is re-appliable. Needs the krew `neat` plugin.

⚠ Common pitfall: A raw `get -o yaml` is NOT re-appliable as-is — it carries status and managedFields that `apply` rejects or fights. `neat` (or manual trimming) fixes that.

kubectl get pod web-7d5 -o yaml | kubectl neat

kubectl krew install neat

Imperative one-liner to create a Deployment. Fine for demos; use YAML + apply for real systems.

kubectl create deployment web --image=nginx

kubectl create deployment web --image=nginx --replicas=3 --port=80

List Deployments with desired / current / ready / age. Short name: `deploy`.

kubectl get deployments

kubectl get deploy -A

kubectl get deploy web -o yaml

Change the replica count of a Deployment (or ReplicaSet / StatefulSet). Takes effect immediately.

⚠ Common pitfall: Scaling to 0 is the supported "pause" — pods are gone but the spec is preserved. Scaling back up is instant.

kubectl scale deployment web --replicas=3

kubectl scale deployment web --replicas=0

kubectl scale --replicas=5 -f deployment.yaml

Block and watch a rollout until it succeeds, fails, or times out.

kubectl rollout status deployment/web

kubectl rollout status deployment/web --timeout=2m

Show past revisions of a Deployment. Add --revision=N for the diff of a specific one.

kubectl rollout history deployment/web

kubectl rollout history deployment/web --revision=3

Roll back to the previous revision (or to a specific one with --to-revision).

⚠ Common pitfall: History depth defaults to 10. Once it scrolls off you cannot undo to it — pin critical revisions in git.

kubectl rollout undo deployment/web

kubectl rollout undo deployment/web --to-revision=3

Trigger a rolling restart by bumping a template annotation. The right way to restart a Deployment.

⚠ Common pitfall: Use this instead of `delete pod` — proper rolling update, maxUnavailable honored, zero downtime, undo works. Available for Deployments, StatefulSets, DaemonSets since 1.15.

kubectl rollout restart deployment/web

kubectl rollout restart statefulset/db

kubectl rollout restart daemonset/log-agent

Create a HorizontalPodAutoscaler that scales the Deployment between min and max based on CPU.

⚠ Common pitfall: HPA needs metrics-server. Custom-metric HPA needs an adapter (prometheus-adapter etc.). Without metrics HPA shows `unknown` and never scales.

kubectl autoscale deployment web --min=2 --max=10 --cpu-percent=70

kubectl get hpa

kubectl describe hpa web

List ReplicaSets. Each Deployment revision creates a new ReplicaSet under the hood.

kubectl get rs

kubectl get rs -l app=web

kubectl describe rs web-7d5f44

List StatefulSets — for ordered, stable-network-ID workloads like databases.

⚠ Common pitfall: PVCs created by a StatefulSet are NOT deleted when the STS is deleted — explicit cleanup needed or your data persists forever.

kubectl get sts

kubectl describe sts db

kubectl delete sts db --cascade=orphan

List DaemonSets — pods that run one copy per matching node (log shippers, CNI agents, node exporters).

kubectl get ds

kubectl get ds -A

kubectl rollout restart ds/log-agent

List Jobs (run-to-completion workloads). Add `cronjob` for scheduled ones.

kubectl get jobs

kubectl get cronjobs

kubectl create job manual-job --from=cronjob/backup

Create a Service in front of an existing Deployment (or Pod / RS). One-liner for ClusterIP.

kubectl expose deployment web --port=80 --target-port=8080

kubectl expose deployment web --type=NodePort --port=80

kubectl expose deployment web --type=LoadBalancer --port=80

List HorizontalPodAutoscalers with current / target metric, min, max, age.

kubectl get hpa

kubectl describe hpa web

kubectl delete hpa web

List PodDisruptionBudgets. They cap voluntary disruptions (drains, rolling updates) so SLO is preserved.

⚠ Common pitfall: A PDB with minAvailable=N where current replicas=N causes `drain` to hang forever. Set realistic numbers or scale up before maintenance.

kubectl get pdb

kubectl create pdb web-pdb --selector=app=web --min-available=2

Deep dive on a Deployment: replicas, strategy, current ReplicaSet, events.

kubectl describe deployment web

kubectl describe deploy web | grep -A5 Conditions

Add or change an environment variable on a Deployment, triggering a rolling update. Use KEY- to remove one.

⚠ Common pitfall: Like `set image`, this edits the live spec and drifts from your git YAML. Use `--from=configmap/<cm>` to pull all keys from a ConfigMap at once.

kubectl set env deployment/web LOG_LEVEL=debug

kubectl set env deployment/web LOG_LEVEL-

kubectl set env deployment/web --from=configmap/app-config

Patch CPU/memory requests and limits on a Deployment without editing YAML. Triggers a rolling update.

kubectl set resources deployment/web --limits=cpu=1,memory=512Mi --requests=cpu=200m,memory=256Mi

kubectl set resources deployment/web -c=app --limits=memory=1Gi

Imperatively create a CronJob with a cron schedule. The command after -- becomes the container command.

⚠ Common pitfall: CronJob times are in the kube-controller-manager timezone (usually UTC), not yours, unless you set `spec.timeZone` (stable since 1.27).

kubectl create cronjob backup --image=backup:latest --schedule="0 2 * * *" -- /backup.sh

kubectl create cronjob ping --image=busybox --schedule="*/5 * * * *" -- echo hello

Trigger a CronJob immediately by spawning a one-off Job from its template. Test a backup without waiting for the schedule.

kubectl create job manual-backup --from=cronjob/backup

kubectl get jobs -l job-name=manual-backup

Watch a StatefulSet rollout. Pods update one at a time in reverse ordinal order by default.

⚠ Common pitfall: A StatefulSet with `updateStrategy: OnDelete` will NOT roll out on spec change — you must delete each pod manually for it to recreate with the new spec.

kubectl rollout status statefulset/db

kubectl rollout status sts/db --timeout=5m

Scale a StatefulSet. Pods are added/removed one at a time, in order, respecting readiness.

⚠ Common pitfall: Scaling down does NOT delete the PVCs of removed pods (unless persistentVolumeClaimRetentionPolicy is set, 1.27+). Data sticks around.

kubectl scale statefulset db --replicas=5

kubectl scale sts db --replicas=1

List CronJobs with their schedule, suspend flag, last-scheduled time, and active job count.

⚠ Common pitfall: A CronJob with SUSPEND=True never fires. Resume with `kubectl patch cronjob <cj> -p '{"spec":{"suspend":false}}'`.

kubectl get cronjob

kubectl patch cronjob backup -p '{"spec":{"suspend":true}}'

kubectl get cronjob backup -o jsonpath='{.status.lastScheduleTime}'

Show HPA decision-making: current vs target metrics, recent scaling events, and any "unable to fetch metrics" errors.

⚠ Common pitfall: The Events at the bottom explain WHY the HPA is or is not scaling. `FailedGetResourceMetric` there almost always means metrics-server is down.

kubectl describe hpa web

kubectl get hpa web -o yaml | grep -A10 conditions

Roll a StatefulSet back to its previous revision. Like Deployments, it keeps a revision history.

kubectl rollout undo statefulset/db

kubectl rollout history statefulset/db

List Services with type, cluster IP, external IP, ports, age. Short name: `svc`.

kubectl get svc

kubectl get svc -A

kubectl get svc -o wide

List the actual pod IPs behind a Service. Empty endpoints == broken selector or no ready pods.

⚠ Common pitfall: Service has clusterIP but `curl svc` hangs? `kubectl get endpoints <svc>` is the answer 90% of the time. Empty means the selector matched nothing or readinessProbe is failing.

kubectl get endpoints web

kubectl get endpointslices -l kubernetes.io/service-name=web

Tunnel a local port to a Service. Goes through endpoints, not directly to a pod.

kubectl port-forward svc/web 8080:80

kubectl port-forward svc/db 5432:5432 -n staging

List Ingress resources with hosts, paths, address, ports.

⚠ Common pitfall: An Ingress without an IngressClass annotation (`ingressClassName: nginx`) is invisible to controllers — looks created but nothing serves it.

kubectl get ingress

kubectl describe ingress web

kubectl get ingressclass

List NetworkPolicies that restrict pod-to-pod traffic. No policy = all traffic allowed (default).

⚠ Common pitfall: NetworkPolicy is enforced by the CNI plugin (Calico, Cilium, ...). On a CNI without policy support, NetworkPolicies are silently ignored — verify with `kubectl get ds -n kube-system`.

kubectl get netpol

kubectl describe netpol deny-all

kubectl get netpol -A

Start a local API server proxy on 127.0.0.1:8001 — use to access dashboard / API without auth handling.

kubectl proxy

kubectl proxy --port=9090

curl http://127.0.0.1:8001/api/v1/namespaces

Show an Ingress with its rules, backend services, TLS, and controller-synced events at the bottom.

⚠ Common pitfall: If the ADDRESS column stays empty, no controller has claimed this Ingress — check ingressClassName and that the controller pod is running.

kubectl describe ingress web

kubectl get ingress web -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

List EndpointSlices — the scalable successor to Endpoints (default since 1.21). Each slice holds up to ~100 endpoints.

kubectl get endpointslices

kubectl get endpointslices -l kubernetes.io/service-name=web

kubectl describe endpointslice web-abc12

Pull a single field from a Service — the LoadBalancer external IP/hostname, the NodePort, or the ClusterIP.

⚠ Common pitfall: AWS NLBs publish a hostname, not an IP — read `.status.loadBalancer.ingress[0].hostname`, not `.ip`, or you get an empty string.

kubectl get svc web -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'

kubectl get svc web -o jsonpath='{.spec.clusterIP}'

kubectl get svc web -o jsonpath='{.spec.ports[0].nodePort}'

Imperatively create a ClusterIP Service. Use --tcp=80:8080 to map service port to target port.

⚠ Common pitfall: This creates a Service with NO selector unless you add one afterward — useful for pointing at external endpoints, surprising if you expected pod routing.

kubectl create service clusterip web --tcp=80:8080

kubectl create service nodeport web --tcp=80:8080 --node-port=30080

List installed IngressClasses and which is the default. An Ingress with no class falls back to the default-marked one.

kubectl get ingressclass

kubectl get ingressclass -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.ingressclass\.kubernetes\.io/is-default-class}{"\n"}{end}'

Create a ConfigMap from literal key=value pairs. Multiple --from-literal allowed.

kubectl create configmap app-config --from-literal=LOG_LEVEL=info --from-literal=DEBUG=1

kubectl create configmap app-config --from-literal=DATABASE_HOST=db.local

Create a ConfigMap from one file or a whole directory (each file becomes a key).

⚠ Common pitfall: Total size cap is ~1 MB (etcd limit). For larger config use a Secret/ConfigMap projected volume + an init container, or move to a config service.

kubectl create configmap nginx-conf --from-file=./nginx.conf

kubectl create configmap site-conf --from-file=./conf.d/

List ConfigMaps. Short name: `cm`. Add -o yaml to see the data.

kubectl get cm

kubectl get cm app-config -o yaml

kubectl get cm -A

Create a Secret from literal pairs. Values are base64-encoded at rest (NOT encrypted unless KMS is on).

⚠ Common pitfall: Secrets are base64, NOT encryption. Anyone with `get secrets` can decode. Enable encryption-at-rest in apiserver and consider Sealed Secrets / External Secrets for real safety.

kubectl create secret generic db --from-literal=password=s3cret

kubectl create secret generic api --from-literal=token=abc123

Create an imagePullSecret for a private registry. Reference it in pod spec with imagePullSecrets.

kubectl create secret docker-registry ghcr-pull --docker-server=ghcr.io --docker-username=user --docker-password=$TOKEN

kubectl create secret docker-registry ecr-pull --docker-server=123.dkr.ecr.us-east-1.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password)

Decode a single Secret value. The classic "what is the actual password in there" lookup.

⚠ Common pitfall: On macOS `base64` needs `-D` (capital), on Linux `-d` (lower). `base64 --decode` works on both.

kubectl get secret db -o jsonpath="{.data.password}" | base64 -d

kubectl get secret api -o json | jq -r ".data.token | @base64d"

List Secrets. Add -o yaml to see (base64-encoded) data.

kubectl get secret

kubectl get secret -A

kubectl get secret db -o yaml

Create a TLS Secret from a cert + key pair. Ingress / webhook configs reference it by name.

kubectl create secret tls web-tls --cert=tls.crt --key=tls.key

kubectl get secret web-tls -o yaml

List PersistentVolumeClaims with status, capacity, access modes, storage class, age.

⚠ Common pitfall: PVC stuck in Pending = no matching PV / StorageClass. `describe pvc` shows the reason. Deleting a PVC may delete the underlying PV depending on reclaim policy.

kubectl get pvc

kubectl get pv

kubectl describe pvc data-db-0

Build a ConfigMap from a .env file — each KEY=VALUE line becomes a key. Different from --from-file (whole file as one key).

⚠ Common pitfall: Lines must be plain KEY=VALUE — no `export`, no quotes-with-spaces parsing, no inline comments after the value. Shell-style .env files often fail.

kubectl create configmap app-env --from-env-file=.env

kubectl create secret generic app-env --from-env-file=.env.production

Read one key out of a ConfigMap directly, no -o yaml + manual scan. Great for shell scripts.

kubectl get configmap app-config -o jsonpath='{.data.LOG_LEVEL}'

kubectl get cm app-config -o jsonpath='{.data}'

Open a Secret in $EDITOR. Values shown are base64 — you must encode new values yourself before saving.

⚠ Common pitfall: Paste plaintext here and the value becomes double-mangled garbage. Use `kubectl create secret ... --dry-run=client -o yaml | kubectl apply -f -` instead to avoid manual base64.

kubectl edit secret db

echo -n "newpass" | base64

Create a Secret where one key holds a file's contents (e.g. an SSH key or kubeconfig). Repeatable for multiple keys.

kubectl create secret generic ssh-key --from-file=id_rsa=/home/me/.ssh/id_rsa

kubectl create secret generic kubeconfig --from-file=config=/home/me/.kube/config

Show a PVC's phase, bound PV, capacity, access mode, and — crucially — the Events explaining why it is Pending.

⚠ Common pitfall: Pending with `no persistent volumes available` means no StorageClass can provision, or you set a storageClassName that does not exist.

kubectl describe pvc data-db-0

kubectl get storageclass

kubectl get pvc -o wide

List StorageClasses and which is default (marked with (default)). PVCs with no storageClassName use the default.

⚠ Common pitfall: No default StorageClass means every PVC without an explicit class stays Pending forever. Many bare clusters ship with none.

kubectl get storageclass

kubectl get sc

kubectl patch storageclass gp2 -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

List PersistentVolumes cluster-wide with capacity, access mode, reclaim policy, status, and the claim they are bound to.

⚠ Common pitfall: A PV stuck in Released (not Available) after its PVC was deleted will NOT rebind — reclaimPolicy=Retain keeps the data but blocks reuse until you clear `.spec.claimRef`.

kubectl get pv

kubectl get pv -o custom-columns=NAME:.metadata.name,STATUS:.status.phase,CLAIM:.spec.claimRef.name

kubectl patch pv pv-001 -p '{"spec":{"claimRef":null}}'

List all namespaces with status (Active / Terminating) and age. Short name: `ns`.

kubectl get ns

kubectl create ns staging

kubectl delete ns old-staging

List ServiceAccounts in the current namespace. Every namespace gets a `default` SA.

kubectl get sa

kubectl create sa ci-bot

kubectl get sa default -o yaml

Create a Role granting verbs on resources in the current namespace.

kubectl create role pod-reader --verb=get,list,watch --resource=pods

kubectl create role app-admin --verb=* --resource=deployments,services

Bind a Role to a ServiceAccount, User, or Group within a namespace.

⚠ Common pitfall: Role + RoleBinding are namespaced. For cluster-wide permissions you need ClusterRole + ClusterRoleBinding. Mixing them is a common silent failure.

kubectl create rolebinding ci-pods --role=pod-reader --serviceaccount=ci:ci-bot

kubectl create rolebinding admin-binding --clusterrole=admin --user=alice

Create a cluster-scoped Role. Required for non-namespaced resources (nodes, PVs) or cross-namespace access.

kubectl create clusterrole node-reader --verb=get,list --resource=nodes

kubectl create clusterrolebinding viewer --clusterrole=view --user=alice

Check whether the current user (or --as <name>) is allowed to perform an action. THE RBAC debug command.

⚠ Common pitfall: Add `--list` to dump every permission you have in the namespace. Add `--as system:serviceaccount:ns:sa` to test from a pod's perspective.

kubectl auth can-i delete pods

kubectl auth can-i --list -n staging

kubectl auth can-i get secrets --as system:serviceaccount:default:my-bot

Request a time-bounded bearer token for a ServiceAccount (replaces legacy auto-created Secret tokens since 1.24).

⚠ Common pitfall: Since 1.24 SAs no longer auto-create Secret tokens — old scripts that read `kubectl get secret` for the token return nothing. Switch to `kubectl create token` or define a Secret of type kubernetes.io/service-account-token explicitly.

kubectl create token ci-bot

kubectl create token ci-bot --duration=1h

kubectl create token default -n ci > /tmp/token

Create a new namespace. The minimum unit of isolation in a cluster.

kubectl create ns staging

kubectl create ns prod --dry-run=client -o yaml > ns.yaml

Dump every action the current identity is allowed to perform in a namespace. The fastest "what can I actually do" audit.

kubectl auth can-i --list

kubectl auth can-i --list -n kube-system

kubectl auth can-i --list --as=system:serviceaccount:ci:ci-bot

Print the username, groups, and extra attributes the API server attributes to your current credentials (stable since 1.28).

⚠ Common pitfall: Surprisingly useful when an OIDC/IAM token maps you to a different user than expected — RBAC denials often trace back to the wrong identity here.

kubectl auth whoami

kubectl auth whoami -o yaml

List cluster-wide RoleBindings. The place to audit who has cluster-admin or other powerful ClusterRoles.

⚠ Common pitfall: A binding to the `system:masters` group or `cluster-admin` ClusterRole is full god mode. Grep for these first in any security review.

kubectl get clusterrolebinding

kubectl get clusterrolebinding -o jsonpath='{range .items[?(@.roleRef.name=="cluster-admin")]}{.metadata.name}{"\n"}{end}'

Show exactly which verbs on which resources a ClusterRole grants. Read before binding anyone to it.

kubectl describe clusterrole view

kubectl describe clusterrole edit

kubectl get clusterrole admin -o yaml

Bind a (cluster-scoped) ClusterRole to a ServiceAccount but only within ONE namespace. Common least-privilege pattern.

⚠ Common pitfall: Using --clusterrole with a RoleBinding (not ClusterRoleBinding) scopes those permissions to the binding's namespace only — a deliberate and very useful narrowing.

kubectl create rolebinding ci-edit --clusterrole=edit --serviceaccount=ci:ci-bot -n ci

kubectl create rolebinding read-only --clusterrole=view --user=alice -n staging

Wide listing of all bindings across namespaces, with the subjects (users/SAs/groups) shown in the output.

kubectl get rolebinding,clusterrolebinding -A -o wide

kubectl get clusterrolebinding -o wide | grep alice

CPU + memory usage per pod (real numbers from metrics-server, not requests/limits).

⚠ Common pitfall: Needs metrics-server installed. Without it: `Metrics API not available`. Container-level breakdown: `top pods --containers`.

kubectl top pods

kubectl top pods --sort-by=memory

kubectl top pods --containers -A

List recent cluster events. Add --sort-by to put the newest first.

⚠ Common pitfall: Default sort is by ResourceVersion which is meaningless to humans. ALWAYS add `--sort-by=.lastTimestamp` or `.metadata.creationTimestamp`.

kubectl get events --sort-by=.lastTimestamp

kubectl get events -A --sort-by=.lastTimestamp

kubectl get events --field-selector involvedObject.name=web-7d5

Block until a resource reaches a condition. Great for CI scripts after `apply`.

kubectl wait --for=condition=Ready pod/web-7d5 --timeout=60s

kubectl wait --for=condition=Available deployment/web --timeout=2m

kubectl wait --for=delete pod/old-7d5 --timeout=30s

Watch mode: stream changes to pod state as they happen. Ctrl-C to stop.

kubectl get pods -w

kubectl get pods -w -l app=web

kubectl get pods -w -o wide

Filter pods by status. The classic "find every failed / pending pod" search.

kubectl get pods --field-selector=status.phase=Failed -A

kubectl get pods --field-selector=status.phase=Pending

kubectl get pods --field-selector=spec.nodeName=ip-10-0-1-23

List pods + svc + deploy + rs + statefulset + daemonset in one shot. Good high-level glance.

⚠ Common pitfall: `all` does NOT include configmaps, secrets, ingresses, jobs, PVCs, CRDs — the name is misleading. For "really all", iterate api-resources.

kubectl get all

kubectl get all -A

kubectl get all -n staging -o wide

Break CPU/memory usage down per container within one pod — find which sidecar is the memory hog.

kubectl top pod web-7d5 --containers

kubectl top pod -l app=web --containers --sort-by=memory

Show only Warning-level events (Normal events filtered out) — the actionable problems, not the routine noise.

kubectl get events --field-selector type=Warning --sort-by=.lastTimestamp

kubectl get events -A --field-selector type=Warning --sort-by=.lastTimestamp

Scope events to a single object — see only what happened to this pod/deployment, not the whole namespace.

kubectl get events --field-selector involvedObject.name=web-7d5

kubectl get events --field-selector involvedObject.kind=Deployment,involvedObject.name=web

List every pod scheduled on a specific node, across all namespaces. Essential before draining a node.

kubectl get pods -A -o wide --field-selector spec.nodeName=ip-10-0-1-23

kubectl get pods -A --field-selector spec.nodeName=ip-10-0-1-23 -o name | wc -l

Block until any JSONPath field reaches a value — far more flexible than the built-in condition= waits (1.23+).

kubectl wait --for=jsonpath='{.status.phase}'=Running pod/web-7d5 --timeout=60s

kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' svc/web --timeout=5m

Stream only future changes (skip the initial full list). Pairs well with scripts that react to new events.

kubectl get pods --watch-only

kubectl get pods --watch-only -o json | jq .status.phase

Rank nodes by CPU (or memory) usage so the hottest node floats to the top. Capacity-planning at a glance.

kubectl top node --sort-by=cpu

kubectl top node --sort-by=memory

Declaratively create or update resources from YAML / JSON. The recommended workflow.

⚠ Common pitfall: Pass `-` to read from stdin: `helm template ... | kubectl apply -f -`. Apply tracks fields via last-applied-configuration annotation — manual `kubectl edit` of those fields can confuse the next apply.

kubectl apply -f deployment.yaml

kubectl apply -f ./k8s/

kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
...
EOF

Apply a Kustomize overlay. Built-in since 1.14, no separate `kustomize` binary needed.

kubectl apply -k ./overlays/prod

kubectl kustomize ./overlays/prod | kubectl apply -f -

Imperatively create resources from YAML. Fails if the resource already exists.

⚠ Common pitfall: `create` is one-shot; `apply` is idempotent. For anything you re-run (CI/CD, git ops) use `apply`. Use `create` for things that must NOT silently update (Jobs).

kubectl create -f job.yaml

kubectl create -f - <<EOF
...
EOF

Replace a resource with the contents of a YAML — must exist already. --force triggers delete+recreate.

⚠ Common pitfall: `replace --force` causes a brief outage — pod is deleted, then recreated. Avoid for live traffic — use `apply` and rely on rolling update.

kubectl replace -f svc.yaml

kubectl replace --force -f pod.yaml

Apply a partial update to a live resource without editing files. Strategic merge by default.

⚠ Common pitfall: Three merge types: --type=strategic (default, container-aware), --type=merge (RFC 7396), --type=json (RFC 6902 ops). Strategic only works for known core types — use merge for CRDs.

kubectl patch deployment web -p '{"spec":{"replicas":5}}'

kubectl patch pod web -p '{"metadata":{"labels":{"env":"prod"}}}'

kubectl patch deployment web --type=json -p='[{"op":"replace","path":"/spec/replicas","value":3}]'

Open a resource in $EDITOR; on save, the diff is applied. Quick & dirty — use with care.

⚠ Common pitfall: Edits do NOT update your git YAML — production drifts. For anything tracked in git, change the source and apply. Use edit only for quick experiments.

kubectl edit deployment web

KUBE_EDITOR="code -w" kubectl edit cm app-config

Preview what `apply` would change — server-side diff against the live state.

kubectl diff -f deployment.yaml

kubectl diff -k ./overlays/prod

Add, change, or remove (KEY-) a label on a resource. Used by selectors everywhere.

kubectl label pods web-7d5 env=prod

kubectl label pods web-7d5 env-

kubectl label nodes ip-10-0-1-23 disk=ssd

Add / change / remove (KEY-) an annotation. Free-form metadata, not used for selectors.

kubectl annotate pods web-7d5 owner=team-foo

kubectl annotate svc web service.beta.kubernetes.io/aws-load-balancer-type=nlb

Delete all resources defined in a YAML file or directory.

⚠ Common pitfall: `delete -f` of a namespace YAML deletes EVERYTHING in that namespace. Always `diff -f` before delete on prod paths.

kubectl delete -f deployment.yaml

kubectl delete -k ./overlays/staging

Apply using server-side apply — fields are owned by managers, conflicts are surfaced explicitly. Modern replacement for client-side apply.

⚠ Common pitfall: Conflicts (multiple managers touching the same field) abort the apply unless you pass --force-conflicts. Read the conflict report before forcing.

kubectl apply --server-side -f deployment.yaml

kubectl apply --server-side --force-conflicts -f deployment.yaml

Pause / resume a rollout so multiple `set` / `patch` operations land as a single revision.

kubectl rollout pause deployment/web

kubectl set image deployment/web app=nginx:1.27 && kubectl set env deployment/web LOG=info && kubectl rollout resume deployment/web

Update just the image of a container. Triggers a rolling update without editing YAML.

⚠ Common pitfall: `set image` modifies the live spec — drift from your git YAML. For tracked Deployments change the source and apply, not `set`.

kubectl set image deployment/web app=nginx:1.27

kubectl set image deploy/web app=myorg/app@sha256:abc123

Watch a rollout in real time until done. Exits non-zero on failure — perfect for CI gates.

kubectl rollout status deployment/web -w

kubectl apply -f deploy.yaml && kubectl rollout status deployment/web --timeout=3m

Send the manifest to the API server for full validation (admission webhooks, defaulting) without persisting it.

⚠ Common pitfall: --dry-run=server catches admission/webhook rejections that --dry-run=client (local only) misses entirely. Use server-side in CI gates.

kubectl apply -f deployment.yaml --dry-run=server

kubectl apply -f deployment.yaml --dry-run=client -o yaml

Apply a directory AND delete any live object with the matching label that is no longer in the files. GitOps-style sync.

⚠ Common pitfall: Prune is powerful and dangerous — a wrong selector can delete unrelated resources. Always `--dry-run=client` first and pin the label tightly.

kubectl apply -f ./k8s/ --prune -l app=web

kubectl apply -f ./k8s/ --prune -l app=web --dry-run=client

Generate clean YAML from imperative flags without creating anything. The "imperative-to-declarative" bridge.

⚠ Common pitfall: This is the canonical way to scaffold YAML you do not remember by heart: `kubectl create deployment ... --dry-run=client -o yaml > deploy.yaml`, then edit.

kubectl create deployment web --image=nginx --dry-run=client -o yaml > deploy.yaml

kubectl create configmap c --from-literal=k=v --dry-run=client -o yaml

Reveal the managedFields block (hidden by default since 1.21) — see exactly which manager owns which field under server-side apply.

⚠ Common pitfall: When two controllers fight over a field, this block names the culprits. Pair with `kubectl apply --server-side --force-conflicts` to resolve.

kubectl get deployment web -o yaml --show-managed-fields

kubectl get deployment web -o jsonpath='{.metadata.managedFields[*].manager}'

Delete every object of a kind in a namespace. e.g. clear all pods so controllers recreate them fresh.

⚠ Common pitfall: --all is namespace-scoped, NOT cluster-wide — but it still nukes everything of that kind in the namespace. Double-check `-n` before pressing enter.

kubectl delete pods --all -n staging

kubectl delete jobs --all -n batch

kubectl delete pods --all --grace-period=0 --force -n staging

Delete a controller (Deployment/StatefulSet) but leave its child pods running and unmanaged. Rare but handy for migrations.

⚠ Common pitfall: Orphaned pods now have NO controller — no self-healing, no rollout. You must adopt them under a new controller or clean up manually.

kubectl delete deployment web --cascade=orphan

kubectl delete statefulset db --cascade=orphan

Resume a paused Deployment, flushing all the changes made while paused into a single new revision.

kubectl rollout resume deployment/web

kubectl rollout pause deploy/web && kubectl set image deploy/web app=nginx:1.27 && kubectl set resources deploy/web --limits=memory=512Mi && kubectl rollout resume deploy/web

Render a Kustomize overlay to plain YAML on stdout WITHOUT applying. Inspect exactly what apply -k would send.

kubectl kustomize ./overlays/prod

kubectl kustomize ./overlays/prod | kubectl diff -f -

Strip the stale last-applied-configuration annotation so a fresh client-side apply re-establishes field ownership cleanly.

⚠ Common pitfall: Useful when a resource was created with `create` (no annotation) then later `apply`-ed and behaves oddly on field deletion. Or migrate to server-side apply instead.

kubectl annotate deployment web kubectl.kubernetes.io/last-applied-configuration-

kubectl apply --server-side --force-conflicts -f deployment.yaml

Pod cannot pull its image. `describe pod` and read Events — almost always typo in tag, missing imagePullSecret, or registry DNS issue.

⚠ Common pitfall: BackOff is exponential — looks idle but is retrying with growing intervals. After fixing the cause, `kubectl delete pod` to reset the backoff timer immediately.

kubectl describe pod web-7d5 | tail -20

kubectl get events --sort-by=.lastTimestamp -n default

kubectl create secret docker-registry ghcr --docker-server=ghcr.io --docker-username=user --docker-password=$TOKEN

Container starts then exits. `kubectl logs <pod> --previous` shows the actual error. Check Exit Code in describe.

⚠ Common pitfall: Exit codes: 0 = CMD ran to completion (your "server" is not a server), 1 = app threw, 137 = OOMKilled, 143 = SIGTERM not handled fast enough. Each implies a different fix.

kubectl logs web-7d5 --previous

kubectl describe pod web-7d5 | grep -A2 "Last State"

kubectl get pod web-7d5 -o jsonpath="{.status.containerStatuses[*].lastState}"

Kubelet kicked the pod off the node — usually due to node pressure (disk full, memory pressure). Move to a healthier node and add requests/limits.

⚠ Common pitfall: Evicted pods pile up in `kubectl get pods` until cleaned — `kubectl delete pods --field-selector=status.phase=Failed` to bulk reap.

kubectl get pods --field-selector=status.phase=Failed -A

kubectl delete pods --field-selector=status.phase=Failed -A

kubectl describe node ip-10-0-1-23 | grep -A5 Conditions

137 = 128 + SIGKILL(9). Kernel OOM killer reaped the container. Either bump memory limit or fix the leak.

⚠ Common pitfall: Set requests.memory close to typical use, limits.memory at the ceiling you can afford. JVM apps need `-XX:MaxRAMPercentage` or they ignore limits and eventually OOM.

kubectl get pod web-7d5 -o jsonpath="{.status.containerStatuses[*].lastState.terminated.reason}"

kubectl describe pod web-7d5 | grep -A2 "Limits:"

kubectl top pod web-7d5 --containers

No node can satisfy the pod's requests / nodeSelector / taints. `describe pod` shows `FailedScheduling` with the reason.

⚠ Common pitfall: Common reasons: insufficient cpu/memory, no node with the right label, taints not tolerated, no PV available for a PVC. Each needs a different fix.

kubectl describe pod web-7d5 | grep -A5 Events

kubectl get nodes -o custom-columns=NAME:.metadata.name,CPU:.status.allocatable.cpu,MEM:.status.allocatable.memory

kubectl get nodes --show-labels

Pod is stuck in Terminating forever — almost always a finalizer that nothing is processing. Force-delete is the escape hatch.

⚠ Common pitfall: `kubectl delete pod web --grace-period=0 --force` skips graceful shutdown — endpoints may leak briefly. The right long-term fix is removing the finalizer via `kubectl patch`.

kubectl delete pod web-7d5 --grace-period=0 --force

kubectl patch pod web-7d5 -p '{"metadata":{"finalizers":null}}' --type=merge

kubectl get pod web-7d5 -o yaml | grep finalizers -A3

A pod's init container is failing or never finishing. `kubectl logs <pod> -c <init-name>` to see why.

kubectl logs web-7d5 -c wait-for-db

kubectl describe pod web-7d5 | grep -A5 "Init Containers"

A registry DNS variant of ImagePullBackOff. Your cluster DNS cannot resolve the registry hostname.

⚠ Common pitfall: Check `kubectl run dnsutils --rm -it --image=busybox -- nslookup ghcr.io`. If it fails, your CoreDNS or upstream is broken. Private registries often need an in-cluster DNS hostAlias.

kubectl run dnsutils --rm -it --image=busybox -- nslookup ghcr.io

kubectl logs -n kube-system -l k8s-app=kube-dns --tail=50

kubectl get pods -n kube-system -l k8s-app=kube-dns

The container cannot start because a referenced ConfigMap/Secret key is missing. `describe pod` names the exact key.

⚠ Common pitfall: Different from ImagePullBackOff — the image pulled fine. It is a config wiring error: a `secretKeyRef`/`configMapKeyRef` points at a key that does not exist yet.

kubectl describe pod web-7d5 | grep -A3 Events

kubectl get secret db -o jsonpath='{.data}'

kubectl get cm app-config -o jsonpath='{.data}'

Kubelet failed to create the container — often a bad command, missing mount path, or a read-only root fs conflict.

⚠ Common pitfall: Read the message after the reason: "exec: no such file" = wrong command/entrypoint; "mkdir read-only file system" = the container tried to write where it cannot.

kubectl describe pod web-7d5 | grep -A2 "State:"

kubectl get pod web-7d5 -o jsonpath='{.status.containerStatuses[0].state.waiting.message}'

Pod sits in ContainerCreating for minutes — usually a volume that will not mount, or an image still pulling.

⚠ Common pitfall: `FailedMount` in events = PVC not bound or a CSI driver issue. `FailedAttachVolume` on cloud = the EBS/PD volume is still attached to another (dead) node.

kubectl describe pod web-7d5 | grep -A5 Events

kubectl get pvc

kubectl get volumeattachment

The container image was built for a different CPU architecture than the node (e.g. arm64 image on amd64 node).

⚠ Common pitfall: Classic on Apple Silicon — you build locally on arm64 and push to an amd64 cluster. Build multi-arch with `docker buildx build --platform linux/amd64,linux/arm64`.

kubectl logs web-7d5 --previous

kubectl get pod web-7d5 -o jsonpath='{.spec.nodeName}'

kubectl get node ip-10-0-1-23 -o jsonpath='{.status.nodeInfo.architecture}'

Liveness/readiness probe keeps failing so the pod restarts or never gets traffic. The app is not listening on the probe port yet.

⚠ Common pitfall: Common cause: probe `port` does not match the actual listen port, or `initialDelaySeconds` is too short for a slow-booting app. Check the probe spec vs the real port.

kubectl describe pod web-7d5 | grep -A3 -i probe

kubectl get pod web-7d5 -o jsonpath='{.spec.containers[0].readinessProbe}'

kubectl exec web-7d5 -- wget -qO- localhost:8080/healthz

A pod stays Pending because every candidate node has a taint the pod does not tolerate (e.g. a control-plane or GPU node).

⚠ Common pitfall: Add a matching `tolerations` block to the pod spec, or target untainted nodes. Control-plane nodes carry `node-role.kubernetes.io/control-plane:NoSchedule` by default.

kubectl describe pod web-7d5 | grep -A5 Events

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.taints}{"\n"}{end}'

kubectl exec/logs/port-forward fails to open the streaming connection — usually the kubelet is unreachable from the API server.

⚠ Common pitfall: On managed clusters this often means a security-group/firewall blocks apiserver→kubelet (port 10250), or the node is NotReady. Check node status and the SG rules.

kubectl get node ip-10-0-1-23

kubectl describe node ip-10-0-1-23 | grep -A5 Conditions

kubectl get pods -A --field-selector spec.nodeName=ip-10-0-1-23

A node reports NotReady — kubelet stopped posting status. Pods on it get marked Unknown then evicted after the toleration window.

⚠ Common pitfall: Common causes: kubelet crashed, disk/PID pressure, network partition, or the container runtime died. `describe node` Conditions and `journalctl -u kubelet` on the box tell the story.

kubectl get nodes

kubectl describe node ip-10-0-1-23 | grep -A8 Conditions

kubectl get pods -A -o wide --field-selector spec.nodeName=ip-10-0-1-23

Bare Pod skeleton with resources and a single container. Copy and edit name/image.

⚠ Common pitfall: Bare pods are NOT managed — node failure drops them forever. Prefer Deployment unless you really need a one-off.

apiVersion: v1
kind: Pod
metadata:
  name: web
  labels:
    app: web
spec:
  containers:
  - name: app
    image: nginx:1.27-alpine
    ports:
    - containerPort: 80
    resources:
      requests: { cpu: 100m, memory: 128Mi }
      limits:   { cpu: 500m, memory: 256Mi }

Standard Deployment template with 3 replicas, rolling update strategy, probes, and resources.

⚠ Common pitfall: Missing readinessProbe + a slow-starting app = traffic hits the pod before it is ready = 502s on every rollout. Always add a real readinessProbe.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  labels: { app: web }
spec:
  replicas: 3
  selector:
    matchLabels: { app: web }
  strategy:
    type: RollingUpdate
    rollingUpdate: { maxSurge: 1, maxUnavailable: 0 }
  template:
    metadata:
      labels: { app: web }
    spec:
      containers:
      - name: app
        image: nginx:1.27-alpine
        ports: [{ containerPort: 80 }]
        readinessProbe:
          httpGet: { path: /, port: 80 }
          periodSeconds: 5
        livenessProbe:
          httpGet: { path: /, port: 80 }
          periodSeconds: 30
        resources:
          requests: { cpu: 100m, memory: 128Mi }
          limits:   { cpu: 500m, memory: 256Mi }

ClusterIP Service in front of a Deployment selected by label.

⚠ Common pitfall: targetPort can be a name (e.g. "http") matching a containerPort name — safer than a number when ports change between versions.

apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: ClusterIP
  selector: { app: web }
  ports:
  - name: http
    port: 80
    targetPort: 80

A ConfigMap plus a Deployment snippet showing how to inject all its keys as env vars.

⚠ Common pitfall: ConfigMap changes do NOT auto-restart pods. After editing, `kubectl rollout restart deployment/<name>` to pick up the new values.

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
  DATABASE_HOST: db.local
---
# In your Deployment template.spec.containers[0]:
envFrom:
- configMapRef:
    name: app-config

Ingress routing a host + path to a Service. Uses the nginx IngressClass.

⚠ Common pitfall: Without `ingressClassName: nginx` (or matching annotation) no controller picks it up — it sits there looking created but does nothing.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
spec:
  ingressClassName: nginx
  rules:
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80

A CronJob skeleton with schedule, concurrency policy, history limits, and a single-container job template.

⚠ Common pitfall: Without `concurrencyPolicy: Forbid` a slow job can overlap with the next scheduled run. Without history limits, completed Jobs pile up forever.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: backup
spec:
  schedule: "0 2 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        spec:
          restartPolicy: Never
          containers:
          - name: backup
            image: backup:1.0
            command: ["/backup.sh"]

A run-to-completion Job with parallelism, completions, a backoff limit, and an activeDeadline timeout.

⚠ Common pitfall: restartPolicy MUST be Never or OnFailure for a Job (Always is rejected). backoffLimit caps total retries before the Job is marked Failed.

apiVersion: batch/v1
kind: Job
metadata:
  name: migrate
spec:
  completions: 1
  parallelism: 1
  backoffLimit: 3
  activeDeadlineSeconds: 600
  template:
    spec:
      restartPolicy: Never
      containers:
      - name: migrate
        image: migrate:1.0
        command: ["/run-migration.sh"]

An autoscaling/v2 HPA targeting CPU and memory utilization, with explicit min/max and a scale-down stabilization window.

⚠ Common pitfall: autoscaling/v2 (not v2beta2) is stable since 1.23. Multiple metrics mean the HPA scales on whichever demands the MOST replicas. Needs metrics-server.

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
  minReplicas: 2
  maxReplicas: 10
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
  metrics:
  - type: Resource
    resource:
      name: cpu
      target: { type: Utilization, averageUtilization: 70 }
  - type: Resource
    resource:
      name: memory
      target: { type: Utilization, averageUtilization: 80 }

A PVC requesting storage from a named StorageClass with an access mode. Mount it in a pod via volumes + volumeMounts.

⚠ Common pitfall: ReadWriteOnce binds to ONE node at a time — two pods on different nodes cannot share it. For shared access you need ReadWriteMany and a backing store that supports it (NFS, EFS, CephFS).

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: gp3
  resources:
    requests:
      storage: 10Gi

A default-deny-ingress policy plus an allow rule that only lets pods labeled role=frontend reach this app on port 8080.

⚠ Common pitfall: NetworkPolicies are additive (allow-only) and require a CNI that enforces them. An empty `podSelector: {}` with no ingress rules = deny ALL ingress to the namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
spec:
  podSelector:
    matchLabels: { app: web }
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels: { role: frontend }
    ports:
    - protocol: TCP
      port: 8080

A ServiceAccount, a namespaced Role granting pod read access, and a RoleBinding wiring them together. Least-privilege starter.

⚠ Common pitfall: The RoleBinding subject `kind: ServiceAccount` needs the SA's namespace in `subjects[].namespace`, or the binding silently grants nothing.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: app
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: app
subjects:
- kind: ServiceAccount
  name: pod-reader
  namespace: app
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io