Finding out the Kubernetes object that uses the Kubernetes secret - kubernetes

I want to know the Object(Deployment/Statefulset/..) which is using a secret. Is there a way to find this out from a secret? Is there a tool in Kubernetes community to do this?

Seems like there is nothing built in, but you can use kubectl in conjuction with jq to figure it out. Here is the example for deployments
kubectl get deployment -o json | jq '.items[] | select(.spec.template.spec.volumes[]? | .secret.secretName=="<secret name>") | .metadata.name'

You can use this command to show the labels of the Object(Deployment/Statefulset) that matches the labels of the Secret
The Pods for example
kubectl get pods [pod_name] --show-labels
or
To get the label of the Secrets
kubectl describe secrets [secret_name]
kubectl get secrets

Related

Find out all the pods that are using default service account

We have a k8s cluster with 10 workers. we run hundreds of pods in the cluster. we want to avoid running pods with default service account.
Need to find out the pods that are running with default service account. am able to find the number of pods using default service account with grep command but also need the pod name and the image it is using. Let us know your thoughts
In Case if you want to use just kubectl without jq :
needed to print both namespace and the pod name
kubectl get pods --all-namespaces -o jsonpath='{range .items[?(#.spec.serviceAccountName == "default")]}{.metadata.namespace} {.metadata.name}{"\n"}{end}' 2>/dev/null
i have added 2>/dev/null to avoid printing whole json template in case if no field was found
I used the below command to identify the pods from each namespace that is using default service account
kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.serviceAccountName?=="default") | "\(.metadata.namespace) \(.metadata.name)"' | cut -d'"' -f2 | sort
if you are using k9s you can also :pod then e the pod to see which service account it is associated with

Is there a way to list all resources created by a specific operator and their status?

I use config connector https://cloud.google.com/config-connector/docs/overview
I create gcp resources with CRDs that config connector provides:
kind: IAMServiceAccount
kind: StorageBucket
etc
Now what I'd really like is to be able to get a simple list of each resource and its status (if it was created successfully or not). Where each resource is a single line that's something like: kind, name, status, etc
Is there a way with kubectl to get a list of all resources that were created by an operator like this? I suppose I could manually label all these resources and try to select with a label but I really don't want to do that
Edit
Per the comment I could do this, but curious if there is a less unwieldy command
kubectl get crds --selector cnrm.cloud.google.com/managed-by-kcc=true \
-o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' | xargs -n 1 \
kubectl get -Ao jsonpath='{range .items[*]}{" Kind: "}{#.kind}{"Name: "}{#.metadata.name}{" Status: "}{#.status.conditions[].status}{" Reason: "}{#.status.conditions[].reason}{"\n"}{end}' --ignore-not-found
I've made a bit of research on this topic and I found 2 possible solutions to retrieve all the resources that were created by config-connector:
$ kubectl api-resources way
$ kubectl get-all/ketall way with labels (please see the explanation as it's not installed by default)
The discussion that is referencing similar issue can be found here:
Github.com: Kubernetes: kubectl: Issue 151
$ kubectl api-resources
As pointed in the comment I made you can use the following expression:
kubectl get crds --selector cnrm.cloud.google.com/managed-by-kcc=true -o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' | xargs -n 1 kubectl get --ignore-not-found
Dissecting this solution:
kubectl get crds --selector cnrm.cloud.google.com/managed-by-kcc=true
retrieve the Customer Resource Definitions that have a matching selector
-o=jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
use the jsonpath to retrieve only the value stored in .metadata.name key (get the name of the crd)
| xargs -n 1 kubectl get
pipe the output to the xargs and use each CRD retrieved from previous command to run $ kubectl get <RESOURCE>
--ignore-not-found
do not display a message about missing resource
This command could also be altered to suit the specific needs as it's shown in the question.
A side note!
Similar command is referenced in the github link I pasted above:
Github.com: Kubernetes: kubectl: Issues 151: Comment 402003022
$ kubectl get-all/ketall
Above commands can be used to retrieve all of the resources in the cluster. They are not available in default kubectl and they need additional configuration.
More reference about the installation can be found in this github page:
Github.com: Corneliusweig: Ketall
Using the approach described in the official Kubernetes documentation:
Labels are intended to be used to specify identifying attributes of objects
Kubernetes.io: Docs: Concepts: Overview: Working with objects: Labels
You can label those resources created by config connector (I know that you would like to avoid it) and look for this resources like:
$ kubectl get-all -l look=here
NAME NAMESPACE AGE
storagebucket.storage.cnrm.cloud.google.com/config-connector-bucket config-connector 135m
storagebucket.storage.cnrm.cloud.google.com/config-connector-bucket-test config-connector 13s
This resources have the .metadata.labels.look=here added to it's definitions.
Additional resources:
Cloud.google.com: Config Connector: Docs: How to: Getting Started
Thenewstack.io: Tutorial use google config connector to manage a gcp cloud sql database
There is also a way suggested in GCP config-connector docs:
kubectl get gcp
from https://cloud.google.com/config-connector/docs/how-to/monitoring-your-resources#listing_all_resources

List all the kubernetes resources related to a helm deployment or chart

I deployed a helm chart using helm install and after this I want to see if the pods/services/cms related to just this deployment have come up or failed. Is there a way to see this?
Using kubectl get pods and greping for the name works but it does not show the services and other resources that got deployed when this helm chart is deployed.
helm get manifest RELEASE_NAME
helm get all RELEASE_NAME
https://helm.sh/docs/helm/helm_get_manifest/
If you are using Helm3:
To list all resources managed by the helm, use label selector with label app.kubernetes.io/managed-by=Helm:
$ kubectl get all --all-namespaces -l='app.kubernetes.io/managed-by=Helm'
To list all resources managed by the helm and part of a specific release: (edit release-name)
kubectl get all --all-namespaces -l='app.kubernetes.io/managed-by=Helm,app.kubernetes.io/instance=release-name'
Update:
Labels key may vary over time, follow the official documentation for the latest labels.
I couldn't find anywhere that gave me what I wanted, so I wrote this one-liner using yq. It prints out all objects in Kind/name format. You might get some blank space if any manifests are nothing but comments.
helm get manifest $RELEASE_NAME | yq -N eval '[.kind, .metadata.name] | join("/")' - | sort
Published here: https://gist.github.com/bioshazard/e478d118fba9e26314bffebb88df1e33
By issuing:
kubectl get all -n <namespace> | grep ...
You will only query for the following resources:
pod
service
daemonset
deployment
replicaset
statefulset
job
cronjobs
I encourage you to follow this article for more explanation:
Studytonight.com: How to list all resources in a Kubernetes namespace
Using the example from the above link you can query the API for all resources by issuing:
kubectl api-resources --verbs=list --namespaced -o name | xargs -n 1 kubectl get --show-kind -l LABEL=VALUE --ignore-not-found -o name
This command will query the API for all the resources types in the cluster and then query for each of the resources separately by label.
You can create resources in a Helm chart with labels and then query the API by specifying: -l LABEL=VALUE.
EXAMPLE
Assuming that you provisioned following Helm chart
$ helm install awesome-nginx stable/nginx-ingress
This Chart is deprecated but it's only for example purposes.
You can query the API for all resources with:
kubectl api-resources --verbs=list -o name | xargs -n 1 kubectl get --show-kind -l release=awesome-nginx --ignore-not-found -o name
where:
LABEL <- release
VALUE <- awesome-nginx (release name)
After that you should be able to see:
endpoints/awesome-nginx-nginx-ingress-controller
endpoints/awesome-nginx-nginx-ingress-default-backend
pod/awesome-nginx-nginx-ingress-controller-86b9c7d9c7-wwr8f
pod/awesome-nginx-nginx-ingress-default-backend-6979c95c78-xn9h2
serviceaccount/awesome-nginx-nginx-ingress
serviceaccount/awesome-nginx-nginx-ingress-backend
service/awesome-nginx-nginx-ingress-controller
service/awesome-nginx-nginx-ingress-default-backend
deployment.apps/awesome-nginx-nginx-ingress-controller
deployment.apps/awesome-nginx-nginx-ingress-default-backend
replicaset.apps/awesome-nginx-nginx-ingress-controller-86b9c7d9c7
replicaset.apps/awesome-nginx-nginx-ingress-default-backend-6979c95c78
podmetrics.metrics.k8s.io/awesome-nginx-nginx-ingress-controller-86b9c7d9c7-wwr8f
podmetrics.metrics.k8s.io/awesome-nginx-nginx-ingress-default-backend-6979c95c78-xn9h2
rolebinding.rbac.authorization.k8s.io/awesome-nginx-nginx-ingress
role.rbac.authorization.k8s.io/awesome-nginx-nginx-ingress
You can modify the output by changing the -o parameter.
Additional resources:
Github.com: Kubectl get all does not list all resources in a namespace #151
Stackoverflow.com: Questions: Listing all resources in a namespace
$ helm get manifest RELEASE-NAME
helm status RELEASE_NAME
This command shows the status of a named release. The status consists
of:
last deployment time
k8s namespace in which the release lives
state of the release (can be: unknown, deployed, uninstalled, superseded, failed, uninstalling, pending-install, pending-upgrade or
pending-rollback)
list of resources that this release consists of, sorted by kind
details on last test suite run, if applicable
additional notes provided by the chart
Usage: helm status RELEASE_NAME [flags]
Official docs
Also note that helm place some known labels/annotations on resource it manages, see here. You can use it with kubectl get ... -l ...
kubectl get all -n <namespace> | grep <helm chart keyword, ex: kibana, elasticsearch>
Should list all resources created by helm chart in a particular namespace

Kubernetes kubectl get secrets by type?

I want to run kubectl and get all the secrets of type = X. Is this possible?
I.e if I want to get all secrets where type=tls
something like kubectl get secrets --type=tls?
How about field-selector:
$ kubectl get secrets --field-selector type=kubernetes.io/tls
You can do it jsonpath. Something like this:
$ kubectl get secret -o=jsonpath='{range .items[*]}{.metadata.name} {.type}{"\n"}{end}' | grep -i tls
For example, to get all the type Opaque secrets:
$ kubectl get secret -o=jsonpath='{range .items[*]}{.metadata.name} {.type}{"\n"}{end}' | grep Opaque
dummy-secret Opaque
mysecretdelete Opaque
Update:
Now you can do this with the --field-selector option in kubectl:
$ kubectl get secrets --field-selector type=kubernetes.io/tls
$ kubectl get secret --field-selector type=kubernetes.io/service-account-token
The accepted answer certainly works, but I was interested in finding a grep-less solution. Here's my contribution.
$ kubectl get secret -o=jsonpath='{.items[?(#.type=="Opaque")].metadata.name}'
dummy-secret mysecretdelete

How do I get the External IP of a Kubernetes service as a raw value?

I am running an application with GKE. It works fine but I can not figure out how to get the external IP of the service in a machine readable format.
So i am searching a gcloud or kubectl command that gives me only the external IP or a url of the format http://192.168.0.2:80 so that I can cut out the IP.
You can use the jsonpath output type to get the data directly without needing the additional jq to process the json:
kubectl get services \
--namespace ingress-nginx \
nginx-ingress-controller \
--output jsonpath='{.status.loadBalancer.ingress[0].ip}'
NOTE
Be sure to replace the namespace and service name, respectively, with yours.
Maybe not GKE as my clusters are on AWS, but I assume logic will be similar. When you kubectl get svc you can select output format and it will show more then just the "normal" get. For me, with ELB based services to het LB hostname it's enough to run ie. kubectl -n kube-system get svc cluster-nginx-ingress-controller -o json | jq .status.loadBalancer.ingress.hostname
In my case 'kubectl get services' returns array of items, but not just one service.
So then such jsonpath works fine to me:
kubectl get services -l component=controller,app=nginx-ingress -o jsonpath="{.items[0].status.loadBalancer.ingress[0].ip}"
...and yet another way... This will list all the "load-balancer" services
kubectl get services --all-namespaces -o json | jq -r '.items[] | { name: .metadata.name, ns: .metadata.namespace, ip: .status.loadBalancer?|.ingress[]?|.ip }'
Depending on the networkPlugin used by your cluster services/pods may be exposed directly on external-ip. But this will also find an Ingress controllers run in the cluster.
To get the external-ip on GCP i can use:
kubectl get services --namespace=<your-namespace> -o jsonpath="{.items[0].status.loadBalancer.ingress[0].ip}"
The answers above do not provide the output the user asked. The correct command would be:
kubectl -n $namespace get svc $ingressServiceName -o json | jq -r .status.loadBalancer.ingress[].hostname
All previous solutions don't work any more for me (on GCP).
To get the IP:
kubectl get ingress <YOUR_INGRESS_NAME> -o jsonpath="{.status.loadBalancer.ingress[0].ip}"
To get the host-name:
kubectl get ingress <YOUR_INGRESS_NAME> -o jsonpath="{.spec.rules[0].host}"
Type
minikube tunnel
or
kubectl cluster-info
You can get the public exposed IP of your relevant service.