I can use kubectl to see to which subjects a cluster role is applied, eg:
kubectl get clusterrolebindings system:node --all-namespaces -o json
{
"apiVersion": "rbac.authorization.k8s.io/v1beta1",
"kind": "ClusterRoleBinding",
....
....
"subjects": [
{
"apiGroup": "rbac.authorization.k8s.io",
"kind": "Group",
"name": "system:nodes"
}
]
}
I would like to get this info the other way around, eg: I want to list all policies applied to the "system:nodes" subject.
How can I do that?
There is no API for the reverse index. You can look up bindings and filter on ones containing the expected subject. For example, using bash, jq, and kubectl:
# $1 is kind (User, Group, ServiceAccount)
# $2 is name ("system:nodes", etc)
# $3 is namespace (optional, only applies to kind=ServiceAccount)
function getRoles() {
local kind="${1}"
local name="${2}"
local namespace="${3:-}"
kubectl get clusterrolebinding -o json | jq -r "
.items[]
|
select(
.subjects[]?
|
select(
.kind == \"${kind}\"
and
.name == \"${name}\"
and
(if .namespace then .namespace else \"\" end) == \"${namespace}\"
)
)
|
(.roleRef.kind + \"/\" + .roleRef.name)
"
}
$ getRoles Group system:authenticated
ClusterRole/system:basic-user
ClusterRole/system:discovery
$ getRoles ServiceAccount attachdetach-controller kube-system
ClusterRole/system:controller:attachdetach-controller
Related
I would like to select, and list the crds which are containing the "v1beta1" in the
.spec.versions.*.name
The versions part of the crd object looks similar like this
"versions": [
{
"name": "v1alpha2",
"served": true,
"storage": true,
"subresources": {
"status": {}
},
"name": "v1beta1"
"served": true,
"storage": true,
"subresources": {
"status": {}
}
}
]
I tried some different queries like the following, but no success.
$ kubectl get crd -ojson | jq -r '.items[] | map(select(.spec.versions[] | contains("v1beta1"))).metadata.name'
jq: error (at <stdin>:250345): Cannot index string with string "spec"
Jsonpath solution would be also great. I tried something like this without success.
$ kubectl get crd -ojsonpath="{range .items.*.spec.versions.*}{.name[?(#=='v1beta1')].metadata.name}{'\n'}{end}"
Could someone help me please?
This will show the name using jsonpath: kubectl get crd -o jsonpath='{range .items[?(#.spec.versions[].name=="v1beta1")].metadata}{.name}{"\n"}'
You could base a jq solution on:
.spec.versions[] | select(.name | contains("v1beta1"))
or similar, e.g.
.spec.versions[] | select(.name | startswith("v1beta1"))
How to select SUSPEND=False cronjob?
--selector can't be used as suspend is not added in the labels.
By using a JSONPath expression and passing it via the --output=jsonpath= option to kubectl I was able to select only cronjobs which are unsuspended and print their names as follows:
kubectl get cronjob --output=jsonpath='{range .items[?(.spec.suspend==false)]}{.metadata.name}{"\n"}{end}'
In order yo invert the selection you can simply filter on spec.suspend==true instead of false, i.e.:
kubectl get cronjob --output=jsonpath='{range .items[?(.spec.suspend==true)]}{.metadata.name}{"\n"}{end}'
For explicitness you can additionally pass the --no-headers like so, even though the former command already does not print any headers:
kubectl get cronjob --no-headers --output=jsonpath='{range .items[?(.spec.suspend==false)]}{.metadata.name}{"\n"}{end}'
Last but not least you can combine the commands above with Kubernetes selector expressions; for example:
kubectl get cronjob --selector=sometagkey==sometagvalue --no-headers --output=jsonpath='{range .items[?(.spec.suspend==false)]}{.metadata.name}{"\n"}{end}'
you can't select spec.suspend on a kubectl filter.
You could make your own jq filter
(this is just an example and could be a lot cleaner)
k get cronjob --output=json |
jq -c 'select( .items[].spec.suspend == false)' |
jq '.items[] | .metadata.name + " " + .spec.schedule + " "
+ (.spec.suspend|tostring) + " " + .spec.active'
Or if you don't mind a little golang
// Look at https://github.com/kubernetes/client-go/blob/master/examples/out-of-cluster-client-configuration/main.go
// for the other parameters (like using current kubectl context).
func getCronsBySuspend(clientset *kubernetes.Clientset, namespace string) {
cjs, err := clientset.BatchV1().CronJobs(namespace).List(context.TODO(), metav1.ListOptions{})
if err != nil {
panic(err.Error())
}
var c []string
for _, cron := range cjs.Items {
if *cron.Spec.Suspend == false {
c = append(c, cron.Name)
}
}
fmt.Printf("%v", c)
}
Sometimes, I want to explore all deployments/daemonsets which mount specific configmap/secret.
Is there any way can achieve this by kubectl?
You need to have jq to do such a complex queries.
Here you go:
kubectl get -o json deploy,daemonset | jq '[.items[] | . as $parent | .spec.template.spec.volumes[]? | select(.configMap != null) | {kind:$parent.kind, name:$parent.metadata.name, configMap:.configMap.name}]'
The jq command de-constructed:
[ // output as array
.items[] // iterate over root key 'items'
|
. as $parent // store the current entry as $parent to refer to it later
|
.spec.template.spec.volumes[]? // iterate over its volumes (the ? to prevent error if there is no volume
|
select(.configMap != null) // select only those volumes with configMap key
|
{kind:$parent.kind, name:$parent.metadata.name, configMap:.configMap.name} // now construct the output using $parent's kind and name and the configMap's name
]
Example output:
[
{
"kind": "Deployment",
"name": "telemetry-agent",
"configMap": "telemetry-config-map"
},
{
"kind": "DaemonSet",
"name": "fluent-bit",
"configMap": "fluent-bit"
},
{
"kind": "DaemonSet",
"name": "telegraf",
"configMap": "telegraf"
}
]
N.B. If you want to find specific configMap, just replace the select() clause .configMap != null to .configMap.name == "specific-configmap". Also, feel free to add --all-namespaces to the kubectl get command if you want to query from all namespaces
I want to access limits.memory variable returned by get command in k8s
kubectl get resourcequota default -n 103000-p4-dev -o custom-columns=USED:.status.used
USED
map[limits.memory:0 requests.cpu:0 requests.memory:0]
I tried many ways but couldn't succeed
[root#iaasn00126847 ~]# k get resourcequota default -n 103000-p4-dev -o custom-columns=USED:.status.used.limits.memory
returns nothing
Is there a delimiter to fetch the same
Try with jsonpath
kubectl get resourcequota default -n 103000-p4-dev -o jsonpath="{.status.used.limits\.memory}"
This is what I tried
$ kubectl apply -f https://k8s.io/examples/admin/resource/quota-mem-cpu.yaml
resourcequota/mem-cpu-demo created
$ kubectl get resourcequota
NAME CREATED AT
mem-cpu-demo 2019-10-09T06:38:39Z
$
$ kubectl get resourcequota mem-cpu-demo -o json
{
"apiVersion": "v1",
"kind": "ResourceQuota",
"metadata": {
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"ResourceQuota\",\"metadata\":{\"annotations\":{},\"name\":\"mem-cpu-demo\",\"namespace\":\"default\"},\"spec\":{\"hard\":{\"limits.cpu\":\"2\",\"limits.memory\":\"2Gi\",\"requests.cpu\":\"1\",\"requests.memory\":\"1Gi\"}}}\n"
},
"creationTimestamp": "2019-10-09T06:38:39Z",
"name": "mem-cpu-demo",
"namespace": "default",
"resourceVersion": "975",
"selfLink": "/api/v1/namespaces/default/resourcequotas/mem-cpu-demo",
"uid": "0d74d782-b717-4845-a0da-424776c05d45"
},
"spec": {
"hard": {
"limits.cpu": "2",
"limits.memory": "2Gi",
"requests.cpu": "1",
"requests.memory": "1Gi"
}
},
"status": {
"hard": {
"limits.cpu": "2",
"limits.memory": "2Gi",
"requests.cpu": "1",
"requests.memory": "1Gi"
},
"used": {
"limits.cpu": "0",
"limits.memory": "0",
"requests.cpu": "0",
"requests.memory": "0"
}
}
}
$
$ kubectl get resourcequota mem-cpu-demo -o jsonpath="{.status.used}"
map[limits.cpu:0 limits.memory:0 requests.cpu:0 requests.memory:0]$
$
$ kubectl get resourcequota mem-cpu-demo -o jsonpath="{.status.used.limits\.memory}"
0
$
$ kubectl get resourcequota mem-cpu-demo -o jsonpath="{.status.hard.limits\.memory}"
2Gi
$
For values with /, you don't need to escape them, but just the dots using brackets.
$ kubectl -n istio-system get service http2-service-ingress \
-o jsonpath="{.metadata.annotations['service\.beta\.kubernetes\.io/aws-load-balancer-type']}"
Since you key (limits.memory) contains dot, maybe you should try like this:
[root#iaasn00126847 ~]# k get resourcequota default -n 103000-p4-dev -o custom-columns=USED:.status.used.'limits\.memory'
There is no need to use jsonpath. You can still use the custom-columns output, but you need to put the key in (single or double) quotes, and escape all the dots, like this:
k get resourcequota default -n 103000-p4-dev -o custom-columns=USED:.status.used."limits\.memory"
I am currently using this with kubectl v1.17, to list nodes, as follows:
kubectl get nodes -o custom-columns=NAME:.metadata.name,ZONE:.metadata.labels.'topology\.kubernetes\.io/region'
kubectl get nodes -o custom-columns=NAME:.metadata.name,ZONE:.metadata.labels."topology\.kubernetes\.io/region"
I am using Stackdriver Monitoring API to get the metrics related to the containers. The JSON object returned from the API has the following details of the container.
Example:
{
"metric": {
"type": "container.googleapis.com/container/cpu/utilization"
},
"resource": {
"type": "gke_container",
"labels": {
"zone": "us-central1-a",
"pod_id": "1138528c-c36e-11e9-a1a7-42010a800198",
"project_id": "auto-scaling-springboot",
"cluster_name": "load-test",
"container_name": "",
"namespace_id": "f0965889-c36d-11e9-9e00-42010a800198",
"instance_id": "3962380509873542383"
}
},
"metricKind": "GAUGE",
"valueType": "DOUBLE",
"points": [
{
"interval": {
"startTime": "2019-09-04T04:00:00Z",
"endTime": "2019-09-04T04:00:00Z"
},
"value": {
"doubleValue": 0.050707947222229495
}
}
]
}
When I execute kubectl describe pod [pod name], I get none of these information unique to a container. Therefore I am unable to identify the results corresponding to a container.
Therfore, how to I get the pod ID so that I'll be able to identify it?
Use kubectl jsonpath
To get a specific pod's UID:
$ kubectl get pods -n <namespace> <pod-name> -o jsonpath='{.metadata.uid}'
$ kubectl get pods -n kube-system kubedb-66f78 -o jsonpath='{.metadata.uid}'
275ecb36-5aa8-4c2a-9c47-d8bb681b9aff⏎
Use kubectl custom-columns
List all PodName along with its UID of a namespace:
$ kubectl get pods -n <namespace> -o custom-columns=PodName:.metadata.name,PodUID:.metadata.uid
$ kubectl get pods -n kube-system -o custom-columns=PodName:.metadata.name,PodUID:.metadata.uid
PodName PodUID
coredns-6955765f44-8kp9t 0ae5c03d-5fb3-4eb9-9de8-2bd4b51606ba
coredns-6955765f44-ccqgg 6aaa09a1-241a-4013-b706-fe80ae371206
etcd-kind-control-plane c7304563-95a8-4428-881e-422ce3e073e7
kindnet-jgb95 f906a249-ab9d-4180-9afa-4075e2058ac7
kube-apiserver-kind-control-plane 971165e8-6c2e-4f99-8368-7802c1e55e60
kube-controller-manager-kind-control-plane a0dce3a7-a734-485d-bfee-8ac3de6bb486
kube-proxy-27wgd d900c0b2-dc21-46b5-a97e-f30e830aa9be
kube-scheduler-kind-control-plane 9c6f2399-4986-4259-9cd7-875eff1d7198
Use Unix/Linux command grep
You can use kubectl get pods along with grep.
$ kubectl get pods -n <namespace> <pod-name> -o yaml | grep uid
uid: bcfbdfb5-ce0f-11e9-b83e-080027d4916d
Optionally, you can try this:
$ kubectl get pod -n <namespace> <pod_name> -o jsonpath='{.metadata.uid}'