No description
| README.md | ||
Kubernetes Quick Operations Path
A hands-on, do-it-yourself path to learn core Kubernetes operations. Each section is a checklist — run the commands, observe the state, then move on. Assumes you start with an empty cluster.
0. Prerequisites
- Install a local cluster:
kind,minikube, ork3d - Install
kubectland verify:kubectl version --client - Spin up cluster:
kind create cluster(or equivalent) - Check nodes:
kubectl get nodes -o wide - Check system pods:
kubectl get pods -A - Learn the inspection trio:
get,describe,logs - Set up shell aliases:
alias k=kubectland tab completion
1. Namespaces
- List existing:
kubectl get ns - Create one:
kubectl create ns demo - Set default for current context:
kubectl config set-context --current --namespace=demo - Create via YAML and
kubectl apply -f ns.yaml - Delete and watch cascading cleanup:
kubectl delete ns demo - Observe: which resources are namespaced vs cluster-scoped?
kubectl api-resources --namespaced=true|false
2. Pods
- Run a one-off pod:
kubectl run nginx --image=nginx - Inspect:
kubectl describe pod nginx - Exec into it:
kubectl exec -it nginx -- sh - Port-forward:
kubectl port-forward pod/nginx 8080:80 - Tail logs:
kubectl logs -f nginx - Write a Pod YAML by hand (containers, image, ports, env, resources, liveness/readiness probes)
- Try multi-container pod (sidecar pattern): two containers sharing a volume
- Force-delete a stuck pod:
kubectl delete pod nginx --grace-period=0 --force
3. Deployments
- Create:
kubectl create deployment web --image=nginx --replicas=3 - Scale:
kubectl scale deploy/web --replicas=5 - Rolling update:
kubectl set image deploy/web nginx=nginx:1.25 - Watch rollout:
kubectl rollout status deploy/web - Rollback:
kubectl rollout undo deploy/web - View history:
kubectl rollout history deploy/web - Tweak strategy in YAML:
maxSurge,maxUnavailable - Kill a pod and watch the ReplicaSet recreate it
- Compare: Deployment → ReplicaSet → Pod (
kubectl get rs,kubectl get pods --show-labels)
4. StatefulSets
- Deploy a 3-replica StatefulSet (e.g., nginx with a headless Service)
- Observe ordered pod names:
web-0,web-1,web-2 - Verify stable DNS:
nslookup web-0.headless-svcfrom inside a pod - Attach a
volumeClaimTemplatesfor per-pod PVCs - Delete a pod, watch it come back with the same name + same volume
- Scale down and observe reverse order
- Compare update strategies:
RollingUpdatevsOnDelete
5. DaemonSets & Jobs (bonus built-ins)
- Create a DaemonSet — one pod per node (e.g., a log collector)
- Run a Job:
kubectl create job hello --image=busybox -- echo hi - Run a CronJob on a schedule
- Inspect completion status and pod retention
6. Services
- ClusterIP (default): expose Deployment internally
kubectl expose deploy/web --port=80 --target-port=80- Curl from another pod:
kubectl run tmp --rm -it --image=busybox -- wget -qO- web - Resolve DNS:
nslookup web.<namespace>.svc.cluster.local
- NodePort: expose on each node's IP at a static port
- LoadBalancer: requires cloud or
metallb/cloud-provider-kind; observe external IP - Headless Service (
clusterIP: None): pod-level DNS for StatefulSets - Inspect endpoints:
kubectl get endpoints web— these are the pod IPs behind the service - Break a selector label, watch endpoints empty out
7. ConfigMaps
- From literal:
kubectl create configmap app-cfg --from-literal=LOG_LEVEL=debug - From file:
kubectl create configmap app-cfg --from-file=config.yaml - Consume as env vars in a Pod (
envFrom: configMapRef) - Consume as mounted file (
volumes: configMap) - Update the ConfigMap — observe mounted files update (env vars do NOT)
- Trigger reload: rollout restart
kubectl rollout restart deploy/web
8. Secrets
- Create:
kubectl create secret generic db --from-literal=password=s3cr3t - Inspect (base64-encoded, not encrypted):
kubectl get secret db -o yaml - Mount as env var and as file — same patterns as ConfigMap
- Create a TLS secret:
kubectl create secret tls ... - Create a docker-registry pull secret and reference via
imagePullSecrets - Learn the limits: Secrets are base64, not encrypted at rest by default — read on encryption-at-rest config and external secret stores
9. Putting it together
- Build a small app stack in one namespace:
- Deployment for the app
- ConfigMap for non-sensitive config
- Secret for credentials
- ClusterIP Service for internal access
- LoadBalancer (or port-forward) for external access
- Break things on purpose: delete a pod, scale to 0, mismatch a selector, mount a missing ConfigMap key
- Diagnose with
describe,logs,get events --sort-by=.lastTimestamp
10. Next steps
- Ingress + IngressController (nginx-ingress, traefik)
- PersistentVolumes / StorageClasses / PVCs
- RBAC: Roles, ClusterRoles, ServiceAccounts
- NetworkPolicies
- Resource limits, HPA, PDBs
- Helm and Kustomize
- Operators and CRDs
Cheat-sheet commands
kubectl get <kind> -A -o wide
kubectl describe <kind>/<name>
kubectl logs -f <pod> [-c <container>]
kubectl exec -it <pod> -- sh
kubectl apply -f <file>.yaml
kubectl delete -f <file>.yaml
kubectl explain <kind>.spec # field-level docs
kubectl get events --sort-by=.lastTimestamp
kubectl run tmp --rm -it --image=busybox -- sh # throwaway debug pod