Tips & Tricks
This section contains a non-exhaustive, but hopefully helpful list of Kubernetes tips.
Kubectl
- Use `kubectl explain RESOURCE_NAME` to get API documentation directly in your terminal; field paths work too, e.g. `kubectl explain pod.spec.containers.securityContext`
- Get all pods not in Running state: `kubectl get po -A --field-selector=status.phase!=Running`
- Use `kubectl get events --sort-by=.metadata.creationTimestamp` to debug resource events
- Get images running in the cluster: `kubectl get pods -A -o jsonpath='{..image}' | tr -s '[[:space:]]' '\n' | sort | uniq`
- Use `kubectl logs -f deployment/NAME` to stream logs from a pod of a deployment (it picks one pod); to follow several pods at once use a label selector, e.g. `kubectl logs -f -l app=NAME --max-log-requests=10`
- Create temporary debug pods with `kubectl run debug --rm -it --image=busybox -- sh` (the pod is deleted when the shell exits); to inspect an existing pod without restarting it, attach an ephemeral container with `kubectl debug -it POD_NAME --image=busybox --target=CONTAINER_NAME`
- Use `kubectl scale deployment NAME --replicas=0` to quickly shut down an app
- Create a Deployment imperatively: `kubectl create deploy NAME --image=nginx --replicas=3` is faster than writing YAML for quick tests
- Run a Pod and expose it in one command: `kubectl run NAME --image=ghost:4 --port=2368 --expose` creates both the Pod and a ClusterIP Service
- Create a Job imperatively: `kubectl create job NAME --image=busybox -- echo hello` is useful for one-off tasks without writing a manifest
- Use `kubectl rollout status deployment NAME` to watch rollout progress
- Enable auto-scaling with `kubectl autoscale deployment NAME --min=2 --max=5 --cpu-percent=80` (requires metrics-server and CPU requests on the containers)
- Use `kubectl get all -n NAMESPACE` to see the common workload resources in a namespace; note that `all` does not include ConfigMaps, Secrets, Ingresses, PVCs or NetworkPolicies
- Use `kubectl cp myfile.txt POD_NAME:/tmp` to copy files to a pod and `kubectl cp POD_NAME:/tmp/myfile.txt myfile.txt` to copy them back; this requires `tar` inside the container
- Use `kubectl describe pod NAME` to get full details including events and mounted volumes
- Add `--show-labels` to `kubectl get` to see labels directly in the output
- Extract object names: `kubectl get deployment -o jsonpath='{.items[*].metadata.name}'`
- Annotate deployments to track rollouts: `kubectl annotate deployment NAME kubernetes.io/change-cause='Reason'` (the reason then appears in `kubectl rollout history`)
- Use `kubectl diff -f manifest.yaml` before applying to see what will change; it exits non-zero when there are differences, which makes it usable as a CI gate
- Use `kubectl get endpoints` (or `kubectl get endpointslices` on newer clusters) to troubleshoot service-to-pod mapping; an empty endpoint list usually means the Service selector matches no Ready pod
- Use `--dry-run=client -o yaml` to preview resources before creating them, e.g. `kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml`
- Use `kubectl get pods --watch` to follow updates to resources live
- Use `kubectl patch` for quick configuration updates instead of editing full manifests, e.g. `kubectl patch deployment NAME -p '{"spec":{"replicas":2}}'`
Helm
- Use `helm template RELEASE CHART | kubectl diff -f -` to preview Helm chart changes before applying them
- Use `helm lint` to validate your Helm chart before deploying
- Use `helm get values RELEASE_NAME` to see the values supplied to a release (`--all` includes the chart defaults)
- Use `helm rollback RELEASE_NAME REVISION` to quickly revert problematic deployments; `helm history RELEASE_NAME` lists the revisions
- Use the `helm diff` plugin (`helm diff upgrade RELEASE CHART`) to compare releases before upgrading
Networking
- Use `kubectl port-forward svc/my-service 8080:80` to access services locally (it binds to localhost only unless you pass `--address`)
- Use `kubectl get svc -o wide` to view service cluster IPs and external endpoints
- Use `kubectl get pods -o json | jq -r '.items[].status.podIP'` to get all pod IPs
- Use `kubectl get ingress -A` to see all ingress rules across namespaces
- Test network connectivity between pods with `kubectl exec POD_NAME -- nc -zv SERVICE_NAME PORT`; this needs `nc` in the image, so for minimal images attach an ephemeral container first with `kubectl debug -it POD_NAME --image=busybox`
Tools
- Install kubectx & kubens to quickly switch between contexts and namespaces
- Use k9s for an interactive terminal UI to explore Kubernetes resources
- Use kubent to check for deprecated APIs before upgrading clusters
- Use kubectl-neat to remove noise in manifest output
- Install Stern to tail logs across multiple pods
- Install kube-ps1 to show context and namespace in your shell prompt
Security
- Run `kubectl auth can-i VERB RESOURCE` to debug RBAC permissions; add `--as=system:serviceaccount:NAMESPACE:NAME` to check what a service account may do, and `--list` to enumerate everything a subject is allowed
- Mount secrets as volumes rather than exposing them as environment variables: env vars show up in `kubectl describe pod`, in `/proc/PID/environ`, in crash dumps and in every child process, while a volume-mounted Secret is also refreshed in the pod when it changes (unless mounted via `subPath`)
- Always implement RBAC and keep roles and bindings as narrow as possible: prefer a namespaced Role/RoleBinding over a ClusterRole/ClusterRoleBinding, and grant only the verbs and resources the workload actually needs
- Use NetworkPolicies to restrict pod-to-pod communication, starting from a default-deny policy per namespace; they only take effect on a CNI that enforces them (e.g. Calico or Cilium), otherwise they are silently ignored
- Use `kubectl create secret generic mysecret --from-literal=key=value` (or `--from-file`) instead of applying YAML for secrets, so the value never lands in a manifest under version control (Secret data in YAML is only base64, not encrypted); remember that `--from-literal` still ends up in shell history
- Use Pod Security Admission to enforce security constraints, by labelling namespaces with `pod-security.kubernetes.io/enforce=restricted` (or `baseline`)
- Install Falco for runtime security monitoring and threat detection
- Avoid privileged containers: `privileged: true` grants all capabilities and access to host devices, which is effectively root on the node
- Configure containers to run as non-root with `securityContext.runAsNonRoot: true`; set an explicit `runAsUser` too, because the kubelet refuses to start the container if it cannot verify that the image runs as a non-zero UID
- Disable automatic service account token mounting when the pod does not talk to the API server, with `automountServiceAccountToken: false` on the Pod or the ServiceAccount
- Use AppArmor profiles to restrict container access to system resources (`securityContext.appArmorProfile.type: RuntimeDefault` on Kubernetes 1.30+, the `container.apparmor.security.beta.kubernetes.io/CONTAINER` annotation on older clusters)
- Configure seccomp profiles to limit system calls, e.g. `seccompProfile.type: RuntimeDefault`
- Use compliance tools like kube-bench (CIS benchmark) or Kubescape to verify security standards
- If possible, encrypt secrets at rest in etcd using an EncryptionConfiguration passed to the kube-apiserver via `--encryption-provider-config`; a KMS provider is preferable to a static key stored on the control-plane node
- Scan container images for vulnerabilities using tools like Trivy in your CI pipeline and fail the build on critical findings
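The following manifest is an added example, not code from the original page: it combines the settings listed above into one namespace that enforces the `restricted` Pod Security Standard, a default-deny NetworkPolicy, and a Pod that passes the restricted profile. The namespace name `payments`, the image, the UID and the Secret name `db-creds` are assumptions.

```yaml
# Added example (not from the original page). Names, image and UID are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission: reject pods that violate the restricted profile
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}                 # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
  # no ingress/egress rules: all traffic is denied until an allow policy is added
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  automountServiceAccountToken: false   # this pod never calls the API server
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                    # explicit UID so the kubelet can verify non-root
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault              # runtime's default seccomp profile
    appArmorProfile:
      type: RuntimeDefault              # Kubernetes 1.30+; needs AppArmor-enabled nodes
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # assumed; pinned tag, never :latest
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      requests: {cpu: 100m, memory: 128Mi}
      limits: {cpu: 500m, memory: 256Mi}
    volumeMounts:
    - name: db-creds
      mountPath: /etc/secrets/db        # Secret as a file, not an env var
      readOnly: true
    - name: tmp
      mountPath: /tmp                   # writable scratch space for a read-only rootfs
  volumes:
  - name: db-creds
    secret:
      secretName: db-creds              # e.g. kubectl create secret generic db-creds --from-literal=...
      defaultMode: 0400
  - name: tmp
    emptyDir: {}
```

Apply the Namespace first so the admission labels are in place before the Pod is created. The default-deny policy also blocks DNS, so the next policy you write is normally an egress allow to kube-dns on UDP/TCP 53, followed by the specific ingress and egress the application needs.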
Best practices
- Set resource requests and limits on every container: limits stop a runaway pod from starving the node, and requests are what the scheduler and ResourceQuotas work with
- Write manifests with `envFrom` rather than many individual `env` entries to load ConfigMaps easily; note that `envFrom` exposes every key of the ConfigMap to the container
- Label nodes with `kubectl label node NODE_NAME KEY=VALUE` and schedule pods accordingly with a `nodeSelector` or node affinity
- Use `kubectl taint nodes NODE key=value:NoSchedule` to control which nodes can be scheduled; only pods carrying a matching toleration will land there
- Use PodDisruptionBudget to limit voluntary evictions (node drains, upgrades) during maintenance
- Use ResourceQuotas to limit memory/CPU usage per namespace
- Use `readinessProbe` & `livenessProbe` to make apps production-ready: readiness gates traffic, liveness restarts the container, so do not make the liveness check depend on external services or a flapping dependency will restart-loop the app
- Prefer initContainers for setup logic rather than scripting inside the main container
- Never use `:latest` image tags in production; it implies `imagePullPolicy: Always`, makes rollbacks meaningless and hides what actually runs. Pin a specific version tag, or better an image digest
- Configure affinity / anti-affinity rules to distribute pods across different nodes for high availability
Troubleshooting
- Use `kubectl get events --sort-by=.lastTimestamp -n NAMESPACE` to see the most recent events in a namespace
- Check node health with `kubectl describe node NODE_NAME` to see conditions and resource usage
- Find stuck pods with `kubectl get pods --field-selector=status.phase=Pending`; the Events section of `kubectl describe pod` usually says why the scheduler could not place them
- Use `kubectl get pods --field-selector=status.phase=Failed` to find failed pods
Performance
- Use `kubectl top pods --sort-by=cpu` to find CPU-hungry pods (requires metrics-server)
- Use `kubectl top pods --sort-by=memory` to find memory-intensive pods
- Use `kubectl get pods -o wide` to check pod distribution across nodes
Monitoring
- Use ServiceMonitor CRDs with Prometheus Operator for automatic metrics discovery
- Monitor cluster resource usage with `kubectl top nodes` regularly
- Enable Kubernetes audit logging (`--audit-policy-file` and `--audit-log-path` on the kube-apiserver) to track API server requests and security events
- Set up alerting rules with tools like Alertmanager to notify of cluster issues
Scheduling
- Use taints and tolerations to control which pods can be scheduled on specific nodes
- Set pod priorities with PriorityClass to ensure critical pods are scheduled first
- Use tools like Descheduler to rebalance pods and prevent node overloading
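The manifest below is an added example, not code from the original page; it ties together the node label and taint commands from the Best practices section with the taints/tolerations and PriorityClass tips in this section. The node name `gpu-node-1`, the label/taint key `workload`, the class name `critical-batch`, its value and the image are assumptions.

```yaml
# Added example (not from the original page). Node name, key, class and image are assumed.
# The node was prepared with:
#   kubectl label node gpu-node-1 workload=gpu
#   kubectl taint nodes gpu-node-1 workload=gpu:NoSchedule
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: critical-batch
value: 100000                          # higher than the default (0) for ordinary pods
globalDefault: false
preemptionPolicy: PreemptLowerPriority # may evict lower-priority pods to get scheduled
description: "Batch jobs that must run ahead of best-effort workloads"
---
apiVersion: v1
kind: Pod
metadata:
  name: trainer
spec:
  priorityClassName: critical-batch
  tolerations:
  # A toleration only PERMITS scheduling on the tainted node; it does not require it
  - key: workload
    operator: Equal
    value: gpu
    effect: NoSchedule
  affinity:
    nodeAffinity:
      # Node affinity is what actually pins the pod to the labelled node
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: workload
            operator: In
            values: ["gpu"]
  containers:
  - name: trainer
    image: registry.example.com/ml/trainer:0.9.3   # assumed; pinned tag
    resources:
      requests: {cpu: "2", memory: 4Gi}
      limits: {cpu: "4", memory: 8Gi}
```

The common mistake is to add only the toleration and expect the pod to land on the tainted node: the taint keeps other pods off, but without the node affinity (or a `nodeSelector`) the scheduler is still free to place this pod anywhere else.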