Tips & Tricks
This section contains a non-exhaustive, but hopefully helpful list of Kubernetes tips.
Kubectl
- Use `kubectl explain RESOURCE_NAME` to get documentation directly in your terminal
- Get all pods not in Running state: `kubectl get po -A --field-selector=status.phase!=Running`
- Use `kubectl get events --sort-by=.metadata.creationTimestamp` to debug resource events
- Get images running in the cluster: `kubectl get pods -A -o jsonpath='{..image}' | tr -s '[[:space:]]' '\n' | sort | uniq`
- Use `kubectl logs -f deployment/NAME` to stream logs from all pods in a deployment
- Create temporary debug pods with `kubectl run debug --rm -it --image=busybox -- sh`
- Use `kubectl scale deployment NAME --replicas=0` to quickly shut down an app
- Use `kubectl rollout status deployment NAME` to watch rollout progress
- Enable auto-scaling with `kubectl autoscale deployment NAME --min=2 --max=5 --cpu-percent=80`
- Use `kubectl get all -n NAMESPACE` to see all resources in a namespace
- Use `kubectl cp myfile.txt POD_NAME:/tmp` to copy files to and from pods
- Use `kubectl describe pod NAME` to get full details including events and mounted volumes
- Add `--show-labels` to `kubectl get` to see labels directly in the output
- Extract object names: `kubectl get deployment -o jsonpath='{.items[*].metadata.name}'`
- Annotate deployments to track rollouts: `kubectl annotate deployment NAME kubernetes.io/change-cause='Reason'`
- Use `kubectl diff -f manifest.yaml` before applying to see what will change
- Use `kubectl get endpoints` to troubleshoot service-to-pod mapping
- Use `--dry-run=client -o yaml` to preview resources before creating them
- Use `kubectl get --watch` to follow updates to resources live
- Use `kubectl patch` for quick configuration updates instead of editing full manifests
Helm
- Use `helm template ... | kubectl diff -f -` to preview Helm chart changes before applying them
- Use `helm lint` to validate your Helm chart before deploying
- Use `helm get values RELEASE_NAME` to see the current Helm release configuration
- Use `helm rollback RELEASE_NAME REVISION` to quickly revert problematic deployments
- Use the `helm diff` plugin to compare releases before upgrading
Networking
- Use `kubectl port-forward svc/my-service 8080:80` to access services locally
- Use `kubectl get svc -o wide` to view service cluster IPs and external endpoints
- Use `kubectl get pods -o json | jq '.items[] | .status.podIP'` to get all pod IPs
- Use `kubectl get ingress -A` to see all ingress rules across namespaces
- Test network connectivity between pods with `kubectl exec POD_NAME -- nc -zv SERVICE_NAME PORT`
Tools
- Install kubectx & kubens to quickly switch between contexts and namespaces
- Use k9s for an interactive terminal UI to explore Kubernetes resources
- Use kubent to check for deprecated APIs before upgrading clusters
- Use kubectl-neat to remove noise in manifest output
- Install Stern to tail logs across multiple pods
- Install kube-ps1 to show context and namespace in your shell prompt
- Use kube-no-trouble before upgrading Kubernetes versions
- Explore the CNCF projects for battle-tested tools instead of building everything from scratch
Security
- Run `kubectl auth can-i VERB RESOURCE` to debug RBAC permissions
- Mount Secrets as volumes rather than exposing them as environment variables
- Limit the scope of ClusterRoles and bindings to follow least-privilege principles
- Use NetworkPolicies to restrict pod-to-pod communication
- Use `kubectl create secret generic mysecret --from-literal=key=value` instead of applying YAML for secrets
- Use Pod Security Admission to enforce security constraints
- Install Falco for runtime security monitoring and threat detection
- Always implement RBAC so that applications and users get only the least privilege they need
- Avoid privileged containers, as they run with host-level permissions
- Configure containers to run as non-root using `securityContext.runAsNonRoot: true`
- Use private container registries instead of public ones to reduce security risks
- Disable automatic service account token mounting when it is not needed
- Use AppArmor profiles to restrict container access to system resources
- Configure seccomp profiles to limit system calls, e.g. `seccompProfile.type: RuntimeDefault`
- Use compliance tools like kube-bench or Kubescape to verify security standards
- If possible, encrypt Secrets at rest using an EncryptionConfiguration in your cluster
- Scan container images for vulnerabilities using tools like Trivy in your CI pipeline
Best practices
- Define resource limits in all your pods to avoid cluster overloads
- Use `envFrom` instead of many individual `env` entries to load ConfigMaps easily
- Label nodes with `kubectl label node NODE_NAME KEY=VALUE` and schedule pods accordingly
- Use `kubectl taint nodes NODE key=value:NoSchedule` to control which pods can be scheduled on a node
- Use a PodDisruptionBudget to prevent voluntary evictions during maintenance
- Use ResourceQuotas to limit memory/CPU usage per namespace
- Use ConfigMaps for application configuration and mount them as volumes
- Split environments using namespaces
- Use readinessProbe & livenessProbe to make apps production-ready
- Prefer initContainers for setup logic rather than scripting inside the main container
- Never use `:latest` image tags in production. Always use a specific version tag instead
- Use external configuration with ConfigMaps and Secrets instead of hardcoding values in pods
- Configure affinity / anti-affinity rules to distribute pods across different nodes for high availability
- Use appropriate node selection with nodeSelector, nodeAffinity, or topologySpreadConstraints
- Deploy clusters across multiple availability zones or regions for geographic redundancy
- Implement advanced deployment strategies (blue-green, canary) using tools like Argo Rollouts
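The Security and Best practices tips above are mostly fields in a Pod manifest, so a small pre-apply check makes them concrete. This is an added example, not code from the original page: `audit_pod` takes a manifest as a Python dict (what you get from `kubectl get pod -o json`, or from parsing your YAML) and reports which of the tips it violates; `WEAK_POD` and `HARDENED_POD` are constructed samples showing the weak settings beside the corrected ones.

```python
# Constructed sample manifests (JSON form of the YAML you would `kubectl apply`).
# WEAK_POD breaks several tips above; HARDENED_POD applies them.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [{
        "name": "app", "image": "registry.example/app:latest",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pass"}}}],
    }]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "registry.example/app:1.4.2",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "volumeMounts": [{"name": "db", "mountPath": "/etc/db", "readOnly": True}],
        }],
        "volumes": [{"name": "db", "secret": {"secretName": "db"}}],
    },
}

def audit_pod(pod):
    """Return one finding per tip from this page that the manifest violates."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    if spec.get("automountServiceAccountToken", True):   # Kubernetes defaults this to true
        findings.append("pod: automountServiceAccountToken not disabled")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc, image = c["name"], c.get("securityContext", {}), c.get("image", "")
        last = image.rsplit("/", 1)[-1]                  # drop registry/path so a port is not read as a tag
        tag = last.split(":", 1)[1] if ":" in last else None
        if "@sha256:" not in image and tag in (None, "latest"):
            findings.append(f"{name}: image '{image}' uses :latest or no tag")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):  # container-level overrides pod-level
            findings.append(f"{name}: runAsNonRoot not set")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type is not RuntimeDefault")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
        if any("secretKeyRef" in e.get("valueFrom", {}) for e in c.get("env", [])):
            findings.append(f"{name}: secret passed as env var instead of a volume")
    return findings
```

Running `audit_pod(WEAK_POD)` lists seven findings, one per tip the weak manifest ignores, while `audit_pod(HARDENED_POD)` returns an empty list.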
Troubleshooting
- Use `kubectl get events --sort-by=.lastTimestamp -n NAMESPACE` to see the most recent events in a namespace
- Check node health with `kubectl describe node NODE_NAME` to see conditions and resource usage
- Find stuck pods with `kubectl get pods --field-selector=status.phase=Pending`
- Use `kubectl get pods --field-selector=status.phase=Failed` to find failed pods
Performance
- Use `kubectl top pods --sort-by=cpu` to find CPU-hungry pods
- Use `kubectl top pods --sort-by=memory` to find memory-intensive pods
- Enable Vertical Pod Autoscaling (VPA) for right-sizing recommendations
- Use `kubectl get pods -o wide` to check pod distribution across nodes
- Set `resources.requests` and `resources.limits` based on actual usage patterns
- Use node affinity rules to optimize pod placement for performance
Monitoring
- Install Prometheus and Grafana for comprehensive cluster monitoring
- Set up cluster-level logging with Fluent Bit or Fluentd
- Use ServiceMonitor CRDs with Prometheus Operator for automatic metrics discovery
- Monitor cluster resource usage regularly with `kubectl top nodes`
- Enable Kubernetes audit logging to track API server requests and security events
- Set up alerting rules with tools like Alertmanager to notify of cluster issues
Scheduling
- Use taints and tolerations to control which pods can be scheduled on specific nodes
- Set pod priorities with PriorityClass to ensure critical pods are scheduled first
- Use tools like Descheduler to rebalance pods and prevent node overloading
Cluster management
- Keep Kubernetes updated. Regularly upgrade to the latest stable version
- Migrate away from deprecated APIs before they’re removed in newer Kubernetes versions
- Consider managed Kubernetes services to reduce operational overhead