Kubernetes Cheat Sheet

kubectl commands and concepts for cloud interviews

Key Concepts

Pod

The smallest deployable unit. One or more containers that share network and storage. Pods are ephemeral - they are created and destroyed, never restarted in place.

Deployment

Manages a set of identical, stateless pods. Handles rolling updates, rollbacks, and scaling. Use for web servers, APIs, workers.

Use StatefulSet instead when pods need stable identity or persistent per-pod storage.

ReplicaSet

Ensures N copies of a pod are running at all times. Deployments manage ReplicaSets - you rarely interact with ReplicaSets directly.

Service

Stable network endpoint for a set of pods. Types: ClusterIP (internal only), NodePort (exposes on node IP), LoadBalancer (provisions a cloud LB), ExternalName (DNS alias).

Ingress

HTTP/HTTPS routing from outside the cluster to internal Services. Requires an Ingress Controller (nginx, ALB, Traefik). Handles path-based and host-based routing.

ConfigMap vs Secret

ConfigMap stores non-sensitive config (env vars, config files). Secret stores sensitive data (passwords, tokens) - only base64 encoded, not encrypted at rest by default.

Use external secret managers (AWS Secrets Manager, Vault) for production secrets.

Liveness vs Readiness probe

Liveness: is the container alive? Fails = restart the container. Readiness: is the container ready to serve traffic? Fails = remove from Service endpoints (no traffic sent).

Never check external dependencies in a liveness probe - you'll cause cascading restarts.

Requests vs Limits

Request: the guaranteed amount of resources the scheduler uses to place the pod. Limit: the maximum the container may use. CPU usage is throttled at the limit; exceeding the memory limit OOMKills the container.
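As an added example (not from the original cheat sheet), a Deployment manifest that applies the probe and request/limit rules above; the name, image and endpoint paths are assumptions:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                         # assumed name
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: example.com/web:v1 # placeholder image
          ports:
            - containerPort: 8080
          # Liveness answers "is this process alive?" only: a local endpoint,
          # no database or upstream calls. A failure restarts the container.
          livenessProbe:
            httpGet:
              path: /healthz        # assumed endpoint
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 3
          # Readiness may check dependencies: a failure only removes the pod
          # from Service endpoints and never restarts anything.
          readinessProbe:
            httpGet:
              path: /ready          # assumed endpoint
              port: 8080
            periodSeconds: 5
            failureThreshold: 2
          resources:
            requests:               # reserved on the node by the scheduler
              cpu: 250m
              memory: 256Mi
            limits:                 # CPU throttled here; memory above this
              cpu: 500m             # is OOMKilled (exit code 137)
              memory: 512Mi
```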

DaemonSet

Runs one pod on every node (or a subset). Used for log collectors, monitoring agents, network plugins. Pod is automatically added to new nodes.

StatefulSet

Like a Deployment but pods have stable network identity (pod-0, pod-1) and dedicated PersistentVolumeClaims. Use for databases, Kafka, Elasticsearch.

PersistentVolume (PV) / PVC

PV is a piece of storage in the cluster. PVC is a request for storage by a pod. StorageClass defines how PVs are dynamically provisioned (e.g., AWS EBS, EFS).

Taints and Tolerations

Taints repel pods from nodes. Tolerations allow a pod to be scheduled on a tainted node. Used to dedicate nodes for specific workloads (GPU nodes, spot nodes).

RBAC

Role-Based Access Control. Role/ClusterRole = permissions. RoleBinding/ClusterRoleBinding = assign role to user/serviceaccount. Always use least privilege.
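An added least-privilege example, not from the original page: a namespaced Role that lets a log-shipping ServiceAccount read pod logs and nothing else. The namespace and names are assumptions.

```yaml
# Namespaced Role: only the verbs and resources the log shipper needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: app                   # assumed namespace
rules:
  - apiGroups: [""]                # core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to a ServiceAccount in the same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: app
subjects:
  - kind: ServiceAccount
    name: log-shipper              # assumed ServiceAccount
    namespace: app
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
# Contrast (do not apply): a ClusterRoleBinding to the built-in cluster-admin
# ClusterRole would grant every verb on every resource in every namespace.
```

Verify the binding with `kubectl auth can-i list pods --as=system:serviceaccount:app:log-shipper -n app` (expected: yes) and the same check with `delete pods` (expected: no).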

Horizontal Pod Autoscaler (HPA)

Automatically scales the number of pod replicas based on CPU, memory, or custom metrics. Works with Deployments and StatefulSets.

CrashLoopBackOff

Pod keeps crashing and Kubernetes keeps restarting it with exponential backoff. Check logs with the --previous flag. Common causes: bad config, missing env var, OOMKill.

Commands

Get / List Resources

kubectl get pods
kubectl get pods -n kube-system
kubectl get pods -A               # all namespaces
kubectl get pods -o wide          # with node info
kubectl get pods --show-labels
kubectl get all                   # pods, svcs, deploys
kubectl get nodes
kubectl get nodes -o wide
kubectl describe node <name>
kubectl top nodes                 # CPU/memory usage
kubectl get svc
kubectl get deploy
kubectl get rs                    # replicasets
kubectl get cm                    # configmaps
kubectl get secret
kubectl get pvc                   # persistent volume claims

Pod Operations

# Logs
kubectl logs <pod>
kubectl logs <pod> -c <container> # multi-container
kubectl logs <pod> --previous     # crashed container
kubectl logs <pod> -f             # follow / stream
kubectl logs <pod> --tail=100

# Shell access
kubectl exec -it <pod> -- bash
kubectl exec -it <pod> -c <container> -- sh

# Run one-off command
kubectl exec <pod> -- env

# Port-forward (local debug)
kubectl port-forward pod/<name> 8080:80
kubectl port-forward svc/<name> 8080:80

# Copy files
kubectl cp <pod>:/path ./local-path
kubectl cp ./local-file <pod>:/path

Apply / Delete

kubectl apply -f manifest.yaml
kubectl apply -f ./directory/
kubectl apply -f https://example.com/manifest.yaml

kubectl delete -f manifest.yaml
kubectl delete pod <name>
kubectl delete pod <name> --force  # immediate

# Dry run (validate without applying)
kubectl apply -f manifest.yaml --dry-run=client

# Diff against live cluster
kubectl diff -f manifest.yaml

# Edit live resource
kubectl edit deploy <name>
kubectl edit cm <name>

# Patch inline
kubectl patch deploy <name> -p '{"spec":{"replicas":3}}'

Deployments

# Rollout status and history
kubectl rollout status deploy/<name>
kubectl rollout history deploy/<name>

# Rollback
kubectl rollout undo deploy/<name>
kubectl rollout undo deploy/<name> --to-revision=2

# Pause / resume
kubectl rollout pause deploy/<name>
kubectl rollout resume deploy/<name>

# Scale
kubectl scale deploy <name> --replicas=3

# Update image
kubectl set image deploy/<name> container=image:v2

# Restart pods (rolling)
kubectl rollout restart deploy/<name>

Namespaces & Context

kubectl get ns
kubectl create ns <name>
kubectl delete ns <name>

# Set default namespace for session
kubectl config set-context --current --namespace=<name>

# Contexts (clusters)
kubectl config get-contexts
kubectl config use-context <name>
kubectl config current-context
kubectl config view

ConfigMaps & Secrets

# Create configmap
kubectl create cm my-config --from-literal=key=value --from-file=app.properties

# View
kubectl get cm my-config -o yaml

# Create secret
kubectl create secret generic my-secret --from-literal=password=s3cr3t

# Decode a secret value
kubectl get secret my-secret -o jsonpath='{.data.password}' | base64 -d

Debugging

# Describe shows events (check for errors)
kubectl describe pod <name>
kubectl describe deploy <name>
kubectl describe node <name>

# Pod not starting? Check events:
kubectl get events --sort-by=.metadata.creationTimestamp

# Ephemeral debug container (k8s 1.23+)
kubectl debug -it <pod> --image=busybox --target=<container>

# Check resource usage
kubectl top pods
kubectl top pods --containers

# Common exit codes
# 0   = completed successfully
# 1   = app error / unhandled exception
# 137 = OOMKilled (out of memory)
# 143 = SIGTERM not handled

Labels & Selectors

# Filter by label
kubectl get pods -l app=frontend
kubectl get pods -l env=prod,tier=web
kubectl get pods -l 'env in (prod,stg)'

# Add / remove labels
kubectl label pod <name> env=prod
kubectl label pod <name> env-   # remove

# Useful output formats
kubectl get pods -o json
kubectl get pods -o yaml
kubectl get pods -o jsonpath='{.items[*].metadata.name}'
kubectl get pods -o custom-columns=NAME:.metadata.name,STATUS:.status.phase

Generate YAML Stubs

# Generate without applying
kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml

kubectl create deploy nginx --image=nginx --replicas=2 --dry-run=client -o yaml > deploy.yaml

kubectl create svc clusterip my-svc --tcp=80:8080 --dry-run=client -o yaml > svc.yaml

acecloudinterviews.com - Free forever. No login required.