200+ Essential kubectl Commands for Managing and Troubleshooting Kubernetes Clusters
This guide compiles over 200 practical kubectl commands, covering cluster setup, context switching, resource inspection, workload management, networking, storage, security hardening, high‑availability patterns, troubleshooting techniques, and performance monitoring to help operators efficiently administer Kubernetes environments.
Overview
kubectl is the official CLI for interacting with a Kubernetes API server. Mastery of its commands is required for daily cluster operations, application deployment, fault diagnosis and performance tuning.
Technical characteristics
Declarative management: Supports YAML/JSON manifests for infrastructure‑as‑code.
Multi‑cluster support: Context mechanism enables seamless switching between clusters and environments.
Rich output formats: JSON, YAML, wide, custom‑columns, etc., for automation.
Powerful filtering: Label selectors, field selectors, JSONPath for precise resource targeting.
Real‑time watch: Watch mechanism streams resource changes and events.
Plugin extensibility: kubectl plugins integrate with the ecosystem.
Applicable scenarios
Routine cluster administration (node management, RBAC, namespace isolation).
Application lifecycle (deployments, rollouts, rollbacks, scaling, gray releases).
Fault diagnosis (pod logs, events, network policies, resource bottlenecks).
Performance optimization (resource requests/limits, HPA/VPA).
Security and compliance (Secrets, ServiceAccounts, PodSecurityPolicies, NetworkPolicies).
Automation (CI/CD integration, batch scripts, backup/restore).
Environment requirements
Kubernetes cluster: v1.20+ (recommended v1.24+). Some commands need newer API versions.
kubectl client: Within one minor version of the cluster for API compatibility.
OS: Linux/macOS/Windows; Linux provides the most complete feature set.
Network: Access to API server (default 6443); configure kubeconfig accordingly.
Permissions: RBAC appropriate to the task; follow the principle of least privilege.
Optional tools: jq, yq, grep, awk for advanced data processing.
Preparation
Install kubectl and verify versions
# Check client and server versions
kubectl version --short   # --short was removed in kubectl v1.28+, where plain "kubectl version" prints this summary
kubectl version --output=yaml
# Verify cluster connectivity
kubectl cluster-info
kubectl cluster-info dump | grep -i "cluster-info"
The kubectl client version must be within one minor version of the cluster (e.g., client 1.24 works with server 1.23‑1.25).
Manage kubeconfig
# Show current kubeconfig path
echo $KUBECONFIG
# View configuration
kubectl config view
kubectl config view --raw
# Current context
kubectl config current-context
# List contexts and clusters
kubectl config get-contexts
kubectl config get-clusters
The default file is ~/.kube/config; restrict its permissions (chmod 600) in production.
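A check for the kubeconfig risks this guide mentions, written as an added example (not part of the original guide): it flags a file mode other than 600 and, going beyond the sentence above, the insecure-skip-tls-verify and static token settings that the cluster-credentials commands write. The function names, the sample file and its placeholder token are constructed for illustration.

```shell
# Added example (not from the original guide): flag risky kubeconfig settings.

# audit_kubeconfig FILE: print one finding per line; return 1 if any were found.
audit_kubeconfig() {
    file=$1
    findings=0

    # The file holds credentials, so only its owner should be able to read it.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        600|400) ;;
        *) echo "PERMS mode $mode (expected 600)"; findings=$((findings + 1)) ;;
    esac

    # Written by --insecure-skip-tls-verify=true: server certificate is not checked.
    if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$file"; then
        echo "TLS verification disabled"; findings=$((findings + 1))
    fi

    # Written by --token=...: a static bearer token stored in clear text.
    if grep -Eq '^[[:space:]]*token:[[:space:]]*[^[:space:]]' "$file"; then
        echo "TOKEN static bearer token in file"; findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample kubeconfig using this guide's test-cluster and token-user
# names; the token value is a placeholder, and mode 644 is set on purpose.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
kind: Config
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://test-api:6443
  name: test-cluster
users:
- name: token-user
  user:
    token: CONSTRUCTED-PLACEHOLDER-TOKEN
EOF
    chmod 644 "$sample"
    echo "$sample"
}

f=$(make_sample)
audit_kubeconfig "$f" || echo "kubeconfig needs attention"
rm -f "$f"
```

Run it against the real file with `audit_kubeconfig ~/.kube/config`; the non-zero return makes it usable as a CI or login-shell check.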
Core configuration
Multi‑cluster context management
# Switch context
kubectl config use-context production-cluster
# Create a new context
kubectl config set-context dev-context \
--cluster=dev-cluster \
--user=dev-admin \
--namespace=development
# Change default namespace of the current context
kubectl config set-context --current --namespace=kube-system
# Delete or rename contexts
kubectl config delete-context old-context
kubectl config rename-context old-name new-name
Cluster credentials
# Set cluster endpoint and CA
kubectl config set-cluster prod-cluster \
--server=https://k8s-api.example.com:6443 \
--certificate-authority=/path/to/ca.crt \
--embed-certs=true
# Certificate‑based user credentials
kubectl config set-credentials admin-user \
--client-certificate=/path/to/admin.crt \
--client-key=/path/to/admin.key \
--embed-certs=true
# Token‑based user credentials
kubectl config set-credentials token-user \
--token=eyJhbGciOiJSUzI1NiIsImtpZCI6...
# Disable TLS verification (test only)
kubectl config set-cluster test-cluster \
--server=https://test-api:6443 \
--insecure-skip-tls-verify=true
Command‑line completion
# Bash completion
echo 'source <(kubectl completion bash)' >> ~/.bashrc
echo 'alias k=kubectl' >> ~/.bashrc
echo 'complete -F __start_kubectl k' >> ~/.bashrc
source ~/.bashrc
# Zsh completion
echo 'source <(kubectl completion zsh)' >> ~/.zshrc
echo 'alias k=kubectl' >> ~/.zshrc
echo 'compdef __start_kubectl k' >> ~/.zshrc
source ~/.zshrc
# Verify completion
kubectl get po<TAB> # expands to pods
Resource management examples
Node management
# List nodes
kubectl get nodes -o wide
kubectl describe node node-name
kubectl top nodes --sort-by=cpu
# Cordon / uncordon
kubectl cordon node-name
kubectl uncordon node-name
# Drain for maintenance
kubectl drain node-name --ignore-daemonsets --delete-emptydir-data
kubectl drain node-name --ignore-daemonsets --force --grace-period=0
# Labels and taints
kubectl label nodes node-name env=production
kubectl taint nodes node-name key=value:NoSchedule
kubectl describe node node-name | grep -i taint
Namespace management
# List, create, delete namespaces
kubectl get ns
kubectl create namespace development
kubectl delete namespace old-project
# Labels and resource quotas
kubectl label namespace production env=prod team=backend
kubectl get resourcequota -n production
kubectl describe resourcequota -n production
Quota management
# Create a quota
kubectl create quota dev-quota \
--hard=cpu=10,memory=20Gi,pods=20 \
-n development
# View quotas
kubectl get resourcequota --all-namespaces
kubectl describe quota dev-quota -n development
# Delete quota
kubectl delete quota dev-quota -n development
RBAC management
# List roles and clusterroles
kubectl get roles -A
kubectl get clusterroles
# Create a role
kubectl create role pod-reader \
--verb=get,list,watch \
--resource=pods \
-n development
# Create a clusterrole
kubectl create clusterrole deployment-manager \
--verb=get,list,create,delete \
--resource=deployments
# Bind role to a user
kubectl create rolebinding dev-pod-reader \
--role=pod-reader \
--user=john \
-n development
# Bind clusterrole to a user
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole=cluster-admin \
--user=<user-email>
ServiceAccount management
# List ServiceAccounts
kubectl get serviceaccounts -A
# Create a ServiceAccount
kubectl create serviceaccount myapp -n production
# Generate a token (Kubernetes 1.24+)
kubectl create token myapp -n production
# One-year token: prefer short lifetimes; the API server may cap the requested duration
kubectl create token myapp --duration=8760h -n production
# Delete ServiceAccount
kubectl delete sa myapp -n production
Pod management
# List pods
kubectl get pods -A
kubectl get po -n production
# Detailed view
kubectl get pods -o wide
kubectl describe pod nginx-pod -n production
# Create a pod from the CLI
kubectl run nginx --image=nginx:1.21 --port=80
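# Create a pod with resource limits
# (--requests/--limits were removed from kubectl run in v1.24+; on newer clients set resources in a manifest)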
kubectl run nginx --image=nginx:1.21 \
--requests='cpu=100m,memory=256Mi' \
--limits='cpu=200m,memory=512Mi'
# Logs
kubectl logs nginx-pod -n production
kubectl logs nginx-pod -n production --tail=100
kubectl logs nginx-pod -n production --since=1h
kubectl logs nginx-pod -n production -f
# Exec into a container
kubectl exec -it nginx-pod -n production -- bash
# Delete pod
kubectl delete pod nginx-pod -n production
kubectl delete pod nginx-pod -n production --force --grace-period=0
# Delete by label
kubectl delete pods -l app=nginx -n production
Deployment management
# Create deployment
kubectl create deployment nginx --image=nginx:1.21 --replicas=3
# Scale
kubectl scale deployment nginx --replicas=5 -n production
# Autoscale (HPA)
kubectl autoscale deployment nginx --min=3 --max=10 --cpu-percent=80
# Update image (rolling update)
kubectl set image deployment/nginx nginx=nginx:1.22 -n production
# Rollout status
kubectl rollout status deployment/nginx -n production
# Rollback
kubectl rollout undo deployment/nginx -n production
kubectl rollout undo deployment/nginx --to-revision=2 -n production
# Pause / resume
kubectl rollout pause deployment/nginx -n production
kubectl rollout resume deployment/nginx -n production
# Restart
kubectl rollout restart deployment/nginx -n production
StatefulSet and DaemonSet
# StatefulSet
kubectl get statefulsets -A
kubectl apply -f mysql-statefulset.yaml
kubectl scale statefulset mysql --replicas=5 -n production
kubectl rollout status statefulset/mysql -n production
kubectl delete statefulset mysql --cascade=orphan -n production
# DaemonSet
kubectl get daemonsets -A
kubectl describe daemonset fluentd -n kube-system
kubectl set image daemonset/fluentd fluentd=fluentd:v1.15 -n kube-system
kubectl rollout status daemonset/fluentd -n kube-system
Job and CronJob
# One‑off Job
kubectl create job backup --image=backup-tool:latest
kubectl get jobs -A
kubectl describe job backup -n production
kubectl delete job backup -n production
# CronJob
kubectl create cronjob daily-backup \
--image=backup-tool:latest \
--schedule="0 2 * * *"
kubectl get cronjobs -A
kubectl create job manual-backup --from=cronjob/daily-backup -n production
# Suspend / resume
kubectl patch cronjob daily-backup -p '{"spec":{"suspend":true}}' -n production
kubectl patch cronjob daily-backup -p '{"spec":{"suspend":false}}' -n production
Service and Ingress
# Service
kubectl create service clusterip nginx --tcp=80:80
kubectl expose deployment nginx --port=80 --type=ClusterIP
kubectl describe service nginx -n production
kubectl delete service nginx -n production
# Ingress (requires controller)
kubectl apply -f ingress.yaml
kubectl describe ingress web-ingress -n production
kubectl delete ingress web-ingress -n production
NetworkPolicy and DNS
# NetworkPolicy
kubectl get networkpolicies -A
kubectl apply -f network-policy.yaml
kubectl delete networkpolicy deny-all -n production
# CoreDNS
kubectl get configmap coredns -n kube-system -o yaml
kubectl run dnsutils --image=tutum/dnsutils --rm -it -- nslookup kubernetes.default
kubectl run dnsutils --image=tutum/dnsutils --rm -it -- nslookup nginx.production.svc.cluster.local
Storage (PV, PVC, StorageClass)
# PersistentVolume
kubectl get pv
kubectl describe pv pv-name
# PersistentVolumeClaim
kubectl get pvc -n production
kubectl describe pvc data-pvc -n production
kubectl apply -f pvc.yaml
kubectl delete pvc data-pvc -n production
# StorageClass
kubectl get storageclass
kubectl describe storageclass standard
kubectl patch storageclass standard -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
kubectl patch storageclass standard -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
ConfigMap and Secret
# ConfigMap
kubectl create configmap app-config \
--from-literal=database.host=mysql.prod \
--from-literal=database.port=3306
kubectl create configmap nginx-config --from-file=nginx.conf
kubectl get configmap app-config -o yaml
kubectl edit configmap app-config -n production
kubectl delete configmap app-config -n production
# Secret (literals typed on the command line land in shell history; use --from-file for real credentials)
kubectl create secret generic db-secret \
--from-literal=username=admin \
--from-literal=password=P@ssw0rd
kubectl create secret tls tls-secret --cert=path/to/tls.crt --key=path/to/tls.key
kubectl get secret db-secret -o yaml
kubectl get secret db-secret -o jsonpath='{.data.password}' | base64 -d
kubectl delete secret db-secret -n production
Advanced queries and debugging
# Label selector
kubectl get pods -l app=nginx
kubectl get pods -l 'env in (prod,staging)'
# Field selector
kubectl get pods --field-selector status.phase=Running
# Custom columns
kubectl get pods -o custom-columns=NAME:.metadata.name,IP:.status.podIP,CPU:.spec.containers[*].resources.requests.cpu
# JSONPath
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}'
# Dry‑run and diff
kubectl create deployment nginx --image=nginx --dry-run=client -o yaml
kubectl diff -f deployment.yaml
# Patch
kubectl patch deployment nginx -p '{"spec":{"replicas":5}}'
# Watch
kubectl get pods -w
# Debug (Kubernetes 1.23+)
kubectl debug nginx-pod -it --image=busybox --target=nginx-container
kubectl debug nginx-pod -it --copy-to=nginx-debug --container=debugger --image=busybox
Best practices
Performance optimization
Set resources.requests and resources.limits for every container.
Enable Horizontal Pod Autoscaler (HPA) for CPU‑ or memory‑based scaling.
Use node and pod affinity/anti‑affinity to improve scheduling.
Prefer imagePullPolicy: IfNotPresent to avoid unnecessary pulls.
Security hardening
Avoid cluster‑admin bindings; grant the minimum permissions required.
Enable Pod Security Policies (removed in Kubernetes v1.25) or, on newer clusters, the PodSecurity standards enforced through Pod Security admission.
Apply NetworkPolicy for namespace‑level isolation.
Rotate Secrets and certificates regularly; store them in external secret managers.
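One way to check the first item above, as an added example rather than part of the original guide: list every subject bound to cluster-admin, skipping the built-in system: identities. The function names and the tab-separated input layout are assumptions of this example, and the sample listing is constructed.

```shell
# Added example (not from the original guide): who holds cluster-admin?
# Input: tab-separated "binding<TAB>role<TAB>Kind/name Kind/name ...", produced by:
#   kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}/{.name}{" "}{end}{"\n"}{end}'

# cluster_admin_subjects: read that listing on stdin and print "binding Kind/name"
# for every subject bound to cluster-admin, skipping built-in system: identities.
cluster_admin_subjects() {
    awk -F '\t' '
        $2 == "cluster-admin" {
            n = split($3, subjects, " ")
            for (i = 1; i <= n; i++) {
                # Drop the "Kind/" prefix to look at the subject name alone.
                name = substr(subjects[i], index(subjects[i], "/") + 1)
                if (name ~ /^system:/) continue   # e.g. Group/system:masters
                print $1, subjects[i]
            }
        }'
}

# Constructed sample listing. cluster-admin-binding is the binding name this
# guide creates; the subjects bound to it here are made up for the example.
sample_bindings() {
    printf 'cluster-admin\tcluster-admin\tGroup/system:masters \n'
    printf 'cluster-admin-binding\tcluster-admin\tUser/john ServiceAccount/myapp \n'
    printf 'view-binding\tview\tUser/alice \n'
}

sample_bindings | cluster_admin_subjects
```

Each line it prints is a binding to review: replace it with a Role or ClusterRole limited to the verbs and resources the subject actually needs.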
High availability
Define PodDisruptionBudget to guarantee minimum replica counts during maintenance.
Run at least three replicas across multiple zones.
Configure liveness and readiness probes for all services.
Troubleshooting
Common error patterns
ImagePullBackOff – image not found or no pull permission. Check image name/tag and imagePullSecrets.
CrashLoopBackOff – container exits immediately. Inspect logs and health checks.
Pending – insufficient resources or scheduling constraints. Check node capacity, taints, and affinity rules.
OOMKilled – memory limit exceeded. Increase limits.memory or optimise the application.
Performance metrics
# Node and pod usage
kubectl top nodes
kubectl top pods -A --sort-by=cpu
kubectl top pod nginx-pod -n production --containers
# API version inspection
kubectl explain pod
kubectl explain deployment.spec.strategy
Typical alert thresholds: CPU >85 %, memory >90 %, pod restarts >5 times/hour, disk usage >85 %.
Conclusion
The guide provides a systematic reference of more than 200 kubectl commands, covering cluster bootstrapping to advanced debugging, together with best‑practice recommendations for security, performance and high availability. Mastering these commands enables operators to manage Kubernetes workloads efficiently and reliably.
Further learning
Deep dive into Kubernetes Operators, CRDs, and Admission Webhooks.
Explore cloud‑native tooling such as Helm, Kustomize, and Argo CD for GitOps workflows.
Build a full observability stack with Prometheus, Grafana, Loki, and Jaeger.
Reference the official Kubernetes documentation and the kubectl command reference for up‑to‑date syntax.
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
