1 - Web UI (Dashboard)
Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard.
Dashboard also provides information on the state of Kubernetes resources in your cluster and on any errors that may have occurred.
Deploying the Dashboard UI
The Dashboard UI is not deployed by default. To deploy it, run the following command:
kubectl apply -f
Accessing the Dashboard UI
To protect your cluster data, Dashboard deploys with a minimal RBAC configuration by default. Currently, Dashboard only supports logging in with a Bearer Token. To create a token for this demo, you can follow our guide on creating a sample user.
Warning: The sample user created in the tutorial will have administrative privileges and is for educational purposes only.
Command line proxy
You can access Dashboard using the kubectl command-line tool by running the following command:
kubectl proxy
Kubectl will make Dashboard available at http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/.
The UI can only be accessed from the machine where the command is executed. See kubectl proxy --help
for more options.
Note: Kubeconfig Authentication method does NOT support external identity providers or x509 certificate-based authentication.
Welcome view
When you access Dashboard on an empty cluster, you'll see the welcome page.
This page contains a link to this document as well as a button to deploy your first application.
In addition, you can view which system applications are running by default in the kube-system
namespace of your cluster, for example the Dashboard itself.
Deploying containerized applications
Dashboard lets you create and deploy a containerized application as a Deployment and optional Service with a simple wizard. You can either manually specify application details, or upload a YAML or JSON file containing application configuration.
Click the CREATE button in the upper right corner of any page to begin.
Specifying application details
The deploy wizard expects that you provide the following information:
App name (mandatory): Name for your application. A label with the name will be added to the Deployment and Service, if any, that will be deployed.
The application name must be unique within the selected Kubernetes namespace. It must start with a lowercase character, and end with a lowercase character or a number, and contain only lowercase letters, numbers and dashes (-). It is limited to 24 characters. Leading and trailing spaces are ignored.
Container image (mandatory): The URL of a public Docker container image on any registry, or a private image (commonly hosted on the Google Container Registry or Docker Hub). The container image specification must end with a colon.
Number of pods (mandatory): The target number of Pods you want your application to be deployed in. The value must be a positive integer.
A Deployment will be created to maintain the desired number of Pods across your cluster.
Service (optional): For some parts of your application (e.g. frontends) you may want to expose a Service onto an external, maybe public IP address outside of your cluster (external Service).
Note: For external Services, you may need to open up one or more ports to do so.Other Services that are only visible from inside the cluster are called internal Services.
Irrespective of the Service type, if you choose to create a Service and your container listens on a port (incoming), you need to specify two ports. The Service will be created mapping the port (incoming) to the target port seen by the container. This Service will route to your deployed Pods. Supported protocols are TCP and UDP. The internal DNS name for this Service will be the value you specified as application name above.
If needed, you can expand the Advanced options section where you can specify more settings:
Description: The text you enter here will be added as an annotation to the Deployment and displayed in the application's details.
Labels: Default labels to be used for your application are application name and version. You can specify additional labels to be applied to the Deployment, Service (if any), and Pods, such as release, environment, tier, partition, and release track.
release=1.0 tier=frontend environment=pod track=stable
Namespace: Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. They let you partition resources into logically named groups.
Dashboard offers all available namespaces in a dropdown list, and allows you to create a new namespace. The namespace name may contain a maximum of 63 alphanumeric characters and dashes (-) but can not contain capital letters. Namespace names should not consist of only numbers. If the name is set as a number, such as 10, the pod will be put in the default namespace.
In case the creation of the namespace is successful, it is selected by default. If the creation fails, the first namespace is selected.
Image Pull Secret: In case the specified Docker container image is private, it may require pull secret credentials.
Dashboard offers all available secrets in a dropdown list, and allows you to create a new secret. The secret name must follow the DNS domain name syntax, for example
. The content of a secret must be base64-encoded and specified in a.dockercfg
file. The secret name may consist of a maximum of 253 characters.In case the creation of the image pull secret is successful, it is selected by default. If the creation fails, no secret is applied.
CPU requirement (cores) and Memory requirement (MiB): You can specify the minimum resource limits for the container. By default, Pods run with unbounded CPU and memory limits.
Run command and Run command arguments: By default, your containers run the specified Docker image's default entrypoint command. You can use the command options and arguments to override the default.
Run as privileged: This setting determines whether processes in privileged containers are equivalent to processes running as root on the host. Privileged containers can make use of capabilities like manipulating the network stack and accessing devices.
Environment variables: Kubernetes exposes Services through environment variables. You can compose environment variable or pass arguments to your commands using the values of environment variables. They can be used in applications to find a Service. Values can reference other variables using the
Uploading a YAML or JSON file
Kubernetes supports declarative configuration. In this style, all configuration is stored in YAML or JSON configuration files using the Kubernetes API resource schemas.
As an alternative to specifying application details in the deploy wizard, you can define your application in YAML or JSON files, and upload the files using Dashboard.
Using Dashboard
Following sections describe views of the Kubernetes Dashboard UI; what they provide and how can they be used.
When there are Kubernetes objects defined in the cluster, Dashboard shows them in the initial view. By default only objects from the default namespace are shown and this can be changed using the namespace selector located in the navigation menu.
Dashboard shows most Kubernetes object kinds and groups them in a few menu categories.
Admin Overview
For cluster and namespace administrators, Dashboard lists Nodes, Namespaces and Persistent Volumes and has detail views for them. Node list view contains CPU and memory usage metrics aggregated across all Nodes. The details view shows the metrics for a Node, its specification, status, allocated resources, events and pods running on the node.
Shows all applications running in the selected namespace. The view lists applications by workload kind (e.g., Deployments, Replica Sets, Stateful Sets, etc.) and each workload kind can be viewed separately. The lists summarize actionable information about the workloads, such as the number of ready pods for a Replica Set or current memory usage for a Pod.
Detail views for workloads show status and specification information and surface relationships between objects. For example, Pods that Replica Set is controlling or New Replica Sets and Horizontal Pod Autoscalers for Deployments.
Shows Kubernetes resources that allow for exposing services to external world and discovering them within a cluster. For that reason, Service and Ingress views show Pods targeted by them, internal endpoints for cluster connections and external endpoints for external users.
Storage view shows Persistent Volume Claim resources which are used by applications for storing data.
Config Maps and Secrets
Shows all Kubernetes resources that are used for live configuration of applications running in clusters. The view allows for editing and managing config objects and displays secrets hidden by default.
Logs viewer
Pod lists and detail pages link to a logs viewer that is built into Dashboard. The viewer allows for drilling down logs from containers belonging to a single Pod.
2 - Accessing Clusters
This topic discusses multiple ways to interact with clusters.
Accessing for the first time with kubectl
When accessing the Kubernetes API for the first time, we suggest using the
Kubernetes CLI, kubectl
To access a cluster, you need to know the location of the cluster and have credentials to access it. Typically, this is automatically set-up when you work through a Getting started guide, or someone else setup the cluster and provided you with credentials and a location.
Check the location and credentials that kubectl knows about with this command:
kubectl config view
Many of the examples provide an introduction to using kubectl and complete documentation is found in the kubectl manual.
Directly accessing the REST API
Kubectl handles locating and authenticating to the apiserver. If you want to directly access the REST API with an http client like curl or wget, or a browser, there are several ways to locate and authenticate:
- Run kubectl in proxy mode.
- Recommended approach.
- Uses stored apiserver location.
- Verifies identity of apiserver using self-signed cert. No MITM possible.
- Authenticates to apiserver.
- In future, may do intelligent client-side load-balancing and failover.
- Provide the location and credentials directly to the http client.
- Alternate approach.
- Works with some types of client code that are confused by using a proxy.
- Need to import a root cert into your browser to protect against MITM.
Using kubectl proxy
The following command runs kubectl in a mode where it acts as a reverse proxy. It handles locating the apiserver and authenticating. Run it like this:
kubectl proxy --port=8080
See kubectl proxy for more details.
Then you can explore the API with curl, wget, or a browser, replacing localhost with [::1] for IPv6, like so:
curl http://localhost:8080/api/
The output is similar to this:
"kind": "APIVersions",
"versions": [
"serverAddressByClientCIDRs": [
"clientCIDR": "",
"serverAddress": ""
Without kubectl proxy
Use kubectl describe secret...
to get the token for the default service account with grep/cut:
APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
SECRET_NAME=$(kubectl get secrets | grep ^default | cut -f1 -d ' ')
TOKEN=$(kubectl describe secret $SECRET_NAME | grep -E '^token' | cut -f2 -d':' | tr -d " ")
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
The output is similar to this:
"kind": "APIVersions",
"versions": [
"serverAddressByClientCIDRs": [
"clientCIDR": "",
"serverAddress": ""
Using jsonpath
APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
SECRET_NAME=$(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}')
TOKEN=$(kubectl get secret $SECRET_NAME -o jsonpath='{.data.token}' | base64 --decode)
curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
The output is similar to this:
"kind": "APIVersions",
"versions": [
"serverAddressByClientCIDRs": [
"clientCIDR": "",
"serverAddress": ""
The above examples use the --insecure
flag. This leaves it subject to MITM
attacks. When kubectl accesses the cluster it uses a stored root certificate
and client certificates to access the server. (These are installed in the
directory). Since cluster certificates are typically self-signed, it
may take special configuration to get your http client to use root
On some clusters, the apiserver does not require authentication; it may serve on localhost, or be protected by a firewall. There is not a standard for this. Controlling Access to the API describes how a cluster admin can configure this.
Programmatic access to the API
Kubernetes officially supports Go and Python client libraries.
Go client
- To get the library, run the following command:
go get<kubernetes-version-number>
, see for detailed installation instructions. See to see which versions are supported. - Write an application atop of the client-go clients. Note that client-go defines its own API objects, so if needed, please import API definitions from client-go rather than from the main repository, e.g.,
import ""
is correct.
The Go client can use the same kubeconfig file as the kubectl CLI does to locate and authenticate to the apiserver. See this example.
If the application is deployed as a Pod in the cluster, please refer to the next section.
Python client
To use Python client, run the following command: pip install kubernetes
. See Python Client Library page for more installation options.
The Python client can use the same kubeconfig file as the kubectl CLI does to locate and authenticate to the apiserver. See this example.
Other languages
There are client libraries for accessing the API from other languages. See documentation for other libraries for how they authenticate.
Accessing the API from a Pod
When accessing the API from a pod, locating and authenticating to the apiserver are somewhat different.
The recommended way to locate the apiserver within the pod is with
the kubernetes.default.svc
DNS name, which resolves to a Service IP which in turn
will be routed to an apiserver.
The recommended way to authenticate to the apiserver is with a
service account credential. By kube-system, a pod
is associated with a service account, and a credential (token) for that
service account is placed into the filesystem tree of each container in that pod,
at /var/run/secrets/
If available, a certificate bundle is placed into the filesystem tree of each
container at /var/run/secrets/
, and should be
used to verify the serving certificate of the apiserver.
Finally, the default namespace to be used for namespaced API operations is placed in a file
at /var/run/secrets/
in each container.
From within a pod the recommended ways to connect to API are:
- Run
kubectl proxy
in a sidecar container in the pod, or as a background process within the container. This proxies the Kubernetes API to the localhost interface of the pod, so that other processes in any container of the pod can access it. - Use the Go client library, and create a client using the
functions. They handle locating and authenticating to the apiserver. example
In each case, the credentials of the pod are used to communicate securely with the apiserver.
Accessing services running on the cluster
The previous section was about connecting the Kubernetes API server. This section is about connecting to other services running on Kubernetes cluster. In Kubernetes, the nodes, pods and services all have their own IPs. In many cases, the node IPs, pod IPs, and some service IPs on a cluster will not be routable, so they will not be reachable from a machine outside the cluster, such as your desktop machine.
Ways to connect
You have several options for connecting to nodes, pods and services from outside the cluster:
- Access services through public IPs.
- Use a service with type
to make the service reachable outside the cluster. See the services and kubectl expose documentation. - Depending on your cluster environment, this may only expose the service to your corporate network, or it may expose it to the internet. Think about whether the service being exposed is secure. Does it do its own authentication?
- Place pods behind services. To access one specific pod from a set of replicas, such as for debugging, place a unique label on the pod and create a new service which selects this label.
- In most cases, it should not be necessary for application developer to directly access nodes via their nodeIPs.
- Use a service with type
- Access services, nodes, or pods using the Proxy Verb.
- Does apiserver authentication and authorization prior to accessing the remote service. Use this if the services are not secure enough to expose to the internet, or to gain access to ports on the node IP, or for debugging.
- Proxies may cause problems for some web applications.
- Only works for HTTP/HTTPS.
- Described here.
- Access from a node or pod in the cluster.
- Run a pod, and then connect to a shell in it using kubectl exec. Connect to other nodes, pods, and services from that shell.
- Some clusters may allow you to ssh to a node in the cluster. From there you may be able to access cluster services. This is a non-standard method, and will work on some clusters but not others. Browsers and other tools may or may not be installed. Cluster DNS may not work.
Discovering builtin services
Typically, there are several services which are started on a cluster by kube-system. Get a list of these
with the kubectl cluster-info
kubectl cluster-info
The output is similar to this:
Kubernetes master is running at
elasticsearch-logging is running at
kibana-logging is running at
kube-dns is running at
grafana is running at
heapster is running at
This shows the proxy-verb URL for accessing each service.
For example, this cluster has cluster-level logging enabled (using Elasticsearch), which can be reached
if suitable credentials are passed. Logging can also be reached through a kubectl proxy, for example at:
(See Access Clusters Using the Kubernetes API for how to pass credentials or use kubectl proxy.)
Manually constructing apiserver proxy URLs
As mentioned above, you use the kubectl cluster-info
command to retrieve the service's proxy URL. To create proxy URLs that include service endpoints, suffixes, and parameters, you append to the service's proxy URL:
If you haven't specified a name for your port, you don't have to specify port_name in the URL. You can also use the port number in place of the port_name for both named and unnamed ports.
By default, the API server proxies to your service using http. To use https, prefix the service name with https:
The supported formats for the name segment of the URL are:
- proxies to the default or unnamed port using http<service_name>:<port_name>
- proxies to the specified port name or port number using httphttps:<service_name>:
- proxies to the default or unnamed port using https (note the trailing colon)https:<service_name>:<port_name>
- proxies to the specified port name or port number using https
- To access the Elasticsearch service endpoint
, you would use:
- To access the Elasticsearch cluster health information
, you would use:
"cluster_name" : "kubernetes_logging",
"status" : "yellow",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 5,
"active_shards" : 5,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 5
Using web browsers to access services running on the cluster
You may be able to put an apiserver proxy url into the address bar of a browser. However:
- Web browsers cannot usually pass tokens, so you may need to use basic (password) auth. Apiserver can be configured to accept basic auth, but your cluster may not be configured to accept basic auth.
- Some web apps may not work, particularly those with client side javascript that construct urls in a way that is unaware of the proxy path prefix.
Requesting redirects
The redirect capabilities have been deprecated and removed. Please use a proxy (see below) instead.
So Many Proxies
There are several different proxies you may encounter when using Kubernetes:
The kubectl proxy:
- runs on a user's desktop or in a pod
- proxies from a localhost address to the Kubernetes apiserver
- client to proxy uses HTTP
- proxy to apiserver uses HTTPS
- locates apiserver
- adds authentication headers
The apiserver proxy:
- is a bastion built into the apiserver
- connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
- runs in the apiserver processes
- client to proxy uses HTTPS (or http if apiserver so configured)
- proxy to target may use HTTP or HTTPS as chosen by proxy using available information
- can be used to reach a Node, Pod, or Service
- does load balancing when used to reach a Service
The kube proxy:
- runs on each node
- proxies UDP and TCP
- does not understand HTTP
- provides load balancing
- is only used to reach services
A Proxy/Load-balancer in front of apiserver(s):
- existence and implementation varies from cluster to cluster (e.g. nginx)
- sits between all clients and one or more apiservers
- acts as load balancer if there are several apiservers.
Cloud Load Balancers on external services:
- are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer)
- are created automatically when the Kubernetes service has type
- use UDP/TCP only
- implementation varies by cloud provider.
Kubernetes users will typically not need to worry about anything other than the first two types. The cluster admin will typically ensure that the latter types are setup correctly.
3 - Configure Access to Multiple Clusters
This page shows how to configure access to multiple clusters by using
configuration files. After your clusters, users, and contexts are defined in
one or more configuration files, you can quickly switch between clusters by using the
kubectl config use-context
Note: A file that is used to configure access to a cluster is sometimes called a kubeconfig file. This is a generic way of referring to configuration files. It does not mean that there is a file namedkubeconfig
Warning: Only use kubeconfig files from trusted sources. Using a specially-crafted kubeconfig file could result in malicious code execution or file exposure. If you must use an untrusted kubeconfig file, inspect it carefully first, much as you would a shell script.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
To check that kubectl is installed,
run kubectl version --client
. The kubectl version should be
within one minor version of your
cluster's API server.
Define clusters, users, and contexts
Suppose you have two clusters, one for development work and one for scratch work.
In the development
cluster, your frontend developers work in a namespace called frontend
and your storage developers work in a namespace called storage
. In your scratch
developers work in the default namespace, or they create auxiliary namespaces as they
see fit. Access to the development cluster requires authentication by certificate. Access
to the scratch cluster requires authentication by username and password.
Create a directory named config-exercise
. In your
directory, create a file named config-demo
with this content:
apiVersion: v1
kind: Config
preferences: {}
- cluster:
name: development
- cluster:
name: scratch
- name: developer
- name: experimenter
- context:
name: dev-frontend
- context:
name: dev-storage
- context:
name: exp-scratch
A configuration file describes clusters, users, and contexts. Your config-demo
has the framework to describe two clusters, two users, and three contexts.
Go to your config-exercise
directory. Enter these commands to add cluster details to
your configuration file:
kubectl config --kubeconfig=config-demo set-cluster development --server= --certificate-authority=fake-ca-file
kubectl config --kubeconfig=config-demo set-cluster scratch --server= --insecure-skip-tls-verify
Add user details to your configuration file:
kubectl config --kubeconfig=config-demo set-credentials developer --client-certificate=fake-cert-file --client-key=fake-key-seefile
kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password
- To delete a user you can run
kubectl --kubeconfig=config-demo config unset users.<name>
- To remove a cluster, you can run
kubectl --kubeconfig=config-demo config unset clusters.<name>
- To remove a context, you can run
kubectl --kubeconfig=config-demo config unset contexts.<name>
Add context details to your configuration file:
kubectl config --kubeconfig=config-demo set-context dev-frontend --cluster=development --namespace=frontend --user=developer
kubectl config --kubeconfig=config-demo set-context dev-storage --cluster=development --namespace=storage --user=developer
kubectl config --kubeconfig=config-demo set-context exp-scratch --cluster=scratch --namespace=default --user=experimenter
Open your config-demo
file to see the added details. As an alternative to opening the
file, you can use the config view
kubectl config --kubeconfig=config-demo view
The output shows the two clusters, two users, and three contexts:
apiVersion: v1
- cluster:
certificate-authority: fake-ca-file
name: development
- cluster:
insecure-skip-tls-verify: true
name: scratch
- context:
cluster: development
namespace: frontend
user: developer
name: dev-frontend
- context:
cluster: development
namespace: storage
user: developer
name: dev-storage
- context:
cluster: scratch
namespace: default
user: experimenter
name: exp-scratch
current-context: ""
kind: Config
preferences: {}
- name: developer
client-certificate: fake-cert-file
client-key: fake-key-file
- name: experimenter
password: some-password
username: exp
The fake-ca-file
, fake-cert-file
and fake-key-file
above are the placeholders
for the pathnames of the certificate files. You need to change these to the actual pathnames
of certificate files in your environment.
Sometimes you may want to use Base64-encoded data embedded here instead of separate
certificate files; in that case you need to add the suffix -data
to the keys, for example,
, client-certificate-data
, client-key-data
Each context is a triple (cluster, user, namespace). For example, the
context says, "Use the credentials of the developer
user to access the frontend
namespace of the development
Set the current context:
kubectl config --kubeconfig=config-demo use-context dev-frontend
Now whenever you enter a kubectl
command, the action will apply to the cluster,
and namespace listed in the dev-frontend
context. And the command will use
the credentials of the user listed in the dev-frontend
To see only the configuration information associated with
the current context, use the --minify
kubectl config --kubeconfig=config-demo view --minify
The output shows configuration information associated with the dev-frontend
apiVersion: v1
- cluster:
certificate-authority: fake-ca-file
name: development
- context:
cluster: development
namespace: frontend
user: developer
name: dev-frontend
current-context: dev-frontend
kind: Config
preferences: {}
- name: developer
client-certificate: fake-cert-file
client-key: fake-key-file
Now suppose you want to work for a while in the scratch cluster.
Change the current context to exp-scratch
kubectl config --kubeconfig=config-demo use-context exp-scratch
Now any kubectl
command you give will apply to the default namespace of
the scratch
cluster. And the command will use the credentials of the user
listed in the exp-scratch
View configuration associated with the new current context, exp-scratch
kubectl config --kubeconfig=config-demo view --minify
Finally, suppose you want to work for a while in the storage
namespace of the
Change the current context to dev-storage
kubectl config --kubeconfig=config-demo use-context dev-storage
View configuration associated with the new current context, dev-storage
kubectl config --kubeconfig=config-demo view --minify
Create a second configuration file
In your config-exercise
directory, create a file named config-demo-2
with this content:
apiVersion: v1
kind: Config
preferences: {}
- context:
cluster: development
namespace: ramp
user: developer
name: dev-ramp-up
The preceding configuration file defines a new context named dev-ramp-up
Set the KUBECONFIG environment variable
See whether you have an environment variable named KUBECONFIG
. If so, save the
current value of your KUBECONFIG
environment variable, so you can restore it later.
For example:
Windows PowerShell
environment variable is a list of paths to configuration files. The list is
colon-delimited for Linux and Mac, and semicolon-delimited for Windows. If you have
environment variable, familiarize yourself with the configuration files
in the list.
Temporarily append two paths to your KUBECONFIG
environment variable. For example:
export KUBECONFIG=$KUBECONFIG:config-demo:config-demo-2
Windows PowerShell
In your config-exercise
directory, enter this command:
kubectl config view
The output shows merged information from all the files listed in your KUBECONFIG
environment variable. In particular, notice that the merged information has the
context from the config-demo-2
file and the three contexts from
the config-demo
- context:
cluster: development
namespace: frontend
user: developer
name: dev-frontend
- context:
cluster: development
namespace: ramp
user: developer
name: dev-ramp-up
- context:
cluster: development
namespace: storage
user: developer
name: dev-storage
- context:
cluster: scratch
namespace: default
user: experimenter
name: exp-scratch
For more information about how kubeconfig files are merged, see Organizing Cluster Access Using kubeconfig Files
Explore the $HOME/.kube directory
If you already have a cluster, and you can use kubectl
to interact with
the cluster, then you probably have a file named config
in the $HOME/.kube
Go to $HOME/.kube
, and see what files are there. Typically, there is a file named
. There might also be other configuration files in this directory. Briefly
familiarize yourself with the contents of these files.
Append $HOME/.kube/config to your KUBECONFIG environment variable
If you have a $HOME/.kube/config
file, and it's not already listed in your
environment variable, append it to your KUBECONFIG
environment variable now.
For example:
export KUBECONFIG=$KUBECONFIG:$HOME/.kube/config
Windows Powershell
View configuration information merged from all the files that are now listed
environment variable. In your config-exercise directory, enter:
kubectl config view
Clean up
Return your KUBECONFIG
environment variable to its original value. For example:
Windows PowerShell
4 - Use Port Forwarding to Access Applications in a Cluster
This page shows how to use kubectl port-forward
to connect to a MongoDB
server running in a Kubernetes cluster. This type of connection can be useful
for database debugging.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
Your Kubernetes server must be at or later than version v1.10. To check the version, enterkubectl version
.Install MongoDB Shell.
Creating MongoDB deployment and service
Create a Deployment that runs MongoDB:
kubectl apply -f
The output of a successful command verifies that the deployment was created:
deployment.apps/mongo created
View the pod status to check that it is ready:
kubectl get pods
The output displays the pod created:
NAME READY STATUS RESTARTS AGE mongo-75f59d57f4-4nd6q 1/1 Running 0 2m4s
View the Deployment's status:
kubectl get deployment
The output displays that the Deployment was created:
The Deployment automatically manages a ReplicaSet. View the ReplicaSet status using:
kubectl get replicaset
The output displays that the ReplicaSet was created:
NAME DESIRED CURRENT READY AGE mongo-75f59d57f4 1 1 1 3m12s
Create a Service to expose MongoDB on the network:
kubectl apply -f
The output of a successful command verifies that the Service was created:
service/mongo created
Check the Service created:
kubectl get service mongo
The output displays the service created:
Verify that the MongoDB server is running in the Pod, and listening on port 27017:
# Change mongo-75f59d57f4-4nd6q to the name of the Pod kubectl get pod mongo-75f59d57f4-4nd6q --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}'
The output displays the port for MongoDB in that Pod:
(this is the TCP port allocated to MongoDB on the internet).
Forward a local port to a port on the Pod
kubectl port-forward
allows using resource name, such as a pod name, to select a matching pod to port forward to.# Change mongo-75f59d57f4-4nd6q to the name of the Pod kubectl port-forward mongo-75f59d57f4-4nd6q 28015:27017
which is the same as
kubectl port-forward pods/mongo-75f59d57f4-4nd6q 28015:27017
kubectl port-forward deployment/mongo 28015:27017
kubectl port-forward replicaset/mongo-75f59d57f4 28015:27017
kubectl port-forward service/mongo 28015:27017
Any of the above commands works. The output is similar to this:
Forwarding from -> 27017 Forwarding from [::1]:28015 -> 27017
Note:kubectl port-forward
does not return. To continue with the exercises, you will need to open another terminal.
Start the MongoDB command line interface:
mongosh --port 28015
At the MongoDB command line prompt, enter the
command:db.runCommand( { ping: 1 } )
A successful ping request returns:
{ ok: 1 }
Optionally let kubectl choose the local port
If you don't need a specific local port, you can let kubectl
choose and allocate
the local port and thus relieve you from having to manage local port conflicts, with
the slightly simpler syntax:
kubectl port-forward deployment/mongo :27017
The kubectl
tool finds a local port number that is not in use (avoiding low ports numbers,
because these might be used by other applications). The output is similar to:
Forwarding from -> 27017
Forwarding from [::1]:63753 -> 27017
Connections made to local port 28015 are forwarded to port 27017 of the Pod that is running the MongoDB server. With this connection in place, you can use your local workstation to debug the database that is running in the Pod.
Note:kubectl port-forward
is implemented for TCP ports only. The support for UDP protocol is tracked in issue 47862.
5 - Use a Service to Access an Application in a Cluster
This page shows how to create a Kubernetes Service object that external clients can use to access an application running in a cluster. The Service provides load balancing for an application that has two running instances.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
To check the version, enterkubectl version
- Run two instances of a Hello World application.
- Create a Service object that exposes a node port.
- Use the Service object to access the running application.
Creating a service for an application running in two pods
Here is the configuration file for the application Deployment:
apiVersion: apps/v1
kind: Deployment
name: hello-world
run: load-balancer-example
replicas: 2
run: load-balancer-example
- name: hello-world
- containerPort: 8080
protocol: TCP
Run a Hello World application in your cluster: Create the application Deployment using the file above:
kubectl apply -f
The preceding command creates a Deployment and an associated ReplicaSet. The ReplicaSet has two Pods each of which runs the Hello World application.
Display information about the Deployment:
kubectl get deployments hello-world kubectl describe deployments hello-world
Display information about your ReplicaSet objects:
kubectl get replicasets kubectl describe replicasets
Create a Service object that exposes the deployment:
kubectl expose deployment hello-world --type=NodePort --name=example-service
Display information about the Service:
kubectl describe services example-service
The output is similar to this:
Name: example-service Namespace: default Labels: run=load-balancer-example Annotations: <none> Selector: run=load-balancer-example Type: NodePort IP: Port: <unset> 8080/TCP TargetPort: 8080/TCP NodePort: <unset> 31496/TCP Endpoints:, Session Affinity: None Events: <none>
Make a note of the NodePort value for the service. For example, in the preceding output, the NodePort value is 31496.
List the pods that are running the Hello World application:
kubectl get pods --selector="run=load-balancer-example" --output=wide
The output is similar to this:
NAME READY STATUS ... IP NODE hello-world-2895499144-bsbk5 1/1 Running ... worker1 hello-world-2895499144-m1pwt 1/1 Running ... worker2
Get the public IP address of one of your nodes that is running a Hello World pod. How you get this address depends on how you set up your cluster. For example, if you are using Minikube, you can see the node address by running
kubectl cluster-info
. If you are using Google Compute Engine instances, you can use thegcloud compute instances list
command to see the public addresses of your nodes.On your chosen node, create a firewall rule that allows TCP traffic on your node port. For example, if your Service has a NodePort value of 31568, create a firewall rule that allows TCP traffic on port 31568. Different cloud providers offer different ways of configuring firewall rules.
Use the node address and node port to access the Hello World application:
curl http://<public-node-ip>:<node-port>
is the public IP address of your node, and<node-port>
is the NodePort value for your service. The response to a successful request is a hello message:Hello Kubernetes!
Using a service configuration file
As an alternative to using kubectl expose
, you can use a
service configuration file
to create a Service.
Cleaning up
To delete the Service, enter this command:
kubectl delete services example-service
To delete the Deployment, the ReplicaSet, and the Pods that are running the Hello World application, enter this command:
kubectl delete deployment hello-world
6 - Connect a Frontend to a Backend Using Services
This task shows how to create a frontend and a backend microservice. The backend microservice is a hello greeter. The frontend exposes the backend using nginx and a Kubernetes Service object.
- Create and run a sample
backend microservice using a Deployment object. - Use a Service object to send traffic to the backend microservice's multiple replicas.
- Create and run a
frontend microservice, also using a Deployment object. - Configure the frontend microservice to send traffic to the backend microservice.
- Use a Service object of
to expose the frontend microservice outside the cluster.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
To check the version, enterkubectl version
.This task uses Services with external load balancers, which require a supported environment. If your environment does not support this, you can use a Service of type NodePort instead.
Creating the backend using a Deployment
The backend is a simple hello greeter microservice. Here is the configuration file for the backend Deployment:
apiVersion: apps/v1
kind: Deployment
name: backend
app: hello
tier: backend
track: stable
replicas: 3
app: hello
tier: backend
track: stable
- name: hello
image: ""
- name: http
containerPort: 80
Create the backend Deployment:
kubectl apply -f
View information about the backend Deployment:
kubectl describe deployment backend
The output is similar to this:
Name: backend
Namespace: default
CreationTimestamp: Mon, 24 Oct 2016 14:21:02 -0700
Labels: app=hello
Selector: app=hello,tier=backend,track=stable
Replicas: 3 desired | 3 updated | 3 total | 3 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 1 max unavailable, 1 max surge
Pod Template:
Labels: app=hello
Image: ""
Port: 80/TCP
Environment: <none>
Mounts: <none>
Volumes: <none>
Type Status Reason
---- ------ ------
Available True MinimumReplicasAvailable
Progressing True NewReplicaSetAvailable
OldReplicaSets: <none>
NewReplicaSet: hello-3621623197 (3/3 replicas created)
Creating the hello
Service object
The key to sending requests from a frontend to a backend is the backend Service. A Service creates a persistent IP address and DNS name entry so that the backend microservice can always be reached. A Service uses selectors to find the Pods that it routes traffic to.
First, explore the Service configuration file:
apiVersion: v1
kind: Service
name: hello
app: hello
tier: backend
- protocol: TCP
port: 80
targetPort: http
In the configuration file, you can see that the Service, named hello
traffic to Pods that have the labels app: hello
and tier: backend
Create the backend Service:
kubectl apply -f
At this point, you have a backend
Deployment running three replicas of your hello
application, and you have a Service that can route traffic to them. However, this
service is neither available nor resolvable outside the cluster.
Creating the frontend
Now that you have your backend running, you can create a frontend that is accessible outside the cluster, and connects to the backend by proxying requests to it.
The frontend sends requests to the backend worker Pods by using the DNS name
given to the backend Service. The DNS name is hello
, which is the value
of the name
field in the examples/service/access/backend-service.yaml
configuration file.
The Pods in the frontend Deployment run a nginx image that is configured
to proxy requests to the hello
backend Service. Here is the nginx configuration file:
# The identifier Backend is internal to nginx, and used to name this specific upstream
upstream Backend {
# hello is the internal DNS name used by the backend Service inside Kubernetes
server hello;
server {
listen 80;
location / {
# The following statement will proxy traffic to the upstream named Backend
proxy_pass http://Backend;
Similar to the backend, the frontend has a Deployment and a Service. An important
difference to notice between the backend and frontend services, is that the
configuration for the frontend Service has type: LoadBalancer
, which means that
the Service uses a load balancer provisioned by your cloud provider and will be
accessible from outside the cluster.
apiVersion: v1
kind: Service
name: frontend
app: hello
tier: frontend
- protocol: "TCP"
port: 80
targetPort: 80
type: LoadBalancer
apiVersion: apps/v1
kind: Deployment
name: frontend
app: hello
tier: frontend
track: stable
replicas: 1
app: hello
tier: frontend
track: stable
- name: nginx
image: ""
command: ["/usr/sbin/nginx","-s","quit"]
Create the frontend Deployment and Service:
kubectl apply -f
kubectl apply -f
The output verifies that both resources were created:
deployment.apps/frontend created
service/frontend created
Note: The nginx configuration is baked into the container image. A better way to do this would be to use a ConfigMap, so that you can change the configuration more easily.
Interact with the frontend Service
Once you've created a Service of type LoadBalancer, you can use this command to find the external IP:
kubectl get service frontend --watch
This displays the configuration for the frontend
Service and watches for
changes. Initially, the external IP is listed as <pending>
frontend LoadBalancer <pending> 80/TCP 10s
As soon as an external IP is provisioned, however, the configuration updates
to include the new IP under the EXTERNAL-IP
frontend LoadBalancer XXX.XXX.XXX.XXX 80/TCP 1m
That IP can now be used to interact with the frontend
service from outside the
Send traffic through the frontend
The frontend and backend are now connected. You can hit the endpoint by using the curl command on the external IP of your frontend Service.
curl http://${EXTERNAL_IP} # replace this with the EXTERNAL-IP you saw earlier
The output shows the message generated by the backend:
Cleaning up
To delete the Services, enter this command:
kubectl delete services frontend backend
To delete the Deployments, the ReplicaSets and the Pods that are running the backend and frontend applications, enter this command:
kubectl delete deployment frontend backend
This page shows how to create an External Load Balancer.
Note: This feature is only available for cloud providers or environments which support external load balancers.
When creating a service, you have the option of automatically creating a cloud network load balancer. This provides an externally-accessible IP address that sends traffic to the correct port on your cluster nodes provided your cluster runs in a supported environment and is configured with the correct cloud load balancer provider package.
For information on provisioning and using an Ingress resource that can give services externally-reachable URLs, load balance the traffic, terminate SSL etc., please check the Ingress documentation.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
To check the version, enterkubectl version
Configuration file
To create an external load balancer, add the following line to your service configuration file:
type: LoadBalancer
Your configuration file might look like:
apiVersion: v1
kind: Service
name: example-service
app: example
- port: 8765
targetPort: 9376
type: LoadBalancer
Using kubectl
You can alternatively create the service with the kubectl expose
command and
its --type=LoadBalancer
kubectl expose rc example --port=8765 --target-port=9376 \
--name=example-service --type=LoadBalancer
This command creates a new service using the same selectors as the referenced
resource (in the case of the example above, a replication controller named
For more information, including optional flags, refer to the
kubectl expose
Finding your IP address
You can find the IP address created for your service by getting the service
information through kubectl
kubectl describe services example-service
which should produce output like this:
Name: example-service
Namespace: default
Labels: <none>
Annotations: <none>
Selector: app=example
Type: LoadBalancer
LoadBalancer Ingress:
Port: <unnamed> 80/TCP
NodePort: <unnamed> 32445/TCP
Session Affinity: None
Events: <none>
The IP address is listed next to LoadBalancer Ingress
Note: If you are running your service on Minikube, you can find the assigned IP address and port with:
minikube service example-service --url
Preserving the client source IP
Due to the implementation of this feature, the source IP seen in the target container is not the original source IP of the client. To enable preservation of the client IP, the following fields can be configured in the service spec (supported in GCE/Google Kubernetes Engine environments):
- denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. There are two available options: Cluster (default) and Local. Cluster obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. Local preserves the client source IP and avoids a second hop for LoadBalancer and NodePort type services, but risks potentially imbalanced traffic spreading.service.spec.healthCheckNodePort
- specifies the health check node port (numeric port number) for the service. IfhealthCheckNodePort
isn't specified, the service controller allocates a port from your cluster's NodePort range. You can configure that range by setting an API server command line option,--service-node-port-range
. It will use the user-specifiedhealthCheckNodePort
value if specified by the client. It only has an effect whentype
is set to LoadBalancer andexternalTrafficPolicy
is set to Local.
Setting externalTrafficPolicy
to Local in the Service configuration file
activates this feature.
apiVersion: v1
kind: Service
name: example-service
app: example
- port: 8765
targetPort: 9376
externalTrafficPolicy: Local
type: LoadBalancer
Garbage Collecting Load Balancers
Kubernetes v1.17 [stable]
In usual case, the correlating load balancer resources in cloud provider should be cleaned up soon after a LoadBalancer type Service is deleted. But it is known that there are various corner cases where cloud resources are orphaned after the associated Service is deleted. Finalizer Protection for Service LoadBalancers was introduced to prevent this from happening. By using finalizers, a Service resource will never be deleted until the correlating load balancer resources are also deleted.
Specifically, if a Service has type
LoadBalancer, the service controller will attach
a finalizer named
The finalizer will only be removed after the load balancer resource is cleaned up.
This prevents dangling load balancer resources even in corner cases such as the
service controller crashing.
External Load Balancer Providers
It is important to note that the datapath for this functionality is provided by a load balancer external to the Kubernetes cluster.
When the Service type
is set to LoadBalancer, Kubernetes provides functionality equivalent to type
equals ClusterIP to pods
within the cluster and extends it by programming the (external to Kubernetes) load balancer with entries for the Kubernetes
pods. The Kubernetes service controller automates the creation of the external load balancer, health checks (if needed),
firewall rules (if needed) and retrieves the external IP allocated by the cloud provider and populates it in the service
Caveats and Limitations when preserving source IPs
GCE/AWS load balancers do not provide weights for their target pools. This was not an issue with the old LB kube-proxy rules which would correctly balance across all endpoints.
With the new functionality, the external traffic is not equally load balanced across pods, but rather equally balanced at the node level (because GCE/AWS and other external LB implementations do not have the ability for specifying the weight per node, they balance equally across all target nodes, disregarding the number of pods on each node).
We can, however, state that for NumServicePods << NumNodes or NumServicePods >> NumNodes, a fairly close-to-equal distribution will be seen, even without weights.
Once the external load balancers provide weights, this functionality can be added to the LB programming path. Future Work: No support for weights is provided for the 1.4 release, but may be added at a future date
Internal pod to pod traffic should behave similar to ClusterIP services, with equal probability across all pods.
8 - List All Container Images Running in a Cluster
This page shows how to use kubectl to list all of the Container images for Pods running in a cluster.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
To check the version, enterkubectl version
.In this exercise you will use kubectl to fetch all of the Pods running in a cluster, and format the output to pull out the list of Containers for each.
List all Container images in all namespaces
- Fetch all Pods in all namespaces using
kubectl get pods --all-namespaces
- Format the output to include only the list of Container image names
-o jsonpath={.items[*].spec.containers[*].image}
. This will recursively parse out theimage
field from the returned json.- See the jsonpath reference for further information on how to use jsonpath.
- Format the output using standard tools:
- Use
to replace spaces with newlines - Use
to sort the results - Use
to aggregate image counts
- Use
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |\
tr -s '[[:space:]]' '\n' |\
sort |\
uniq -c
The above command will recursively return all fields named image
for all items returned.
As an alternative, it is possible to use the absolute path to the image
field within the Pod. This ensures the correct field is retrieved
even when the field name is repeated,
e.g. many fields are called name
within a given item:
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}"
The jsonpath is interpreted as follows:
: for each returned value.spec
: get the spec.containers[*]
: for each container.image
: get the image
Note: When fetching a single Pod by name, for examplekubectl get pod nginx
, the.items[*]
portion of the path should be omitted because a single Pod is returned instead of a list of items.
List Container images by Pod
The formatting can be controlled further by using the range
operation to
iterate over elements individually.
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{"\n"}{}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{end}' |\
List Container images filtering by Pod label
To target only Pods matching a specific label, use the -l flag. The
following matches only Pods with labels matching app=nginx
kubectl get pods --all-namespaces -o=jsonpath="{.items[*].spec.containers[*].image}" -l app=nginx
List Container images filtering by Pod namespace
To target only pods in a specific namespace, use the namespace flag. The
following matches only Pods in the kube-system
kubectl get pods --namespace kube-system -o jsonpath="{.items[*].spec.containers[*].image}"
List Container images using a go-template instead of jsonpath
As an alternative to jsonpath, Kubectl supports using go-templates for formatting the output:
kubectl get pods --all-namespaces -o go-template --template="{{range .items}}{{range .spec.containers}}{{.image}} {{end}}{{end}}"
9 - Set up Ingress on Minikube with the NGINX Ingress Controller
An Ingress is an API object that defines rules which allow external access to services in a cluster. An Ingress controller fulfills the rules set in the Ingress.
This page shows you how to set up a simple Ingress which routes requests to Service web or web2 depending on the HTTP URI.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
To check the version, enterkubectl version
.Create a Minikube cluster
Click Launch Terminal
(Optional) If you installed Minikube locally, run the following command:
minikube start
Enable the Ingress controller
To enable the NGINX Ingress controller, run the following command:
minikube addons enable ingress
Verify that the NGINX Ingress controller is running
kubectl get pods -n kube-system
Note: This can take up to a minute.Output:
NAME READY STATUS RESTARTS AGE default-http-backend-59868b7dd6-xb8tq 1/1 Running 0 1m kube-addon-manager-minikube 1/1 Running 0 3m kube-dns-6dcb57bcc8-n4xd4 3/3 Running 0 2m kubernetes-dashboard-5498ccf677-b8p5h 1/1 Running 0 2m nginx-ingress-controller-5984b97644-rnkrg 1/1 Running 0 1m storage-provisioner 1/1 Running 0 2m
Deploy a hello, world app
Create a Deployment using the following command:
kubectl create deployment web
deployment.apps/web created
Expose the Deployment:
kubectl expose deployment web --type=NodePort --port=8080
service/web exposed
Verify the Service is created and is available on a node port:
kubectl get service web
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE web NodePort <none> 8080:31637/TCP 12m
Visit the service via NodePort:
minikube service web --url
Note: Katacoda environment only: at the top of the terminal panel, click the plus sign, and then click Select port to view on Host 1. Enter the NodePort, in this case31637
, and then click Display Port.Output:
Hello, world! Version: 1.0.0 Hostname: web-55b8c6998d-8k564
You can now access the sample app via the Minikube IP address and NodePort. The next step lets you access the app using the Ingress resource.
Create an Ingress resource
The following file is an Ingress resource that sends traffic to your Service via
- Create
from the following file:
kind: Ingress
name: example-ingress
annotations: /$1
- host:
- path: /
pathType: Prefix
name: web
number: 8080
Create the Ingress resource by running the following command:
kubectl apply -f
Output: created
Verify the IP address is set:
kubectl get ingress
Note: This can take a couple of minutes.NAME CLASS HOSTS ADDRESS PORTS AGE example-ingress <none> 80 38s
Add the following line to the bottom of the
file.Note: If you are running Minikube locally, useminikube ip
to get the external IP. The IP address displayed within the ingress list will be the internal IP.
This sends requests from to Minikube.
Verify that the Ingress controller is directing traffic:
Hello, world! Version: 1.0.0 Hostname: web-55b8c6998d-8k564
Note: If you are running Minikube locally, you can visit from your browser.
Create Second Deployment
Create a v2 Deployment using the following command:
kubectl create deployment web2
deployment.apps/web2 created
Expose the Deployment:
kubectl expose deployment web2 --port=8080 --type=NodePort
service/web2 exposed
Edit Ingress
Edit the existing
and add the following lines:- path: /v2 pathType: Prefix backend: service: name: web2 port: number: 8080
Apply the changes:
kubectl apply -f example-ingress.yaml
ingress.networking/example-ingress configured
Test Your Ingress
Access the 1st version of the Hello World app.
Hello, world! Version: 1.0.0 Hostname: web-55b8c6998d-8k564
Access the 2nd version of the Hello World app.
Hello, world! Version: 2.0.0 Hostname: web2-75cd47646f-t8cjk
Note: If you are running Minikube locally, you can visit and from your browser.
10 - Communicate Between Containers in the Same Pod Using a Shared Volume
This page shows how to use a Volume to communicate between two Containers running in the same Pod. See also how to allow processes to communicate by sharing process namespace between containers.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
To check the version, enterkubectl version
.Creating a Pod that runs two Containers
In this exercise, you create a Pod that runs two Containers. The two containers share a Volume that they can use to communicate. Here is the configuration file for the Pod:
apiVersion: v1
kind: Pod
name: two-containers
restartPolicy: Never
- name: shared-data
emptyDir: {}
- name: nginx-container
image: nginx
- name: shared-data
mountPath: /usr/share/nginx/html
- name: debian-container
image: debian
- name: shared-data
mountPath: /pod-data
command: ["/bin/sh"]
args: ["-c", "echo Hello from the debian container > /pod-data/index.html"]
In the configuration file, you can see that the Pod has a Volume named
The first container listed in the configuration file runs an nginx server. The
mount path for the shared Volume is /usr/share/nginx/html
The second container is based on the debian image, and has a mount path of
. The second container runs the following command and then terminates.
echo Hello from the debian container > /pod-data/index.html
Notice that the second container writes the index.html
file in the root
directory of the nginx server.
Create the Pod and the two Containers:
kubectl apply -f
View information about the Pod and the Containers:
kubectl get pod two-containers --output=yaml
Here is a portion of the output:
apiVersion: v1
kind: Pod
name: two-containers
namespace: default
- containerID: docker://c1d8abd1 ...
image: debian
name: debian-container
- containerID: docker://96c1ff2c5bb ...
image: nginx
name: nginx-container
You can see that the debian Container has terminated, and the nginx Container is still running.
Get a shell to nginx Container:
kubectl exec -it two-containers -c nginx-container -- /bin/bash
In your shell, verify that nginx is running:
root@two-containers:/# apt-get update
root@two-containers:/# apt-get install curl procps
root@two-containers:/# ps aux
The output is similar to this:
root 1 ... Ss 21:12 0:00 nginx: master process nginx -g daemon off;
Recall that the debian Container created the index.html
file in the nginx root
directory. Use curl
to send a GET request to the nginx server:
root@two-containers:/# curl localhost
The output shows that nginx serves a web page written by the debian container:
Hello from the debian container
The primary reason that Pods can have multiple containers is to support helper applications that assist a primary application. Typical examples of helper applications are data pullers, data pushers, and proxies. Helper and primary applications often need to communicate with each other. Typically this is done through a shared filesystem, as shown in this exercise, or through the loopback network interface, localhost. An example of this pattern is a web server along with a helper program that polls a Git repository for new updates.
The Volume in this exercise provides a way for Containers to communicate during the life of the Pod. If the Pod is deleted and recreated, any data stored in the shared Volume is lost.
11 - Configure DNS for a Cluster
Kubernetes offers a DNS cluster addon, which most of the supported environments enable by default. In Kubernetes version 1.11 and later, CoreDNS is recommended and is installed by default with kubeadm.
For more information on how to configure CoreDNS for a Kubernetes cluster, see the Customizing DNS Service. An example demonstrating how to use Kubernetes DNS with kube-dns, see the Kubernetes DNS sample plugin.