The Kubernetes Cheat Sheet They Don’t Teach You — 20 Hidden Commands Every SRE Must Know

Why the basics aren’t enough

Every Kubernetes book covers the same 10 commands. But production incidents don’t wait for you to open a tutorial. The engineers who resolve P0s in five minutes are the ones who know exactly which flag to reach for when a pod is crash-looping inside a distroless image, or when they need to compare resource requests across every node in a 200-node cluster without writing a script.

The 20 commands below are grouped by what you’re trying to do. Copy them, adapt the namespaces and resource names, and you’ll have a solid mental model before your next on-call shift — or your CKA exam.

1. Debug a running container without SSH

01 Inject an ephemeral debug container

Distroless images have no shell. Before Kubernetes 1.23 you were stuck. Now you can attach a full debug image as an ephemeral sidecar without restarting the pod:

# Attach a busybox shell into a running pod (non-destructive, pod keeps running)
kubectl debug -it my-pod \
  --image=busybox:1.36 \
  --target=my-container \
  -n production

The --target flag shares the process namespace with my-container, so you can inspect its filesystem via /proc/<pid>/root. The ephemeral container disappears when you exit. Nothing is restarted.

02 Clone a failing pod onto a node for live debugging

Sometimes you need the exact same environment but with a shell baked in. kubectl debug can clone the pod spec and override the image in one command:

# Clone the pod, swap the image with one that has a shell
kubectl debug my-pod \
  --copy-to=my-pod-debug \
  --image=ubuntu:22.04 \
  --share-processes \
  -it -- bash

The cloned pod gets a new name (my-pod-debug), shares the process tree with all original containers, and drops you into bash. Delete it manually when you’re done.

2. Extract exactly the data you need with JSONPath

03 Get one field from every pod in the cluster

# Print pod name + node it is running on, all namespaces
kubectl get pods -A \
  -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.nodeName}{"\n"}{end}'

04 List every image in use across the cluster

# Unique container images, sorted and deduplicated
kubectl get pods -A \
  -o jsonpath='{.items[*].spec.containers[*].image}' \
  | tr ' ' '\n' | sort -u

05 Find all pods NOT in Running state

# Field selector filters server-side — much faster than grep on large clusters
kubectl get pods -A --field-selector=status.phase!=Running

06 Custom columns — build your own table

# Show name, status, restart count, and node in one clean table
kubectl get pods -n production \
  -o custom-columns=\
'NAME:.metadata.name,\
STATUS:.status.phase,\
RESTARTS:.status.containerStatuses[0].restartCount,\
NODE:.spec.nodeName'

3. Understand what’s happening right now

07 Sort events by timestamp to find the real cause

The default kubectl get events output is unordered and noisy. This one-liner shows the most recent events first, with the involved object and reason visible at a glance:

# Most recent events first — add -n <namespace> to narrow scope
kubectl get events -A \
  --sort-by='.lastTimestamp' \
  | tail -30

08 Watch events for a specific object in real time

kubectl get events -n production \
  --field-selector involvedObject.name=my-deployment \
  -w

09 See resource usage across all nodes

# Requires metrics-server — shows CPU and memory as % of allocatable
kubectl top nodes --sort-by=cpu

10 See which pods are consuming the most memory

kubectl top pods -A --sort-by=memory | head -20

4. Generate YAML without touching the cluster

11 Dry-run to generate a clean resource manifest

This is the single most important CKA exam speed-up. Never write YAML from scratch — generate a skeleton and edit it:

# Generate a Deployment manifest without creating anything
kubectl create deployment nginx \
  --image=nginx:1.25 \
  --replicas=3 \
  --dry-run=client \
  -o yaml > nginx-deploy.yaml

# Same trick for any resource type
kubectl create configmap app-config \
  --from-literal=ENV=production \
  --dry-run=client -o yaml

kubectl create secret generic db-creds \
  --from-literal=password=s3cr3t \
  --dry-run=client -o yaml

kubectl expose deployment nginx \
  --port=80 --target-port=80 --type=ClusterIP \
  --dry-run=client -o yaml

5. Apply changes surgically

12 Patch a single field without editing the full YAML

# Change image of a specific container in a deployment
kubectl set image deployment/nginx nginx=nginx:1.26 -n production

# Or use a strategic merge patch inline
kubectl patch deployment nginx \
  -p '{"spec":{"replicas":5}}' \
  -n production

13 Force-replace a resource (use sparingly)

# Deletes the resource then recreates it — useful for immutable fields
kubectl replace --force -f resource.yaml

14 Rollout commands every engineer should know

# View rollout history
kubectl rollout history deployment/nginx -n production

# Roll back to the previous revision
kubectl rollout undo deployment/nginx -n production

# Roll back to a specific revision
kubectl rollout undo deployment/nginx --to-revision=3 -n production

# Pause a rolling update mid-way (canary-style)
kubectl rollout pause deployment/nginx -n production

# Resume
kubectl rollout resume deployment/nginx -n production

6. Inspect cluster internals

15 Find all API resources the cluster supports

# Full list with API group, version, and whether namespaced
kubectl api-resources --verbs=list --namespaced -o wide

# Filter to just custom resource definitions
kubectl api-resources | grep -v "^NAME" | awk '{print $5}' | sort -u

16 Explain any field in the API schema

# Works offline — reads from the server's OpenAPI schema
kubectl explain pod.spec.containers.livenessProbe
kubectl explain networkpolicy.spec.ingress.from
kubectl explain persistentvolumeclaim.spec --recursive

17 Check what permissions a ServiceAccount has

# Can the 'ci-runner' SA in 'ci' namespace create pods?
kubectl auth can-i create pods \
  --as=system:serviceaccount:ci:ci-runner \
  -n production

# Dump ALL permissions for a subject
kubectl auth can-i --list \
  --as=system:serviceaccount:ci:ci-runner \
  -n production

7. Copy files and port-forward without SSH

18 Copy files into or out of a running container

# Download a log file from a pod
kubectl cp production/my-pod:/var/log/app.log ./app.log

# Upload a config file into a running container
kubectl cp ./override.conf production/my-pod:/etc/app/override.conf

19 Port-forward to a service (not just a pod)

# Forward local 8080 → service port 80, works even without Ingress
kubectl port-forward svc/my-service 8080:80 -n production

# Forward to a pod directly by label selector (round-robin if multiple)
kubectl port-forward \
  $(kubectl get pod -n production -l app=nginx -o name | head -1) \
  9090:80 -n production

20 Label-based filtering on every resource type

# Get all resources with a given label across resource types
kubectl get all -l app=frontend -n production

# Show labels as a column in the output
kubectl get pods -n production --show-labels

# Overwrite a label on a running pod (useful to remove it from a Service's selector)
kubectl label pod my-pod app=frontend-debug --overwrite -n production

The cheat sheet at a glance

Here are all 20 grouped by category so you can scan them during an incident or exam:

## DEBUG
kubectl debug -it <pod> --image=busybox --target=<container>         # 01 ephemeral container
kubectl debug <pod> --copy-to=<name> --image=ubuntu -it -- bash      # 02 clone pod for debug

## JSONPATH / OUTPUT
kubectl get pods -A -o jsonpath='{range .items[*]}{...}{end}'          # 03 multi-field extract
kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}' # 04 all images
kubectl get pods -A --field-selector=status.phase!=Running             # 05 non-running pods
kubectl get pods -o custom-columns='NAME:.metadata.name,...'           # 06 custom table

## EVENTS / OBSERVABILITY
kubectl get events -A --sort-by='.lastTimestamp' | tail -30           # 07 recent events
kubectl get events --field-selector involvedObject.name=<obj> -w      # 08 watch one object
kubectl top nodes --sort-by=cpu                                        # 09 node resource usage
kubectl top pods -A --sort-by=memory | head -20                        # 10 top memory pods

## DRY-RUN / GENERATE YAML
kubectl create deployment ... --dry-run=client -o yaml                 # 11 generate deploy yaml

## PATCHING / ROLLOUTS
kubectl set image deployment/<d> <c>=<image>                         # 12 update image
kubectl replace --force -f resource.yaml                               # 13 force-replace
kubectl rollout undo/pause/resume/history deployment/<d>               # 14 rollout controls

## CLUSTER INTERNALS
kubectl api-resources --verbs=list --namespaced -o wide               # 15 all API resources
kubectl explain pod.spec.containers.livenessProbe --recursive          # 16 schema explorer
kubectl auth can-i create pods --as=system:serviceaccount:ns:sa        # 17 RBAC check

## FILES / PORT-FORWARD
kubectl cp <ns>/<pod>:/remote/path ./local/path                       # 18 copy files
kubectl port-forward svc/<svc> <local>:<remote>                      # 19 port-forward svc
kubectl get all -l app=<label> --show-labels                          # 20 label filtering

Exam tie-in: CKA, CKAD, and CKS

If you’re preparing for any of the CNCF Kubernetes certifications, these 20 commands appear repeatedly in the exam environment:

• CKA (Certified Kubernetes Administrator): Commands 01, 07, 08, 11, 14, 15, 16, 17 are core to the troubleshooting and cluster management domains. The 2-hour exam rewards speed, so --dry-run=client fluency is essential.
• CKAD (Certified Kubernetes Application Developer): Commands 03, 04, 06, 11, 12, 18, 19, 20 map directly to the application deployment, environment config, and services domains. Custom columns and JSONPath will save you 20+ minutes.
• CKS (Certified Kubernetes Security Specialist): Command 17 (kubectl auth can-i --list) is invaluable for RBAC audit tasks. Combine it with kubectl get rolebindings -o yaml to verify least-privilege configurations quickly.

The CKA exam allows the Kubernetes documentation. The commands above won’t be in the docs as one-liners. Practise them until they’re in your fingers, not your browser history.