Recommended usage conventions for kubectl.
kubectl in Reusable ScriptsFor a stable output in a script:
-o name, -o json, -o yaml, -o go-template, or -o jsonpath.jobs.v1.batch/myjob. This will ensure that kubectl does not use its default version that can change over time.--subresource argument for kubectl subcommands such as get, patch,
edit, apply and replace to fetch and update subresources for all resources that
support them. In Kubernetes version 1.36, only the status, scale
and resize subresources are supported.kubectl edit, the scale subresource is not supported. If you use --subresource with
kubectl edit and specify scale as the subresource, the command will error out.status subresource to a new value, keep in mind that the subresource could be potentially
reconciled by a controller to a different value.kubectl runFor kubectl run to satisfy infrastructure as code:
:v1234, v1.2.3, r03062016-1-4, rather than :latest (For more information, see Kubernetes Configuration Good Practices).kubectl run flags.You can use the --dry-run=client flag to preview the object that would be sent to your cluster, without really submitting it.
kubectl proxyBrowsing untrusted pod or service endpoints through kubectl proxy is dangerous,
as the served content has implicit access to the Kubernetes API using the proxy's
credentials. Use caution and avoid accessing untrusted endpoints while using
privileged credentials.
To reduce risk:
kubectl proxy.--reject-methods='POST,PUT,PATCH,DELETE' to restrict the proxy to
read-only operations when you only need to view resources.--reject-paths to limit which API paths the proxy exposes.kubectl proxy with cluster-admin credentials unless necessary.kubectl applykubectl apply to create or update resources. For more information about using kubectl apply to update resources, see Kubectl Book.