One powerful tool for managing and interacting with containerized applications in Kubernetes at your disposal is `kubectl exec'. This allows you to execute commands inside running pods within your Kubernetes cluster. In this tutorial, we will explore the intricacies of `kubectl exec` in detail - its usage, syntax, various options for fine-tuning your command execution, best practices, and much more.

Kubectl exec, kubectl exec command, kubectl command banner

By the end of this article, you will have a comprehensive understanding of `kubectl exec` and be equipped with the knowledge to confidently utilize it in your Kubernetes workflow.

Let's dive into the world of `kubectl exec` and unlock the power of executing commands within Kubernetes pods!

What is Kubectl Exec Command?

The `kubectl exec` command is a powerful tool in Kubernetes that allows you to execute commands inside a running container within a pod. 

It enables you to interact with the container and perform various operations, such as running scripts, debugging, or troubleshooting.

When you execute the `kubectl exec` command, it establishes a connection with the Kubernetes API server. It locates the specified pod based on the provided pod name and optional namespace. 

Once the pod is identified, `kubectl exec` communicates with the API server to create an "exec" session within the target container.

To establish this session, the Kubernetes API server utilizes the pod's networking infrastructure and container runtime capabilities.

It sends a request to the container runtime (such as Docker) on the target node, asking it to execute a command inside the specified container.

The container runtime then sets up a communication channel between the `kubectl` client and the container. 

It connects the client's input/output streams with the corresponding streams inside the container, allowing for interactive communication.

At this point, the `kubectl` client acts as a mediator, relaying input from the user's terminal to the container's standard input, and forwarding output from the container's standard output/error streams to the user's terminal. 

This enables real-time interaction with the container as if you had SSH or terminal access to it.

It's worth noting that for `kubectl exec` to work, the pod must have appropriate privileges and access permissions. 

Additionally, the container image should contain the necessary shell interpreters or commands required for the commands or scripts you want to execute.

Also Read: A Complete List of kubectl Commands

When to use Kubectl Exec Command 

The `kubectl exec` command is useful in several scenarios when working with Kubernetes pods and containers. 

Here are some common situations where you might need to use `kubectl exec'.

Debugging and Troubleshooting

When you encounter issues with your application running inside a container, `kubectl exec` allows you to enter the container and investigate the problem. 

You can run commands to check log files, inspect the environment, or diagnose network-related issues. 

Here's an example.

kubectl exec my-pod -- tail -f /var/log/myapp.log

Running One-Time Administrative Tasks

You can use `kubectl exec` to execute administrative tasks or perform one-time operations inside a container. 

This can include running database migrations, initializing configurations, or executing backups. 

Let's look at an example of this.

kubectl exec my-pod -- python migrate

Interacting with Containerized Tools

If your container contains specific tools or utilities, you can leverage `kubectl exec` to access and use them. 

This is helpful when you need to perform tasks such as running database queries, executing performance tests, or utilizing specialized debugging tools. 

Here's how to do it.

kubectl exec my-pod -- psql -U myuser -d mydb -c "SELECT * FROM users"

Inspecting Container Environment

You can use `kubectl exec` to examine the environment variables, file system, or installed packages within a container. 

This is particularly useful when you need to verify configurations, check resource usage, or validate the presence of specific dependencies. 

Let's look at how to do it.

kubectl exec my-pod -- printenv

Running Containerized Scripts

If you have scripts or automation tasks encapsulated within your container, `kubectl exec` enables you to trigger their execution. 

This can include running backup scripts, triggering periodic cleanup, or performing batch operations. 

Here's how.

kubectl exec my-pod -- /bin/sh

Also Read: How to Work with Kubernetes Clusters using Kubeadm?

Syntax Kubectl in Clusters, Containers, Nodes, and Pods 

The `kubectl exec` command is used to execute a command inside a running container of a pod. 

Let's look at the `kubectl exec` syntax for pods, clusters, and namespaces.

For a single-container pod:

kubectl exec [options]<pod-name> -- <command>[args…]

For a multi-container pod, you need to specify the container name along with the pod name:

kubectl exec [options]<pod-name> -c <container-name> -- <command>[args…]

To execute a command on a specific node in the cluster, you can use the `--node` flag:

kubectl exec <pod-name> --node=<node-name> -- <command>

To execute a command on a pod in a specific namespace, you can use the `-n` flag:

kubectl exec -n <namespace> <pod-name> -- <command>

Here's an example to illustrate these syntaxes.

For a single-container pod:

kubectl exec my-pod -- ls /app
kubectl exec my-pod --container my-container -- echo "Hello, World!"

For a multi-container pod:

kubectl exec my-pod -c my-container -- ls /app
kubectl exec my-pod -c my-container -- echo "Hello, World!"

For a specific node:

kubectl exec my-pod --node=node-1 -- ls /app

In a specific namespace:

kubectl exec -n my-namespace my-pod -- ls /app

Please note that in all the examples, `<pod-name>` should be replaced with the actual name of the pod, `<container-name>` with the name of the container inside the pod (only for multi-container pods), `<node-name>` with the name of the node, `<namespace>` with the desired namespace, and `<command>` with the command you want to execute inside the container.

Note: Anything following the double dash -- is considered a shell command and is delivered to the container. So you'd be able to run any sophisticated shell commands using | pipes and awk, sed, and so on.

Humalect CTA banner, Kubectl Exec

Executing Shell Scripts with kubectl exec

To execute a shell script within a container using `kubectl exec`, you can pass the shell interpreter and the script file as arguments.

Here's an example:

kubectl exec POD_NAME -- /bin/sh -c 'cat | /bin/sh'

In this command, replace `POD_NAME` with the pod's name that contains the container where you want to execute the shell script. 

The `/bin/sh -c` specifies the shell interpreter to use, and `'cat | /bin/sh'` is the command that reads the contents of the `` file and pipes it to the shell interpreter.

Make sure you have the shell script (``) available on the machine from which you are running the `kubectl exec` command. You can modify the file path and name accordingly.

If your shell script requires arguments, you can include them after the shell interpreter. 

Here's an example:

kubectl exec POD_NAME -- /bin/sh -c 'sh arg1 arg2'

In this case, `arg1` and `arg2` are the arguments passed to the shell script (``).

Note: The double dash (--) separates the kubectl arguments from the arguments you want to send to the command.

Also Read: Kubectl Config Get Context Tutorial

Kubectl Exec - Advanced Options

Let’s explore the power of 'kubectl exec' command with a few advanced options.

1. Log to standard error as well as files, and set the log level to 2.

kubectl exec --alsologtostderr=true --stderrthreshold=2 pod-name -- command

2. Provide a certificate authority file for TLS verification.

kubectl exec --certificate-authority=path/to/ca/file pod-name -- command

3. Specify a client certificate and key file for TLS authentication.

kubectl exec --client-certificate=path/to/cert/file --client-key=path/to/key/file pod-name -- command

4. Use a specific cluster from the kubeconfig file.

kubectl exec --cluster=cluster-name pod-name -- command

5. Use a specific context from the kubeconfig file.

kubectl exec --context=context-name pod-name -- command

6. Skip TLS verification (insecure).

kubectl exec --insecure-skip-tls-verify=true pod-name -- command

7. Specify a custom kubeconfig file.

kubectl exec --kubeconfig=path/to/kubeconfig/file pod-name -- command

8. Set the log directory to write log files.

kubectl exec --log-dir=path/to/log/directory pod-name -- command

9. Set the log flush frequency to 10 seconds.

kubectl exec --log-flush-frequency=10s pod-name -- command

10. Set the log level to 1 (info) and log to standard error instead of files.

kubectl exec --logtostderr=true --v=1 pod-name -- command

These examples demonstrate how you can use various flags with the `kubectl exec` command to customize your execution experience.

Replace `pod-name` with the actual name of the pod you want to execute commands in, and `command` with the desired command you wish to run inside the pod.

humalect cta banner, Kubectl exec command

Kubectl Exec Command Alternative

kubectl exec is the ultimate choice when it comes to accessing the inner workings of a Kubernetes container. 

Its purpose-built design eliminates the hassle of identifying the precise physical node to establish a connection with.

However, in the rare scenario where an alternative is indispensable, particularly when kubectl is unavailable on the system, one potential approach involves running an SSH daemon within the container itself. 

It is important to note that this approach expands the attack surface and contradicts the fundamental principle of assigning a single purpose to each container.

Alternatively, you can explore the realm of web-based Kubernetes dashboards. 

Numerous renowned options, including the official Kubernetes dashboard, possess the capability to furnish interactive shell sessions that can be seamlessly accessed through your web browser. 

How to Get SSH or Terminal Access to the Container on the POD Using kubectl exec

For this, you can specify an interactive terminal (`kubectl exec -it`) option along with the shell command to run inside the container.

Here's an example:

kubectl exec -it POD_NAME -- /bin/sh

In this command, replace `POD_NAME` with the name of the pod that contains the container you want to access. 

The `/bin/sh` command launches a shell inside the container, allowing you to interact with it as if you were using a terminal.

Alternatively, if your container has a different default shell, you can specify it instead of `/bin/sh`. 

For example, to use Bash:

kubectl exec -it POD_NAME -- /bin/bash

Once you execute the command, you will be connected to the terminal of the specified container, and you can run commands and interact with it as if you had SSH access. 

To exit the terminal session, use the `exit` command or press `Ctrl + D`.

kubectl exec PODNAME -n NAMESPAE -c CONTAINER_NAME -i -t – sh -c "clear; (bash || ash || sh || ksh || csh || zsh )"

Use this command to check if any of the above shell is present in your container or not to be used or SSH’d into. 

Humalect CTA banner, Kubectl exec

kubectl exec as Root

Kubernetes follows the immutable infrastructure philosophy, but there are cases where you may need to connect to and inspect pods, especially during cluster development. 

Connecting to a pod in Kubernetes is straightforward using the `kubectl exec` command. 

However, by default, it does not grant root access unless the container's image is built with root as the current user. 

In the world of Docker, connecting to a container as root is easy with the `docker exec` command. However, when running the same container in a Kubernetes cluster, it is not as straightforward.

To connect to a container within a pod as the root user, a workaround is needed. Here are the steps:

  1. Identify the node hosting the pod you want to access as root by running `kubectl get pods -o wide`.

  2. Inspect the pod to determine the corresponding Docker container you wish to connect to using `kubectl describe pod <pod-name>`.

  3. Note down the Container ID from the pod's description.

  4. SSH into the node that hosts the pod.

  5. Run the `docker exec` command with the Container ID and specify `root` as the user to connect to the container as root.

With this approach, you can gain root access within the container running in the Kubernetes cluster.

Note: This workaround involves manually connecting to the node and executing the `docker exec` command, and it may not be the ideal method for production environments. It's important to use root access sparingly and follow security best practices.

Also Read: Top Alternatives to Docker & Docker Desktop

Things to Avoid when Using kubectl exec

Here are a few things to avoid when using 'kubectl exec'.

Avoid relying heavily on interactive sessions.

While interactive sessions with 'kubectl exec -it' can be useful for troubleshooting or debugging, relying too much on interactive sessions for routine tasks may not be ideal.

Instead, consider using proper automation and container orchestration techniques for regular operations.

Do not execute long-running processes or background tasks.

The kubectl exec command is primarily intended for running short-lived commands within a container.

Avoid executing long-running processes or background tasks using kubectl exec, as it is not designed for that purpose. 

Instead, consider using other mechanisms, such as Kubernetes Jobs or CronJobs, to handle such tasks.

Avoid executing sensitive commands without proper security measures.

Be cautious when executing commands that involve sensitive information, such as credentials or Kubernetes secrets

Ensure that you have proper security measures in place, such as encrypted connections, secure environments, and access controls.

Do not use kubectl exec as a primary method for application administration.

While kubectl exec can be helpful for troubleshooting or inspecting container environments, it is not recommended as the primary method for application administration.

Utilize appropriate configuration management tools, deployment techniques, and container orchestrators to manage and maintain your applications.

Also Read: Top 24 Kubernetes Best Practices that You Must Know

TL;DR - Summary of Kubectl Exec Commands

Here's a summary list of `kubectl exec` command examples for common scenarios:

  1. View log files in real-time: kubectl exec my-pod -- tail -f /var/log/myapp.log
  2. Run database migrations or administrative tasks: kubectl exec my-pod -- python migrate
  3. Execute database queries or interact with specialized tools: kubectl exec my-pod -- psql -U myuser -d mydb -c "SELECT * FROM users"
  4. Check environment variables or inspect container environment: kubectl exec my-pod -- printenv
  5. Run containerized scripts or trigger automation tasks: kubectl exec my-pod -- /bin/sh
  6. Open an interactive terminal session (SSH-like access): kubectl exec -it my-pod -- /bin/sh
  7. Execute commands in a specific container within a pod: kubectl exec -it my-pod -c my-container -- /bin/bash
  8. Check the contents of a file within a container: kubectl exec my-pod -- cat /path/to/file.txt
  9. Copy files between a local directory and a container: kubectl cp /path/to/local/file.txt my-pod:/path/to/destination/file.txt
  10. Execute a command with arguments inside a container: kubectl exec my-pod -- /bin/sh -c 'sh arg1 arg2'
  11. Execute a command in a specific namespace: kubectl exec -it my-pod --namespace my-namespace -- /bin/bash
  12. Run a command inside a container using the pod's full name (including the namespace): kubectl exec -it my-namespace/my-pod -- /bin/sh
  13. Execute a command in a pod using a specific service account: kubectl exec -it my-pod --as my-service-account -- /bin/sh
  14. Run a command in a specific container when a pod has multiple containers: kubectl exec -it my-pod -c my-container -- /bin/bash
  15. Pass environment variables to a command executed within a container: kubectl exec -it my-pod --env VAR_NAME=value -- /bin/sh
  16. Execute a command in a pod using a specific node: kubectl exec -it my-pod --overrides '{"apiVersion":"v1","spec":{"nodeName":"my-node"} }' -- /bin/sh
  17. Set resource limits (CPU/memory) for a command executed within a container: kubectl exec -it my-pod --limits=cpu=200m,memory=512Mi -- /bin/sh
  18. Run a command with stdin input passed from a local file: kubectl exec -i my-pod -- /bin/sh < local_file.txt
  19. Execute a command in a specific container using a shell other than `/bin/sh`: kubectl exec -it my-pod -c my-container -- /bin/bash
  20. Run a command inside a container as a specific user: kubectl exec -it my-pod --as-user=1000 --as-group=1000 -- /bin/sh
  21. Update packages: kubectl exec my-pod -- apt-get update
  22. Get a shell to the running container: kubectl exec --stdin --tty shell-demo -- /bin/bash

Note: kubectl exec is a container inspection tool, not a tool for running apps or modifying container setup. Remember, with great power comes great responsibility. Be cautious while executing commands inside containers, as one wrong move could unleash chaos upon your beloved pods. Always double-check the command and handle it with care.