This cheat sheet covers every gcloud and kubectl command tested on Google Cloud certifications — organised by category so you can scan exactly what you need.
Create a Docker repository in Artifact Registry
gcloud artifacts repositories create REPO_NAME --repository-format=docker --location=REGION
Configure Docker to authenticate with Artifact Registry in a given region
gcloud auth configure-docker REGION-docker.pkg.dev
Create a GKE Autopilot cluster
gcloud container clusters create-auto CLUSTER_NAME --region=REGION
SSH to a Compute Engine instance through Identity-Aware Proxy without a public IP
gcloud compute ssh INSTANCE_NAME --tunnel-through-iap --zone=ZONE
Open an IAP TCP tunnel to port 22 on a Compute Engine instance for SSH forwarding
gcloud compute start-iap-tunnel INSTANCE_NAME 22 --local-host-port=localhost:2222 --zone=ZONE
List all Docker images stored in an Artifact Registry repository
gcloud artifacts docker images list REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME
Map a custom domain to a Cloud Run service
gcloud beta run domain-mappings create --service=SERVICE_NAME --domain=DOMAIN_NAME --region=REGION
Create a Cloud Deploy release from the current directory
gcloud deploy releases create RELEASE_NAME --delivery-pipeline=PIPELINE_NAME --region=REGION --source=.
Create a Workload Identity Federation pool for authenticating external workloads
gcloud iam workload-identity-pools create POOL_ID --location=global --display-name='My Pool'
Create an OIDC provider in a Workload Identity Federation pool
gcloud iam workload-identity-pools providers create-oidc PROVIDER_ID --workload-identity-pool=POOL_ID --location=global --issuer-uri=ISSUER_URI --attribute-mapping='google.subject=assertion.sub'
Export the Binary Authorization policy to a YAML file
gcloud container binauthz policy export > policy.yaml
List all packages in an Artifact Registry repository
gcloud artifacts packages list --repository=REPO_NAME --location=REGION
List all rollouts for a Cloud Deploy release
gcloud deploy rollouts list --delivery-pipeline=PIPELINE_NAME --release=RELEASE_NAME --region=REGION
Split Cloud Run traffic 90/10 between two revisions for a canary rollout
gcloud run services update-traffic SERVICE_NAME --to-revisions=REVISION1=90,REVISION2=10 --region=REGION
Add a tag to a specific version of a package in Artifact Registry
gcloud artifacts tags add TAG_NAME --package=PACKAGE_NAME --location=REGION --repository=REPO_NAME --version=VERSION
Add a BGP peer to a Cloud Router for a VPN or Interconnect attachment
gcloud compute routers add-bgp-peer ROUTER_NAME --peer-name=PEER_NAME --interface=INTERFACE_NAME --peer-ip-address=PEER_IP --peer-asn=PEER_ASN --region=REGION
Retrieve the serial port output from a Compute Engine instance for boot-time debugging
gcloud compute instances get-serial-port-output INSTANCE_NAME --zone=ZONE
Display configuration details for a Cloud Run job
gcloud run jobs describe JOB_NAME --region=REGION
Update a Cloud Run job to use a new container image
gcloud run jobs update JOB_NAME --image=NEW_IMAGE_URL --region=REGION
List all Cloud Run jobs in a given region
gcloud run jobs list --region=REGION
Deploy the current directory's application to Google App Engine
gcloud app deploy
Open the deployed App Engine application URL in your default browser
gcloud app browse
Stream live log entries from the deployed App Engine application
gcloud app logs tail
Display metadata about the current App Engine application including region and URL
gcloud app describe
List all deployed versions of the App Engine application and their traffic allocation
gcloud app versions list
List all services deployed in the App Engine application
gcloud app services list
Show details and traffic splits for a specific App Engine service
gcloud app services describe SERVICE
Show details of a specific App Engine version within a service
gcloud app versions describe VERSION --service SERVICE
Delete a specific App Engine version that is not receiving traffic
gcloud app versions delete VERSION --service SERVICE
Stop serving traffic to a specific App Engine version
gcloud app versions stop VERSION --service SERVICE
Start a previously stopped App Engine version to resume serving traffic
gcloud app versions start VERSION --service SERVICE
List all regions where App Engine applications can be created
gcloud app regions list
Deploy an App Engine app with a specific version identifier
gcloud app deploy --version VERSION
Route 100% of App Engine traffic to a specific version
gcloud app services set-traffic SERVICE --splits VERSION=1
List all running instances of the App Engine application
gcloud app instances list
Show details of a specific App Engine instance
gcloud app instances describe INSTANCE --service SERVICE --version VERSION
Force-stop and delete a specific App Engine instance
gcloud app instances delete INSTANCE --service SERVICE --version VERSION
Read recent log entries from the App Engine application
gcloud app logs read
List all App Engine operations and their completion status
gcloud app operations list
Deploy a new App Engine version without shifting traffic to it
gcloud app deploy --no-promote
Authorize gcloud to access Google Cloud using your user account credentials
gcloud auth login
List all credentialed accounts and identify the currently active account
gcloud auth list
Print an OAuth2 access token for the active account to use in API requests
gcloud auth print-access-token
Authenticate gcloud using a service account JSON key file
gcloud auth activate-service-account --key-file KEY_FILE
Set up Application Default Credentials for local development libraries and tools
gcloud auth application-default login
Revoke credentials and remove access for a specific account from gcloud
gcloud auth revoke ACCOUNT
Register gcloud as a Docker credential helper for Google Container Registry
gcloud auth configure-docker
Print an OpenID Connect identity token for the active account
gcloud auth print-identity-token
Print an access token generated from Application Default Credentials
gcloud auth application-default print-access-token
Revoke Application Default Credentials stored on the local machine
gcloud auth application-default revoke
Set the quota project used by Application Default Credentials
gcloud auth application-default set-quota-project PROJECT_ID
Authenticate with gcloud without automatically opening a browser window
gcloud auth login --no-launch-browser
Switch the active gcloud account without re-authenticating
gcloud config set account ACCOUNT
Revoke credentials for all accounts logged into gcloud
gcloud auth revoke --all
Configure Docker to authenticate with a regional Artifact Registry
gcloud auth configure-docker REGION-docker.pkg.dev
Activate a service account by specifying both email and key file path
gcloud auth activate-service-account SA_EMAIL --key-file KEY_FILE
Configure gcloud to impersonate a service account for all commands
gcloud config set auth/impersonate_service_account SA_EMAIL
List credentialed accounts filtered to a specific account email
gcloud auth list --filter-account ACCOUNT
Authenticate gcloud using a credential configuration file
gcloud auth login --cred-file CREDENTIAL_FILE
Display OAuth2 token details for a specific credentialed account
gcloud auth describe ACCOUNT
List all datasets in the current BigQuery project
bq ls
Create a new BigQuery dataset
bq mk DATASET_NAME
Display schema and metadata for a BigQuery table
bq show DATASET.TABLE
Run a BigQuery query using standard SQL (GoogleSQL)
bq query --use_legacy_sql=false 'SELECT * FROM DATASET.TABLE'
Load a CSV file from Cloud Storage into a BigQuery table using a schema file
bq load DATASET.TABLE gs://BUCKET/FILE.csv SCHEMA.json
Export a BigQuery table to a CSV file in Cloud Storage
bq extract DATASET.TABLE gs://BUCKET/export.csv
Delete a BigQuery table without prompting for confirmation
bq rm -f DATASET.TABLE
Display the first rows of a BigQuery table
bq head DATASET.TABLE
Copy a BigQuery table to a new destination table
bq cp SOURCE_DATASET.SOURCE_TABLE DEST_DATASET.DEST_TABLE
Create a BigQuery table with an explicit schema file
bq mk --table DATASET.TABLE SCHEMA.json
Estimate the bytes processed by a BigQuery query without running it
bq query --dry_run --use_legacy_sql=false 'SELECT * FROM DATASET.TABLE'
Run a BigQuery query and write the results to a destination table
bq query --use_legacy_sql=false --destination_table=DATASET.RESULTS_TABLE 'SELECT * FROM DATASET.TABLE'
Load newline-delimited JSON data from Cloud Storage into BigQuery
bq load --source_format=NEWLINE_DELIMITED_JSON DATASET.TABLE gs://BUCKET/FILE.json SCHEMA.json
Create a BigQuery view with a standard SQL query
bq mk --use_legacy_sql=false --view 'SELECT id, name FROM DATASET.TABLE' DATASET.VIEW_NAME
Create a BigQuery dataset in a specific region such as the EU
bq mk --location=EU DATASET_NAME
Export a BigQuery table to compressed CSV files in Cloud Storage
bq extract --compression=GZIP --destination_format=CSV DATASET.TABLE gs://BUCKET/export_*.csv.gz
Run a BigQuery query that fails if it would process more than 1 GB of data
bq query --use_legacy_sql=false --maximum_bytes_billed=1000000000 'SELECT * FROM DATASET.TABLE'
Set a 30-day expiry on a BigQuery table (value in seconds)
bq update --expiration=2592000 DATASET.TABLE
Load Parquet files from Cloud Storage into BigQuery with schema autodetection
bq load --source_format=PARQUET --autodetect DATASET.TABLE gs://BUCKET/*.parquet
Create a BigQuery table partitioned by day using a schema file
bq mk --table --time_partitioning_type=DAY DATASET.PARTITIONED_TABLE SCHEMA.json
Create a Cloud Build trigger on a Cloud Source Repository branch
gcloud builds triggers create cloud-source-repositories --repo=my-app-repo --branch-pattern=main --build-config=cloudbuild.yaml
List recent Cloud Build jobs for the current project
gcloud builds list
Show detailed information about a specific Cloud Build job
gcloud builds describe BUILD_ID
Cancel an in-progress Cloud Build job
gcloud builds cancel BUILD_ID
Submit the current directory as a Cloud Build job and tag the resulting container image
gcloud builds submit --tag IMAGE_URL
Submit a Cloud Build job using a custom build configuration file
gcloud builds submit --config cloudbuild.yaml
Stream or display the log output for a specific Cloud Build run
gcloud builds log BUILD_ID
List all Cloud Build triggers configured in the current project
gcloud builds triggers list
Show full configuration details of a specific Cloud Build trigger
gcloud builds triggers describe TRIGGER_ID
Delete a Cloud Build trigger by its ID
gcloud builds triggers delete TRIGGER_ID
Manually execute a Cloud Build trigger against a specific branch
gcloud builds triggers run TRIGGER_ID --branch BRANCH
Create a Cloud Build trigger that fires on pushes to a GitHub repository
gcloud builds triggers create github --repo-name REPO --repo-owner OWNER --branch-pattern PATTERN --build-config cloudbuild.yaml
Temporarily disable a Cloud Build trigger without deleting it
gcloud builds triggers pause TRIGGER_ID
Re-enable a previously paused Cloud Build trigger
gcloud builds triggers resume TRIGGER_ID
Create a Cloud Build trigger by importing its YAML configuration file
gcloud builds triggers import --source FILE
Export a Cloud Build trigger configuration to a YAML file
gcloud builds triggers export TRIGGER_ID --destination FILE
Build a container image from source using Cloud Buildpacks without a Dockerfile
gcloud builds submit --pack image=IMAGE
List only failed Cloud Build runs in the current project
gcloud builds list --filter status=FAILURE
Run a Cloud Build without uploading any local source code
gcloud builds submit --no-source --config cloudbuild.yaml
List all private worker pools configured for Cloud Build
gcloud builds worker-pools list
Deploy a new or updated Cloud Function with an HTTP trigger
gcloud functions deploy FUNCTION_NAME --runtime RUNTIME --trigger-http
List all deployed Cloud Functions in the current project
gcloud functions list
Show details and configuration of a specific Cloud Function
gcloud functions describe FUNCTION_NAME
Delete a deployed Cloud Function from the project
gcloud functions delete FUNCTION_NAME
Deploy an HTTP Cloud Function that requires authentication
gcloud functions deploy processOrder --runtime=nodejs18 --trigger-http --region=us-central1 --no-allow-unauthenticated
Deploy a Cloud Function that is triggered by a Pub/Sub topic
gcloud functions deploy FUNCTION_NAME --runtime RUNTIME --trigger-topic TOPIC_NAME
Invoke a deployed Cloud Function directly with test data
gcloud functions call FUNCTION_NAME --data DATA
Display recent log output from a deployed Cloud Function
gcloud functions logs read FUNCTION_NAME
Deploy a Cloud Function specifying a custom entry point handler name
gcloud functions deploy FUNCTION_NAME --runtime nodejs20 --trigger-http --entry-point HANDLER
Deploy a Cloud Function and set environment variables for it
gcloud functions deploy FUNCTION_NAME --set-env-vars KEY=VALUE
Deploy a Cloud Function with a specific memory allocation
gcloud functions deploy FUNCTION_NAME --memory 512MB
Deploy a Cloud Function with a custom maximum execution timeout
gcloud functions deploy FUNCTION_NAME --timeout 300s
Allow unauthenticated public access to an HTTP Cloud Function
gcloud functions add-iam-policy-binding FUNCTION_NAME --member allUsers --role roles/cloudfunctions.invoker
Retrieve the IAM policy controlling who can invoke a Cloud Function
gcloud functions get-iam-policy FUNCTION_NAME
Deploy a publicly accessible HTTP Cloud Function with no auth required
gcloud functions deploy FUNCTION_NAME --trigger-http --allow-unauthenticated
Deploy a Cloud Function connected to a VPC network via a connector
gcloud functions deploy FUNCTION_NAME --vpc-connector CONNECTOR
List all event types that can trigger a Cloud Function
gcloud functions event-types list
Deploy a second-generation Cloud Function with the specified runtime and region
gcloud functions deploy FUNCTION_NAME --gen2 --runtime python311 --trigger-http --region REGION
Deploy a Cloud Function using a specific service account identity
gcloud functions deploy FUNCTION_NAME --service-account SA_EMAIL
Update a single environment variable on a deployed Cloud Function without redeploying code
gcloud functions deploy FUNCTION_NAME --update-env-vars KEY=VALUE
Split Cloud Run traffic between two revisions for a canary rollout
gcloud run services update-traffic checkout-api --to-revisions=checkout-api-00003=10,checkout-api-00002=90
Deploy a container to Cloud Run with public access enabled
gcloud run deploy my-app --image=gcr.io/my-project/my-app:v2 --region=us-central1 --platform=managed --allow-unauthenticated
List all Cloud Run services in the current project
gcloud run services list
Show detailed configuration and status of a Cloud Run service
gcloud run services describe SERVICE_NAME
Delete a Cloud Run service and all its revisions
gcloud run services delete SERVICE_NAME
Deploy a container image to Cloud Run in a specific region
gcloud run deploy SERVICE_NAME --image IMAGE --region REGION
Deploy a container image to Cloud Run as a new or updated service
gcloud run deploy SERVICE --image IMAGE --region REGION
List all revisions of a Cloud Run service
gcloud run revisions list --service SERVICE --region REGION
Show configuration and status of a specific Cloud Run revision
gcloud run revisions describe REVISION --region REGION
Delete a specific Cloud Run revision that is not serving traffic
gcloud run revisions delete REVISION --region REGION
Route 100% of Cloud Run traffic to the latest deployed revision
gcloud run services update-traffic SERVICE --to-latest --region REGION
Split Cloud Run traffic evenly between two revisions for canary testing
gcloud run services update-traffic SERVICE --to-revisions REV1=50,REV2=50 --region REGION
Allow unauthenticated public access to a Cloud Run service
gcloud run services add-iam-policy-binding SERVICE --member allUsers --role roles/run.invoker --region REGION
Retrieve the IAM policy for a Cloud Run service
gcloud run services get-iam-policy SERVICE --region REGION
Update environment variables on a deployed Cloud Run service
gcloud run services update SERVICE --set-env-vars KEY=VALUE --region REGION
Update the memory limit for a deployed Cloud Run service
gcloud run services update SERVICE --memory MEMORY --region REGION
Set the maximum number of concurrent requests per Cloud Run container instance
gcloud run services update SERVICE --concurrency N --region REGION
Create a Cloud Run Job for running containerised batch tasks
gcloud run jobs create JOB --image IMAGE --region REGION
Trigger an execution of a Cloud Run Job
gcloud run jobs execute JOB --region REGION
Set a minimum number of Cloud Run instances to keep warm and avoid cold starts
gcloud run services update SERVICE --min-instances N --region REGION
Create a Cloud Scheduler HTTP job with OIDC authentication targeting Cloud Run
gcloud scheduler jobs create http daily-process --schedule="0 2 * * *" --uri=https://my-service-xyz.run.app/process --http-method=POST --oidc-service-account-email=scheduler-sa@my-project.iam.gserviceaccount.com
List all Cloud Scheduler jobs in the current project
gcloud scheduler jobs list
Show detailed configuration of a specific Cloud Scheduler job
gcloud scheduler jobs describe JOB_NAME
Delete a Cloud Scheduler job permanently
gcloud scheduler jobs delete JOB_NAME
Pause a Cloud Scheduler job so it stops triggering on its schedule
gcloud scheduler jobs pause JOB_NAME
Manually trigger a Cloud Scheduler job immediately outside its normal schedule
gcloud scheduler jobs run JOB_NAME
Create a Cloud Scheduler job that sends HTTP requests on a cron schedule
gcloud scheduler jobs create http JOB_NAME --schedule "CRON" --uri URI --location LOCATION
Create a Cloud Scheduler job that publishes a message to a Pub/Sub topic
gcloud scheduler jobs create pubsub JOB_NAME --schedule "CRON" --topic TOPIC --message-body MESSAGE --location LOCATION
Create a Cloud Scheduler job that calls an App Engine endpoint
gcloud scheduler jobs create app-engine JOB_NAME --schedule "CRON" --relative-url URL --location LOCATION
Update the cron schedule of an existing Cloud Scheduler HTTP job
gcloud scheduler jobs update http JOB_NAME --schedule "NEW_CRON" --location LOCATION
Resume a previously paused Cloud Scheduler job
gcloud scheduler jobs resume JOB_NAME --location LOCATION
List all Cloud Scheduler jobs in a specific region
gcloud scheduler jobs list --location LOCATION
List only currently enabled Cloud Scheduler jobs in a region
gcloud scheduler jobs list --location LOCATION --filter state=ENABLED
Delete a Cloud Scheduler job without an interactive confirmation prompt
gcloud scheduler jobs delete JOB_NAME --location LOCATION --quiet
Create a Cloud Scheduler job that authenticates to an OIDC-protected endpoint
gcloud scheduler jobs create http JOB_NAME --schedule "CRON" --uri URI --oidc-service-account-email SA_EMAIL --location LOCATION
Export a Cloud Scheduler job configuration as YAML
gcloud scheduler jobs describe JOB_NAME --location LOCATION --format yaml
Add or update HTTP headers on an existing Cloud Scheduler HTTP job
gcloud scheduler jobs update http JOB_NAME --update-headers KEY=VALUE --location LOCATION
Manually trigger an immediate execution of a Cloud Scheduler job
gcloud scheduler jobs run JOB_NAME --location LOCATION
List all regions where Cloud Scheduler is available
gcloud scheduler locations list
Create a Cloud Scheduler job that publishes to Pub/Sub every Monday at 9am
gcloud scheduler jobs create pubsub JOB_NAME --schedule "0 9 * * 1" --topic TOPIC --message-body MESSAGE --location LOCATION
Create a Cloud SQL read replica using --master-instance-name
gcloud sql instances create prod-db-replica --master-instance-name=prod-db
List all Cloud SQL instances in the current project
gcloud sql instances list
Show detailed information about a specific Cloud SQL instance
gcloud sql instances describe INSTANCE_NAME
Delete a Cloud SQL instance and all its data permanently
gcloud sql instances delete INSTANCE_NAME
List all databases within a specific Cloud SQL instance
gcloud sql databases list --instance INSTANCE_NAME
Open an interactive SQL session to a Cloud SQL instance
gcloud sql connect INSTANCE_NAME --user USER
Create a new database inside an existing Cloud SQL instance
gcloud sql databases create DB_NAME --instance INSTANCE
Delete a database from a Cloud SQL instance
gcloud sql databases delete DB_NAME --instance INSTANCE
Show details and collation settings of a Cloud SQL database
gcloud sql databases describe DB_NAME --instance INSTANCE
Create a new database user in a Cloud SQL instance
gcloud sql users create USER --instance INSTANCE --password PASSWORD
List all database users in a Cloud SQL instance
gcloud sql users list --instance INSTANCE
Delete a database user from a Cloud SQL instance
gcloud sql users delete USER --instance INSTANCE
Set database engine flags on a Cloud SQL instance
gcloud sql instances patch INSTANCE --database-flags FLAG=VALUE
Configure the automated backup start time for a Cloud SQL instance
gcloud sql instances patch INSTANCE --backup-start-time HH:MM
Change the machine type (tier) of a Cloud SQL instance
gcloud sql instances patch INSTANCE --tier TIER
Restart a Cloud SQL instance to apply pending flag changes
gcloud sql instances restart INSTANCE
Create an exact copy of a Cloud SQL instance
gcloud sql instances clone INSTANCE CLONE_NAME
List all available automated and on-demand backups for a Cloud SQL instance
gcloud sql backups list --instance INSTANCE
Export a Cloud SQL database to a SQL dump file in Cloud Storage
gcloud sql instances export INSTANCE gs://BUCKET/FILE --database DB_NAME
Import a SQL dump file from Cloud Storage into a Cloud SQL instance
gcloud sql instances import INSTANCE gs://BUCKET/FILE --database DB_NAME
Copy files or objects between your local filesystem and Cloud Storage
gcloud storage cp LOCAL_PATH gs://BUCKET_NAME/OBJECT_PATH
List objects and prefixes inside a Cloud Storage bucket
gcloud storage ls gs://BUCKET_NAME
Create a new Cloud Storage bucket in a specified location
gcloud storage buckets create gs://BUCKET_NAME --location LOCATION
Delete objects or buckets from Cloud Storage
gcloud storage rm gs://BUCKET_NAME/OBJECT_PATH
List all Cloud Storage buckets in the current project
gcloud storage buckets list
Show detailed metadata and configuration for a specific Cloud Storage bucket
gcloud storage buckets describe gs://BUCKET_NAME
Move or rename an object within Cloud Storage
gcloud storage mv gs://BUCKET/SOURCE gs://BUCKET/DEST
Print the contents of a Cloud Storage object to stdout
gcloud storage cat gs://BUCKET/OBJECT
Show metadata such as size, hash, and content type for a Cloud Storage object
gcloud storage objects describe gs://BUCKET/OBJECT
Recursively copy a local directory and all its contents to Cloud Storage
gcloud storage cp -r LOCAL_DIR gs://BUCKET/
Enable object versioning on a Cloud Storage bucket
gcloud storage buckets update gs://BUCKET --versioning
Apply a lifecycle management policy to a Cloud Storage bucket from a JSON file
gcloud storage buckets update gs://BUCKET --lifecycle-file LIFECYCLE_FILE
Make all objects in a Cloud Storage bucket publicly readable
gcloud storage buckets add-iam-policy-binding gs://BUCKET --member allUsers --role roles/storage.objectViewer
Retrieve the IAM policy for a Cloud Storage bucket
gcloud storage buckets get-iam-policy gs://BUCKET
List Cloud Storage objects with their sizes and last-modified timestamps
gcloud storage ls -l gs://BUCKET
Synchronise a local directory to Cloud Storage, copying only changed files
gcloud storage rsync LOCAL_DIR gs://BUCKET/
Enable uniform bucket-level access to disable per-object ACLs
gcloud storage buckets update gs://BUCKET --uniform-bucket-level-access
Download an object from Cloud Storage to the local filesystem
gcloud storage cp gs://BUCKET/OBJECT LOCAL_PATH
Delete an empty Cloud Storage bucket
gcloud storage buckets delete gs://BUCKET
Set a retention policy to prevent object deletion for a specified period
gcloud storage buckets update gs://BUCKET --retention-period SECONDS
Create a new Cloud Storage bucket
gsutil mb gs://BUCKET_NAME
List all Cloud Storage buckets accessible in the current project
gsutil ls
Upload a local file to a Cloud Storage bucket
gsutil cp FILE.TXT gs://BUCKET_NAME/
Download a file from Cloud Storage to the current directory
gsutil cp gs://BUCKET_NAME/FILE.TXT .
Delete an object from a Cloud Storage bucket
gsutil rm gs://BUCKET_NAME/FILE.TXT
Rename or move an object within Cloud Storage
gsutil mv gs://BUCKET_NAME/OLD.TXT gs://BUCKET_NAME/NEW.TXT
Remove an empty Cloud Storage bucket
gsutil rb gs://BUCKET_NAME
Print the contents of a Cloud Storage object to stdout
gsutil cat gs://BUCKET_NAME/FILE.TXT
Display the total size of a Cloud Storage bucket in human-readable format
gsutil du -sh gs://BUCKET_NAME
Display metadata for a specific Cloud Storage object
gsutil stat gs://BUCKET_NAME/FILE.TXT
Recursively upload an entire local directory to Cloud Storage
gsutil cp -r ./LOCAL_DIR/ gs://BUCKET_NAME/
Synchronise a local directory with a Cloud Storage bucket, copying only changed files
gsutil rsync -r ./LOCAL_DIR gs://BUCKET_NAME
Upload a directory to Cloud Storage using parallel multi-threaded transfers
gsutil -m cp -r ./DATA/ gs://BUCKET_NAME/
Enable object versioning on a Cloud Storage bucket
gsutil versioning set on gs://BUCKET_NAME
Apply a lifecycle configuration file to a Cloud Storage bucket
gsutil lifecycle set lifecycle.json gs://BUCKET_NAME
Grant a user the Storage Object Viewer role on a Cloud Storage bucket
gsutil iam ch user:USER@example.com:roles/storage.objectViewer gs://BUCKET_NAME
Apply a CORS configuration file to a Cloud Storage bucket
gsutil cors set cors.json gs://BUCKET_NAME
Generate a signed URL valid for 1 hour for a private Cloud Storage object
gsutil signurl -d 1h KEY.json gs://BUCKET_NAME/PRIVATE_FILE.TXT
Set a 365-day retention policy on a Cloud Storage bucket
gsutil retention set 365d gs://BUCKET_NAME
Copy CSV files to Cloud Storage, skipping any files that already exist at the destination
gsutil cp -n ./DATA/*.csv gs://BUCKET_NAME/DATA/
Display the API server endpoint addresses and cluster services URLs
kubectl cluster-info
Show the client and server Kubernetes version information
kubectl version
Display the merged kubeconfig settings from all configured files
kubectl config view
Print the name of the currently active kubeconfig context
kubectl config current-context
List all available kubeconfig contexts and highlight the active one
kubectl config get-contexts
Switch the active kubeconfig context to a different cluster or user
kubectl config use-context CONTEXT_NAME
Modify a kubeconfig context to set its default namespace or cluster
kubectl config set-context CONTEXT_NAME --namespace NAMESPACE
Rename a kubectl context in the kubeconfig file
kubectl config rename-context OLD_NAME NEW_NAME
Remove a context entry from the kubeconfig file
kubectl config delete-context CONTEXT
Add or update a cluster entry in the kubeconfig with its API server URL
kubectl config set-cluster CLUSTER --server SERVER
Set the credentials for a user entry in the kubeconfig file
kubectl config set-credentials USER --token TOKEN
Remove a cluster entry from the kubeconfig file
kubectl config delete-cluster CLUSTER
Show only the kubeconfig entries relevant to the current context
kubectl config view --minify
Dump detailed cluster diagnostic information for debugging
kubectl cluster-info dump
Display only the kubectl client version without contacting the server
kubectl version --client
List all cluster names defined in the kubeconfig file
kubectl config get-clusters
Display the full kubeconfig including unredacted certificate data
kubectl config view --raw
Remove a user entry from the kubeconfig file
kubectl config delete-user USER
List only the Kubernetes resource types that are scoped to a namespace
kubectl api-resources --namespaced
Set the default namespace for the current kubectl context so you don't need -n on every command
kubectl config set-context --current --namespace NAMESPACE
Create a new Compute Engine virtual machine instance
gcloud compute instances create INSTANCE_NAME --zone ZONE --machine-type MACHINE_TYPE
List all Compute Engine VM instances in the current project
gcloud compute instances list
Show detailed metadata and configuration of a specific VM instance
gcloud compute instances describe INSTANCE_NAME --zone ZONE
Permanently delete a Compute Engine VM instance and its boot disk
gcloud compute instances delete INSTANCE_NAME --zone ZONE
Start a previously stopped Compute Engine VM instance
gcloud compute instances start INSTANCE_NAME --zone ZONE
Stop a running Compute Engine VM instance without deleting it
gcloud compute instances stop INSTANCE_NAME --zone ZONE
Open an SSH connection to a Compute Engine VM instance
gcloud compute ssh INSTANCE_NAME --zone ZONE
Perform a hard reset on a Compute Engine VM instance (equivalent to power cycle)
gcloud compute instances reset INSTANCE_NAME --zone ZONE
List all available Compute Engine zones and their status
gcloud compute zones list
Create a new persistent disk in a specified zone
gcloud compute disks create DISK_NAME --size SIZE --zone ZONE
Create a new VPC firewall rule to allow or deny specific traffic
gcloud compute firewall-rules create RULE_NAME --allow PROTOCOL:PORT
List all VPC firewall rules in the current project
gcloud compute firewall-rules list
Reserve a new static external IP address in a specified region
gcloud compute addresses create ADDRESS_NAME --region REGION
Add network tags to a Compute Engine instance for firewall rule targeting
gcloud compute instances add-tags INSTANCE_NAME --tags TAG1,TAG2 --zone ZONE
Securely copy files between a local machine and a Compute Engine instance over SSH
gcloud compute scp LOCAL_PATH INSTANCE_NAME:REMOTE_PATH --zone ZONE
List all available Compute Engine disk images including public and custom images
gcloud compute images list
Delete a VM from the wrong zone, update the default zone, and recreate it
gcloud compute instances delete web-server --zone=us-east1-b && gcloud config set compute/zone us-central1-a && gcloud compute instances create web-server
Create a new Compute Engine disk from an existing snapshot
gcloud compute disks create restored-disk --source-snapshot=data-server-snapshot --zone=us-east1-b
Create a snapshot of a Compute Engine persistent disk
gcloud compute snapshots create SNAPSHOT_NAME --source-disk DISK --source-disk-zone ZONE
List all available Compute Engine machine types in a specific zone
gcloud compute machine-types list --filter zone:ZONE
Initialize the gcloud CLI with a new configuration, project, and default settings
gcloud initSet the active GCP project for all subsequent gcloud commands
gcloud config set project PROJECT_IDSet the default Compute Engine region for the current configuration
gcloud config set compute/region REGIONSet the default Compute Engine zone for the current configuration
gcloud config set compute/zone ZONEDisplay all properties in the active gcloud configuration
gcloud config listCreate a new named gcloud configuration profile
gcloud config configurations create CONFIG_NAMESwitch to a different named gcloud configuration profile
gcloud config configurations activate CONFIG_NAMEList all available gcloud configuration profiles and show which is active
gcloud config configurations listList all GCP projects accessible with the active account credentials
gcloud projects listPrint the currently active GCP project from the gcloud configuration
gcloud config get projectPrint the currently configured default Compute Engine region
gcloud config get compute/regionPrint the currently configured default Compute Engine zone
gcloud config get compute/zoneRemove a property from the active gcloud configuration so it has no default
gcloud config unset compute/regionDisplay diagnostic info about the gcloud installation, environment, and logs
gcloud infoDisplay the installed version of the gcloud CLI and all components
gcloud versionList all installed and available gcloud components with their versions
gcloud components listUpdate all installed gcloud SDK components to their latest versions
gcloud components updateShow all properties set in a specific named gcloud configuration
gcloud config configurations describe CONFIG_NAMEPermanently delete a named gcloud configuration profile
gcloud config configurations delete CONFIG_NAMESet which Google account is active in the current gcloud configuration
gcloud config set core/account ACCOUNT
Create a ConfigMap from literal key-value pairs on the command line
kubectl create configmap CONFIGMAP_NAME --from-literal=KEY=VALUE
List all ConfigMaps in the current namespace
kubectl get configmaps
Show the stored data and metadata of a specific ConfigMap
kubectl describe configmap CONFIGMAP_NAME
Create an opaque Secret from literal key-value pairs for sensitive data
kubectl create secret generic SECRET_NAME --from-literal=KEY=VALUE
List all Secrets and their types in the current namespace
kubectl get secrets
Show metadata and data key sizes of a specific Secret without revealing values
kubectl describe secret SECRET_NAME
Create a ConfigMap populated with the contents of a file on disk
kubectl create configmap CONFIGMAP_NAME --from-file=FILEPATH
Create a TLS Secret from a certificate and private key file pair
kubectl create secret tls SECRET_NAME --cert=CERT_FILE --key=KEY_FILE
List all Kubernetes service accounts in the current namespace
kubectl get serviceaccounts
Delete a ConfigMap from the current namespace
kubectl delete configmap CONFIG_NAME
Open a ConfigMap for in-place editing in the default editor
kubectl edit configmap CONFIG_NAME
Create a ConfigMap from a single key-value literal pair
kubectl create configmap CONFIG_NAME --from-literal KEY=VALUE
Create a Kubernetes secret for authenticating with a private container registry
kubectl create secret docker-registry REGISTRY_SECRET --docker-server SERVER --docker-username USER --docker-password PASS
Delete a secret from the current namespace
kubectl delete secret SECRET_NAME
Open a Kubernetes secret for in-place editing (values are base64-encoded)
kubectl edit secret SECRET_NAME
Extract and decode a specific key from a Kubernetes secret
kubectl get secret SECRET_NAME -o jsonpath='{.data.KEY}' | base64 --decode
Create a ConfigMap by importing all key-value pairs from a .env file
kubectl create configmap CONFIG_NAME --from-env-file ENV_FILE
Create a secret with a specific key mapped to a file's contents
kubectl create secret generic SECRET_NAME --from-file KEY=FILE_PATH
List all ConfigMaps across every namespace in the cluster
kubectl get configmaps --all-namespaces
Update a specific key in a ConfigMap using a JSON patch
kubectl patch configmap CONFIG_NAME --patch '{"data":{"KEY":"VALUE"}}'
List cluster events sorted by creation time to troubleshoot recent issues
kubectl get events --sort-by=.metadata.creationTimestamp
Retrieve logs from the previous terminated instance of a pod container
kubectl logs POD_NAME --previous
Stream live log output from a pod container in real time
kubectl logs -f POD_NAME
Attach to the primary process running inside a pod container for live interaction
kubectl attach POD_NAME -c CONTAINER_NAME -it
Retrieve logs from a specific container within a multi-container pod
kubectl logs POD_NAME -c CONTAINER_NAME
Block until a pod reaches a specified condition or the timeout expires
kubectl wait --for=condition=ready pod/POD_NAME --timeout TIMEOUT
List cluster events sorted chronologically to diagnose recent failures
kubectl get events --sort-by .metadata.creationTimestamp
Attach a debug container to a running pod for live troubleshooting
kubectl debug pod POD_NAME --image IMAGE --stdin --tty
Show CPU and memory usage broken down per container within a specific pod
kubectl top pod POD_NAME --containers
Launch a temporary BusyBox pod for network or DNS debugging, auto-deleted on exit
kubectl run debug-pod --image=busybox --rm -it --restart=Never -- sh
Output the full pod specification and current status as YAML
kubectl get pod POD_NAME -o yaml
Extract the conditions array from a pod to inspect readiness and scheduling state
kubectl get pod POD_NAME -o jsonpath='{.status.conditions}'
Describe a ReplicaSet to diagnose pod scheduling or image pull failures
kubectl describe replicaset RS_NAME
Read the serial port output from a Compute Engine VM to diagnose boot failures
gcloud compute instances get-serial-port-output INSTANCE_NAME --zone ZONE
Read error and critical log entries from the past hour across all services
gcloud logging read "severity>=ERROR" --freshness 1h --limit 50
Query Cloud Logging for Kubernetes container logs from a GKE cluster
gcloud logging read "resource.type=k8s_container" --limit 50
Show events and routing rules for an ingress to debug traffic routing issues
kubectl describe ingress INGRESS_NAME
Show pod logs from only the last hour to narrow down a recent error
kubectl logs POD_NAME --since=1h
Open an interactive shell session inside a running pod container
kubectl exec -it POD_NAME -- /bin/sh
Check whether the current user has permission to create pods in a namespace
kubectl auth can-i create pods --namespace NAMESPACE
Update an existing Deployment Manager deployment with a revised config file
gcloud deployment-manager deployments update prod-infra --config prod.yaml
List all Deployment Manager deployments in the current project
gcloud deployment-manager deployments list
Show detailed information about a specific Deployment Manager deployment
gcloud deployment-manager deployments describe DEPLOYMENT_NAME
Create a new Deployment Manager deployment from a YAML config file
gcloud deployment-manager deployments create DEPLOYMENT_NAME --config CONFIG_FILE
Delete an existing Deployment Manager deployment and all its managed resources
gcloud deployment-manager deployments delete DEPLOYMENT_NAME
Update an existing Deployment Manager deployment with a revised config file
gcloud deployment-manager deployments update DEPLOYMENT_NAME --config CONFIG_FILE
List Deployment Manager deployments filtered by operation type
gcloud deployment-manager deployments list --filter "operation.operationType=insert"
List all resource types available for use in Deployment Manager configurations
gcloud deployment-manager types list
List all individual resources created by a Deployment Manager deployment
gcloud deployment-manager resources list --deployment DEPLOYMENT
Show details and current state of a specific resource in a Deployment Manager deployment
gcloud deployment-manager resources describe RESOURCE --deployment DEPLOYMENT
Preview a Deployment Manager deployment without actually creating resources
gcloud deployment-manager deployments create DEPLOYMENT --config CONFIG --preview
Update an existing Deployment Manager deployment with a new configuration file
gcloud deployment-manager deployments update DEPLOYMENT --config CONFIG
Cancel a Deployment Manager deployment that is in preview state
gcloud deployment-manager deployments cancel-preview DEPLOYMENT
List all manifests (config snapshots) for a Deployment Manager deployment
gcloud deployment-manager manifests list --deployment DEPLOYMENT
Show the expanded configuration snapshot for a specific Deployment Manager manifest
gcloud deployment-manager manifests describe MANIFEST --deployment DEPLOYMENT
List all Deployment Manager operations and their current status
gcloud deployment-manager operations list
Show detailed status and error information for a Deployment Manager operation
gcloud deployment-manager operations describe OPERATION
Stop an in-progress Deployment Manager deployment operation
gcloud deployment-manager deployments stop DEPLOYMENT
Remove a Deployment Manager deployment record without deleting the underlying resources
gcloud deployment-manager deployments delete DEPLOYMENT --delete-policy ABANDON
List all Deployment Manager deployments and output as JSON for scripting
gcloud deployment-manager deployments list --format json
Create a new deployment with a single replica of the specified image
kubectl create deployment DEPLOYMENT_NAME --image IMAGE_NAME
List all deployments and their ready replica counts in the current namespace
kubectl get deployments
Show detailed state, strategy, and events for a specific deployment
kubectl describe deployment DEPLOYMENT_NAME
Delete a deployment and all of its managed replica sets and pods
kubectl delete deployment DEPLOYMENT_NAME
Scale the number of pod replicas in a deployment to a specified count
kubectl scale deployment DEPLOYMENT_NAME --replicas REPLICA_COUNT
Update the container image of a deployment to trigger a rolling update
kubectl set image deployment/DEPLOYMENT_NAME CONTAINER_NAME=IMAGE_NAME
Watch the progress of a rolling update for a deployment until completion
kubectl rollout status deployment/DEPLOYMENT_NAME
Roll back a deployment to its previous revision
kubectl rollout undo deployment/DEPLOYMENT_NAME
Trigger a rolling restart of all pods in a deployment without changing the spec
kubectl rollout restart deployment/DEPLOYMENT_NAME
View the revision history and change causes for a deployment
kubectl rollout history deployment/DEPLOYMENT_NAME
List all replica sets and their desired, current, and ready pod counts
kubectl get replicasets
Apply a partial modification to a deployment using a JSON or YAML patch
kubectl patch deployment DEPLOYMENT_NAME -p PATCH_JSON
Create a Horizontal Pod Autoscaler to automatically scale a deployment based on CPU usage
kubectl autoscale deployment DEPLOYMENT_NAME --min MIN --max MAX --cpu-percent CPU_PERCENT
List all Horizontal Pod Autoscalers and their current scaling metrics
kubectl get hpa
Validate a deployment manifest locally without sending it to the cluster
kubectl apply -f DEPLOYMENT_FILE --dry-run=client
Export a deployment's full specification as YAML for inspection or backup
kubectl get deployment DEPLOYMENT -o yaml
Pause a deployment rollout to safely stage multiple changes
kubectl rollout pause deployment DEPLOYMENT
Resume a paused deployment rollout to continue the update
kubectl rollout resume deployment DEPLOYMENT
List pods matching a specific label selector to verify a deployment's pods
kubectl get pods -l app=APP_LABEL
Set or update an environment variable on all containers in a deployment
kubectl set env deployment DEPLOYMENT KEY=VALUE
Create a new Google Kubernetes Engine cluster with specified node count
gcloud container clusters create CLUSTER_NAME --zone ZONE --num-nodes NUM_NODES
List all GKE clusters in the current project across all zones
gcloud container clusters list
Delete a GKE cluster and all its associated resources
gcloud container clusters delete CLUSTER_NAME --zone ZONE
Fetch kubeconfig credentials to enable kubectl access to a GKE cluster
gcloud container clusters get-credentials CLUSTER_NAME --zone ZONE
Resize the number of nodes in a GKE cluster node pool
gcloud container clusters resize CLUSTER_NAME --num-nodes NUM_NODES --zone ZONE
Add a new node pool to an existing GKE cluster
gcloud container node-pools create POOL_NAME --cluster CLUSTER_NAME --zone ZONE
List all node pools belonging to a specific GKE cluster
gcloud container node-pools list --cluster CLUSTER_NAME --zone ZONE
Update a GKE cluster configuration such as enabling node autoscaling
gcloud container clusters update CLUSTER_NAME --zone ZONE --enable-autoscaling --min-nodes MIN --max-nodes MAX
Stream live logs from a Deployment by referencing the Deployment object directly
kubectl logs deployment/orders-api -f
Update a Deployment's container memory limit using kubectl set resources
kubectl set resources deployment backend --limits=memory=512Mi
Upgrade a specific GKE node pool to a newer Kubernetes version
gcloud container clusters upgrade prod-cluster --node-pool=default-pool --cluster-version=1.28 --zone=us-central1-a
Enable cluster autoscaling on a GKE node pool with min/max node bounds
gcloud container node-pools update default-pool --cluster=prod-cluster --enable-autoscaling --min-nodes=2 --max-nodes=10 --zone=us-central1-a
Roll back a Kubernetes deployment to its previous revision
kubectl rollout undo deployment/api-server
Scale a Kubernetes deployment to a specific replica count and verify
kubectl scale deployment web-api --replicas=8
Create a ConfigMap from a file and inject it as environment variables into a deployment
kubectl create configmap web-config --from-file=config.properties
Configure GKE Workload Identity: bind IAM policy and annotate the Kubernetes service account
gcloud iam service-accounts add-iam-policy-binding gcs-reader@my-project.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="serviceAccount:my-project.svc.id.goog[prod/ksa-reader]"
Show detailed configuration and status of a GKE cluster
gcloud container clusters describe CLUSTER_NAME --zone ZONE
Remove a node pool from a GKE cluster and drain its nodes
gcloud container node-pools delete POOL_NAME --cluster CLUSTER_NAME --zone ZONE
Show configuration details of a specific GKE node pool
gcloud container node-pools describe POOL_NAME --cluster CLUSTER_NAME --zone ZONE
List all GKE operations in a zone to monitor cluster creation or upgrade progress
gcloud container operations list --zone ZONE
Create a custom IAM role from a YAML definition file
gcloud iam roles create devReadRole --project=my-project --file=role-definition.yaml
List all custom IAM roles defined in a specific project
gcloud iam roles list --project PROJECT_ID
Show the permissions and metadata for a specific IAM role
gcloud iam roles describe ROLE_ID
Create a custom IAM role in a project from a YAML permissions file
gcloud iam roles create ROLE_ID --project PROJECT_ID --file YAML_FILE
Add one or more permissions to an existing custom IAM role in a project
gcloud iam roles update ROLE_ID --project PROJECT_ID --add-permissions PERMISSION
Copy an existing IAM role to create a new custom role in a destination project
gcloud iam roles copy --source SOURCE_ROLE --destination DEST_ROLE --dest-project PROJECT_ID
Revoke a specific IAM role from a member on a project
gcloud projects remove-iam-policy-binding PROJECT_ID --member MEMBER --role ROLE
Replace the entire IAM policy on a project with a policy defined in a JSON file
gcloud projects set-iam-policy PROJECT_ID POLICY_FILE
List only the custom IAM roles defined within a specific project
gcloud iam roles list --project PROJECT_ID
Add a new permission to an existing custom IAM role
gcloud iam roles update ROLE_ID --project PROJECT_ID --add-permissions PERMISSION
Disable a custom IAM role so it cannot be granted to new members
gcloud iam roles disable ROLE_ID --project PROJECT_ID
Restore a previously deleted custom IAM role within the undelete window
gcloud iam roles undelete ROLE_ID --project PROJECT_ID
Retrieve the IAM policy for a resource hierarchy folder
gcloud resource-manager folders get-iam-policy FOLDER_ID
Retrieve the IAM policy for a GCP organization
gcloud organizations get-iam-policy ORG_ID
Grant an IAM role to a member at the folder level
gcloud resource-manager folders add-iam-policy-binding FOLDER_ID --member MEMBER --role ROLE
View the IAM policy that controls who can act as or impersonate a service account
gcloud iam service-accounts get-iam-policy SA_EMAIL
Grant workload identity access so a Kubernetes SA can impersonate a Google SA
gcloud iam service-accounts add-iam-policy-binding SA_EMAIL --role roles/iam.workloadIdentityUser --member MEMBER
Search across all IAM policies in a project to find specific role grants
gcloud asset search-all-iam-policies --scope projects/PROJECT_ID --query QUERY
Create a custom IAM role from a YAML or JSON role definition file
gcloud iam roles create ROLE_ID --project PROJECT_ID --file ROLE_DEFINITION_FILE
Delete a custom IAM role from a project (can be undeleted within 7 days)
gcloud iam roles delete ROLE_ID --project PROJECT_ID
Create a new IAM service account in the current project
gcloud iam service-accounts create SA_NAME --display-name DISPLAY_NAME
List all service accounts in the current project
gcloud iam service-accounts list
Generate and download a new JSON key file for a service account
gcloud iam service-accounts keys create KEY_FILE --iam-account SA_EMAIL
Grant an IAM role to a member on a specific project
gcloud projects add-iam-policy-binding PROJECT_ID --member MEMBER --role ROLE
Retrieve the full IAM policy (all role bindings) for a project
gcloud projects get-iam-policy PROJECT_ID
List all predefined and custom IAM roles available in the project
gcloud iam roles list
Delete a service account and revoke all its associated credentials
gcloud iam service-accounts delete SA_EMAIL
Show details including display name and unique ID for a service account
gcloud iam service-accounts describe SA_EMAIL
Update the display name of an existing service account
gcloud iam service-accounts update SA_EMAIL --display-name NEW_NAME
Disable a service account to prevent it from authenticating without deleting it
gcloud iam service-accounts disable SA_EMAIL
Re-enable a previously disabled service account
gcloud iam service-accounts enable SA_EMAIL
List all key IDs and their creation times for a service account
gcloud iam service-accounts keys list --iam-account SA_EMAIL
Revoke and delete a specific service account key by its ID
gcloud iam service-accounts keys delete KEY_ID --iam-account SA_EMAIL
Allow a user to impersonate and act as a service account
gcloud iam service-accounts add-iam-policy-binding SA_EMAIL --member user:USER_EMAIL --role roles/iam.serviceAccountUser
Grant a service account the Storage Admin role on a project
gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:SA_EMAIL --role roles/storage.admin
View all IAM bindings on a service account resource itself
gcloud iam service-accounts get-iam-policy SA_EMAIL
Remove a specific IAM role from a service account on a project
gcloud projects remove-iam-policy-binding PROJECT_ID --member serviceAccount:SA_EMAIL --role ROLE
Sign a binary blob using a service account to produce a cryptographic signature
gcloud iam service-accounts sign-blob --iam-account SA_EMAIL INPUT_FILE OUTPUT_FILE
Create a service account with a description in an explicitly specified project
gcloud iam service-accounts create SA_NAME --project PROJECT_ID --description DESCRIPTION
Generate a P12 format service account key for legacy authentication libraries
gcloud iam service-accounts keys create KEY_FILE --iam-account SA_EMAIL --key-file-type p12
Create a Role that allows getting and listing pods in the current namespace
kubectl create role POD_READER --verb=get,list --resource=pods
Create a ClusterRole that allows reading secrets across all namespaces
kubectl create clusterrole SECRET_READER --verb=get,list --resource=secrets
Bind a Role to a user so that user gains those permissions in the current namespace
kubectl create rolebinding ALICE_READER --role=pod-reader --user=alice
Bind a ClusterRole to a user, granting those permissions across the entire cluster
kubectl create clusterrolebinding ADMIN_BINDING --clusterrole=cluster-admin --user=admin
Apply a NetworkPolicy manifest from a file to restrict pod-to-pod traffic
kubectl apply -f network-policy.yaml
List all CustomResourceDefinitions installed in the cluster
kubectl get crds
Create a service account in a specific namespace
kubectl create serviceaccount APP_SA -n prod
List all RoleBindings across every namespace in the cluster
kubectl get rolebindings --all-namespaces
Check whether user bob can delete deployments in the staging namespace
kubectl auth can-i delete deployments --as=bob -n staging
Check whether the current user has all permissions on all resources cluster-wide
kubectl auth can-i '*' '*' --all-namespaces
Create a Role in the prod namespace that allows full ConfigMap management
kubectl create role CONFIGMAP_MANAGER --verb=get,list,create,update,delete --resource=configmaps -n prod
Grant a service account view access by binding a ClusterRole via a RoleBinding
kubectl create rolebinding APP_SA_BINDING --clusterrole=view --serviceaccount=default:app-sa
Install a CustomResourceDefinition into the cluster from a YAML manifest
kubectl apply -f crd.yaml
List all instances of a custom resource by its kind name
kubectl get CUSTOM_RESOURCE_KIND
Display the full spec and events for a NetworkPolicy in the prod namespace
kubectl describe networkpolicy POLICY_NAME -n prod
Apply RBAC roles and bindings from a file, updating any that have changed
kubectl auth reconcile -f rbac.yaml
Show the API documentation for the NetworkPolicy spec field
kubectl explain networkpolicy.spec
Check whether the current user can list secrets in the kube-system namespace
kubectl auth can-i list secrets -n kube-system
List all NetworkPolicy resources across every namespace in the cluster
kubectl get networkpolicies --all-namespaces
List all ClusterRoles defined in the cluster
kubectl get clusterroles
Create a new Cloud SQL database instance with specified version and tier
gcloud sql instances create INSTANCE_NAME --database-version DATABASE_VERSION --tier TIER
Create a new Pub/Sub topic for publishing messages
gcloud pubsub topics create TOPIC_NAME
Create a new Pub/Sub subscription attached to an existing topic
gcloud pubsub subscriptions create SUBSCRIPTION_NAME --topic TOPIC_NAME
Read and display log entries from Cloud Logging with an optional filter
gcloud logging read FILTER --limit LIMIT
List all cryptographic keys in a Cloud KMS keyring
gcloud kms keys list --keyring KEYRING_NAME --location LOCATION
Enable a Google Cloud API or service for the current project
gcloud services enable SERVICE_NAME
List all APIs and services currently enabled in the project
gcloud services list --enabled
Submit a build to Cloud Build and push the resulting image to Container Registry
gcloud builds submit --tag gcr.io/PROJECT_ID/IMAGE_NAME
Create a new GCP project with a specified ID and display name
gcloud projects create PROJECT_ID --name NAME
Schedule a GCP project for deletion after a 30-day recovery window
gcloud projects delete PROJECT_ID
Show metadata including project number, labels, and lifecycle state for a project
gcloud projects describe PROJECT_ID
List all Cloud Billing accounts accessible to the current user
gcloud billing accounts list
Attach a billing account to a GCP project to enable paid services
gcloud billing projects link PROJECT_ID --billing-account BILLING_ACCOUNT_ID
Disable an API service on the current project
gcloud services disable SERVICE_NAME
Create a new Secret Manager secret and set its initial value from a file
gcloud secrets create SECRET_NAME --data-file FILE
Read and output the latest version of a Secret Manager secret
gcloud secrets versions access latest --secret SECRET_NAME
List all secrets stored in Secret Manager for the current project
gcloud secrets list
List all Cloud KMS key rings in a specific region
gcloud kms keyrings list --location LOCATION
List only the APIs currently enabled on the active project
gcloud services list --enabled
Create a new Cloud KMS symmetric encryption key in a key ring
gcloud kms keys create KEY_NAME --location LOCATION --keyring KEYRING --purpose encryption
List all namespaces in the cluster and their status
kubectl get namespaces
Create a new namespace to isolate resources within the cluster
kubectl create namespace NAMESPACE_NAME
Delete a namespace and all resources contained within it
kubectl delete namespace NAMESPACE_NAME
List all pods within a specific namespace using the -n flag
kubectl get pods -n NAMESPACE
Show detailed information about a Kubernetes namespace including resource quotas and limits
kubectl describe namespace NAMESPACE_NAME
Set the default namespace for the current kubectl context so you don't need -n on every command
kubectl config set-context --current --namespace NAMESPACE_NAME
Export a namespace definition as YAML
kubectl get namespace NAMESPACE -o yaml
List all workloads, services, and other resources within a namespace
kubectl get all -n NAMESPACE
Delete all deployments, pods, services and other resources within a namespace
kubectl delete all --all -n NAMESPACE
Create a ResourceQuota to limit total resource consumption within a namespace
kubectl create quota QUOTA_NAME --namespace NAMESPACE --hard=pods=10,requests.cpu=4
Show all resource quotas and their current usage in a namespace
kubectl get resourcequota -n NAMESPACE
Show current consumption versus limits for a specific resource quota
kubectl describe resourcequota QUOTA_NAME -n NAMESPACE
List LimitRange policies that set default and maximum resource limits in a namespace
kubectl get limitrange -n NAMESPACE
List all recent events in a specific namespace to diagnose resource issues
kubectl get events -n NAMESPACE
Check whether a specific user has permission to list pods in a namespace
kubectl auth can-i list pods --namespace NAMESPACE --as USER
Add a label to a namespace, commonly used for network policy targeting
kubectl label namespace NAMESPACE KEY=VALUE
Apply a manifest file into a specific namespace
kubectl apply -f MANIFEST_FILE --namespace NAMESPACE
List all service accounts in a specific namespace
kubectl get serviceaccounts -n NAMESPACE
Apply a LimitRange manifest to set default CPU and memory limits in a namespace
kubectl apply -f limitrange.yaml -n NAMESPACE
List all pods across every namespace in the cluster
kubectl get pods --all-namespaces
Create bidirectional VPC Network Peering between two projects
gcloud compute networks peerings create peer-a-to-b --network=vpc-a --peer-project=project-b --peer-network=vpc-b --project=project-a
List all VPC networks in the current project
gcloud compute networks list
Show detailed information about a specific VPC network
gcloud compute networks describe NETWORK_NAME
Create a new VPC network with custom subnet mode for fine-grained subnet control
gcloud compute networks create NETWORK_NAME --subnet-mode custom
List all VPC firewall rules in the current project
gcloud compute firewall-rules list
Create a firewall rule to allow TCP traffic on a specific port within a VPC network
gcloud compute firewall-rules create RULE_NAME --allow tcp:PORT --network NETWORK_NAME
List all subnets across all VPC networks in the current project
gcloud compute networks subnets list
Create a new subnet within a VPC network with a specified IP range
gcloud compute networks subnets create SUBNET --network NETWORK --region REGION --range RANGE
Show detailed configuration of a subnet including its CIDR range and secondary ranges
gcloud compute networks subnets describe SUBNET --region REGION
Delete a VPC network after removing all its resources
gcloud compute networks delete NETWORK
Update an existing VPC firewall rule to change allowed protocols or ports
gcloud compute firewall-rules update RULE_NAME --allow PROTOCOL:PORT
Delete a VPC firewall rule from the current project
gcloud compute firewall-rules delete RULE_NAME
Show the full configuration of a specific VPC firewall rule
gcloud compute firewall-rules describe RULE_NAME
List all static IP addresses reserved in the current project
gcloud compute addresses list
Show the IP address value and status of a reserved static address
gcloud compute addresses describe ADDRESS_NAME --region REGION
Release a reserved static IP address back to the shared pool
gcloud compute addresses delete ADDRESS_NAME --region REGION
List all VPC routes in the current project
gcloud compute routes list
List all load balancer forwarding rules in the current project
gcloud compute forwarding-rules list
List all backend services configured for load balancing
gcloud compute backend-services list
Expand the IP range of an existing subnet to a larger CIDR prefix
gcloud compute networks subnets expand-ip-range SUBNET --region REGION --prefix-length PREFIX
List all nodes in the cluster with their status and Kubernetes version
kubectl get nodes
Show detailed information including capacity, conditions, and allocated resources for a node
kubectl describe node NODE_NAME
Mark a node as unschedulable to prevent new pods from being assigned to it
kubectl cordon NODE_NAME
Mark a previously cordoned node as schedulable again to accept new pods
kubectl uncordon NODE_NAME
Safely evict all pods from a node in preparation for maintenance
kubectl drain NODE_NAME --ignore-daemonsets --delete-emptydir-data
Apply a taint to a node to repel pods that do not tolerate the taint
kubectl taint nodes NODE_NAME KEY=VALUE:EFFECT
Display CPU and memory usage metrics for all nodes in the cluster
kubectl top node
Add or update a label on a node for scheduling constraints and selection
kubectl label nodes NODE_NAME KEY=VALUE
List all nodes with extended details including internal IP, OS image, and container runtime
kubectl get nodes -o wide
List all cluster nodes with their full set of labels
kubectl get nodes --show-labels
Remove a label from a node by appending a dash to the key name
kubectl label node NODE_NAME KEY-
Remove a taint from a node by appending a dash to the key name
kubectl taint nodes NODE_NAME KEY-
Export a node's full specification including conditions and allocatable resources as YAML
kubectl get node NODE_NAME -o yaml
Show node CPU and memory usage sorted by highest CPU consumption
kubectl top nodes --sort-by cpu
Filter the node list to only nodes matching a specific label selector
kubectl get nodes --selector KEY=VALUE
Extract the allocatable CPU and memory resources from a specific node
kubectl get node NODE_NAME -o jsonpath='{.status.allocatable}'
Remove a node object from the cluster (after draining it first)
kubectl delete node NODE_NAME
Extract the kubelet version from every node to verify upgrade status
kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}'
Add or update an annotation on a node
kubectl annotate node NODE_NAME KEY=VALUE
Mark a node as unschedulable using a JSON patch without draining it
kubectl patch node NODE_NAME -p '{"spec":{"unschedulable":true}}'
Create a Cloud Logging sink to export audit logs to Cloud Storage
gcloud logging sinks create audit-export storage.googleapis.com/compliance-logs-bucket --log-filter='logName:cloudaudit.googleapis.com'
Write a log entry to a named Cloud Logging log for testing or manual audit purposes
gcloud logging write LOG_NAME "MESSAGE"
List all available log names in the current project
gcloud logging logs list
List all log sinks configured to export logs to external destinations
gcloud logging sinks list
List all log-based metrics defined in the current project
gcloud logging metrics list
List all Cloud Monitoring dashboards in the current project
gcloud monitoring dashboards list
Create a log sink to export matching log entries to Cloud Storage, BigQuery, or Pub/Sub
gcloud logging sinks create SINK_NAME DESTINATION --log-filter FILTER
Delete a log export sink from the current project
gcloud logging sinks delete SINK_NAME
Show the destination and filter configuration for a log sink
gcloud logging sinks describe SINK_NAME
Create a log-based metric to count or extract values from matching log entries
gcloud logging metrics create METRIC_NAME --description DESC --log-filter FILTER
Delete a log-based metric from the current project
gcloud logging metrics delete METRIC_NAME
List log buckets available for storing log data in a region
gcloud logging buckets list --location LOCATION
List all Cloud Monitoring alerting policies in the current project
gcloud monitoring policies list
List all notification channels configured for Cloud Monitoring alerts
gcloud monitoring channels list
Query Cloud Logging for error-level logs from Compute Engine instances
gcloud logging read "resource.type=gce_instance AND severity>=ERROR" --limit 20
Read Cloud Audit Logs for admin activity in the current project
gcloud logging read "logName=projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" --limit 10
List all log views available for a specific log bucket
gcloud logging views list --bucket LOG_BUCKET --location LOCATION
Show the full widget configuration of a Cloud Monitoring dashboard
gcloud monitoring dashboards describe DASHBOARD_NAME
Update the log filter on an existing log export sink
gcloud logging sinks update SINK_NAME --log-filter NEW_FILTER
List recent error events from Cloud Error Reporting for a specific service
gcloud beta error-reporting events list --service SERVICEList all pods in the current namespace
kubectl get pods

List all pods across every namespace in the cluster
kubectl get pods --all-namespaces

Show detailed information including events and conditions for a specific pod
kubectl describe pod POD_NAME

Delete a specific pod from the current namespace
kubectl delete pod POD_NAME

Open an interactive shell session inside a running pod container
kubectl exec -it POD_NAME -- /bin/sh

Print the stdout logs from a specific pod container
kubectl logs POD_NAME

Forward a local port to a port on a specific pod for debugging access
kubectl port-forward pod/POD_NAME LOCAL_PORT:REMOTE_PORT

Copy files between a pod container and the local filesystem
kubectl cp POD_NAME:REMOTE_PATH LOCAL_PATH

Display CPU and memory usage metrics for pods in the current namespace
kubectl top pod

Create and run a single pod with the specified container image
kubectl run POD_NAME --image IMAGE_NAME

List all pods along with their associated label key-value pairs
kubectl get pods --show-labels

List pods with additional details including node name and IP address
kubectl get pods -o wide

Filter and list pods matching a specific label selector
kubectl get pods -l KEY=VALUE

Output the full YAML specification of a specific pod resource
kubectl get pod POD_NAME -o yaml

Add or update an annotation on a specific pod resource
kubectl annotate pod POD_NAME KEY=VALUE

Add or update a label on a specific pod for selection and organization
kubectl label pod POD_NAME KEY=VALUE

List pods sorted by their start time to identify the most recently started pods
kubectl get pods --sort-by=.status.startTime

Force-restart all pods in a namespace by deleting them (deployments recreate them)
kubectl delete pods --all -n NAMESPACE

Block until a pod reaches the Ready state or the timeout expires
kubectl wait pod POD_NAME --for=condition=Ready --timeout=60s

Extract the container image names for all pods in the current namespace
kubectl get pods -o jsonpath='{.items[*].spec.containers[*].image}'

Grant a service account the Pub/Sub Publisher role on a specific topic
gcloud pubsub topics add-iam-policy-binding order-events --member=serviceAccount:app-sa@my-project.iam.gserviceaccount.com --role=roles/pubsub.publisher

List all Pub/Sub topics in the current project
gcloud pubsub topics list

Delete a Pub/Sub topic and detach all its subscriptions
gcloud pubsub topics delete TOPIC_NAME

List all Pub/Sub subscriptions in the current project
gcloud pubsub subscriptions list

Pull and acknowledge pending messages from a Pub/Sub subscription
gcloud pubsub subscriptions pull SUB_NAME

Publish a message string to a Pub/Sub topic from the command line
gcloud pubsub topics publish TOPIC_NAME --message MESSAGE

Show configuration including ack deadline and push endpoint for a Pub/Sub subscription
gcloud pubsub subscriptions describe SUBSCRIPTION

Delete a Pub/Sub subscription and stop message delivery
gcloud pubsub subscriptions delete SUBSCRIPTION

Extend the acknowledgement deadline for an in-flight Pub/Sub message
gcloud pubsub subscriptions modify-message-ack-deadline SUBSCRIPTION --ack-deadline 60 --ack-ids ACK_ID

Rewind or fast-forward a Pub/Sub subscription to a specific timestamp
gcloud pubsub subscriptions seek SUBSCRIPTION --time TIME

Show configuration and associated subscriptions for a Pub/Sub topic
gcloud pubsub topics describe TOPIC

Create a Pub/Sub snapshot to preserve the current message backlog for a subscription
gcloud pubsub snapshots create SNAPSHOT --subscription SUBSCRIPTION

List all Pub/Sub snapshots in the current project
gcloud pubsub snapshots list

Create a Pub/Sub subscription with a custom acknowledgement deadline of 60 seconds
gcloud pubsub subscriptions create SUBSCRIPTION --topic TOPIC --ack-deadline 60

Create a push subscription that delivers messages to an HTTPS endpoint
gcloud pubsub subscriptions create SUBSCRIPTION --topic TOPIC --push-endpoint URL

Pull and automatically acknowledge up to 10 messages from a Pub/Sub subscription
gcloud pubsub subscriptions pull SUBSCRIPTION --max-messages 10 --auto-ack

Allow anyone to publish messages to a Pub/Sub topic without authentication
gcloud pubsub topics add-iam-policy-binding TOPIC --member allUsers --role roles/pubsub.publisher

Acknowledge a specific Pub/Sub message by its ack ID to prevent redelivery
gcloud pubsub subscriptions ack SUBSCRIPTION --ack-ids ACK_ID

Update the HTTPS push endpoint URL on an existing push subscription
gcloud pubsub subscriptions modify-push-config SUBSCRIPTION --push-endpoint NEW_URL

List all Pub/Sub topics in JSON format for scripting or automation
gcloud pubsub topics list --format json

Apply a YAML or JSON resource configuration file to create or update resources
kubectl apply -f FILENAME

Create resources from a YAML or JSON file, failing if they already exist
kubectl create -f FILENAME

Delete all resources defined in a YAML or JSON configuration file
kubectl delete -f FILENAME

Show differences between the live resource state and a local configuration file
kubectl diff -f FILENAME

List all common resource types (pods, services, deployments, etc.) in the current namespace
kubectl get all

List all supported resource types, their short names, and API groups in the cluster
kubectl api-resources

List all available API group versions supported by the cluster
kubectl api-versions

Display the schema and documentation fields for a Kubernetes resource type
kubectl explain RESOURCE

List all persistent volumes in the cluster and their bound status
kubectl get persistentvolumes

List all persistent volume claims and their binding status in the current namespace
kubectl get persistentvolumeclaims

List all batch jobs and their completion status in the current namespace
kubectl get jobs

List all CronJobs and their schedules in the current namespace
kubectl get cronjobs

List all DaemonSets and their desired and available pod counts
kubectl get daemonsets

List all StatefulSets and their ready replica counts in the current namespace
kubectl get statefulsets

List all network policies controlling traffic flow between pods
kubectl get networkpolicies

Replace an existing Kubernetes resource with the definition in a file
kubectl replace -f FILE

List all workloads, services and core resources across every namespace
kubectl get all --all-namespaces

Create a resource and save its configuration as an annotation for future apply operations
kubectl create -f FILE --save-config

Apply all manifests in a directory and delete labelled resources not present in the directory
kubectl apply --prune -f DIRECTORY -l APP=LABEL

Validate a manifest against the live API server without creating the resource
kubectl create -f FILE --dry-run=server -o yaml

List all services and their cluster IPs and ports in the current namespace
kubectl get services

Create a service to expose a deployment's pods to network traffic
kubectl expose deployment DEPLOYMENT_NAME --port PORT --type TYPE

Show detailed information including endpoints for a specific service
kubectl describe service SERVICE_NAME

Remove a service and stop routing traffic to its backing pods
kubectl delete service SERVICE_NAME

Open a service's live configuration in an editor for in-place modification
kubectl edit service SERVICE_NAME

List all ingress resources and their associated hosts and paths
kubectl get ingress

List all endpoints showing the backing pod IPs for each service
kubectl get endpoints

Expose a single pod as a LoadBalancer service with an external IP
kubectl expose pod POD_NAME --port PORT --type LoadBalancer

Expose a deployment as a NodePort service accessible on every cluster node
kubectl expose deployment DEPLOYMENT --port PORT --target-port TARGET_PORT --type NodePort

Export a service definition as YAML to inspect its selectors and ports
kubectl get service SERVICE -o yaml

Change the type of a service from ClusterIP to LoadBalancer using a JSON patch
kubectl patch service SERVICE -p '{"spec":{"type":"LoadBalancer"}}'

Create an internal ClusterIP service with a specific port mapping
kubectl create service clusterip SERVICE --tcp=PORT:TARGET_PORT

Create a NodePort service that forwards traffic to a specified target port
kubectl create service nodeport SERVICE --tcp=PORT:TARGET_PORT

Create a LoadBalancer service that provisions an external cloud load balancer
kubectl create service loadbalancer SERVICE --tcp=PORT

Create an Ingress resource to route HTTP traffic to a service
kubectl create ingress INGRESS --rule HOST/PATH=SERVICE:PORT

Delete an Ingress resource and remove its routing rules
kubectl delete ingress INGRESS

Apply a NetworkPolicy manifest to restrict ingress or egress traffic between pods
kubectl apply -f networkpolicy.yaml

List all NetworkPolicy resources in a specific namespace
kubectl get networkpolicies -n NAMESPACE

Forward a local port to a Kubernetes service for local testing without a public endpoint
kubectl port-forward service/SERVICE LOCAL_PORT:SERVICE_PORT

Export the default service account definition for the current namespace as YAML
kubectl get serviceaccount default -o yaml

Initialise a Terraform working directory, downloading providers and modules
terraform init

Preview the infrastructure changes Terraform will make without applying them
terraform plan

Apply the Terraform configuration to create or update real infrastructure
terraform apply

Destroy all infrastructure resources managed by the current Terraform configuration
terraform destroy

Check Terraform configuration files for syntax errors and internal consistency
terraform validate

Reformat Terraform configuration files to the canonical style
terraform fmt

Print the output values defined in the Terraform configuration
terraform output

List all resources tracked in the current Terraform state file
terraform state list

Display a human-readable view of the current Terraform state
terraform show

Import an existing infrastructure resource into the Terraform state without recreating it
terraform import RESOURCE_ADDRESS RESOURCE_ID

Generate a Terraform execution plan and save it to a file for later use
terraform plan -out=tfplan

Apply a previously saved Terraform execution plan file
terraform apply tfplan

Apply a Terraform configuration with an inline variable override
terraform apply -var='project_id=my-project'

Create a new Terraform workspace for environment isolation
terraform workspace new WORKSPACE_NAME

Switch to an existing Terraform workspace
terraform workspace select WORKSPACE_NAME

Apply Terraform changes to a single specific resource, ignoring others
terraform apply -target=google_compute_instance.web

Move a resource to a different address in the Terraform state file without recreating it
terraform state mv OLD_RESOURCE_ADDRESS NEW_RESOURCE_ADDRESS

Remove a resource from Terraform state without destroying the real infrastructure
terraform state rm RESOURCE_ADDRESS

Mark a Terraform-managed resource for forced recreation on the next apply
terraform taint RESOURCE_ADDRESS

Apply Terraform changes without prompting for interactive confirmation
terraform apply -auto-approve