Diff the live version against a would-be applied version
Synopsis
Diff configurations specified by file name or stdin between the current online configuration, and the configuration as it would be if applied.
The output is always YAML.
The KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. External commands can take parameters too, for example: KUBECTL_EXTERNAL_DIFF="colordiff -N -u"
By default, the “diff” command available in your path will be run with the “-u” (unified diff) and “-N” (treat absent files as empty) options.
Exit status:
- 0: No differences were found.
- 1: Differences were found.
- >1: Kubectl or diff failed with an error.
Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.
datumctl diff -f FILENAME
Examples
# Diff resources included in pod.json
kubectl diff -f pod.json
# Diff file read from stdin
cat service.yaml | kubectl diff -f -
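The exit-status convention in the synopsis matters in automation: status 1 means the live configuration differs, not that the command failed, and only a status above 1 means the result is unknown. The following is an added example, not part of the datumctl documentation, of a CI drift gate that keeps the three cases apart; the function names and the optional trailing command (used to substitute a stub for `datumctl diff -f`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: drift gate built on the documented exit-status convention.

# Map the documented exit status to a verdict.
classify_diff_status() {
    case "$1" in
        0) echo "in-sync" ;;   # no differences were found
        1) echo "drift" ;;     # differences were found
        *) echo "error" ;;     # >1: the tool or diff itself failed
    esac
}

# drift_gate MANIFEST [COMMAND...]
# Runs COMMAND with MANIFEST appended (default: datumctl diff -f MANIFEST).
# Returns 0 when in sync, 1 on drift, 2 on error, so a pipeline can fail
# closed on errors instead of mistaking them for "no drift".
drift_gate() {
    manifest=$1
    shift
    [ "$#" -gt 0 ] || set -- datumctl diff -f
    status=0
    # "|| status=$?" records the status without letting `set -e`
    # abort the script when the diff exits 1.
    out=$("$@" "$manifest" 2>&1) || status=$?
    verdict=$(classify_diff_status "$status")
    case "$verdict" in
        in-sync)
            echo "OK: $manifest matches the live configuration"
            return 0 ;;
        drift)
            echo "DRIFT: $manifest differs from the live configuration"
            printf '%s\n' "$out"
            return 1 ;;
        *)
            echo "ERROR: diff exited with status $status; result unknown" >&2
            printf '%s\n' "$out" >&2
            return 2 ;;
    esac
}
```

A command named in KUBECTL_EXTERNAL_DIFF has to return the same 0, 1, >1 statuses for this classification to hold.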
Options
| Flag | Type | Description |
|---|---|---|
| --concurrency | int | Number of objects to process in parallel when diffing against the live version. Larger number = faster, but more memory, I/O and CPU over that shorter period of time. (default 1) |
| --field-manager | string | Name of the manager used to track field ownership. (default "kubectl-client-side-apply") |
| -f, --filename | strings | Filename, directory, or URL to files containing the configuration to diff. |
| --force-conflicts | — | If true, server-side apply will force the changes against conflicts. |
| -h, --help | — | Help for diff. |
| -k, --kustomize | string | Process the kustomization directory. This flag can’t be used together with -f or -R. |
| --prune | — | Include resources that would be deleted by pruning. Can be used with -l; by default, shows all resources that would be pruned. |
| --prune-allowlist | stringArray | Overwrite the default allowlist with <group/version/kind> for --prune. |
| -R, --recursive | — | Process the directory used in -f, --filename recursively. |
| -l, --selector | string | Selector (label query) to filter on, supports =, ==, !=, in, notin. |
| --server-side | — | If true, apply runs in the server instead of the client. |
| --show-managed-fields | — | If true, include managed fields in the diff. |
Options inherited from parent commands
| Flag | Type | Description |
|---|---|---|
| --as | string | Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group | stringArray | Group to impersonate for the operation. Can be repeated to specify multiple groups. |
| --as-uid | string | UID to impersonate for the operation. |
| --as-user-extra | stringArray | User extras to impersonate for the operation. Can be repeated to specify multiple values for the same key. |
| --certificate-authority | string | Path to a cert file for the certificate authority. |
| --disable-compression | — | If true, opt-out of response compression for all requests to the server. |
| --insecure-skip-tls-verify | — | If true, the server’s certificate will not be checked for validity. This will make your HTTPS connections insecure. |
| --log-flush-frequency | duration | Maximum number of seconds between log flushes. (default 5s) |
| -n, --namespace | string | If present, the namespace scope for this CLI request. |
| --organization | string | Organization name. |
| --platform-wide | — | Access the platform root instead of a project or organization control plane. |
| --project | string | Project name. |
| --request-timeout | string | The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don’t timeout requests. (default "0") |
| -s, --server | string | The address and port of the Kubernetes API server. |
| --tls-server-name | string | Server name to use for server certificate validation. If not provided, the hostname used to contact the server is used. |
| --token | string | Bearer token for authentication to the API server. |
| --user | string | The name of the kubeconfig user to use. |
| -v, --v | Level | Number for the log level verbosity. |
| --vmodule | moduleSpec | Comma-separated list of pattern=N settings for file-filtered logging (only works for the default text log format). |
See also
- datumctl - A CLI for interacting with the Datum platform
Auto generated by spf13/cobra on 24-Feb-2026
Last modified on March 25, 2026