Day 6: Extending Kubernetes plugin using Krew

As per the official Github link

Krew is a tool that makes it easy to use kubectl plugins. Krew helps you discover plugins, install and manage them on your machine. It is similar to tools like apt, dnf, or brew.

Before we dig deeper into how krew works, let me show you how to write your own custom plugin.

• You can write it in any language(shell, perl, python). It should be executable and should in your PATH variable(echo $PATH). For this blog, I will write it in the shell script.
• The script’s name must start with kubectl-<plugin name>, for e.g.: kubectl-helloworld.

sudo vim /usr/local/bin/kubectl-helloworld
#!/bin/bash
echo "hello kubernetes"
# Don't forget to make it executable
chmod +x /usr/local/bin/kubectl-helloworld

• As the script is in my path, I can call it

kubectl-helloworld                        
hello kubernetes

• But now the question is how to call it via kubectl, you need to use kubectl following plugin name

kubectl helloworld                        
hello kubernetes

• To list the installed plugins

kubectl plugin list
The following compatible plugins are available:
/usr/local/bin/kubectl-helloworld

• To delete this plugin(script)

rm -rf /usr/local/bin/kubectl-helloworld

• To install krew, please follow their official guide

(
  set -x; cd "$(mktemp -d)" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz" &&
  tar zxvf krew.tar.gz &&
  KREW=./krew-"$(uname | tr '[:upper:]' '[:lower:]')_$(uname -m | sed -e 's/x86_64/amd64/' -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/')" &&
  "$KREW" install krew
)
+zsh:2> mktemp -d
+zsh:2> cd /tmp/tmp.aHZ7ibUYl2
+zsh:3> curl -fsSLO https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz
+zsh:4> tar zxvf krew.tar.gz
./LICENSE
./krew-darwin_amd64
./krew-linux_amd64
./krew-linux_arm
./krew-windows_amd64.exe
+zsh:5> KREW=+zsh:5> uname
+zsh:5> KREW=+zsh:5> tr '[:upper:]' '[:lower:]'
+zsh:5> KREW=+zsh:5> uname -m
+zsh:5> KREW=+zsh:5> sed -e s/x86_64/amd64/ -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/'
+zsh:5> KREW=./krew-linux_amd64 
+zsh:6> ./krew-linux_amd64 install krew
Adding "default" plugin index from https://github.com/kubernetes-sigs/krew-index.git.
Updated the local copy of plugin index.
Installing plugin: krew
Installed plugin: krew
\
 | Use this plugin:
 |  kubectl krew
 | Documentation:
 |  https://krew.sigs.k8s.io/
 | Caveats:
 | \
 |  | krew is now installed! To start using kubectl plugins, you need to add
 |  | krew's installation directory to your PATH:
 |  | 
 |  |   * macOS/Linux:
 |  |     - Add the following to your ~/.bashrc or ~/.zshrc:
 |  |         export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
 |  |     - Restart your shell.
 |  | 
 |  |   * Windows: Add %USERPROFILE%\.krew\bin to your PATH environment variable
 |  | 
 |  | To list krew commands and to get help, run:
 |  |   $ kubectl krew
 |  | For a full list of available plugins, run:
 |  |   $ kubectl krew search
 |  | 
 |  | You can find documentation at
 |  |   https://krew.sigs.k8s.io/docs/user-guide/quickstart/.
 | /
/

• Add krew to your path variable

export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

NOTE: Don’t forget to add it into your .bashrc or .zshrc.

• To list krew commands and to get help

kubectl krew
krew is the kubectl plugin manager.
You can invoke krew through kubectl: "kubectl krew [command]..."
Usage:
  kubectl krew [command]
Available Commands:
  help        Help about any command
  index       Manage custom plugin indexes
  info        Show information about an available plugin
  install     Install kubectl plugins
  list        List installed kubectl plugins
  search      Discover kubectl plugins
  uninstall   Uninstall plugins
  update      Update the local copy of the plugin index
  upgrade     Upgrade installed plugins to newer versions
  version     Show krew version and diagnostics
Flags:
  -h, --help      help for krew
  -v, --v Level   number for the log level verbosity
Use "kubectl krew [command] --help" for more information about a command.

• To update the local copy of the plugin index

kubectl krew update
Updated the local copy of plugin index.

• To list the installed kubectl plugins

kubectl krew list  
PLUGIN  VERSION
krew    v0.4.0

• For a complete list of available plugins

kubectl krew search        
NAME                            DESCRIPTION                                         INSTALLED
access-matrix                   Show an RBAC access matrix for server resources     no
advise-psp                      Suggests PodSecurityPolicies for cluster.           no
allctx                          Run commands on contexts in your kubeconfig         no
apparmor-manager                Manage AppArmor profiles for cluster.               no
auth-proxy                      Authentication proxy to a pod or service            no
azad-proxy                      Generate and handle authentication for azad-kub...  no
bd-xray                         Run Black Duck Image Scans                          no
bulk-action                     Do bulk actions on Kubernetes resources.            no
ca-cert                         Print the PEM CA certificate of the current clu...  no
capture                         Triggers a Sysdig capture to troubleshoot the r...  no
cert-manager                    Manage cert-manager resources inside your cluster   no
change-ns                       View or change the current namespace via kubectl.   no
cilium                          Easily interact with Cilium agents.                 no
cluster-group                   Exec commands across a group of contexts.           no

Let’s try to explore few plugins

1. who-can

As per who-can github link, who-can shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL]

• To get more information

kubectl krew info who-can
NAME: who-can
INDEX: default
URI: https://github.com/aquasecurity/kubectl-who-can/releases/download/v0.3.0/kubectl-who-can_linux_x86_64.tar.gz
SHA256: 5497e652ebc5820d6099aa94af8e5b66f8f7c2d5dba7a8f90ae04f7de8672479
VERSION: v0.3.0
HOMEPAGE: https://github.com/aquasecurity/kubectl-who-can
DESCRIPTION: 
Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.
TYPE is a Kubernetes resource. Shortcuts and API groups will be resolved, e.g. 'po' or 'pod.metrics.k8s.io'.
NAME is the name of a particular Kubernetes resource.
NONRESOURCEURL is a partial URL that starts with "/".
For example, if you want to find all subjects who have permission to
delete pods in a particular namespace, or to delete nodes in the cluster
(dangerous!) you could run the following commands:
$ kubectl who-can delete pods --namespace foo
$ kubectl who-can delete nodes
For usage or examples, run:
$ kubectl who-can -h
CAVEATS:
\
 | The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
/

• To install the plugin

kubectl krew install who-can
Updated the local copy of plugin index.
Installing plugin: who-can
Installed plugin: who-can
\
 | Use this plugin:
 |  kubectl who-can
 | Documentation:
 |  https://github.com/aquasecurity/kubectl-who-can
 | Caveats:
 | \
 |  | The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
 | /
/
WARNING: You installed plugin "who-can" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

• To verify it

kubectl krew list           
PLUGIN   VERSION
krew     v0.4.0
who-can  v0.3.0

Testing time

• Using who-can you can find out who can delete pods in the default namespace

kubectl who-can delete pods --namespace default
No subjects found with permissions to delete pods assigned through RoleBindings
CLUSTERROLEBINDING                           SUBJECT                                 TYPE            SA-NAMESPACE
cluster-admin                                system:masters                          Group           
local-path-provisioner-bind                  local-path-provisioner-service-account  ServiceAccount  local-path-storage
system:controller:cronjob-controller         cronjob-controller                      ServiceAccount  kube-system
system:controller:daemon-set-controller      daemon-set-controller                   ServiceAccount  kube-system
system:controller:generic-garbage-collector  generic-garbage-collector               ServiceAccount  kube-system
system:controller:job-controller             job-controller                          ServiceAccount  kube-system

• Some other examples you can try

# List who can get pods from any of the available namespaces
  kubectl who-can get pods --all-namespaces
# List who can create pods in the current namespace
  kubectl who-can create pods
# List who can get pods specifying the API group
  kubectl who-can get pods.metrics.k8s.io
# List who can create services in namespace "foo"
  kubectl who-can create services -n foo
# List who can get the service named "mongodb" in namespace "bar"
  kubectl who-can get svc/mongodb --namespace bar
# List who can do everything with pods in the current namespace
  kubectl who-can '*' pods
# List who can list every resource in the namespace "baz"
  kubectl who-can list '*' -n baz
# List who can read pod logs
  kubectl who-can get pods --subresource=log
# List who can access the URL /logs/
  kubectl who-can get /logs

2. change-ns

The next plugin I am going to explore is the change namespace(change-ns). As per change-ns official github link, change-ns plugin is used for switching the namespace that the current KUBECONFIG context points to. In order to remain as indestructive as possible, no previously existing contexts are modified.

Installation

kubectl krew install change-ns
Updated the local copy of plugin index.
Installing plugin: change-ns
Installed plugin: change-ns
\
 | Use this plugin:
 |  kubectl change-ns
 | Documentation:
 |  https://github.com/juanvallejo/kubectl-ns
/
WARNING: You installed plugin "change-ns" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

• Now to switch to the kube-system namespace

kubectl change-ns kube-system
namespace changed to "kube-system"

• To verify it

kubectl change-ns            
kube-system

3. Kubectl grep

The next plugin I want to explore is grep. As per grep  GitHub link, it filter Kubernetes resources by matching their names.

kubectl krew install grep      
Updated the local copy of plugin index.
Installing plugin: grep
Installed plugin: grep
\
 | Use this plugin:
 |  kubectl grep
 | Documentation:
 |  https://github.com/guessi/kubectl-grep
/
WARNING: You installed plugin "grep" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.

• Now to grep all the pods with name proxy in kube-system namespace

kubectl grep pods -n kube-system proxy
NAMESPACE     NAME               READY   STATUS    RESTART   AGE
kube-system   kube-proxy-ph589   1/1     Running   1         2d10h
kube-system   kube-proxy-rghxq   1/1     Running   1         2d10h
kube-system   kube-proxy-tq4r5   1/1     Running   1         2d10h

• Some other Kubernetes resources it support

Available Commands:
  configmaps   Search ConfigMaps by keyword, by namespace
  daemonsets   Search Daemonsets by keyword, by namespace
  deployments  Search Deployments by keyword, by namespace
  help         Help about any command
  hpas         Search HPAs by keyword, by namespace
  nodes        Search Nodes by keyword
  pods         Search Pods by keyword, by namespace
  secrets      Search Secrets by keyword, by namespace
  statefulsets Search Statefulsets by keyword, by namespace
  version      Print version number

NOTE: It doesn’t support Kubernetes service resource.

Wrapping Up

Krew is a powerful plugin manager, and it can add more functionality to your kubectl with the help of different plugins. I only tried a handful of plugins, but if you have your favorite plugin, which I didn’t cover in this blog, please let me know in the comment section.