Day 6: Extending Kubernetes plugin using Krew
As per the official GitHub page:
Krew is a tool that makes it easy to use kubectl plugins. Krew helps you discover plugins, install and manage them on your machine. It is similar to tools like apt, dnf, or brew.
Before we dig deeper into how krew works, let me show you how to write your own custom plugin.
- You can write it in any language (shell, Perl, Python). The file must be executable and must be on your PATH (check with echo $PATH). For this blog, I will write it as a shell script.
- The file name must start with kubectl-, for example kubectl-helloworld; whatever follows the kubectl- prefix becomes the subcommand name.
sudo vim /usr/local/bin/kubectl-helloworld
#!/bin/bash
echo "hello kubernetes"
# Don't forget to make it executable (the file is root-owned, so this needs sudo too)
sudo chmod +x /usr/local/bin/kubectl-helloworld
- As the script is on my PATH, I can call it directly:
kubectl-helloworld
hello kubernetes
- But how do you call it via kubectl? Run kubectl followed by the plugin name, i.e. the file name with the kubectl- prefix dropped:
kubectl helloworld
hello kubernetes
- To list the installed plugins
kubectl plugin list
The following compatible plugins are available:
/usr/local/bin/kubectl-helloworld
- To delete this plugin(script)
sudo rm /usr/local/bin/kubectl-helloworld
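The hello-world script shows the naming rule, but not what a plugin that does real work looks like. Below is an added example of a plugin written in Python (the post only shows the shell version; this is not code from the post or from krew). The plugin name kubectl-podaudit, its --demo flag and the list of flagged settings are my assumptions. It calls kubectl get pods -o json with whatever flags you pass through and reports pods that are privileged, share host namespaces, can escalate privileges or are not forced to run as non-root; SAMPLE_PODS is a constructed pod list so the filter can be exercised offline.

```python
#!/usr/bin/env python3
"""kubectl-podaudit: a hypothetical kubectl plugin (added example, not from the post).

Save as /usr/local/bin/kubectl-podaudit, chmod +x, then run
`kubectl podaudit -n NAMESPACE` or `kubectl podaudit -A`. kubectl execs the
plugin with the remaining arguments and the caller's environment, so the
`kubectl get` below uses the same kubeconfig/context as the user's kubectl.
"""
import json
import subprocess
import sys

# Capabilities whose addition is worth flagging on its own (assumed list).
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "ALL"}

# Constructed sample (not real cluster output): one risky pod, one hardened pod.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-ph589"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "kube-proxy",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "nginx",
                              "securityContext": {"allowPrivilegeEscalation": False}}]}},
]}


def risky_containers(pod):
    """Return [(container, reason), ...] for one Pod object; empty if nothing found."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("<pod>", f"{flag}=true"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((c["name"], "privileged=true"))
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append((c["name"], "allowPrivilegeEscalation not false"))
        # Container-level runAsNonRoot overrides the pod-level setting.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append((c["name"], "runAsNonRoot not true"))
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap.upper() in DANGEROUS_CAPS:
                findings.append((c["name"], f"adds capability {cap}"))
    return findings


def audit(pod_list):
    """Map 'namespace/name' -> findings for every pod that has at least one."""
    report = {}
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        findings = risky_containers(pod)
        if findings:
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = findings
    return report


def fetch_pods(extra_args):
    """Run kubectl with the user's own flags (-n, -A, --context, ...) and parse JSON."""
    cmd = ["kubectl", "get", "pods", "-o", "json", *extra_args]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def main(argv):
    pods = SAMPLE_PODS if argv == ["--demo"] else fetch_pods(argv)
    report = audit(pods)
    for pod, findings in sorted(report.items()):
        for container, reason in findings:
            print(f"{pod}\t{container}\t{reason}")
    return 1 if report else 0   # non-zero exit lets a CI job fail on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because kubectl passes its environment through, the plugin inherits KUBECONFIG and the current context without any extra wiring; it also inherits the caller's credentials, which is exactly why an untrusted plugin is dangerous.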
- To install krew, please follow their official guide. The one-liner below downloads the latest release from GitHub and uses it to install krew as a plugin of itself:
(
  set -x; cd "$(mktemp -d)" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz" &&
  tar zxvf krew.tar.gz &&
  KREW=./krew-"$(uname | tr '[:upper:]' '[:lower:]')_$(uname -m | sed -e 's/x86_64/amd64/' -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/')" &&
  "$KREW" install krew
)
+zsh:2> mktemp -d
+zsh:2> cd /tmp/tmp.aHZ7ibUYl2
+zsh:3> curl -fsSLO https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz
+zsh:4> tar zxvf krew.tar.gz
./LICENSE
./krew-darwin_amd64
./krew-linux_amd64
./krew-linux_arm
./krew-windows_amd64.exe
+zsh:5> KREW=+zsh:5> uname
+zsh:5> KREW=+zsh:5> tr '[:upper:]' '[:lower:]'
+zsh:5> KREW=+zsh:5> uname -m
+zsh:5> KREW=+zsh:5> sed -e s/x86_64/amd64/ -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/'
+zsh:5> KREW=./krew-linux_amd64
+zsh:6> ./krew-linux_amd64 install krew
Adding "default" plugin index from https://github.com/kubernetes-sigs/krew-index.git.
Updated the local copy of plugin index.
Installing plugin: krew
Installed plugin: krew
\
 | Use this plugin:
 |   kubectl krew
 | Documentation:
 |   https://krew.sigs.k8s.io/
 | Caveats:
 | \
 |  | krew is now installed! To start using kubectl plugins, you need to add
 |  | krew's installation directory to your PATH:
 |  |
 |  |   * macOS/Linux:
 |  |     - Add the following to your ~/.bashrc or ~/.zshrc:
 |  |         export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
 |  |     - Restart your shell.
 |  |
 |  |   * Windows: Add %USERPROFILE%\.krew\bin to your PATH environment variable
 |  |
 |  |   To list krew commands and to get help, run:
 |  |     $ kubectl krew
 |  |   For a full list of available plugins, run:
 |  |     $ kubectl krew search
 |  |
 |  |   You can find documentation at
 |  |     https://krew.sigs.k8s.io/docs/user-guide/quickstart/.
 | /
/
- Add krew's bin directory to your PATH variable. Note that it is prepended, so anything krew installs shadows a same-named command later in the PATH:
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
NOTE: Don't forget to add it to your .bashrc or .zshrc.
- To list krew commands and to get help:
kubectl krew
krew is the kubectl plugin manager.
You can invoke krew through kubectl: "kubectl krew [command]..."

Usage:
  kubectl krew [command]

Available Commands:
  help        Help about any command
  index       Manage custom plugin indexes
  info        Show information about an available plugin
  install     Install kubectl plugins
  list        List installed kubectl plugins
  search      Discover kubectl plugins
  uninstall   Uninstall plugins
  update      Update the local copy of the plugin index
  upgrade     Upgrade installed plugins to newer versions
  version     Show krew version and diagnostics

Flags:
  -h, --help      help for krew
  -v, --v Level   number for the log level verbosity

Use "kubectl krew [command] --help" for more information about a command.
- To update the local copy of the plugin index:
kubectl krew update
Updated the local copy of plugin index.
- To list the installed kubectl plugins:
kubectl krew list
PLUGIN  VERSION
krew    v0.4.0
- For a complete list of available plugins (output truncated here):
kubectl krew search
NAME              DESCRIPTION                                          INSTALLED
access-matrix     Show an RBAC access matrix for server resources      no
advise-psp        Suggests PodSecurityPolicies for cluster.            no
allctx            Run commands on contexts in your kubeconfig          no
apparmor-manager  Manage AppArmor profiles for cluster.                no
auth-proxy        Authentication proxy to a pod or service             no
azad-proxy        Generate and handle authentication for azad-kub...   no
bd-xray           Run Black Duck Image Scans                           no
bulk-action       Do bulk actions on Kubernetes resources.             no
ca-cert           Print the PEM CA certificate of the current clu...   no
capture           Triggers a Sysdig capture to troubleshoot the r...   no
cert-manager      Manage cert-manager resources inside your cluster    no
change-ns         View or change the current namespace via kubectl.    no
cilium            Easily interact with Cilium agents.                  no
cluster-group     Exec commands across a group of contexts.            no
Let's explore a few plugins.
1. who-can
As per the who-can GitHub page, who-can shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL].
- To get more information:
kubectl krew info who-can
NAME: who-can
INDEX: default
URI: https://github.com/aquasecurity/kubectl-who-can/releases/download/v0.3.0/kubectl-who-can_linux_x86_64.tar.gz
SHA256: 5497e652ebc5820d6099aa94af8e5b66f8f7c2d5dba7a8f90ae04f7de8672479
VERSION: v0.3.0
HOMEPAGE: https://github.com/aquasecurity/kubectl-who-can
DESCRIPTION:
Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL]

VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.
TYPE is a Kubernetes resource. Shortcuts and API groups will be resolved, e.g. 'po' or 'pod.metrics.k8s.io'.
NAME is the name of a particular Kubernetes resource.
NONRESOURCEURL is a partial URL that starts with "/".

For example, if you want to find all subjects who have permission to delete pods in a particular namespace, or to delete nodes in the cluster (dangerous!) you could run the following commands:

$ kubectl who-can delete pods --namespace foo
$ kubectl who-can delete nodes

For usage or examples, run:

$ kubectl who-can -h
CAVEATS:
\
 | The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
/
- To install the plugin:
kubectl krew install who-can
Updated the local copy of plugin index.
Installing plugin: who-can
Installed plugin: who-can
\
 | Use this plugin:
 |   kubectl who-can
 | Documentation:
 |   https://github.com/aquasecurity/kubectl-who-can
 | Caveats:
 | \
 |  | The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
 | /
/
WARNING: You installed plugin "who-can" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
NOTE: Take that warning seriously. krew checks the downloaded archive against the SHA256 recorded in the plugin manifest (the value kubectl krew info prints), so you get exactly the file the index entry points at, but nobody audits what that file does, and a plugin runs with the same kubeconfig credentials as your kubectl. Read the plugin's source at its HOMEPAGE before installing it on a machine that holds cluster-admin access.
- To verify it:
kubectl krew list
PLUGIN   VERSION
krew     v0.4.0
who-can  v0.3.0
Testing time
- Using who-can you can find out who can delete pods in the default namespace:
kubectl who-can delete pods --namespace default
No subjects found with permissions to delete pods assigned through RoleBindings

CLUSTERROLEBINDING                           SUBJECT                                 TYPE            SA-NAMESPACE
cluster-admin                                system:masters                          Group
local-path-provisioner-bind                  local-path-provisioner-service-account  ServiceAccount  local-path-storage
system:controller:cronjob-controller         cronjob-controller                      ServiceAccount  kube-system
system:controller:daemon-set-controller      daemon-set-controller                   ServiceAccount  kube-system
system:controller:generic-garbage-collector  generic-garbage-collector               ServiceAccount  kube-system
system:controller:job-controller             job-controller                          ServiceAccount  kube-system
- Some other examples you can try:
# List who can get pods from any of the available namespaces
kubectl who-can get pods --all-namespaces

# List who can create pods in the current namespace
kubectl who-can create pods

# List who can get pods specifying the API group
kubectl who-can get pods.metrics.k8s.io

# List who can create services in namespace "foo"
kubectl who-can create services -n foo

# List who can get the service named "mongodb" in namespace "bar"
kubectl who-can get svc/mongodb --namespace bar

# List who can do everything with pods in the current namespace
kubectl who-can '*' pods

# List who can list every resource in the namespace "baz"
kubectl who-can list '*' -n baz

# List who can read pod logs
kubectl who-can get pods --subresource=log

# List who can access the URL /logs/
kubectl who-can get /logs
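To see what who-can is actually computing from the (Cluster)Roles and (Cluster)RoleBindings its caveat asks permission to list, here is an added example in Python that reimplements the core resolution. It is not code from the post or from the aquasecurity/kubectl-who-can project, and it deliberately ignores ClusterRole aggregation and non-resource URLs. SAMPLE_RBAC is a constructed set of objects: it includes the cluster-admin binding to system:masters seen in the output above, plus a namespaced Role, a ClusterRole granted through a RoleBinding, and a Role restricted by resourceNames. Fed the JSON from kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json on stdin, it answers the same question for a real cluster.

```python
#!/usr/bin/env python3
"""Resolve 'who can VERB RESOURCE' from RBAC objects (added example, not from
the post or the kubectl-who-can project). Works on dicts shaped like the
Kubernetes API objects, so it accepts the JSON `kubectl get ... -o json` prints."""
import json
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    kind: str            # User, Group or ServiceAccount
    name: str
    namespace: str = ""  # only set for ServiceAccounts


# Constructed sample objects (not from a real cluster).
SAMPLE_RBAC = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRole", "metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "app-reads-pods"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "default"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "alice-reads-logs"},
     "roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "Role", "metadata": {"namespace": "default", "name": "restart-web"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"],
                "resourceNames": ["web"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "ops-restart-web"},
     "roleRef": {"kind": "Role", "name": "restart-web"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
]


def rule_allows(rule, verb, group, resource, name):
    """True if one PolicyRule covers the request; '*' is a wildcard in each field."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    if not (hit(rule.get("verbs", []), verb)
            and hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)):
        return False
    names = rule.get("resourceNames") or []
    # A rule scoped by resourceNames only answers a query about one of those names.
    return not names or (name is not None and name in names)


def who_can(objs, verb, resource, namespace="default", group="", name=None):
    """Return the set of Subjects allowed to VERB RESOURCE in NAMESPACE."""
    roles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r
             for r in objs if r["kind"] == "Role"}
    cluster_roles = {r["metadata"]["name"]: r for r in objs if r["kind"] == "ClusterRole"}
    allowed = set()
    for b in objs:
        ref = b.get("roleRef", {})
        if b["kind"] == "ClusterRoleBinding":
            role = cluster_roles.get(ref["name"])       # applies in every namespace
        elif b["kind"] == "RoleBinding":
            if b["metadata"]["namespace"] != namespace:
                continue                                 # only grants in its own namespace
            if ref["kind"] == "ClusterRole":
                role = cluster_roles.get(ref["name"])   # ClusterRole rules, namespace-scoped
            else:
                role = roles.get((namespace, ref["name"]))
        else:
            continue
        if role is None:
            continue                                     # dangling roleRef grants nothing
        if any(rule_allows(r, verb, group, resource, name) for r in role.get("rules", [])):
            for s in b.get("subjects", []):
                allowed.add(Subject(s["kind"], s["name"], s.get("namespace", "")))
    return allowed


def main(argv):
    if len(argv) < 2:
        print("usage: who_can.py VERB RESOURCE [NAMESPACE] < rbac.json", file=sys.stderr)
        return 2
    verb, resource = argv[0], argv[1]
    namespace = argv[2] if len(argv) > 2 else "default"
    objs = json.load(sys.stdin).get("items", [])
    for s in sorted(who_can(objs, verb, resource, namespace), key=lambda s: (s.kind, s.name)):
        print(f"{s.kind}\t{s.name}\t{s.namespace}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Two details are worth noticing in the resolution: a RoleBinding can reference a ClusterRole, which grants the ClusterRole's rules but only inside the binding's namespace, and a rule with resourceNames never answers a query that is not about one of those names, which is why "delete pods" and "delete pods/web" can have different answers.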
2. change-ns
The next plugin I am going to explore is change namespace (change-ns). As per the change-ns GitHub page, the plugin switches the namespace that the current KUBECONFIG context points to. In order to remain as non-destructive as possible, no previously existing contexts are modified.
Installation
kubectl krew install change-ns
Updated the local copy of plugin index.
Installing plugin: change-ns
Installed plugin: change-ns
\
 | Use this plugin:
 |   kubectl change-ns
 | Documentation:
 |   https://github.com/juanvallejo/kubectl-ns
/
WARNING: You installed plugin "change-ns" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
- Now to switch to the kube-system namespace:
kubectl change-ns kube-system
namespace changed to "kube-system"
- To verify it, print the namespace of the current context from the kubeconfig:
kubectl config view --minify -o jsonpath='{..namespace}'
kube-system
3. kubectl grep
The next plugin I want to explore is grep. As per the grep GitHub page, it filters Kubernetes resources by matching their names.
kubectl krew install grep
Updated the local copy of plugin index.
Installing plugin: grep
Installed plugin: grep
\
 | Use this plugin:
 |   kubectl grep
 | Documentation:
 |   https://github.com/guessi/kubectl-grep
/
WARNING: You installed plugin "grep" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
- Now to list all the pods in the kube-system namespace whose name contains "proxy":
kubectl grep pods -n kube-system proxy
NAMESPACE    NAME               READY   STATUS    RESTARTS   AGE
kube-system  kube-proxy-ph589   1/1     Running   1          2d10h
kube-system  kube-proxy-rghxq   1/1     Running   1          2d10h
kube-system  kube-proxy-tq4r5   1/1     Running   1          2d10h
- The other Kubernetes resources it supports:
Available Commands:
  configmaps    Search ConfigMaps by keyword, by namespace
  daemonsets    Search Daemonsets by keyword, by namespace
  deployments   Search Deployments by keyword, by namespace
  help          Help about any command
  hpas          Search HPAs by keyword, by namespace
  nodes         Search Nodes by keyword
  pods          Search Pods by keyword, by namespace
  secrets       Search Secrets by keyword, by namespace
  statefulsets  Search Statefulsets by keyword, by namespace
  version       Print version number
NOTE: It doesn't support the Kubernetes Service resource.
Wrapping Up
Krew is a powerful plugin manager that adds functionality to kubectl through third-party plugins; just remember that each one runs with your kubectl credentials and is not audited by the Krew maintainers. I only tried a handful of plugins, but if you have your favorite plugin, which I didn't cover in this blog, please let me know in the comment section.