Extending Kubernetes with Plugins Using Krew

As per the official GitHub page:
Krew is a tool that makes it easy to use kubectl plugins. Krew helps you discover plugins, install and manage them on your machine. It is similar to tools like apt, dnf, or brew.
Before we dig deeper into how krew works, let me show you how to write your own custom plugin.
- You can write it in any language (shell, Perl, Python). It must be executable and located in a directory on your PATH (echo $PATH). For this blog, I will write it as a shell script.
- The script’s name must have the form kubectl-<plugin name>, e.g. kubectl-helloworld.
sudo vim /usr/local/bin/kubectl-helloworld
#!/bin/bash
echo "hello kubernetes"
# Don't forget to make it executable (the file was created with sudo, so chmod needs it too)
sudo chmod +x /usr/local/bin/kubectl-helloworld
- As the script is in my path, I can call it
kubectl-helloworld
hello kubernetes
- To call it via kubectl instead, run kubectl followed by the plugin name
kubectl helloworld
hello kubernetes
- To list the installed plugins
kubectl plugin list
The following compatible plugins are available:
/usr/local/bin/kubectl-helloworld
- To delete this plugin (script)
sudo rm -f /usr/local/bin/kubectl-helloworld
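kubectl runs the first executable named kubectl-<name> that it finds in PATH, so a duplicate name earlier in PATH, or a plugin directory that other users can write to, decides what actually runs. The check below is an added example and not part of the original post; the function name audit_kubectl_plugins and its output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list what kubectl's PATH-based plugin lookup would pick up.
# audit_kubectl_plugins PATH_STRING prints one finding per line:
#   PLUGIN <file>        first executable with that name (the one kubectl runs)
#   SHADOWED <file>      same name, later in PATH (never runs via kubectl)
#   WRITABLE_DIR <dir>   plugin directory is group- or world-writable
# The function name and labels are illustrative, not part of kubectl or krew.
audit_kubectl_plugins() (
  IFS=:
  set -f            # split on ':' only, no globbing of PATH entries
  set -- $1
  set +f
  seen=" "
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    found=0
    for file in "$dir"/kubectl-*; do
      # Only regular files with an execute bit count as plugins.
      [ -f "$file" ] && [ -x "$file" ] || continue
      found=1
      name=${file##*/}
      case "$seen" in
        *" $name "*) echo "SHADOWED $file" ;;
        *) echo "PLUGIN $file"; seen="$seen$name " ;;
      esac
    done
    [ "$found" -eq 1 ] || continue
    # ls -ldL follows symlinks; position 6 is group write, 9 is other write.
    case "$(ls -ldL "$dir")" in
      ?????w*|????????w*) echo "WRITABLE_DIR $dir" ;;
    esac
  done
  exit 0
)

# Audit the PATH of the current shell.
audit_kubectl_plugins "$PATH"
```

Any SHADOWED or WRITABLE_DIR line is worth resolving before trusting the output of a plugin; kubectl plugin list also reports overshadowed plugins.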
- To install krew, please follow their official guide
(
set -x; cd "$(mktemp -d)" &&
curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz" &&
tar zxvf krew.tar.gz &&
KREW=./krew-"$(uname | tr '[:upper:]' '[:lower:]')_$(uname -m | sed -e 's/x86_64/amd64/' -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/')" &&
"$KREW" install krew
)
+zsh:2> mktemp -d
+zsh:2> cd /tmp/tmp.aHZ7ibUYl2
+zsh:3> curl -fsSLO https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz
+zsh:4> tar zxvf krew.tar.gz
./LICENSE
./krew-darwin_amd64
./krew-linux_amd64
./krew-linux_arm
./krew-windows_amd64.exe
+zsh:5> KREW=+zsh:5> uname
+zsh:5> KREW=+zsh:5> tr '[:upper:]' '[:lower:]'
+zsh:5> KREW=+zsh:5> uname -m
+zsh:5> KREW=+zsh:5> sed -e s/x86_64/amd64/ -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/'
+zsh:5> KREW=./krew-linux_amd64
+zsh:6> ./krew-linux_amd64 install krew
Adding "default" plugin index from https://github.com/kubernetes-sigs/krew-index.git.
Updated the local copy of plugin index.
Installing plugin: krew
Installed plugin: krew
\
| Use this plugin:
| kubectl krew
| Documentation:
| https://krew.sigs.k8s.io/
| Caveats:
| \
| | krew is now installed! To start using kubectl plugins, you need to add
| | krew's installation directory to your PATH:
| |
| | * macOS/Linux:
| | - Add the following to your ~/.bashrc or ~/.zshrc:
| | export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
| | - Restart your shell.
| |
| | * Windows: Add %USERPROFILE%\.krew\bin to your PATH environment variable
| |
| | To list krew commands and to get help, run:
| | $ kubectl krew
| | For a full list of available plugins, run:
| | $ kubectl krew search
| |
| | You can find documentation at
| | https://krew.sigs.k8s.io/docs/user-guide/quickstart/.
| /
/
- Add krew to your path variable
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
NOTE: Don’t forget to add it to your .bashrc or .zshrc.
- To list krew commands and to get help
kubectl krew
krew is the kubectl plugin manager.
You can invoke krew through kubectl: "kubectl krew [command]..."
Usage:
  kubectl krew [command]
Available Commands:
  help        Help about any command
  index       Manage custom plugin indexes
  info        Show information about an available plugin
  install     Install kubectl plugins
  list        List installed kubectl plugins
  search      Discover kubectl plugins
  uninstall   Uninstall plugins
  update      Update the local copy of the plugin index
  upgrade     Upgrade installed plugins to newer versions
  version     Show krew version and diagnostics
Flags:
  -h, --help      help for krew
  -v, --v Level   number for the log level verbosity
Use "kubectl krew [command] --help" for more information about a command.
- To update the local copy of the plugin index
kubectl krew update
Updated the local copy of plugin index.
- To list the installed kubectl plugins
kubectl krew list
PLUGIN  VERSION
krew    v0.4.0
- For a complete list of available plugins
kubectl krew search
NAME              DESCRIPTION                                         INSTALLED
access-matrix     Show an RBAC access matrix for server resources     no
advise-psp        Suggests PodSecurityPolicies for cluster.           no
allctx            Run commands on contexts in your kubeconfig         no
apparmor-manager  Manage AppArmor profiles for cluster.               no
auth-proxy        Authentication proxy to a pod or service            no
azad-proxy        Generate and handle authentication for azad-kub...  no
bd-xray           Run Black Duck Image Scans                          no
bulk-action       Do bulk actions on Kubernetes resources.            no
ca-cert           Print the PEM CA certificate of the current clu...  no
capture           Triggers a Sysdig capture to troubleshoot the r...  no
cert-manager      Manage cert-manager resources inside your cluster   no
change-ns         View or change the current namespace via kubectl.   no
cilium            Easily interact with Cilium agents.                 no
cluster-group     Exec commands across a group of contexts.           no
Let’s explore a few plugins
1. who-can
As per the who-can GitHub page, who-can shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
- To get more information
kubectl krew info who-can
NAME: who-can
INDEX: default
URI: https://github.com/aquasecurity/kubectl-who-can/releases/download/v0.3.0/kubectl-who-can_linux_x86_64.tar.gz
SHA256: 5497e652ebc5820d6099aa94af8e5b66f8f7c2d5dba7a8f90ae04f7de8672479
VERSION: v0.3.0
HOMEPAGE: https://github.com/aquasecurity/kubectl-who-can
DESCRIPTION:
Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.
TYPE is a Kubernetes resource. Shortcuts and API groups will be resolved, e.g. 'po' or 'pod.metrics.k8s.io'.
NAME is the name of a particular Kubernetes resource.
NONRESOURCEURL is a partial URL that starts with "/".
For example, if you want to find all subjects who have permission to
delete pods in a particular namespace, or to delete nodes in the cluster
(dangerous!) you could run the following commands:
$ kubectl who-can delete pods --namespace foo
$ kubectl who-can delete nodes
For usage or examples, run:
$ kubectl who-can -h
CAVEATS:
\
| The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
/
- To install the plugin
kubectl krew install who-can
Updated the local copy of plugin index.
Installing plugin: who-can
Installed plugin: who-can
\
| Use this plugin:
| kubectl who-can
| Documentation:
| https://github.com/aquasecurity/kubectl-who-can
| Caveats:
| \
| | The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
| /
/
WARNING: You installed plugin "who-can" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
- To verify it
kubectl krew list
PLUGIN   VERSION
krew     v0.4.0
who-can  v0.3.0
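The install warning above leaves the review of each plugin to you. One way to make a review stick is to record the version and SHA256 that kubectl krew info reported when you examined the plugin, and to compare them again before installing or upgrading. This is an added example, not code from the post or from krew; the pins file format ("name version sha256" per line) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not krew's own code): compare `kubectl krew info` output
# with a locally reviewed pin before installing or upgrading a plugin.

# krew_field FIELD: print the value of "FIELD: value" from krew info on stdin.
krew_field() {
  sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# sha256_of FILE: hex digest, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_pin PINS_FILE [ARCHIVE]: krew info on stdin. PINS_FILE (hypothetical
# format) has lines "name version sha256". Exit 0 OK, 1 mismatch, 2 unreviewed.
check_pin() (
  info=$(cat)
  name=$(printf '%s\n' "$info" | krew_field NAME)
  version=$(printf '%s\n' "$info" | krew_field VERSION)
  sha=$(printf '%s\n' "$info" | krew_field SHA256)
  pinned=$(awk -v n="$name" '$1 == n { print $2 " " $3; exit }' "$1")
  if [ -z "$pinned" ]; then
    echo "UNREVIEWED $name $version"; exit 2
  fi
  if [ "$pinned" != "$version $sha" ]; then
    echo "MISMATCH $name: index offers $version $sha"; exit 1
  fi
  # Optionally confirm a separately downloaded archive matches the pin too.
  if [ -n "$2" ] && [ "$(sha256_of "$2")" != "$sha" ]; then
    echo "MISMATCH $name: archive digest differs from pin"; exit 1
  fi
  echo "OK $name $version"
)

# Demo on constructed input (values copied from the krew info output above).
pins=$(mktemp)
echo "who-can v0.3.0 5497e652ebc5820d6099aa94af8e5b66f8f7c2d5dba7a8f90ae04f7de8672479" > "$pins"
printf 'NAME: who-can\nSHA256: 5497e652ebc5820d6099aa94af8e5b66f8f7c2d5dba7a8f90ae04f7de8672479\nVERSION: v0.3.0\n' | check_pin "$pins"
rm -f "$pins"
```

In practice the input comes from the real command, for example kubectl krew info who-can piped into check_pin with your own pins file, and the install runs only when the check exits 0.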
Testing time
- Using who-can you can find out who can delete pods in the default namespace
kubectl who-can delete pods --namespace default
No subjects found with permissions to delete pods assigned through RoleBindings
CLUSTERROLEBINDING                           SUBJECT                                 TYPE            SA-NAMESPACE
cluster-admin                                system:masters                          Group
local-path-provisioner-bind                  local-path-provisioner-service-account  ServiceAccount  local-path-storage
system:controller:cronjob-controller         cronjob-controller                      ServiceAccount  kube-system
system:controller:daemon-set-controller      daemon-set-controller                   ServiceAccount  kube-system
system:controller:generic-garbage-collector  generic-garbage-collector               ServiceAccount  kube-system
system:controller:job-controller             job-controller                          ServiceAccount  kube-system
- Some other examples you can try
# List who can get pods from any of the available namespaces
kubectl who-can get pods --all-namespaces
# List who can create pods in the current namespace
kubectl who-can create pods
# List who can get pods specifying the API group
kubectl who-can get pods.metrics.k8s.io
# List who can create services in namespace "foo"
kubectl who-can create services -n foo
# List who can get the service named "mongodb" in namespace "bar"
kubectl who-can get svc/mongodb --namespace bar
# List who can do everything with pods in the current namespace
kubectl who-can '*' pods
# List who can list every resource in the namespace "baz"
kubectl who-can list '*' -n baz
# List who can read pod logs
kubectl who-can get pods --subresource=log
# List who can access the URL /logs/
kubectl who-can get /logs
2. change-ns
The next plugin I am going to explore is change namespace (change-ns). As per the official change-ns GitHub page, the change-ns plugin switches the namespace that the current KUBECONFIG context points to. To remain as non-destructive as possible, no previously existing contexts are modified.
Installation
kubectl krew install change-ns
Updated the local copy of plugin index.
Installing plugin: change-ns
Installed plugin: change-ns
\
| Use this plugin:
| kubectl change-ns
| Documentation:
| https://github.com/juanvallejo/kubectl-ns
/
WARNING: You installed plugin "change-ns" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
- Now to switch to the kube-system namespace
kubectl change-ns kube-system
namespace changed to "kube-system"
- To verify it
kubectl change-ns
kube-system
3. Kubectl grep
The next plugin I want to explore is grep. As per the grep GitHub page, it filters Kubernetes resources by matching their names.
kubectl krew install grep
Updated the local copy of plugin index.
Installing plugin: grep
Installed plugin: grep
\
| Use this plugin:
| kubectl grep
| Documentation:
| https://github.com/guessi/kubectl-grep
/
WARNING: You installed plugin "grep" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
- Now to grep all the pods whose names contain proxy in the kube-system namespace
kubectl grep pods -n kube-system proxy
NAMESPACE    NAME              READY  STATUS   RESTART  AGE
kube-system  kube-proxy-ph589  1/1    Running  1        2d10h
kube-system  kube-proxy-rghxq  1/1    Running  1        2d10h
kube-system  kube-proxy-tq4r5  1/1    Running  1        2d10h
- Other Kubernetes resources it supports
Available Commands:
  configmaps    Search ConfigMaps by keyword, by namespace
  daemonsets    Search Daemonsets by keyword, by namespace
  deployments   Search Deployments by keyword, by namespace
  help          Help about any command
  hpas          Search HPAs by keyword, by namespace
  nodes         Search Nodes by keyword
  pods          Search Pods by keyword, by namespace
  secrets       Search Secrets by keyword, by namespace
  statefulsets  Search Statefulsets by keyword, by namespace
  version       Print version number
NOTE: It doesn’t support the Kubernetes Service resource.
Wrapping Up
Krew is a powerful plugin manager, and it can add more functionality to your kubectl with the help of different plugins. I only tried a handful of plugins, but if you have a favorite plugin that I didn’t cover in this blog, please let me know in the comment section.