Extending Kubernetes with plugin using Krew

Prashant Lakhera
6 min read, Feb 12, 2021


To read the complete blog please visit the below link

As per the official GitHub page:

Krew is a tool that makes it easy to use kubectl plugins. Krew helps you discover plugins, install and manage them on your machine. It is similar to tools like apt, dnf or brew.

Before we dig deeper into how krew works, let me show you how to write your own custom plugin.

  • You can write it in any language (shell, Perl, Python). It must be executable and must live in a directory on your PATH (echo $PATH). For the purpose of this demo, I will write it in shell.
  • The name of the script must start with kubectl-, followed by the plugin name, e.g. kubectl-helloworld
sudo vim /usr/local/bin/kubectl-helloworld
#!/bin/bash
echo "hello kubernetes"
# Don't forget to make it executable (the file was created with sudo, so it is owned by root)
sudo chmod +x /usr/local/bin/kubectl-helloworld
  • As the script is in my path, I can call it
kubectl-helloworld                        
hello kubernetes
  • But now the question is: how do I call it via kubectl? It's simple: you just use kubectl followed by the plugin name
kubectl helloworld                        
hello kubernetes
  • You can also verify it using
kubectl plugin list
The following compatible plugins are available:
/usr/local/bin/kubectl-helloworld
  • To delete this plugin (script)
rm -rf /usr/local/bin/kubectl-helloworld
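The naming rules above are all kubectl needs because it does no registration: it scans every directory on PATH for executables named kubectl-*. As an added example (not code from the post), the POSIX shell script below models that discovery rule so you can see what `kubectl helloworld` and `kubectl plugin list` actually do. It goes a little beyond the hello-world case: kubectl tries the longest name first (`kubectl foo bar` looks for kubectl-foo-bar before kubectl-foo, handing "bar" to the latter as an argument), a dash inside a command word is looked up as an underscore in the file name (`kubectl who-can` runs kubectl-who_can), and a kubectl-* file that is not executable is reported as a warning rather than run. The plugin directory, plugin names and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a small model of how kubectl
# discovers and resolves plugins. PLUGIN_DIR stands in for one PATH entry;
# real kubectl searches every PATH entry the same way.
set -eu

PLUGIN_DIR="$(mktemp -d)"          # constructed stand-in for a PATH directory
trap 'rm -rf "$PLUGIN_DIR"' EXIT

# make_plugin NAME -> writes an executable $PLUGIN_DIR/kubectl-NAME
make_plugin() {
  printf '#!/bin/sh\necho "plugin %s got: $*"\n' "$1" > "$PLUGIN_DIR/kubectl-$1"
  chmod +x "$PLUGIN_DIR/kubectl-$1"
}

# resolve_plugin WORD... -> prints "<executable> <remaining args>" or fails.
# Longest prefix first: kubectl-a-b-c, then kubectl-a-b, then kubectl-a.
# Dashes inside a word map to underscores in the file name.
resolve_plugin() {
  n=$#
  while [ "$n" -gt 0 ]; do
    name=kubectl; i=0
    for w in "$@"; do
      [ "$i" -lt "$n" ] || break
      name="$name-$(printf '%s' "$w" | tr '-' '_')"
      i=$((i + 1))
    done
    if [ -x "$PLUGIN_DIR/$name" ]; then
      shift "$n"                       # the words that were not consumed
      printf '%s' "$name"
      if [ $# -gt 0 ]; then printf ' %s' "$@"; fi
      printf '\n'
      return 0
    fi
    n=$((n - 1))
  done
  return 1
}

# audit_plugins -> mirrors the check 'kubectl plugin list' performs:
# a kubectl-* file that is not executable is flagged instead of listed as usable.
audit_plugins() {
  for f in "$PLUGIN_DIR"/kubectl-*; do
    if [ -x "$f" ]; then
      echo "ok      $f"
    else
      echo "warning $f is not executable"
    fi
  done
}

make_plugin helloworld
make_plugin who_can                   # invoked as: kubectl who-can ...
make_plugin foo-bar                   # invoked as: kubectl foo bar ...
printf 'echo not runnable\n' > "$PLUGIN_DIR/kubectl-broken"   # deliberately no chmod +x

resolve_plugin helloworld
resolve_plugin who-can delete pods --namespace default
resolve_plugin foo bar baz
audit_plugins
```

Running it prints the resolved file for each invocation and one warning for kubectl-broken. The same check is worth running on a real workstation before trusting a plugin directory: anything named kubectl-* on PATH will be picked up, so a writable PATH entry is an easy place for an unexpected plugin to appear.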

Installation

(
set -x; cd "$(mktemp -d)" &&
curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz" &&
tar zxvf krew.tar.gz &&
KREW=./krew-"$(uname | tr '[:upper:]' '[:lower:]')_$(uname -m | sed -e 's/x86_64/amd64/' -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/')" &&
"$KREW" install krew
)
+zsh:2> mktemp -d
+zsh:2> cd /tmp/tmp.aHZ7ibUYl2
+zsh:3> curl -fsSLO https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz
+zsh:4> tar zxvf krew.tar.gz
./LICENSE
./krew-darwin_amd64
./krew-linux_amd64
./krew-linux_arm
./krew-windows_amd64.exe
+zsh:5> KREW=+zsh:5> uname
+zsh:5> KREW=+zsh:5> tr '[:upper:]' '[:lower:]'
+zsh:5> KREW=+zsh:5> uname -m
+zsh:5> KREW=+zsh:5> sed -e s/x86_64/amd64/ -e 's/arm.*$/arm/' -e 's/aarch64$/arm64/'
+zsh:5> KREW=./krew-linux_amd64
+zsh:6> ./krew-linux_amd64 install krew
Adding "default" plugin index from https://github.com/kubernetes-sigs/krew-index.git.
Updated the local copy of plugin index.
Installing plugin: krew
Installed plugin: krew
\
| Use this plugin:
| kubectl krew
| Documentation:
| https://krew.sigs.k8s.io/
| Caveats:
| \
| | krew is now installed! To start using kubectl plugins, you need to add
| | krew's installation directory to your PATH:
| |
| | * macOS/Linux:
| | - Add the following to your ~/.bashrc or ~/.zshrc:
| | export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
| | - Restart your shell.
| |
| | * Windows: Add %USERPROFILE%\.krew\bin to your PATH environment variable
| |
| | To list krew commands and to get help, run:
| | $ kubectl krew
| | For a full list of available plugins, run:
| | $ kubectl krew search
| |
| | You can find documentation at
| | https://krew.sigs.k8s.io/docs/user-guide/quickstart/.
| /
/
  • Add krew to your PATH variable
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

NOTE: Don’t forget to add it into your .bashrc or .zshrc

  • To list krew commands and to get help
kubectl krew
krew is the kubectl plugin manager.
You can invoke krew through kubectl: "kubectl krew [command]..."
Usage:
kubectl krew [command]
Available Commands:
help Help about any command
index Manage custom plugin indexes
info Show information about an available plugin
install Install kubectl plugins
list List installed kubectl plugins
search Discover kubectl plugins
uninstall Uninstall plugins
update Update the local copy of the plugin index
upgrade Upgrade installed plugins to newer versions
version Show krew version and diagnostics
Flags:
-h, --help help for krew
-v, --v Level number for the log level verbosity
Use "kubectl krew [command] --help" for more information about a command.
  • To update the local copy of the plugin index
kubectl krew update
Updated the local copy of plugin index.
  • To list the installed kubectl plugins
kubectl krew list  
PLUGIN VERSION
krew v0.4.0
  • For a full list of available plugins
kubectl krew search        
NAME DESCRIPTION INSTALLED
access-matrix Show an RBAC access matrix for server resources no
advise-psp Suggests PodSecurityPolicies for cluster. no
allctx Run commands on contexts in your kubeconfig no
apparmor-manager Manage AppArmor profiles for cluster. no
auth-proxy Authentication proxy to a pod or service no
azad-proxy Generate and handle authentication for azad-kub... no
bd-xray Run Black Duck Image Scans no
bulk-action Do bulk actions on Kubernetes resources. no
ca-cert Print the PEM CA certificate of the current clu... no
capture Triggers a Sysdig capture to troubleshoot the r... no
cert-manager Manage cert-manager resources inside your cluster no
change-ns View or change the current namespace via kubectl. no
cilium Easily interact with Cilium agents. no
cluster-group Exec commands across a group of contexts. no
config-cleanup Automatically clean up your kubeconfig no
config-registry Switch between registered kubeconfigs no
creyaml Generate custom resource YAML manifest no
cssh SSH into Kubernetes nodes no
ctx Switch between contexts in your kubeconfig no
custom-cols A "kubectl get" replacement with customizable c... no

Let's try to explore a few plugins.

who-can: As per the who-can GitHub page, who-can shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL]

  • To get more information
kubectl krew info who-can
NAME: who-can
INDEX: default
URI: https://github.com/aquasecurity/kubectl-who-can/releases/download/v0.3.0/kubectl-who-can_linux_x86_64.tar.gz
SHA256: 5497e652ebc5820d6099aa94af8e5b66f8f7c2d5dba7a8f90ae04f7de8672479
VERSION: v0.3.0
HOMEPAGE: https://github.com/aquasecurity/kubectl-who-can
DESCRIPTION:
Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.
TYPE is a Kubernetes resource. Shortcuts and API groups will be resolved, e.g. 'po' or 'pod.metrics.k8s.io'.
NAME is the name of a particular Kubernetes resource.
NONRESOURCEURL is a partial URL that starts with "/".
For example, if you want to find all subjects who have permission to
delete pods in a particular namespace, or to delete nodes in the cluster
(dangerous!) you could run the following commands:
$ kubectl who-can delete pods --namespace foo
$ kubectl who-can delete nodes
For usage or examples, run:
$ kubectl who-can -h
CAVEATS:
\
| The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
/
  • To install the plugin
kubectl krew install who-can
Updated the local copy of plugin index.
Installing plugin: who-can
Installed plugin: who-can
\
| Use this plugin:
| kubectl who-can
| Documentation:
| https://github.com/aquasecurity/kubectl-who-can
| Caveats:
| \
| | The plugin requires the rights to list (Cluster)Role and (Cluster)RoleBindings.
| /
/
WARNING: You installed plugin "who-can" from the krew-index plugin repository.
These plugins are not audited for security by the Krew maintainers.
Run them at your own risk.
  • To verify it
kubectl krew list           
PLUGIN VERSION
krew v0.4.0
who-can v0.3.0
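Two fields of the `kubectl krew info` output above matter for supply-chain hygiene: URI says where the archive is fetched from, and SHA256 is the digest the index pins for it; krew checks the download against that digest before extracting anything. The warning at install time still applies, since a matching digest only proves the archive is the one the index author published, not that the plugin was audited. As an added example (not code from the post or from krew), the POSIX shell script below extracts those two fields from the info text and performs the same digest check on a file. The URI and SHA256 values are the ones shown in the post; the archive file is a constructed stand-in so the script runs without network access, and its contents cannot match the real digest, which exercises the mismatch path.

```shell
#!/bin/sh
# Added example (not from the post or from krew): parse `kubectl krew info`
# text and check a downloaded archive against the SHA256 the index pins.
set -eu

# Constructed sample: the first lines of the `kubectl krew info who-can`
# output shown in the post, embedded here so the script runs offline.
INFO_TEXT='NAME: who-can
INDEX: default
URI: https://github.com/aquasecurity/kubectl-who-can/releases/download/v0.3.0/kubectl-who-can_linux_x86_64.tar.gz
SHA256: 5497e652ebc5820d6099aa94af8e5b66f8f7c2d5dba7a8f90ae04f7de8672479
VERSION: v0.3.0'

# info_field FIELD -> value of the "FIELD: value" line in $INFO_TEXT
info_field() {
  printf '%s\n' "$INFO_TEXT" | sed -n "s/^$1: //p" | head -n 1
}

# sha256_of FILE -> hex digest, using whichever tool the host provides
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# verify_archive FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch.
# Both sides are lower-cased so an upper-case digest in a manifest still matches.
verify_archive() {
  actual=$(sha256_of "$1" | tr 'A-Z' 'a-z')
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$actual" = "$expected" ]; then
    echo "ok: $1 matches the pinned SHA256"
    return 0
  fi
  echo "MISMATCH: $1 has $actual, index pins $expected" >&2
  return 1
}

# Demo on a constructed stand-in archive (no download is performed).
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ARCHIVE="$WORK/$(basename "$(info_field URI)")"
printf 'not the real release archive\n' > "$ARCHIVE"

# The stand-in cannot match the digest from the index, so this check fails,
# which is the point at which krew refuses to extract the archive.
verify_archive "$ARCHIVE" "$(info_field SHA256)" || echo "refusing to install"
# Against the digest of the file we actually have, the check passes.
verify_archive "$ARCHIVE" "$(sha256_of "$ARCHIVE")"
```

On a workstation you can apply the same idea by hand: fetch the archive from the URI yourself, run sha256sum on it, and compare with the SHA256 line from `kubectl krew info` before deciding whether the plugin's source is one you want to trust.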

Testing time

  • Using who-can you can find out who can delete pods in the default namespace
kubectl who-can delete pods --namespace default
No subjects found with permissions to delete pods assigned through RoleBindings
CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACE
cluster-admin system:masters Group
local-path-provisioner-bind local-path-provisioner-service-account ServiceAccount local-path-storage
system:controller:cronjob-controller cronjob-controller ServiceAccount kube-system
system:controller:daemon-set-controller daemon-set-controller ServiceAccount kube-system
system:controller:generic-garbage-collector generic-garbage-collector ServiceAccount kube-system
system:controller:job-controller job-controller ServiceAccount kube-system
system:controller:namespace-controller namespace-controller ServiceAccount kube-system
system:controller:node-controller node-controller ServiceAccount kube-system
system:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-system
system:controller:pod-garbage-collector pod-garbage-collector ServiceAccount kube-system
system:controller:replicaset-controller replicaset-controller ServiceAccount kube-system
system:controller:replication-controller replication-controller ServiceAccount kube-system
system:controller:statefulset-controller statefulset-controller ServiceAccount kube-system
system:kube-scheduler system:kube-scheduler User
  • Some other examples you can try
# List who can get pods from any of the available namespaces
kubectl who-can get pods --all-namespaces
# List who can create pods in the current namespace
kubectl who-can create pods
# List who can get pods specifying the API group
kubectl who-can get pods.metrics.k8s.io
# List who can create services in namespace "foo"
kubectl who-can create services -n foo
# List who can get the service named "mongodb" in namespace "bar"
kubectl who-can get svc/mongodb --namespace bar
# List who can do everything with pods in the current namespace
kubectl who-can '*' pods
# List who can list every resource in the namespace "baz"
kubectl who-can list '*' -n baz
# List who can read pod logs
kubectl who-can get pods --subresource=log
# List who can access the URL /logs/
kubectl who-can get /logs


Written by Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP
