Kubesafe π Tired of accidentally running dangerous commands on the wrong Kubernetes cluster? Meet kubesafe β your safety net for cluster management.
kubesafe allows you to safely run commands acrosss multiple Kubernetes contexts. By allowing you to mark specific contexts as "safe" and define a list of protected commands, kubesafe makes sure you never accidentally run a dangerous command on the wrong cluster.
Key Features:
- π Works with any Kubernetes tool: kubesafe can wraps any CLI that targets a Kubernetes cluster. Whether you're using kubectl, helm, or any other tool, kubesafe has you covered.
- π‘οΈ Context Protection with Custom Commands: Mark one or more contexts as "safe" and define a list of commands that require confirmation before execution.
- π Flexible and Customizable: Easily configure protected contexts and commands to suit your workflow.
Simply prepend kubesafe
to any command you want to run:
# Example with kubectl
kubesafe kubectl delete pod my-pod
# Example with Helm
kubesafe helm upgrade my-release stable/my-chart
Kubesafe seamlessly wraps any CLI command you provide as the first argument (e.g., kubectl, helm, kubecolor, etc.). If you attempt to run a protected command in a safe context, kubesafe will prompt you for confirmation before proceeding.
For convenience, you can set aliases in your shell configuration:
alias kubectl='kubesafe kubectl'
alias helm='kubesafe helm'
Now, every time you use kubectl or helm, kubesafe will automatically protect your commands!
To manage your safe contexts and protected commands, see the Managing contexts section.
$ brew tap Telemaco019/kubesafe
$ brew install kubesafe
$ go install github.com/telemaco019/kubesafe/kubesafe@latest
Kubesafe makes it easy to manage your safe contexts and protected commands. To see all available options, run:
kubesafe --help
To add a safe context, simply execute:
kubesafe context add
Kubesafe will guide you interactively to select a context to mark as "safe" and choose the commands you want to protect. Alternatively, you can add a safe context directly by specifying its name:
kubesafe context add my-context
The provided value can also be a regular expression to match multiple contexts:
kubesafe context add "prod-.*"
This will mark all context starting with prod-
as safe.
By default, kubesafe allows you to interactively choose commands to protect from a predefined list. However, if you prefer to specify your own custom commands, you can provide them as a comma-separated list like this:
kubesafe context add my-context --commands "delete,apply,upgdrade"
To display all your configured safe contexts and their protected commands, use:
kubesafe context list
To remove a context from your list of safe contexts, run:
kubesafe context remove my-context
Kubesafe supports a non-interactive mode, which can be enabled by adding the --no-interactive
flag directly after the kubesafe
command.
In this mode, kubesafe will skip confirmation prompts and automatically abort the command if it is protected.
Example:
kubesafe --no-interactive kubectl delete pod my-pod
You can hook up kubesafe
with the Kubernetes VSCode Extension
to add an extra safety layer to your workflow. Once set up, you'll get a warning popup whenever you try to run a protected command in a safe context.
Just make sure kubesafe
is running in non-interactive mode (--no-interactive
) and tell the extension to
use kubesafe
as your kubectl
command.
-
The extension settings only allows to set the kubectl path, so you need to create a shell script that calls
kubesafe
with the--no-interactive
flag.Create a file named
kubesafe-kubectl
and give it execution permissions:cat <<'EOT' > kubesafe-kubectl #!/bin/sh kubesafe --no-interactive kubectl "$@" EOT chmod +x kubesafe-kubectl
-
Set the path to the
kubesafe-kubectl
script in the Kubernetes extension settings:- Open the VSCode settings (
Cmd + ,
on Mac,Ctrl + ,
on Windows/Linux) - Search for
Kubernetes: Kubectl Path
- Set the value of the setting
Vscode-kubernetes: Kubectl-path
to the path of thekubesafe-kubectl
script.
- Open the VSCode settings (
-
That's it! Now, whenever you run a kubectl command in VSCode, you'll get a warning popup if you try to run a protected command in a safe context.
Kubesafe draws inspiration from existing kubectl plugins that offer similar features but are restricted to working exclusively with kubectl:
- kubectl-prompt: A kubectl plugin that displays a warning prompt when issuing commands in a flagged cluster or namespace
- kubectl-safe: A kubectl plugin to prevent shooting yourself in the foot with edit commands.
This project is licensed under the Apache License. See the LICENSE file for details.