
Safely manage multiple Kubernetes clusters by defining safe contexts and protected commands.


Telemaco019/kubesafe

Latest commit

d792eda · Jan 14, 2025


Kubesafe


Tired of accidentally running dangerous commands on the wrong Kubernetes cluster? Meet kubesafe, your safety net for cluster management.

kubesafe allows you to safely run commands across multiple Kubernetes contexts. By allowing you to mark specific contexts as "safe" and define a list of protected commands, kubesafe makes sure you never accidentally run a dangerous command on the wrong cluster.

Key Features:

  • 🚀 Works with any Kubernetes tool: kubesafe can wrap any CLI that targets a Kubernetes cluster. Whether you're using kubectl, helm, or any other tool, kubesafe has you covered.
  • 🛡️ Context Protection with Custom Commands: Mark one or more contexts as "safe" and define a list of commands that require confirmation before execution.
  • 🔄 Flexible and Customizable: Easily configure protected contexts and commands to suit your workflow.

How does it work?

Simply prepend kubesafe to any command you want to run:

# Example with kubectl
kubesafe kubectl delete pod my-pod

# Example with Helm
kubesafe helm upgrade my-release stable/my-chart

Kubesafe seamlessly wraps any CLI command you provide as the first argument (e.g., kubectl, helm, kubecolor, etc.). If you attempt to run a protected command in a safe context, kubesafe will prompt you for confirmation before proceeding.

For convenience, you can set aliases in your shell configuration:

alias kubectl='kubesafe kubectl'
alias helm='kubesafe helm'

Now, every time you use kubectl or helm, kubesafe will automatically protect your commands!

To manage your safe contexts and protected commands, see the Managing contexts section.

Installation

Install with Homebrew (Mac/Linux)

$ brew tap Telemaco019/kubesafe
$ brew install kubesafe

Install with Go

$ go install github.com/telemaco019/kubesafe/kubesafe@latest

Managing contexts

Kubesafe makes it easy to manage your safe contexts and protected commands. To see all available options, run:

kubesafe --help

Add a safe context

To add a safe context, simply execute:

kubesafe context add

Kubesafe will guide you interactively to select a context to mark as "safe" and choose the commands you want to protect. Alternatively, you can add a safe context directly by specifying its name:

kubesafe context add my-context

The provided value can also be a regular expression to match multiple contexts:

kubesafe context add "prod-.*"

This will mark all contexts starting with prod- as safe.

Define custom protected commands

By default, kubesafe allows you to interactively choose commands to protect from a predefined list. However, if you prefer to specify your own custom commands, you can provide them as a comma-separated list like this:

kubesafe context add my-context --commands "delete,apply,upgrade"

List safe contexts

To display all your configured safe contexts and their protected commands, use:

kubesafe context list

Remove a safe context

To remove a context from your list of safe contexts, run:

kubesafe context remove my-context

Non-interactive mode

Kubesafe supports a non-interactive mode, which can be enabled by adding the --no-interactive flag directly after the kubesafe command.

In this mode, kubesafe will skip confirmation prompts and automatically abort the command if it is protected.

Example:

kubesafe --no-interactive kubectl delete pod my-pod
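
The decision described in the sections above (safe context plus protected command means confirm, or abort with --no-interactive), modelled as an added Go sketch; it is not kubesafe's own code. The type and function names, anchoring the pattern to the whole context name, and matching a protected command against any argument are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

type Decision string

const (
	Allow   Decision = "allow"   // run the wrapped CLI unchanged
	Confirm Decision = "confirm" // interactive: ask before running
	Abort   Decision = "abort"   // --no-interactive: refuse to run
)

// SafeContext pairs a context-name pattern with its protected commands (hypothetical type).
type SafeContext struct {
	Pattern  string
	Commands []string
}

// Decide models the documented behaviour. Assumption: the pattern must match
// the whole context name, so "prod-.*" does not also catch "nonprod-eu".
func Decide(rules []SafeContext, ctx string, args []string, nonInteractive bool) (Decision, error) {
	for _, r := range rules {
		re, err := regexp.Compile("^(?:" + r.Pattern + ")$")
		if err != nil {
			return Abort, fmt.Errorf("bad pattern %q: %w", r.Pattern, err) // fail closed
		}
		if !re.MatchString(ctx) {
			continue
		}
		for _, a := range args {
			for _, c := range r.Commands {
				if a == c && nonInteractive {
					return Abort, nil
				} else if a == c {
					return Confirm, nil
				}
			}
		}
	}
	return Allow, nil
}

func main() {
	// Constructed sample: the "prod-.*" rule from the text with three protected commands.
	rules := []SafeContext{{Pattern: "prod-.*", Commands: []string{"delete", "apply", "upgrade"}}}
	fmt.Println(Decide(rules, "prod-eu", []string{"delete", "pod", "my-pod"}, true))
}
```

Because the command comparison in this sketch is an exact string match, a misspelled entry in the protected list protects nothing, so the output of kubesafe context list is worth reviewing after every change.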

VSCode Integration

You can hook up kubesafe with the Kubernetes VSCode Extension to add an extra safety layer to your workflow. Once set up, you'll get a warning popup whenever you try to run a protected command in a safe context.

Just make sure kubesafe is running in non-interactive mode (--no-interactive) and tell the extension to use kubesafe as your kubectl command.

How to configure the Kubernetes VSCode Extension

  1. The extension settings only allow setting the kubectl path, so you need to create a shell script that calls kubesafe with the --no-interactive flag.

    Create a file named kubesafe-kubectl and give it execution permissions:

    cat <<'EOT' > kubesafe-kubectl
    #!/bin/sh
    kubesafe --no-interactive kubectl "$@"
    EOT
    
    chmod +x kubesafe-kubectl
  2. Set the path to the kubesafe-kubectl script in the Kubernetes extension settings:

    • Open the VSCode settings (Cmd + , on Mac, Ctrl + , on Windows/Linux)
    • Search for Kubernetes: Kubectl Path
    • Set the value of the setting Vscode-kubernetes: Kubectl-path to the path of the kubesafe-kubectl script.

  3. That's it! Now, whenever you run a kubectl command in VSCode, you'll get a warning popup if you try to run a protected command in a safe context.


Similar tools

Kubesafe draws inspiration from existing kubectl plugins that offer similar features but are restricted to working exclusively with kubectl:

  • kubectl-prompt: A kubectl plugin that displays a warning prompt when issuing commands in a flagged cluster or namespace
  • kubectl-safe: A kubectl plugin to prevent shooting yourself in the foot with edit commands.

License

This project is licensed under the Apache License. See the LICENSE file for details.
