Alice GG
Posted on August 8, 2023

5 kubectl plugins to make your life easier

I have been using Kubernetes for five years, but only very recently started using plugins to enhance my kubectl commands. I will show you five plugins that help me avoid repetitive tasks, make cluster administration simpler, and incident response less stressful. All the plugins presented in this article are installable using Krew.

Blue lego bricks
Photo by Iker Urteaga

Note for Mac users

If you’re using an ARM Mac, most of the plugins I mention will appear uninstallable when using Krew. It is generally because the plugin authors didn’t release a mac-arm64 build. But you can install the mac-amd64 builds, which work as well, by overriding the KREW_ARCH environment variable. For example:

KREW_ARCH=amd64 kubectl krew install janitor

Tail

Logging pods through kubectl logs -f is always a good way to know what a running pod is doing. Sadly, I never manage to remember how to make it log multiple pods at once. The tail plugins solve that, by giving us a set of helper functions to easily stream the logs of a group of pods. For example, it can retrieve logs from all the pods created by a Job, or all the pods attached to a Service:

❯ k tail --job=logging-job
default/logging-job-xtx4s[busybox-container]: My log

❯ k tail --svc=mikochi
default/mikochi-69d47757f6-9nds7[mikochi]: [GIN] 2023/07/27 - 12:31:16 | 200 |     496.098µs |       10.42.0.1 | GET      "/api/refresh"
default/mikochi-69d47757f6-9nds7[mikochi]: [GIN] 2023/07/27 - 12:31:16 | 200 |   10.347273ms |       10.42.0.1 | GET      "/api/browse/"
default/mikochi-69d47757f6-9nds7[mikochi]: [GIN] 2023/07/27 - 12:31:16 | 200 |    9.598031ms |       10.42.0.1 | GET      "/api/browse/"
default/mikochi-69d47757f6-9nds7[mikochi]: [GIN] 2023/07/27 - 12:31:19 | 200 |     193.686µs |       10.42.0.1 | GET      "/ready"

Janitor

Janitor is a kubectl plugin that allows you to list resources in a problematic state. Instead of battling with grep, it gives you access to commands to automatically list unhealthy, unready, or unscheduled Pods, failed Jobs, pending PVCs, and or unclaimed PVs. This is helpful when examining a cluster during an incident, as it can directly point you toward ongoing issues.

❯ k janitor pods status
STATUS             COUNT
Running            4
Error              6
ImagePullBackOff   1

❯ k janitor pods unhealthy
NAME                 STATUS             AGE
failing-job-ln7rf    Error              4m40s
failing-job-vbfqd    Error              4m33s
failing-job2-kmxqm   Error              4m30s
failing-job-cjbt6    Error              4m27s
failing-job2-grwcn   Error              4m23s
failing-job2-s842x   Error              4m17s
my-container         ImagePullBackOff   17m

❯ k janitor jobs failed
NAME           REASON                 MESSAGE                                       AGE
failing-job    BackoffLimitExceeded   Job has reached the specified backoff limit   4m46s
failing-job2   BackoffLimitExceeded   Job has reached the specified backoff limit   4m36s

Neat

Neat is a simple utility to remove generated fields from the command output. You can use it by simply piping the output of kubectl get into kubectl neat. This makes for a more readable output and is very convenient if you want to save the yaml to create a new resource.

❯ k get pod -o yaml mikochi-69d47757f6-9nds7
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-07-21T12:30:58Z"
  generateName: mikochi-69d47757f6-
  labels:
    app.kubernetes.io/instance: mikochi
    app.kubernetes.io/name: mikochi
    pod-template-hash: 69d47757f6
  name: mikochi-69d47757f6-9nds7
  namespace: default
.......

❯ k get pod -o yaml mikochi-69d47757f6-9nds7 | k neat
apiVersion: v1
kind: Pod
metadata:
  labels:
    app.kubernetes.io/instance: mikochi
    app.kubernetes.io/name: mikochi
    pod-template-hash: 69d47757f6
  name: mikochi-69d47757f6-9nds7
  namespace: default
.......

View-secret

Since the data inside Secrets is base64 encoded, reading them often results in a mix of kubectl get, jq, and base64 -d. The view-secret plugin aims at simplifying that, by allowing you to directly read and decrypt values from secrets.

❯ k view-secret mikochi username
[CENSORED]

❯ k view-secret mikochi password
[ALSO CENSORED]

Node-shell

If you want to directly access a node, finding the node IP, using SSH with the right RSA key, etc… can make you lose precious time during an incident. But it is possible to obtain a root shell from a (privileged) container using nsenter. The node-shell plugin leverages this to give you access to the nodes in a single kubectl command:

❯ k node-shell my-node
spawning "nsenter-qco8qi" on "my-node"
If you don't see a command prompt, try pressing enter.
root@my-node:/# cat /etc/rancher/k3s/k3s.yaml
apiVersion: v1
clusters:
- cluster:
.......