Kubesafe: Never run Kubernetes commands on the wrong cluster again
(github.com)15 points by Telemaco019 2 days ago | 7 comments
15 points by Telemaco019 2 days ago | 7 comments
Telemaco019 a day ago | root | parent |
Thanks Robert! Yes, you can achieve this with ACLs in Kubernetes, but it requires setting up multiple Roles and contexts. Even then, you might accidentally switch to a higher-permission Role and accidentally run a risky command, thinking you're in a different cluster or using a low-permission user.
Kubesafe is just an extra safety net to prevent those kind of accidents :)
robertlagrant a day ago | root | parent |
That makes sense - thanks for the reply.
I am not trying to shit on this, sorry - but can't you achieve the same thing with rudimentary automation, and barring that, rudimentary scripting? This seems to just be adding y/n prompts to certain contexts. How's that different than a bash wrapper script that does something like this?
context=$(grep "current-context:" ~/.kube/config | grep "*prod*")
if [[ -z ${context} ]]
then # do the command
else # do a y/n prompt
fi
Am I missing something?
Telemaco019 a day ago | root | parent |
Thanks for the feedback John! You're right, that's pretty much it :)
I developed kubesafe because (1) I was tired of tinkering with shell aliases and scripts (especially when I wanted to define protected commands) and (2) I needed something that worked smoothly with all Kubernetes tools like kubectl, helm, kubecolor, etc.
Kubesafe is just a convenient way to manage protected commands and contexts. Nothing too fancy!
Btw - I also found a kubectl plugin written in Bash that’s similar to what you mentioned, in case you're interested: https://github.com/jordanwilson230/kubectl-plugins/blob/krew...
robertlagrant a day ago | next |
This seems good, but can it also be done via ACLs in vanilla Kubernetes?