Interaction
Basic¶
| Tool | Description |
|---|---|
| kubectl | See Kubectl page |
| lazydocker | A simple terminal UI for both docker and docker-compose |
| havener | A swiss army knife for Kubernetes tasks |
| debug-shell | k run -it --rm --restart=Never kube-shell --image=busybox:1.28 -- sh |
debug scratch images |
$ wget -O busybox https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64$ docker cp busybox <container>:/busybox$ docker exec -ti <container>:/busybox sh |
Inspection¶
| Tool | Description |
|---|---|
| dive |
|
| ima.ge.cx | A site that allows you to inspect the contents of Docker images without pulling them locally |
| dfimage | Reverse-engineer a Dockerfile from a Docker image |
| syft | CLI tool and library for generating a Software Bill of Materials from container images and filesystems |
| octant | A web-based, highly extensible platform for developers to better understand the complexity of Kubernetes clusters |
| lens | Standalone Kubernetes IDE (~Octant) |
| kubectl-dig | Deep kubernetes visibility from kubectl |
| container-diff | Tool for analyzing and comparing (diffing) container images |
| kpexec | Cli that runs commands in a container with high privileges |
| krew | Package manager for "kubectl plugins" |
Useful Krew Plugins¶
| Name | Description |
|---|---|
debug-shell |
Create pod with interactive kube-shell |
exec-as |
Like kubectl exec, but offers a user flag |
mtail |
Tail logs from multiple pods matching label selectors |
node-admin |
List nodes and run privileged pod with chroot |
node-shell |
Exec into a node via kubectl |
open-svc |
Open the Kubernetes URL(s) for the specified service |
pod-shell |
Display a list of pods to execute a shell in |
ssh-jump |
A kubectl plugin to SSH into Kubernetes nodes |
view-secret |
Decode secrets |
view-serviceaccount-kubeconfig |
Show a kubeconfig setting to access the apiserver |
warp |
Sync and execute local files in Pod |
access-matrix |
Show an access matrix for all resources (rakkess) |
kubectl-images |
List the container images used in the cluster |
kubesec-scan |
Scan Kubernetes resources with kubesec.io |
kubetap |
Interactively proxy Kubernetes Services |
rbac-lookup |
Reverse lookup for RBAC |
rbac-view |
A tool to visualize your RBAC permissions |
sniff |
NOT OPSEC SAFE, easily start a remote packet capture |
sudo |
Run Kubernetes commands impersonated as group |
tree |
Browse Kubernetes object hierarchies as a tree |