Extend kubectl with plugins

    This guide demonstrates how to install and write extensions for kubectl. By thinking of core commands as essential building blocks for interacting with a Kubernetes cluster, a cluster administrator can think of plugins as a means of utilizing these building blocks to create more complex behavior. Plugins extend kubectl with new sub-commands, allowing for new and custom features not included in the main distribution of kubectl.

    You need to have a working kubectl binary installed.

    A plugin is a standalone executable file, whose name begins with kubectl-. To install a plugin, move its executable file to anywhere on your PATH.

    You can also discover and install kubectl plugins available in the open source using . Krew is a plugin manager maintained by the Kubernetes SIG CLI community.

    Caution: Kubectl plugins available via the Krew plugin index are not audited for security. You should install and run third-party plugins at your own risk, since they are arbitrary programs running on your machine.

    kubectl provides a command kubectl plugin list that searches your PATH for valid plugin executables. Executing this command causes a traversal of all files in your PATH. Any files that are executable, and begin with kubectl- will show up in the order in which they are present in your PATH in this command’s output. A warning will be included for any files beginning with kubectl- that are not executable. A warning will also be included for any valid plugin files that overlap each other’s name.

    You can use to discover and install kubectl plugins from a community-curated plugin index.

    Limitations

    It is currently not possible to create plugins that overwrite existing kubectl commands. For example, creating a plugin kubectl-version will cause that plugin to never be executed, as the existing kubectl version command will always take precedence over it. Due to this limitation, it is also not possible to use plugins to add new subcommands to existing kubectl commands. For example, adding a subcommand kubectl create foo by naming your plugin kubectl-create-foo will cause that plugin to be ignored.

    kubectl plugin list shows warnings for any valid plugins that attempt to do this.

    You can write a plugin in any programming language or script that allows you to write command-line commands.

    There is no plugin installation or pre-loading required. Plugin executables receive the inherited environment from the kubectl binary. A plugin determines which command path it wishes to implement based on its name. For example, a plugin named kubectl-foo provides a command kubectl foo. You must install the plugin executable somewhere in your PATH.

    Example plugin

    Using a plugin

    To use a plugin, make the plugin executable:

    1. sudo chmod +x ./kubectl-foo

    and place it anywhere in your PATH:

    1. sudo mv ./kubectl-foo /usr/local/bin
    1. kubectl foo
    1. I am a plugin named kubectl-foo

    All args and flags are passed as-is to the executable:

    1. kubectl foo version
    1. 1.0.0

    All environment variables are also passed as-is to the executable:

    1. kubectl foo config
    1. /home/<user>/.kube/config
    1. KUBECONFIG=/etc/kube/config kubectl foo config
    1. /etc/kube/config

    Additionally, the first argument that is passed to a plugin will always be the full path to the location where it was invoked ($0 would equal /usr/local/bin/kubectl-foo in the example above).

    As seen in the example above, a plugin determines the command path that it will implement based on its filename. Every sub-command in the command path that a plugin targets, is separated by a dash (-). For example, a plugin that wishes to be invoked whenever the command kubectl foo bar baz is invoked by the user, would have the filename of kubectl-foo-bar-baz.

    Flags and argument handling

    Note:

    The plugin mechanism does not create any custom, plugin-specific values or environment variables for a plugin process.

    An older kubectl plugin mechanism provided environment variables such as ; that no longer happens.

    kubectl plugins must parse and validate all of the arguments passed to them. See for details of a Go library aimed at plugin authors.

    Here are some additional cases where users invoke your plugin while providing additional flags and arguments. This builds upon the kubectl-foo-bar-baz plugin from the scenario above.

    If you run kubectl foo bar baz arg1 --flag=value arg2, kubectl’s plugin mechanism will first try to find the plugin with the longest possible name, which in this case would be kubectl-foo-bar-baz-arg1. Upon not finding that plugin, kubectl then treats the last dash-separated value as an argument (arg1 in this case), and attempts to find the next longest possible name, kubectl-foo-bar-baz. Upon having found a plugin with this name, kubectl then invokes that plugin, passing all args and flags after the plugin’s name as arguments to the plugin process.

    Example:

    1. The following kubectl-compatible plugins are available:
    2. /usr/local/bin/kubectl-foo-bar-baz
    1. # test that calling your plugin via a "kubectl" command works
    2. # even when additional arguments and flags are passed to your
    3. # plugin executable by the user.
    4. kubectl foo bar baz arg1 --meaningless-flag=true
    1. My first command-line argument was arg1

    As you can see, your plugin was found based on the kubectl command specified by a user, and all extra arguments and flags were passed as-is to the plugin executable once it was found.

    Names with dashes and underscores

    Although the kubectl plugin mechanism uses the dash (-) in plugin filenames to separate the sequence of sub-commands processed by the plugin, it is still possible to create a plugin command containing dashes in its commandline invocation by using underscores (_) in its filename.

    1. # create a plugin containing an underscore in its filename
    2. echo -e '#!/bin/bash\n\necho "I am a plugin with a dash in my name"' > ./kubectl-foo_bar
    3. sudo chmod +x ./kubectl-foo_bar
    4. # move the plugin into your $PATH
    5. sudo mv ./kubectl-foo_bar /usr/local/bin
    6. # You can now invoke your plugin via kubectl:
    7. kubectl foo-bar
    1. I am a plugin with a dash in my name

    Note that the introduction of underscores to a plugin filename does not prevent you from having commands such as kubectl foo_bar. The command from the above example, can be invoked using either a dash (-) or an underscore (_):

    1. # You can invoke your custom command with a dash
    2. kubectl foo-bar
    1. I am a plugin with a dash in my name
    1. kubectl foo_bar
    1. I am a plugin with a dash in my name

    Name conflicts and overshadowing

    It is possible to have multiple plugins with the same filename in different locations throughout your PATH. For example, given a PATH with the following value: PATH=/usr/local/bin/plugins:/usr/local/bin/moreplugins, a copy of plugin kubectl-foo could exist in /usr/local/bin/plugins and /usr/local/bin/moreplugins, such that the output of the command is:

    1. PATH=/usr/local/bin/plugins:/usr/local/bin/moreplugins kubectl plugin list

    In the above scenario, the warning under /usr/local/bin/moreplugins/kubectl-foo tells you that this plugin will never be executed. Instead, the executable that appears first in your PATH, /usr/local/bin/plugins/kubectl-foo, will always be found and executed first by the kubectl plugin mechanism.

    A way to resolve this issue is to ensure that the location of the plugin that you wish to use with kubectl always comes first in your PATH. For example, if you want to always use /usr/local/bin/moreplugins/kubectl-foo anytime that the kubectl command kubectl foo was invoked, change the value of your PATH to be /usr/local/bin/moreplugins:/usr/local/bin/plugins.

    Invocation of the longest executable filename

    There is another kind of overshadowing that can occur with plugin filenames. Given two plugins present in a user’s PATH: kubectl-foo-bar and kubectl-foo-bar-baz, the kubectl plugin mechanism will always choose the longest possible plugin name for a given user command. Some examples below, clarify this further:

    1. # for a given kubectl command, the plugin with the longest possible filename will always be preferred
    2. kubectl foo bar baz
    1. Plugin kubectl-foo-bar-baz is executed
    1. kubectl foo bar
    1. Plugin kubectl-foo-bar is executed
    1. kubectl foo bar baz buz
    1. Plugin kubectl-foo-bar-baz is executed, with "buz" as its first argument
    1. kubectl foo bar buz
    1. Plugin kubectl-foo-bar is executed, with "buz" as its first argument

    This design choice ensures that plugin sub-commands can be implemented across multiple files, if needed, and that these sub-commands can be nested under a “parent” plugin command:

    1. ls ./plugin_command_tree
    1. kubectl-parent
    2. kubectl-parent-subcommand
    3. kubectl-parent-subcommand-subsubcommand

    Checking for plugin warnings

    You can use the aforementioned kubectl plugin list command to ensure that your plugin is visible by kubectl, and verify that there are no warnings preventing it from being called as a kubectl command.

    1. The following kubectl-compatible plugins are available:
    2. test/fixtures/pkg/kubectl/plugins/kubectl-foo
    3. /usr/local/bin/kubectl-foo
    4. - warning: /usr/local/bin/kubectl-foo is overshadowed by a similarly named plugin: test/fixtures/pkg/kubectl/plugins/kubectl-foo
    5. plugins/kubectl-invalid
    6. - warning: plugins/kubectl-invalid identified as a kubectl plugin, but it is not executable
    7. error: 2 plugin warnings were found

    Using the command line runtime package

    If you’re writing a plugin for kubectl and you’re using Go, you can make use of the utility libraries.

    These libraries provide helpers for parsing or updating a user’s kubeconfig file, for making REST-style requests to the API server, or to bind flags associated with configuration and printing.

    See the for an example usage of the tools provided in the CLI Runtime repo.

    If you have developed a plugin for others to use, you should consider how you package it, distribute it and deliver updates to your users.

    Krew offers a cross-platform way to package and distribute your plugins. This way, you use a single packaging format for all target platforms (Linux, Windows, macOS etc) and deliver updates to your users. Krew also maintains a so that other people can discover your plugin and install it.

    Native / platform specific package management

    Alternatively, you can use traditional package managers such as, apt or on Linux, Chocolatey on Windows, and Homebrew on macOS. Any package manager will be suitable if it can place new executables placed somewhere in the user’s PATH. As a plugin author, if you pick this option then you also have the burden of updating your kubectl plugin’s distribution package across multiple platforms for each release.

    Source code

    • Read about Krew, a package manager for kubectl plugins.