{"id":19299967,"url":"https://github.com/cloudogu/sudo-kubeconfig","last_synced_at":"2025-10-12T16:06:01.029Z","repository":{"id":72236267,"uuid":"322251009","full_name":"cloudogu/sudo-kubeconfig","owner":"cloudogu","description":"Create a sudo kubeconfig for your current kubernetes context","archived":false,"fork":false,"pushed_at":"2023-02-07T07:41:43.000Z","size":19,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-10-12T16:02:57.850Z","etag":null,"topics":["kubeconfig","kubectl-sudo","kubernetes","sudo"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudogu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-12-17T09:53:42.000Z","updated_at":"2025-04-14T17:42:52.000Z","dependencies_parsed_at":"2023-02-25T17:31:03.272Z","dependency_job_id":null,"html_url":"https://github.com/cloudogu/sudo-kubeconfig","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/cloudogu/sudo-kubeconfig","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fsudo-kubeconfig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fsudo-kubeconfig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fsudo-kubeconfig/releases","manifests_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fsudo-kubeconfig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudogu","download_url":"https://codeload.github.com/cloudogu/sudo-kubeconfig/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudogu%2Fsudo-kubeconfig/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279011985,"owners_count":26085039,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-12T02:00:06.719Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubeconfig","kubectl-sudo","kubernetes","sudo"],"created_at":"2024-11-09T23:13:18.208Z","updated_at":"2025-10-12T16:06:01.024Z","avatar_url":"https://github.com/cloudogu.png","language":"Shell","readme":"cloudogu/sudo-kubeconfig \n===\n\nCreate a sudo kubeconfig for your current kubernetes context.\n\n\u003cimg src=\"https://github.com/cloudogu/sudo-kubeconfig/wiki/sudo-kubeconfig.gif\" alt=\"Demo gif\" width=\"516\" height=\"309\"\u003e \n\nFor questions or suggestions you are welcome to join us at our myCloudogu [community forum](https://community.cloudogu.com/c/kubernetes/54).\n\n[![Discuss it on myCloudogu](https://static.cloudogu.com/static/images/discuss-it.png)](https://community.cloudogu.com/c/kubernetes/54)\n\n## Motivation\n\nThe [kubectl 
sudo](https://github.com/postfinance/kubectl-sudo) and [helm sudo](https://github.com/cloudogu/helm-sudo) plugins use a powerful concept to prevent accidental `kubectl apply` or `helm install` to clusters: Using Kubernetes' `impersonate` functionality as a `sudo` mechanism.\n\nThe plugins provide a good developer experience but are restricted to `kubectl` and `helm`.\n\nWhat about other CLIs that rely on kubeconfig such as k9s, velero, fluxctl, istioctl, etc.? Can this mechanism be used \nfor them as well? \nThis repo provides an option for that: a \"sudo-context\".\nThe sudo-context is a duplicate of your usual context in kubeconfig that uses the same cluster but a different user.\nThis user sets `as` and `as-groups` just like `kubectl sudo` does.\n\n## Creating a sudo-context\n\nOne option for creating a \"sudo context\" is [create-sudo-kubeconfig.sh](create-sudo-kubeconfig.sh).\nIt guides you through the \"sudo context\" creation interactively.\n\n```shell\nSUDO_KUBECONTEXT_VERSION=0.1.1\nwget -P /tmp/ \"https://raw.githubusercontent.com/cloudogu/sudo-kubeconfig/${SUDO_KUBECONTEXT_VERSION}/create-sudo-kubeconfig.sh\"\nchmod +x /tmp/create-sudo-kubeconfig.sh\n/tmp/create-sudo-kubeconfig.sh\n```\n\n## Using a sudo-context\n\nSee below for an example using a local KIND/k3s/k3d cluster.\n\n* Create an impersonator `ClusterRole` (see [kubectl-sudo](https://github.com/postfinance/kubectl-sudo) for details of the concept)\n  `kubectl apply -f \"https://raw.githubusercontent.com/cloudogu/sudo-kubeconfig/${SUDO_KUBECONTEXT_VERSION}/clusterrole-sudoer.yaml\"`\n* Authorize users via `ClusterRoleBinding`, e.g. like \n  `kubectl create clusterrolebinding cluster-sudoers --clusterrole=sudoer --user=you`\n* Restrict your user to read-only permissions (e.g. 
using the built-in `viewer` clusterrole)\n* Create sudo-kubeconfig\n```shell\nSUDO_KUBECONTEXT_VERSION=0.1.1\nwget -P /tmp/ \"https://raw.githubusercontent.com/cloudogu/sudo-kubeconfig/${SUDO_KUBECONTEXT_VERSION}/create-sudo-kubeconfig.sh\"\nchmod +x /tmp/create-sudo-kubeconfig.sh\n/tmp/create-sudo-kubeconfig.sh\n```\n\nOnce you have created a sudo context, you can use it like so:\n\n```shell\nfluxctl --context SUDO-context     \nk9s --context SUDO-context #  Hint: You can also change the context from within k9s using \":ctx\"\n```\n\n⚠️ Please note\n* The SUDO-context also contains a namespace. This might be different from your current context. So: better set your `-n` in your commands or Kubernetes resources, or use the `kubectl sudo` and `helm sudo` plugins.\n* It's good practice *not* to use the \"sudo context\" as current context, but to use it explicitly via an additional parameter.\n\nBy the way, you can also use this context for kubectl or helm, as an alternative to the `kubectl sudo` plugin:\n\n```shell\nkubectl --context SUDO-context  # Hint: use auto completion for the context\n# This also works with aliases  ...\nkgpo --context SUDO-context\n#  ... and plugins\nkubectl whoami --context SUDO-context\nhelm --kube-context SUDO-context # Hint: use auto completion for the context\n```\n\n## Trying sudo-kubeconfig in KIND, k3s/k3d\n\nThe kubeconfig used by k3s/k3d and KIND uses a client cert that already is in the `system:masters` group. 
This makes it \ndifficult to restrict privileges using RBAC.\n\nOne option to try out sudo-kubeconfig is to create a service account and authenticate with its token.\n\n```shell\n# Preparations\n# Create unprivileged service account\nkubectl create sa unpriv --namespace default\n# Enable sudo for service account\nkubectl create clusterrolebinding cluster-sudoers \\\n    --clusterrole=sudoer \\\n    --serviceaccount=default:unpriv\n# Optional: Allow read-only access by default\nkubectl create clusterrolebinding cluster-viewers \\\n    --clusterrole=view \\\n    --serviceaccount=default:unpriv\n\n# Create kubeconfig to authenticate using service account's token\nwget -P /tmp https://raw.githubusercontent.com/zlabjp/kubernetes-scripts/4ed8/create-kubeconfig\nchmod +x /tmp/create-kubeconfig\ntmpConfig=$(mktemp)\n/tmp/create-kubeconfig unpriv --namespace=default \u003e ${tmpConfig}\nexport KUBECONFIG=${tmpConfig}\n\n./create-sudo-kubeconfig.sh\n\n# Fails with\n# error: failed to create deployment: deployments.apps is forbidden: User \"system:serviceaccount:default:unpriv\" cannot create resource \"deployments\" in API group \"apps\" in the namespace \"default\"\nkubectl create deployment nginx --image=nginx\n# Success: deployment.apps/nginx created\nkubectl create deploy nginx --image=nginx --context=SUDO-kind \n\n# Fail\nhelm install nginx bitnami/nginx\n# Success\nhelm install nginx bitnami/nginx --kube-context=SUDO-kind \n\n# Reset to default kubeconfig\nunset KUBECONFIG\n```\n\n## Options\n\nVia Environment Variables.\n\n* `SUDO_PREFIX` - Prefix added to current kubecontext and user to flag it as \"sudo\". Default: `SUDO-`\n* `SUDO_CONTEXT_POSTFIX` - Postfix added to current kubecontext to raise attention to it being for sudo only. 
Default: ``\n* `DEBUG` - prints echo of commands (set -x)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudogu%2Fsudo-kubeconfig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudogu%2Fsudo-kubeconfig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudogu%2Fsudo-kubeconfig/lists"}