{"id":21291497,"url":"https://github.com/postfinance/kubectl-sudo","last_synced_at":"2026-02-23T23:03:00.351Z","repository":{"id":51733545,"uuid":"152578950","full_name":"postfinance/kubectl-sudo","owner":"postfinance","description":"Run kubernetes commands with the security privileges of another user","archived":false,"fork":false,"pushed_at":"2026-02-13T09:21:55.000Z","size":26,"stargazers_count":172,"open_issues_count":0,"forks_count":17,"subscribers_count":8,"default_branch":"master","last_synced_at":"2026-02-13T17:25:24.130Z","etag":null,"topics":["kubectl","kubectl-plugins","kubernetes","security-privileges","sudo"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/postfinance.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-10-11T11:13:09.000Z","updated_at":"2026-02-13T09:21:58.000Z","dependencies_parsed_at":"2025-05-17T23:07:52.410Z","dependency_job_id":"407984e4-c754-415b-957b-7242e6f2200a","html_url":"https://github.com/postfinance/kubectl-sudo","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/postfinance/kubectl-sudo","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubectl-sudo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubectl-sudo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubectl-sudo/releases","manifests_url":"https://repos.ec
osyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubectl-sudo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/postfinance","download_url":"https://codeload.github.com/postfinance/kubectl-sudo/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubectl-sudo/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29760078,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-23T21:02:23.375Z","status":"ssl_error","status_checked_at":"2026-02-23T20:58:31.539Z","response_time":90,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubectl","kubectl-plugins","kubernetes","security-privileges","sudo"],"created_at":"2024-11-21T13:33:55.163Z","updated_at":"2026-02-23T23:03:00.321Z","avatar_url":"https://github.com/postfinance.png","language":"Shell","readme":"\u003c!-- START doctoc generated TOC please keep comment here to allow auto update --\u003e\n\u003c!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --\u003e\n**Table of Contents**\n\n- [kubectl sudo](#kubectl-sudo)\n  - [TL;DR](#tldr)\n  - [Why](#why)\n  - [How](#how)\n  - [Installation](#installation)\n  - [Plugin Compatibility](#plugin-compatibility)\n  - [Configuration](#configuration)\n  - [Similar 
projects](#similar-projects)\n\n\u003c!-- END doctoc generated TOC please keep comment here to allow auto update --\u003e\n\n# kubectl sudo\n\n## TL;DR\nThis plugin allows users to run Kubernetes commands with the security privileges of another user:\n\n```bash\n$ kubectl get nodes\nError from server (Forbidden): nodes is forbidden: User \"bofh\" cannot list nodes at the cluster scope\n```\n\n```bash\n$ kubectl sudo get nodes\nNAME                     STATUS   ROLES    AGE   VERSION\nkubelet1.example.com     Ready    \u003cnone\u003e   96d   v1.11.2\nkubelet2.example.com     Ready    \u003cnone\u003e   96d   v1.11.2\n```\n\nIf auditing is configured correctly, the audit log contains both the originating user and the impersonated user and group:\n```json\n{\n  \"kind\": \"Event\",\n  \"apiVersion\": \"audit.k8s.io/v1beta1\",\n  \"level\": \"Metadata\",\n  \"stage\": \"ResponseComplete\",\n  \"requestURI\": \"/api/v1/nodes?limit=500\",\n  \"verb\": \"list\",\n  \"user\": {\n    \"username\": \"bofh\",\n    \"groups\": [\n      \"bofh_accounts\",\n      \"system:authenticated\"\n    ]\n  },\n  \"impersonatedUser\": {\n    \"username\": \"bofh\",\n    \"groups\": [\n      \"system:masters\"\n    ]\n  },\n  \"objectRef\": {\n    \"resource\": \"nodes\",\n    \"apiVersion\": \"v1\"\n  }\n}\n```\n\n## Why\nKubernetes cluster administrators have great power. A mistake could\ncause the cluster to become unhealthy or insecure and, as such, could impact\nany or all tenants sharing the cluster. 
A simple `kubectl -f` with the wrong namespace\ncan end badly.\n\n## How\nThis project does not so much introduce a kubectl plugin as a concept\nof how to provide a sudo-like system for Kubernetes access.\n\nTo reduce the surface of unwanted or unexpected actions you can reduce the default privileges\na cluster administrator has to the level of an unprivileged account and give them the ability to impersonate users and groups.\nWhen cluster administrators need to do more privileged actions, they can switch\nthe group to `system:masters` or another group or user according to the needed privilege level.\n\nIn order to implement that concept, you need to declare a `ClusterRole` for\n[impersonation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation):\n\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: impersonator\nrules:\n- apiGroups: [\"\"]\n  verbs: [\"impersonate\"]\n  resources: [\"users\", \"groups\", \"serviceaccounts\"]\n```\n\nNow you can assign this ClusterRole to the cluster administrators (e.g. 
group `bofh_accounts`):\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: cluster-administrators\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: impersonator\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: bofh_accounts\n```\n\nAny user who has the group `bofh_accounts` can now do administration tasks with:\n\n```\nkubectl --as=$USER --as-group=system:masters delete node kubelet3.example.com\n```\n\nThe provided kubectl plugin is just a wrapper for `kubectl` to shorten the `--as` and `--as-group` part.\n\n## Installation\nPlace [kubectl-sudo](bash/kubectl-sudo) anywhere in your `$PATH` with execute permissions.\nFor further information, see the official [plugin documentation](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/).\n\n## Plugin Compatibility\nWorks on systems with `/bin/sh` and kubectl \u003e= 1.12. `kubectl` must be inside `$PATH`.\n\n## Configuration\nThis plugin can be configured using environment variables:\n- `KUBECTL_SUDO_PROMPT=true`: whether or not the plugin prompts the user before executing the kubectl command. Default value is `false`.\n\n## Similar projects\n* [cloudogu/helm-sudo](https://github.com/cloudogu/helm-sudo): Same functionality as kubectl-sudo for [helm](https://helm.sh/)\n* [cloudogu/sudo-kubeconfig](https://github.com/cloudogu/sudo-kubeconfig): Create a sudo kubeconfig for your current Kubernetes context.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpostfinance%2Fkubectl-sudo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpostfinance%2Fkubectl-sudo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpostfinance%2Fkubectl-sudo/lists"}