{"id":13644108,"url":"https://github.com/ssup2/kpexec","last_synced_at":"2026-03-09T11:02:49.635Z","repository":{"id":49971598,"uuid":"242557925","full_name":"ssup2/kpexec","owner":"ssup2","description":" kpexec is a kubernetes cli that runs commands in a container with high privileges.","archived":false,"fork":false,"pushed_at":"2025-12-04T16:16:48.000Z","size":30696,"stargazers_count":263,"open_issues_count":1,"forks_count":15,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-12-07T23:43:24.538Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ssup2.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-23T17:13:09.000Z","updated_at":"2025-12-04T16:16:52.000Z","dependencies_parsed_at":"2024-01-14T09:18:39.195Z","dependency_job_id":"d7e1308a-379b-48ad-afd7-ab53e7dcf034","html_url":"https://github.com/ssup2/kpexec","commit_stats":null,"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"purl":"pkg:github/ssup2/kpexec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ssup2%2Fkpexec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ssup2%2Fkpexec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ssup2%2Fkpexec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ssup2%2Fkpexec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ssup2","download_url":"https://codeload.github.com/ssup2/kpexec/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ssup2%2Fkpexec/sbom","scorecard":{"id":845134,"data":{"date":"2025-08-11","repo":{"name":"github.com/ssup2/kpexec","commit":"d07f09ce3782e4b815a6390931f846a0ce2328f4"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.4,"checks":[{"name":"Code-Review","score":1,"reason":"Found 3/30 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build-cnsenter-tools.yml:1","Warn: no topLevel permission defined: .github/workflows/build-cnsenter.yml:1","Warn: no topLevel permission defined: .github/workflows/release-krew.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.4.1 not signed: https://api.github.com/repos/ssup2/kpexec/releases/120556649","Warn: release artifact v0.4.0 not signed: https://api.github.com/repos/ssup2/kpexec/releases/77711917","Warn: release artifact v0.3.5 not signed: https://api.github.com/repos/ssup2/kpexec/releases/58217915","Warn: release artifact v0.3.4 not signed: https://api.github.com/repos/ssup2/kpexec/releases/44202992","Warn: release artifact v0.3.3 not signed: https://api.github.com/repos/ssup2/kpexec/releases/44202129","Warn: release artifact v0.4.1 does not have provenance: https://api.github.com/repos/ssup2/kpexec/releases/120556649","Warn: release artifact v0.4.0 does not have provenance: https://api.github.com/repos/ssup2/kpexec/releases/77711917","Warn: release artifact v0.3.5 does not have provenance: https://api.github.com/repos/ssup2/kpexec/releases/58217915","Warn: release artifact v0.3.4 does not have provenance: https://api.github.com/repos/ssup2/kpexec/releases/44202992","Warn: release artifact v0.3.3 does not have provenance: https://api.github.com/repos/ssup2/kpexec/releases/44202129"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-cnsenter-tools.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter-tools.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-cnsenter-tools.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter-tools.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-cnsenter-tools.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter-tools.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-cnsenter-tools.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter-tools.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-cnsenter.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-cnsenter.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-cnsenter.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-cnsenter.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/build-cnsenter.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-krew.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/release-krew.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-krew.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/release-krew.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/ssup2/kpexec/test.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile-cnsenter:2","Warn: containerImage not pinned by hash: Dockerfile-cnsenter:9","Warn: containerImage not pinned by hash: Dockerfile-cnsenter:18: pin your Docker image by updating alpine:3.13.1 to alpine:3.13.1@sha256:08d6ca16c60fe7490c03d10dc339d9fd8ea67c6466dea8d558526b1330a85930","Warn: containerImage not pinned by hash: Dockerfile-cnsenter-tools:2","Warn: containerImage not pinned by hash: Dockerfile-cnsenter-tools:9","Warn: containerImage not pinned by hash: Dockerfile-cnsenter-tools:19: pin your Docker image by updating alpine:3.13.1 to alpine:3.13.1@sha256:08d6ca16c60fe7490c03d10dc339d9fd8ea67c6466dea8d558526b1330a85930","Warn: downloadThenRun not pinned by hash: .github/workflows/test.yml:26","Info:   0 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   6 containerImage dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 3 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"17 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-1147 / GHSA-2qjp-425j-52j9","Warn: Project is vulnerable to: GO-2023-1573 / GHSA-259w-8hf6-59c2","Warn: Project is vulnerable to: GO-2023-1574 / GHSA-hmfx-3pcx-653p","Warn: Project is vulnerable to: GO-2023-2412 / GHSA-7ww5-4wqc-m92c","Warn: Project is vulnerable to: GO-2025-3528 / GHSA-265r-hfxg-fhmg","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2023-1495 / GHSA-fxg5-wq6x-vr4w","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2024-2611 / GHSA-8r3f-844c-mc37"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T21:14:24.697Z","repository_id":49971598,"created_at":"2025-08-23T21:14:24.697Z","updated_at":"2025-08-23T21:14:24.697Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30291840,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T02:57:19.223Z","status":"ssl_error","status_checked_at":"2026-03-09T02:56:26.373Z","response_time":61,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T01:01:57.632Z","updated_at":"2026-03-09T11:02:49.628Z","avatar_url":"https://github.com/ssup2.png","language":"Go","funding_links":[],"categories":["Go","K8S-Tools"],"sub_categories":[],"readme":"# kpexec\n\n![kpexec Demo](image/kpexec_Demo.gif)\n\n**kpexec** is a K8s cli that runs commands in a container with high privileges **without SSH**. It runs a highly privileged container on the same node as the target container and joins into the namespaces of the target container (IPC, UTS, PID, net, mount). This is useful for debugging where you often need to execute commands with high privileges. Also, kpexec has a **tools mode**, which adds useful debugging tools into the debugged container. The tools mode is useful when there necessary debugging tools are missing in the target container.\n\nIn contrast, kubectl-exec runs the command with the same privileges as the container. For example, if a container does not have network privileges, the command executed by kubectl-exec also has no network privileges. This makes debugging the pod difficult. If you use kpexec instead of kubectl-exec, you can easily get high privileges for debugging.\n\nkpexec now supports the following container runtimes.\n* containerd\n* CRI-O\n* Docker\n\nkpexec now supports the following CPU architectures.\n* amd64\n* arm64\n\n## Check \u0026 Install\n\nSince kpexec uses kubectl internally, **kubectl** installation and **kubeconfig** files must be properly configured before using kpexec. Whenever kpexec is executed, kpexec creates a **cnsenter (Container Namespace Enter) pod** to executes cnsenter. cnsenter is a command to exec command in the target container through **CRI (Container Runtime Interface)**.\n\nThe cnsenter pod must be created with **hostPID**, **Privileged** and **hostPath** Option. Therefore, before using kpexec, you should check if the pod options mentioned are available in your K8s cluster. Fortunately, in most K8s clusters including managed K8s clusters by public cloud service such as EKS, AKS and GKE, the pod options mentioned available without configuration. Therefore, kpexec can also be used in most K8s clusters without any configuration.\n\n### Download Binary\n\nInstall via download the kpexec binary\n\n```bash\n$ export KPEXEC_VERSION=v0.4.6\n\n# Linux / amd64\n$ wget -c \"https://github.com/ssup2/kpexec/releases/download/${KPEXEC_VERSION}/kpexec_${KPEXEC_VERSION}_Linux_amd64.tar.gz\" -O - | tar -C /usr/local/bin/ -xz\n\n# Linux / arm64\n$ wget -c \"https://github.com/ssup2/kpexec/releases/download/${KPEXEC_VERSION}/kpexec_${KPEXEC_VERSION}_Linux_arm64.tar.gz\" -O - | tar -C /usr/local/bin/ -xz\n\n# macOS / amd64\n$ wget -c \"https://github.com/ssup2/kpexec/releases/download/${KPEXEC_VERSION}/kpexec_${KPEXEC_VERSION}_Darwin_amd64.tar.gz\" -O - | tar -C /usr/local/bin/ -xz\n\n# macOS / arm64\n$ wget -c \"https://github.com/ssup2/kpexec/releases/download/${KPEXEC_VERSION}/kpexec_${KPEXEC_VERSION}_Darwin_arm64.tar.gz\" -O - | tar -C /usr/local/bin/ -xz\n\n# Windows / amd64\n# Download and install from https://github.com/ssup2/kpexec/releases/download/${KPEXEC_VERSION}/kpexec_${KPEXEC_VERSION}_Windows_amd64.tar.gz\n```\n\n### Homebrew\n\nInstall via Homebrew.\n\n```bash\n$ brew install ssup2/tap/kpexec\n```\n\n### Krew\n\nInstall via Krew. kpexec is registered with krew under the name **pexec**. If you installed kpexec through Krew, you should use the **kubectl pexec** command instead of the kpexec command. And in this case, shell autocompetion doesn't work.\n\n```bash\n$ kubectl krew install pexec\n```\n\n## Set shell autocompletion (Optional)\n\nkpexec supports shell autocompletion on Bash or Zsh shell. Before setting kpexec shell autocompletion, enable shell autocompletion via the link below.\n* https://kubernetes.io/docs/tasks/tools/install-kubectl/#enabling-shell-autocompletion\n\n### Bash\n\nSet kpexec shell autocompletion to bash shell through the following commands.\n```bash\n$ source \u003c(kpexec --completion bash)\n$ sudo sh -c \"echo 'source \u003c(kpexec --completion bash)' \u003e\u003e~/.bashrc\"\n```\n\n### Zsh\n\nSet kpexec shell autocompletion to zsh shell through the following commands.\n```bash\n$ source \u003c(kpexec --completion zsh)\n$ sudo sh -c \"echo 'source \u003c(kpexec --completion zsh)' \u003e\u003e~/.zshrc\"\n```\n\n## Usage\n\nBelow are examples of kpexec usage.\n```bash\n# Get output from running 'date' command from pod mypod, using the first container by default.\n$ kpexec mypod -- date\n$ kubectl pexec mypod -- date\n\n# Get output from running 'date' command in golang-container from pod mypod and namespace mynamespace.\n$ kpexec -n mynamespace mypod -c date-container -- date\n$ kubectl pexec -n mynamespace mypod -c date-container -- date\n\n# Switch to raw terminal mode, sends stdin to 'bash' in bash-container from pod mypod\n# and sends stdout/stderr from 'bash' back to the client.\n$ kpexec -it mypod -c bash-container -- bash\n$ kubectl pexec -it mypod -c bash-container -- bash\n\n# Enable tools mode.\n$ kpexec -it -T mypod -c bash-container -- bash\n$ kubectl pexec -it -T mypod -c bash-container -- bash\n\n# Set cnsenter pod's image\n$ kpexec -it -T --cnsenter-img=ssup2/my-cnsenter-tools:latest mypod -c bash-container -- bash\n$ kubectl pexec -it -T --cnsenter-img=ssup2/my-cnsenter-tools:latest mypod -c bash-container -- bash\n\n# Set CRI socket path / containerd socket path\n$ kpexec -it -T --cri /run/my/containerd.sock -c bash-container -- bash\n$ kubectl pexec -it -T --cri /run/my/containerd.sock -c bash-container -- bash\n\n# kpexec removes the cnsetner pod it created after executing the command.\n# If cnsenter pods remain due to external factors, you can remove all remaining cnsenter pods\n# by executing cnsenter garbage collector.\n$ kpexec --cnsenter-gc\n$ kubectl pexec --cnsenter-gc\n```\n\n## How it works\n\n![kpexec Operation](image/kpexec_Operation.png)\n\nThe figure above shows the operation processs of kpexec. At first, kpexec obtains the information of target pod from K8s API Server and finds out which Node the target pod exists in. After that, kpexec creates a cnsenter pod in the node where target pod exists and executes cnsetner. cnsenter gets the target container's pid and root directory information from container runtime through CRI (Container Runtime Interface). Then cnsetner executes the command in the target container based on the obtained information.\n\ncnsenter pod uses the below images defaultly. The cnsenter pod image can be set with the '--cnsenter-img' option.\n* default mode - ssup2/cnsenter:[kpexec version]\n* tools mode - ssup2/cnsenter-tools:[kpexec version]\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fssup2%2Fkpexec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fssup2%2Fkpexec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fssup2%2Fkpexec/lists"}