https://github.com/cantrellr/k8s-ultimate-toolbox
🛠️ Comprehensive Kubernetes administration workstation with 50+ pre-installed tools. Deploy a fully-equipped debugging pod directly into your cluster. Air-gapped ready.
https://github.com/cantrellr/k8s-ultimate-toolbox
air-gapped cloud-native database debugging devops helm helm-chart k8s k9s keycloak kubectl kubernetes mongodb mongosh offline platform-engineering postgres sre toolbox troubleshooting
Last synced: about 12 hours ago
JSON representation
🛠️ Comprehensive Kubernetes administration workstation with 50+ pre-installed tools. Deploy a fully-equipped debugging pod directly into your cluster. Air-gapped ready.
- Host: GitHub
- URL: https://github.com/cantrellr/k8s-ultimate-toolbox
- Owner: cantrellr
- License: mit
- Created: 2026-06-19T15:00:22.000Z (17 days ago)
- Default Branch: main
- Last Pushed: 2026-06-22T01:14:21.000Z (15 days ago)
- Last Synced: 2026-06-22T03:06:22.570Z (15 days ago)
- Topics: air-gapped, cloud-native, database, debugging, devops, helm, helm-chart, k8s, k9s, keycloak, kubectl, kubernetes, mongodb, mongosh, offline, platform-engineering, postgres, sre, toolbox, troubleshooting
- Language: Shell
- Homepage:
- Size: 164 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
README
# K8s Ultimate Toolbox
```
╔═══════════════════════════════════════════════════════════════════════╗
║ ║
║ K8s Ultimate Toolbox ║
║ ║
║ Platform Diagnostics Release - v1.2.0 ║
╚═══════════════════════════════════════════════════════════════════════╝
```
**A Kubernetes administration workstation pod for cluster, identity, database, network, storage, runtime, RBAC, policy, CNI, SELinux, audit, and air-gapped troubleshooting.**
## Executive summary
K8s Ultimate Toolbox deploys a controlled, repeatable troubleshooting pod into a Kubernetes namespace. It gives platform engineers one known-good operational shell instead of forcing troubleshooting tools into every application image.
The v1.2.0 release implements the recommended next additions: `crictl`, `etcdctl`, `etcdutl`, `cmctl`, `step`, `kubent`, `kubeconform`, `popeye`, `kubectl-who-can`, `rbac-lookup`, `cilium`, `hubble`, `calicoctl`, plus SELinux and audit utilities.
## What changed in v1.2.0
| Area | Added |
|---|---|
| Runtime | `crictl` |
| Control plane | `etcdctl`, `etcdutl` |
| Certificates / PKI | `cmctl`, `step` |
| Upgrade safety | `kubent`, `kubeconform` |
| Cluster hygiene | `popeye` |
| RBAC | `kubectl-who-can`, `rbac-lookup` |
| CNI | `cilium`, `hubble`, `calicoctl` |
| SELinux / audit | `getenforce`, `sestatus`, `semanage`, `semodule`, `seinfo`, `sesearch`, `checkpolicy`, `checkmodule`, `audit2allow`, `audit2why`, `ausearch`, `aureport` |
## Architecture
```text
Kubernetes Cluster
└── toolbox namespace
└── Deployment: k8s-ultimate-toolbox
├── init container: update-ca-trust # optional, root, CA trust only
├── container: toolbox # non-root UID 10000
│ ├── kubectl / helm / yq / jq
│ ├── crictl / etcdctl / etcdutl
│ ├── Keycloak CLI tools
│ ├── cmctl / step
│ ├── kubent / kubeconform / popeye
│ ├── kubectl-who-can / rbac-lookup
│ ├── SELinux and audit tools
│ ├── cilium / hubble / calicoctl
│ ├── PostgreSQL and MongoDB diagnostics
│ ├── network and TLS tools
│ └── storage tools
└── workspace volume: emptyDir or PVC
```
## Quick start
```bash
git clone https://github.com/cantrellr/k8s-ultimate-toolbox.git
cd k8s-ultimate-toolbox
helm upgrade --install toolbox ./chart \
-n toolbox --create-namespace
kubectl wait --for=condition=available deploy/toolbox-k8s-ultimate-toolbox \
-n toolbox --timeout=300s
kubectl exec -it -n toolbox deploy/toolbox-k8s-ultimate-toolbox -- bash
```
Show installed tools:
```bash
show-versions.sh
```
## Included tools
| Category | Tools |
|---|---|
| Kubernetes | `kubectl`, `helm`, `yq`, `jq` |
| Runtime / control plane | `crictl`, `etcdctl`, `etcdutl` |
| Identity | `kcadm.sh`, `kcreg.sh`, `kc.sh`, `keycloak-login.sh` |
| Certificates / PKI | `cmctl`, `step`, `openssl`, `certtool` |
| Policy / RBAC / upgrade | `kubent`, `kubeconform`, `popeye`, `kubectl-who-can`, `rbac-lookup` |
| SELinux / audit | `getenforce`, `sestatus`, `semanage`, `semodule`, `seinfo`, `sesearch`, `checkpolicy`, `checkmodule`, `audit2allow`, `audit2why`, `ausearch`, `aureport` |
| CNI | `cilium`, `hubble`, `calicoctl` |
| PostgreSQL | `psql`, `pg_isready`, `pg_dump`, `pg_restore`, `pgbench`, `pgcli`, `pg_activity`, `pgbadger`, `pg-diagnostics.sh` |
| MongoDB | `mongosh`, `mongodump`, `mongorestore`, `mongoexport`, `mongoimport`, `mongostat`, `mongotop`, `bsondump` |
| Network | `curl`, `wget`, `dig`, `nslookup`, `host`, `nc`, `nmap`, `tcpdump`, `traceroute`, `mtr`, `iperf3`, `socat`, `ping`, `telnet`, `ss`, `netstat`, `whois` |
| Storage | `tridentctl`, `nfs-common`, `rsync`, `ssh`, `tar`, `zip`, `unzip` |
| Scripting | Python 3, `kubernetes`, `requests`, `PyYAML`, `Jinja2`, `click`, `SQLAlchemy` |
## SELinux utilities offline bundle
Create a host-installable tarball of SELinux utilities and dependency `.deb` packages from an internet-connected Ubuntu/Debian build host:
```bash
make selinux-bundle
```
Copy the generated `dist/selinux-utils-bundle/*.tar.gz` to the air-gapped target, extract it, and run:
```bash
./install-selinux-utils.sh
```
## Documentation
| Document | Purpose |
|---|---|
| [QUICKSTART.md](QUICKSTART.md) | Fast deployment and validation |
| [TOOLS-REFERENCE.md](TOOLS-REFERENCE.md) | Tool inventory and version matrix |
| [SELINUX-UTILITIES.md](SELINUX-UTILITIES.md) | SELinux/audit tooling and air-gap package bundle guide |
| [POSTGRESQL-DIAGNOSTICS.md](POSTGRESQL-DIAGNOSTICS.md) | PostgreSQL troubleshooting runbook |
| [KEYCLOAK-GUIDE.md](KEYCLOAK-GUIDE.md) | Keycloak CLI usage in the default toolbox container |
| [RECOMMENDED-TOOLS.md](RECOMMENDED-TOOLS.md) | Implemented and future tooling roadmap |
| [OFFLINE-DEPLOYMENT.md](OFFLINE-DEPLOYMENT.md) | Air-gapped bundle workflow |
| [MAKEFILE.md](MAKEFILE.md) | Build system notes |
| [SBOM.md](SBOM.md) | SBOM and supply-chain notes |
| [docs/NERDCTL-GUIDE.md](docs/NERDCTL-GUIDE.md) | Container runtime guidance |
| [CHANGELOG.md](CHANGELOG.md) | Release history |
## Build and offline bundle
```bash
make info
make build-image
make offline-bundle
make selinux-bundle
```
The offline bundle includes the image tarball, packaged Helm chart, deployment scripts, SBOM text output, checksums, and docs. The SELinux utilities bundle is a separate host-installable `.deb` tarball.
## Security posture
This toolbox is powerful. Treat it as privileged operational tooling even though the main container runs as non-root. Use Kubernetes Secrets, short-lived tokens, restricted service accounts, and namespace-scoped RBAC wherever possible. Remove the deployment when troubleshooting is complete in sensitive environments.