CLI utility that makes it easy to reach the K8s API via a jumphost, using SSH port forwarding.
Just as aws-vault is a helper for AWS-related CLI tools, k8s-vault is a helper for CLI tools using KUBECONFIG.
Unlike AWS-Vault, vault here is used as a verb, synonymous with leap, jump, spring, etc.
Original implementation of k8s-vault in Bash is available here.
NOTE: The Bash implementation uses a slightly different config file, and the old config won't work with this implementation. See example config.
Get latest release from Releases page.
Or build from source:
git clone https://github.com/anapsix/k8s-vault.cr.git
cd k8s-vault.cr
shards build # or "make src/cli"
# copy ./bin/k8s-vault to some directory in your PATH
Your k8s-vault config is expected at ~/.kube/k8s-vault-new.yaml, but its
location can be customized using the K8SVAULT_CONFIG environment variable.
Likewise, KUBECONFIG is expected at ~/.kube/config, but the environment variable
will take precedence.
# Single CLI command mode
$ k8s-vault exec my-prod-context -- kubectl get nodes
(outputs results of "kubectl get nodes")
(SSH connection is terminated)
# SHELL mode
$ k8s-vault exec my-prod-context -s
(new shell is opened, with KUBECONFIG environment variable set)
$ kubectl get nodes
$ exit
(SSH connection is terminated)
When launched in SHELL mode, the K8SVAULT_CONTEXT environment variable will be
set to the selected context.
Usage: k8s-vault [--debug] [completion|exec <context-name>] [-s | -- <cli tool using KUBECONFIG>]
CLI Options:
-h | --help | --usage displays usage
-d | --debug enabled debug output
example-config outputs example config
completion outputs bash completion code
exec executes K8s-Vault
Environment variables:
K8SVAULT_CONFIG path to k8s-vault config file, defaults to ~/.kube/k8s-vault.yaml
KUBECONFIG path to KUBECONFIG file
It works in two modes:
1. Single CLI command mode:
- generates KUBECONFIG from the existing one, based on context name passed
- sets up SSH Connection, Port-Forwarding random local port (or configured
static port) to K8s API server host, selected from existing KUBECONFIG
based on passed context name
- executes CLI command
- SSH Connection self-terminates after CLI command terminates
2. SHELL mode:
- generates KUBECONFIG from the existing one, based on context name passed
- sets up SSH Connection, Port-Forwarding random local port (or configured
static port) to K8s API server host, selected from existing KUBECONFIG
based on passed context name
- executes SHELL (using $SHELL environment variable), with KUBECONFIG
environment variable value set to generated temp config file
- when SHELL terminates, SSH connection is also terminated
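The KUBECONFIG rewrite and port-forward spec described in the two modes above, sketched in Python as an added example; it is not k8s-vault's own code, and how k8s-vault itself edits the file is not shown on this page. The helper names, sample context and hostname are constructed, and setting `tls-server-name` is an assumption about how to keep certificate verification working through the tunnel.

```python
import copy
import socket
from urllib.parse import urlsplit

SAMPLE = {  # constructed kubeconfig, already parsed into a dict
    "contexts": [{"name": "my-prod-context",
                  "context": {"cluster": "prod", "user": "prod-admin"}}],
    "clusters": [{"name": "prod", "cluster": {
        "server": "https://api.prod.example.internal:6443"}}],
    "users": [{"name": "prod-admin", "user": {"token": "REDACTED"}}],
}

def free_local_port():
    """Ask the OS for an unused loopback TCP port (the "random local port")."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def pick(entries, name):
    """Find a named entry in a kubeconfig list, failing loudly if absent."""
    for entry in entries:
        if entry["name"] == name:
            return entry
    raise KeyError(f"no kubeconfig entry named {name!r}")

def forwarded_kubeconfig(cfg, context_name, local_port):
    """Return (single-context kubeconfig dict, ssh -L spec); cfg is not modified."""
    ctx = pick(cfg["contexts"], context_name)["context"]
    cluster = copy.deepcopy(pick(cfg["clusters"], ctx["cluster"]))
    user = copy.deepcopy(pick(cfg["users"], ctx["user"]))
    url = urlsplit(cluster["cluster"]["server"])
    api_host, api_port = url.hostname, url.port or 443
    # Send traffic into the tunnel, but keep validating the certificate
    # against the real API hostname rather than disabling TLS verification.
    cluster["cluster"]["server"] = f"https://127.0.0.1:{local_port}"
    cluster["cluster"]["tls-server-name"] = api_host
    new_cfg = {"apiVersion": "v1", "kind": "Config",
               "current-context": context_name,
               "contexts": [{"name": context_name, "context": dict(ctx)}],
               "clusters": [cluster], "users": [user]}
    # Bind the forward to loopback so other hosts cannot reach the tunnel.
    return new_cfg, f"127.0.0.1:{local_port}:{api_host}:{api_port}"

if __name__ == "__main__":
    cfg, forward = forwarded_kubeconfig(SAMPLE, "my-prod-context", free_local_port())
    print("ssh -N -L", forward, "<jumphost>")
    print(cfg["clusters"][0]["cluster"])
```

When the returned dict is written to a temp file, create it with owner-only permissions (for example via `tempfile.mkstemp`), since it carries the context's credentials.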
- Fork it (https://github.com/anapsix/k8s-vault.cr/fork)
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create a new Pull Request
- anapsix (Anastas Dancha) - creator, maintainer