From 5564f8934c4a93c43c74caf1eb219a0777d499e4 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Mon, 9 Oct 2023 13:57:42 +0100
Subject: [PATCH 1/5] adding kube-lock plugin
---
 plugins/lock.yaml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 plugins/lock.yaml
diff --git a/plugins/lock.yaml b/plugins/lock.yaml
new file mode 100644
index 00000000000..0bd73a024d7
--- /dev/null
+++ b/plugins/lock.yaml
@@ -0,0 +1,42 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+ name: lock
+spec:
+ version: v0.0.4
+ homepage: https://github.com/chaosinthecrd/kube-lock
+ shortDescription: A pane of glass between you and your Kubernetes clusters
+ description: |
+ Sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts.
+ Prevents misfires to production / high-value Kubernetes clusters that you might have strong IAM privileges on.
+ Supports custom 'Profiles', allowing you to restrict certain verbs from being passed to high-value clusters.
+ caveats: must alias `kubectl` to kubectl-lock kubectl in `.bashrc`/`.zshrc` (e.g., alias kubectl='kubectl-lock kubectl')
+ platforms:
+ - selector:
+ matchLabels:
+ os: darwin
+ arch: amd64
+ uri: https://github.com/chaosinthecrd/kube-lock/releases/download/v0.0.4/kube-lock_v0.0.4_darwin_amd64.tar.gz
+ sha256: d9e87d41876ea0bbbb33deac37589877c81f17e5dea820c605e6d636a6267e9e
+ bin: kubectl-lock
+ - selector:
+ matchLabels:
+ os: darwin
+ arch: arm64
+ uri: https://github.com/chaosinthecrd/kube-lock/releases/download/v0.0.4/kube-lock_v0.0.4_darwin_arm64.tar.gz
+ sha256: c6498479a52cbfcfb303ea06b9c12fd0e4d05aac2035f505c0db4e8fd54a9e23
+ bin: kubectl-lock
+ - selector:
+ matchLabels:
+ os: linux
+ arch: amd64
+ uri: https://github.com/chaosinthecrd/kube-lock/releases/download/v0.0.4/kube-lock_v0.0.4_linux_amd64.tar.gz
+ sha256: b8b7c140eff6c983d2d22127ea0617a333bdd88728782647b787e793e95bf346
+ bin: kubectl-lock
+ - selector:
+ matchLabels:
+ os: windows
+ arch: amd64
+ uri: https://github.com/chaosinthecrd/kube-lock/releases/download/v0.0.4/kube-lock_v0.0.4_windows_amd64.tar.gz
+ sha256: cac8d24f8fe430b59327b98ba0181e2dc0f3a9b6bb8433a29144314501220e20
+ bin: kubectl-lock.exe
From 8b5b12b036cb86d728fe3936d0f5edbb5ca520bd Mon Sep 17 00:00:00 2001
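Review bot: The `caveats` line tells users to alias `kubectl` but never says that the lock is only enforced where that alias is in effect. Shell aliases are normally expanded only in interactive shells, so scripts, CI jobs and other clients that talk to the cluster without going through the alias would presumably not be checked at all. That matters here because the description presents the plugin as protection for production clusters on which the user holds strong IAM privileges. I would turn `caveats` into a block scalar and add a line such as `This is a client-side guard against mistakes, not an access control; keep RBAC/IAM permissions scoped as usual.` The revised caveat in PATCH 3/5 has the same gap.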
From: chaosinthecrd
Date: Mon, 9 Oct 2023 14:05:10 +0100
Subject: [PATCH 2/5] updating manifest to shorten long description
---
 plugins/lock.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/plugins/lock.yaml b/plugins/lock.yaml
index 0bd73a024d7..22f9e058631 100644
--- a/plugins/lock.yaml
+++ b/plugins/lock.yaml
@@ -7,9 +7,7 @@ spec:
 homepage: https://github.com/chaosinthecrd/kube-lock
 shortDescription: A pane of glass between you and your Kubernetes clusters
 description: |
- Sits as an intermediary between you and kubectl, allowing you to lock and unlock contexts.
- Prevents misfires to production / high-value Kubernetes clusters that you might have strong IAM privileges on.
- Supports custom 'Profiles', allowing you to restrict certain verbs from being passed to high-value clusters.
+ An intermediary between you and kubectl, allowing you to lock/unlock contexts.
 caveats: must alias `kubectl` to kubectl-lock kubectl in `.bashrc`/`.zshrc` (e.g., alias kubectl='kubectl-lock kubectl')
 platforms:
 - selector:
From d5ae1f62fe0dedf4b803d7241e7bb001235d38bb Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Mon, 9 Oct 2023 14:15:52 +0100
Subject: [PATCH 3/5] fixed the caveat
---
 plugins/lock.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lock.yaml b/plugins/lock.yaml
index 22f9e058631..ce257f4042d 100644
--- a/plugins/lock.yaml
+++ b/plugins/lock.yaml
@@ -8,7 +8,7 @@ spec:
 shortDescription: A pane of glass between you and your Kubernetes clusters
 description: |
 An intermediary between you and kubectl, allowing you to lock/unlock contexts.
- caveats: must alias `kubectl` to kubectl-lock kubectl in `.bashrc`/`.zshrc` (e.g., alias kubectl='kubectl-lock kubectl')
+ caveats: must alias `kubectl` to kubectl-lock kubectl in `.bashrc`/`.zshrc` (e.g., alias kubectl='kubectl-lock kubectl --')
 platforms:
 - selector:
 matchLabels:
From fdfe5550a763b5e3e3be9bc6fc8007fb647f3002 Mon Sep 17 00:00:00 2001
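Review bot: In PATCH 3/5 the prose of the changed `caveats` line no longer matches its own example. The sentence still says to alias `kubectl` to `kubectl-lock kubectl`, while the example now ends in `--`, so a user who copies the prose form gets a different command line from the one shown. The hunk does not say which form the wrapper needs. I would state the alias once as a block scalar: `caveats: |` followed by `Add to .bashrc/.zshrc: alias kubectl='kubectl-lock kubectl --'`. The `spec` mapping this line belongs to starts above the hunk and continues below it.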
From: chaosinthecrd
Date: Tue, 10 Oct 2023 10:47:25 +0100
Subject: [PATCH 4/5] updated description
---
 plugins/lock.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/plugins/lock.yaml b/plugins/lock.yaml
index ce257f4042d..b4d5a52cbef 100644
--- a/plugins/lock.yaml
+++ b/plugins/lock.yaml
@@ -5,9 +5,10 @@ metadata:
 spec:
 version: v0.0.4
 homepage: https://github.com/chaosinthecrd/kube-lock
- shortDescription: A pane of glass between you and your Kubernetes clusters
+ shortDescription: A client-side lock for kubernetes contexts to prevent kubectl misfires.
 description: |
- An intermediary between you and kubectl, allowing you to lock/unlock contexts.
+ This tool allows you to `lock` and `unlock` contexts to prevent accidentally issuing destructive commands to the wrong contexts.
+ You can also set `profiles`, which let you lock the context while keeping certain verb/resource combinations available.
 caveats: must alias `kubectl` to kubectl-lock kubectl in `.bashrc`/`.zshrc` (e.g., alias kubectl='kubectl-lock kubectl --')
 platforms:
 - selector:
From c38668688167f3edd715a2cd2557057e77782211 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Tue, 10 Oct 2023 10:53:48 +0100
Subject: [PATCH 5/5] updated the description
---
 plugins/lock.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/plugins/lock.yaml b/plugins/lock.yaml
index b4d5a52cbef..540e80e93a3 100644
--- a/plugins/lock.yaml
+++ b/plugins/lock.yaml
@@ -7,8 +7,11 @@ spec:
 homepage: https://github.com/chaosinthecrd/kube-lock
 shortDescription: A client-side lock for kubernetes contexts to prevent kubectl misfires.
 description: |
- This tool allows you to `lock` and `unlock` contexts to prevent accidentally issuing destructive commands to the wrong contexts.
- You can also set `profiles`, which let you lock the context while keeping certain verb/resource combinations available.
+ This tool allows you to `lock` and `unlock` contexts to prevent accidentally
+ issuing destructive commands to the wrong contexts. You can also set `profiles`,
+ which let you lock the context while keeping certain verb/resource combinations
+ available. It achieves by acting as a wrapper around `kubectl` and assessing
+ the command executed against a configuration file (at `~./kube-lock.yaml`).
 caveats: must alias `kubectl` to kubectl-lock kubectl in `.bashrc`/`.zshrc` (e.g., alias kubectl='kubectl-lock kubectl --')
 platforms:
 - selector:
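Review bot: The path in the last added description line, `~./kube-lock.yaml`, looks like a typo for `~/.kube-lock.yaml`; as written it does not name a file in the home directory. This is the file the wrapper checks commands against, so a wrong path sends users to the wrong place when they want to see or change what is blocked. Please confirm the real location against the plugin's code. The sentence before it is also missing its object: `It achieves by acting` should read `It achieves this by acting`. The `spec` mapping starts above this hunk and the `platforms` list continues below it.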