Skip to main content

A tool for extracting and analyzing information from kubectl output

Project description

k8s-piper

A tool for extracting key information from kubectl commands and displaying it in an easy-to-digest way.

k8s-piper automatically detects the Kubernetes resource type from piped kubectl output and runs the appropriate analysis — no flags required.


Supported Resources

Resource Kind Analysis
ConfigMap, Secret X.509 certificate extraction and analysis
Deployment, StatefulSet, DaemonSet, Pod, Job, CronJob, ReplicaSet Container images, resource requests/limits, security contexts
Role, ClusterRole RBAC policy rules with wildcard/danger highlighting
RoleBinding, ClusterRoleBinding Role reference and subject bindings

Usage

Pipe any supported kubectl resource into k8s-piper — the kind is detected automatically:

# Certificate analysis (ConfigMap or Secret)
kubectl get cm ca -n mynamespace -o yaml | k8s-piper
kubectl get secret mycerts -n mynamespace -o yaml | k8s-piper

# Workload analysis — images, resources, security (Deployment, Pod, StatefulSet, …)
kubectl get deploy myapp -n mynamespace -o yaml | k8s-piper
kubectl get pod mypod-abc123 -n mynamespace -o yaml | k8s-piper
kubectl get statefulset mydb -n mynamespace -o yaml | k8s-piper

# RBAC analysis (Role, ClusterRole, RoleBinding, ClusterRoleBinding)
kubectl get clusterrole cluster-admin -o yaml | k8s-piper
kubectl get rolebinding myrb -n mynamespace -o yaml | k8s-piper

What Each Analysis Shows

Certificates (ConfigMap / Secret)

  • Subject, Issuer, and Subject Alternative Names
  • Validity period with expiry warnings (⚠ < 30 days, 🔴 < 7 days)
  • Key type, size, and signature algorithm
  • Key Usage and Extended Key Usage
  • OCSP / CRL revocation URLs and Must-Staple flag
  • SHA-256 and SHA-1 fingerprints
  • CA / self-signed status, path length constraint

Workloads (Deployment, Pod, StatefulSet, etc.)

  • Images — full image reference, tag or digest, pull policy; flags latest and untagged images
  • Resources — CPU and memory requests/limits per container; flags missing limits
  • Security Contexts — pod-level and per-container security settings; flags dangerous values such as privileged: true, allowPrivilegeEscalation: true, and added capabilities

RBAC (Role / ClusterRole)

  • Policy rules table: API groups × resources × verbs
  • Wildcard verbs (*) and wildcard resources highlighted in red
  • Rules granting full wildcard access flagged as dangerous

RBAC (RoleBinding / ClusterRoleBinding)

  • Role reference (kind and name)
  • Subjects table: service accounts, users, and groups

Installation

pip install k8s-piper

Or install from source:

git clone https://github.com/tkdpython/k8s-piper.git
cd k8s-piper
pip install -e .

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

k8s_piper-0.3.0.tar.gz (28.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

k8s_piper-0.3.0-py3-none-any.whl (19.3 kB view details)

Uploaded Python 3

File details

Details for the file k8s_piper-0.3.0.tar.gz.

File metadata

  • Download URL: k8s_piper-0.3.0.tar.gz
  • Upload date:
  • Size: 28.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for k8s_piper-0.3.0.tar.gz
Algorithm Hash digest
SHA256 f0c8e2eb1e4fe17d381cc5891756a4fbceea273e0afef67e60f8ac297747f822
MD5 9e726038670f3c6adc99da6df30dc4ef
BLAKE2b-256 743213e4f68e9c2817f089f51920a8ee51022a75cd17795987d02f1fc61398dc

See more details on using hashes here.

Provenance

The following attestation bundles were made for k8s_piper-0.3.0.tar.gz:

Publisher: publish.yml on tkdpython/k8s-piper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file k8s_piper-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: k8s_piper-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 19.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for k8s_piper-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 95254a796dcb045281ce6fbf128da019c2f98a52553ac9a604bbe0368d7affb0
MD5 40b89d8ebc2f5622bccc2f8048e5d116
BLAKE2b-256 6c193fbd98b65dc5ff1403f65d0a4f5e11280c5b23284bbb91262186236163a9

See more details on using hashes here.

Provenance

The following attestation bundles were made for k8s_piper-0.3.0-py3-none-any.whl:

Publisher: publish.yml on tkdpython/k8s-piper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page