A tool for extracting and analyzing information from kubectl output
Project description
k8s-piper
A tool for extracting key information from kubectl commands and displaying it in an easy-to-digest way.
k8s-piper automatically detects the Kubernetes resource type from piped kubectl output and runs the appropriate analysis — no flags required.
Supported Resources
| Resource Kind | Analysis |
|---|---|
ConfigMap, Secret |
X.509 certificate extraction and analysis |
Deployment, StatefulSet, DaemonSet, Pod, Job, CronJob, ReplicaSet |
Container images, resource requests/limits, security contexts |
Role, ClusterRole |
RBAC policy rules with wildcard/danger highlighting |
RoleBinding, ClusterRoleBinding |
Role reference and subject bindings |
Usage
Pipe any supported kubectl resource into k8s-piper — the kind is detected automatically:
# Certificate analysis (ConfigMap or Secret)
kubectl get cm ca -n mynamespace -o yaml | k8s-piper
kubectl get secret mycerts -n mynamespace -o yaml | k8s-piper
# Workload analysis — images, resources, security (Deployment, Pod, StatefulSet, …)
kubectl get deploy myapp -n mynamespace -o yaml | k8s-piper
kubectl get pod mypod-abc123 -n mynamespace -o yaml | k8s-piper
kubectl get statefulset mydb -n mynamespace -o yaml | k8s-piper
# RBAC analysis (Role, ClusterRole, RoleBinding, ClusterRoleBinding)
kubectl get clusterrole cluster-admin -o yaml | k8s-piper
kubectl get rolebinding myrb -n mynamespace -o yaml | k8s-piper
What Each Analysis Shows
Certificates (ConfigMap / Secret)
- Subject, Issuer, and Subject Alternative Names
- Validity period with expiry warnings (⚠ < 30 days, 🔴 < 7 days)
- Key type, size, and signature algorithm
- Key Usage and Extended Key Usage
- OCSP / CRL revocation URLs and Must-Staple flag
- SHA-256 and SHA-1 fingerprints
- CA / self-signed status, path length constraint
Workloads (Deployment, Pod, StatefulSet, etc.)
- Images — full image reference, tag or digest, pull policy; flags
latestand untagged images - Resources — CPU and memory requests/limits per container; flags missing limits
- Security Contexts — pod-level and per-container security settings; flags dangerous values such as
privileged: true,allowPrivilegeEscalation: true, and added capabilities
RBAC (Role / ClusterRole)
- Policy rules table: API groups × resources × verbs
- Wildcard verbs (
*) and wildcard resources highlighted in red - Rules granting full wildcard access flagged as dangerous
RBAC (RoleBinding / ClusterRoleBinding)
- Role reference (kind and name)
- Subjects table: service accounts, users, and groups
Installation
pip install k8s-piper
Or install from source:
git clone https://github.com/tkdpython/k8s-piper.git
cd k8s-piper
pip install -e .
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file k8s_piper-0.3.0.tar.gz.
File metadata
- Download URL: k8s_piper-0.3.0.tar.gz
- Upload date:
- Size: 28.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f0c8e2eb1e4fe17d381cc5891756a4fbceea273e0afef67e60f8ac297747f822
|
|
| MD5 |
9e726038670f3c6adc99da6df30dc4ef
|
|
| BLAKE2b-256 |
743213e4f68e9c2817f089f51920a8ee51022a75cd17795987d02f1fc61398dc
|
Provenance
The following attestation bundles were made for k8s_piper-0.3.0.tar.gz:
Publisher:
publish.yml on tkdpython/k8s-piper
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
k8s_piper-0.3.0.tar.gz -
Subject digest:
f0c8e2eb1e4fe17d381cc5891756a4fbceea273e0afef67e60f8ac297747f822 - Sigstore transparency entry: 1531155616
- Sigstore integration time:
-
Permalink:
tkdpython/k8s-piper@6d9f8263b0627436f010a7d4668752ce5f9dc262 -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/tkdpython
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6d9f8263b0627436f010a7d4668752ce5f9dc262 -
Trigger Event:
push
-
Statement type:
File details
Details for the file k8s_piper-0.3.0-py3-none-any.whl.
File metadata
- Download URL: k8s_piper-0.3.0-py3-none-any.whl
- Upload date:
- Size: 19.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
95254a796dcb045281ce6fbf128da019c2f98a52553ac9a604bbe0368d7affb0
|
|
| MD5 |
40b89d8ebc2f5622bccc2f8048e5d116
|
|
| BLAKE2b-256 |
6c193fbd98b65dc5ff1403f65d0a4f5e11280c5b23284bbb91262186236163a9
|
Provenance
The following attestation bundles were made for k8s_piper-0.3.0-py3-none-any.whl:
Publisher:
publish.yml on tkdpython/k8s-piper
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
k8s_piper-0.3.0-py3-none-any.whl -
Subject digest:
95254a796dcb045281ce6fbf128da019c2f98a52553ac9a604bbe0368d7affb0 - Sigstore transparency entry: 1531155729
- Sigstore integration time:
-
Permalink:
tkdpython/k8s-piper@6d9f8263b0627436f010a7d4668752ce5f9dc262 -
Branch / Tag:
refs/tags/v0.3.0 - Owner: https://github.com/tkdpython
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6d9f8263b0627436f010a7d4668752ce5f9dc262 -
Trigger Event:
push
-
Statement type: