Skip to main content

A tool for extracting and analyzing information from kubectl output

Project description

k8s-piper

A tool for extracting key information from kubectl commands and displaying it in an easy-to-digest way.

k8s-piper automatically detects the Kubernetes resource type from piped kubectl output and runs the appropriate analysis — no flags required.


Supported Resources

Resource Kind Analysis
ConfigMap, Secret X.509 certificate extraction and analysis
Deployment, StatefulSet, DaemonSet, Pod, Job, CronJob, ReplicaSet Container images, resource requests/limits, security contexts
Role, ClusterRole RBAC policy rules with wildcard/danger highlighting
RoleBinding, ClusterRoleBinding Role reference and subject bindings

Usage

Pipe any supported kubectl resource into k8s-piper — the kind is detected automatically:

# Certificate analysis (ConfigMap or Secret)
kubectl get cm ca -n mynamespace -o yaml | k8s-piper
kubectl get secret mycerts -n mynamespace -o yaml | k8s-piper

# Workload analysis — images, resources, security (Deployment, Pod, StatefulSet, …)
kubectl get deploy myapp -n mynamespace -o yaml | k8s-piper
kubectl get pod mypod-abc123 -n mynamespace -o yaml | k8s-piper
kubectl get statefulset mydb -n mynamespace -o yaml | k8s-piper

# RBAC analysis (Role, ClusterRole, RoleBinding, ClusterRoleBinding)
kubectl get clusterrole cluster-admin -o yaml | k8s-piper
kubectl get rolebinding myrb -n mynamespace -o yaml | k8s-piper

What Each Analysis Shows

Certificates (ConfigMap / Secret)

  • Subject, Issuer, and Subject Alternative Names
  • Validity period with expiry warnings (⚠ < 30 days, 🔴 < 7 days)
  • Key type, size, and signature algorithm
  • Key Usage and Extended Key Usage
  • OCSP / CRL revocation URLs and Must-Staple flag
  • SHA-256 and SHA-1 fingerprints
  • CA / self-signed status, path length constraint

Workloads (Deployment, Pod, StatefulSet, etc.)

  • Images — full image reference, tag or digest, pull policy; flags latest and untagged images
  • Resources — CPU and memory requests/limits per container; flags missing limits
  • Security Contexts — pod-level and per-container security settings; flags dangerous values such as privileged: true, allowPrivilegeEscalation: true, and added capabilities

RBAC (Role / ClusterRole)

  • Policy rules table: API groups × resources × verbs
  • Wildcard verbs (*) and wildcard resources highlighted in red
  • Rules granting full wildcard access flagged as dangerous

RBAC (RoleBinding / ClusterRoleBinding)

  • Role reference (kind and name)
  • Subjects table: service accounts, users, and groups

Installation

pip install k8s-piper

Or install from source:

git clone https://github.com/tkdpython/k8s-piper.git
cd k8s-piper
pip install -e .

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

k8s_piper-0.2.0.tar.gz (28.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

k8s_piper-0.2.0-py3-none-any.whl (19.4 kB view details)

Uploaded Python 3

File details

Details for the file k8s_piper-0.2.0.tar.gz.

File metadata

  • Download URL: k8s_piper-0.2.0.tar.gz
  • Upload date:
  • Size: 28.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for k8s_piper-0.2.0.tar.gz
Algorithm Hash digest
SHA256 ea099e3b1f781bc45ef33ce880c46d75553f8dde78419034c1ab9b5be9c21755
MD5 b861f0338df27ac054dbce3857c6835a
BLAKE2b-256 7542dde78417e8a89e8950558188e2196c4896f9edb91523dc2013c16e181cf6

See more details on using hashes here.

Provenance

The following attestation bundles were made for k8s_piper-0.2.0.tar.gz:

Publisher: publish.yml on tkdpython/k8s-piper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file k8s_piper-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: k8s_piper-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 19.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for k8s_piper-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b731c00df64bee2c143fce3f768079cca385f201f1991a083cdc37f944715422
MD5 cb99f4cf387f242b7d7b82dca060569a
BLAKE2b-256 9a545a9834ee4579e415bd63f806dd017eb3eb471a8ecbf69d19785a7010bb6d

See more details on using hashes here.

Provenance

The following attestation bundles were made for k8s_piper-0.2.0-py3-none-any.whl:

Publisher: publish.yml on tkdpython/k8s-piper

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page