Install krew
(
set -x; cd "$(mktemp -d)" &&
OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
KREW="krew-${OS}_${ARCH}" &&
curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
tar zxvf "${KREW}.tar.gz" &&
./"${KREW}" install krew
)
# Add to PATH
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> ~/.bashrc
# Verify
kubectl krew search
The must-have plugins
kubectx + kubens
kubectl krew install ctx ns
# Switch contexts (cluster + auth bundle) with fuzzy menu
kubectl ctx
# Switch namespace (no more -n <ns> on every command)
kubectl ns kube-system
kubectl get pods # now operates in kube-system
# Show current
kubectl ctx -c
kubectl ns -c
Bonus: with fzf installed, both ctx and ns use it for fuzzy filtering. Type a few characters of the cluster or namespace name and pick from the menu instead of typing long names.
neat
kubectl krew install neat
# Strip Kubernetes-added cruft (status, managedFields, resourceVersion, etc.)
kubectl get deployment my-app -o yaml | kubectl neat
# Result: clean YAML you could commit to Git
Useful for "extract a manifest from the live cluster and put it in your repo." Without neat, the YAML is full of generated fields you don't want.
tree
kubectl krew install tree
# See the hierarchy of owned objects
kubectl tree deployment my-app
# Deployment my-app
# └── ReplicaSet my-app-abc123
# ├── Pod my-app-abc123-x
# ├── Pod my-app-abc123-y
# └── Pod my-app-abc123-z
# Works for Helm releases, Argo CD apps, any owner-reference chain
node-shell
kubectl krew install node-shell
# Get a root shell on a node (via a privileged pod)
kubectl node-shell node-1.lab
Spawns a privileged pod on the target node with host mounts; perfect for debugging node issues without SSH. Replaces the "I need to debug kubelet on this node" workflow that previously meant configuring SSH access to every node.
view-secret
kubectl krew install view-secret
# Decode a secret (no more base64 -d gymnastics)
kubectl view-secret my-app-secret
# Decode a specific key
kubectl view-secret my-app-secret database-url
who-can
kubectl krew install who-can
# Show every subject that can do something
kubectl who-can list pods --all-namespaces
kubectl who-can delete deployments
kubectl who-can create namespaces
Reverse-RBAC: instead of "what can this user do?" (which kubectl auth can-i covers), it's "who can do this?" Useful for finding which ServiceAccounts have suspiciously broad permissions.
sniff
kubectl krew install sniff
# Live tcpdump on a pod (opens Wireshark on your laptop)
kubectl sniff my-pod -p
kubectl sniff my-pod -n my-namespace -c my-container -p
Spawns a privileged sniffer container alongside the target pod, captures traffic, streams to your local Wireshark. The Kubernetes equivalent of "tcpdump on the host." See tcpdump tutorial for the underlying tool.
iexec
kubectl krew install iexec
# Interactive shell into a pod with selector
kubectl iexec -l app=my-app -- bash
# Picks one matching pod (or prompts if multiple); skips the
# "kubectl get pods | grep | copy name | kubectl exec" dance
cnpg
For CloudNativePG users (the Postgres operator), kubectl krew install cnpg installs the cnpg plugin for managing PostgreSQL clusters. Per-operator plugins are increasingly common.
Less-obvious but useful
- example — kubectl example ingress prints a working sample manifest for any resource type
- resource-capacity — per-node CPU/memory request/usage summary
- tree + kubescape — security scoring + per-resource hierarchy
- cert-manager — pretty-print cert-manager Certificate / Order / Challenge statuses
- kor — "Kubernetes Orphan" finder: unused ConfigMaps, Secrets, Services, RoleBindings, etc.
- access-matrix — tabular RBAC view: rows are resources, columns are subjects, cells are verbs
- warp — live multi-pod tail with regex filters
Find more
# Browse all available
kubectl krew search
# Search by keyword
kubectl krew search secret
kubectl krew search debug
# Update plugin list
kubectl krew update
# Upgrade installed plugins
kubectl krew upgrade
The krew index has ~250 plugins and is growing. Most are useful for specific operator-domain workflows (Istio, Linkerd, cert-manager, Argo CD, etc.).
Worth knowing
- krew plugins are just binaries on PATH; you can write your own (kubectl-foo → kubectl foo).
- For team-shared plugin pinning, commit a script that installs the same set on every developer's machine.
- Some plugins overlap in functionality with k9s (see that tutorial): k9s gives you most of these visually; krew makes them composable on the CLI for scripts.
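One way to write the team install script mentioned in the list above, as an added example rather than code from the original page: it installs whatever is missing from a shared list and flags installed plugins that are not on it. The PLUGINS list and the function names are assumptions, and it tracks plugin names, not versions.

```shell
#!/bin/sh
# Added example: keep every developer machine on the same krew plugin set.
# PLUGINS is an assumed team list; edit it in the repository, not per machine.
PLUGINS="ctx ns neat tree who-can"

# Names of installed plugins. `kubectl krew list` prints a PLUGIN/VERSION
# table on a terminal and bare names when piped; column 1 covers both.
installed_plugins() {
  kubectl krew list 2>/dev/null | awk '$1 != "PLUGIN" { print $1 }'
}

# Plugins on the team list that are not installed yet.
missing_plugins() {
  mp_have="$(installed_plugins)"
  for mp_want in $PLUGINS; do
    printf '%s\n' "$mp_have" | grep -qxF -- "$mp_want" || printf '%s\n' "$mp_want"
  done
}

# Installed plugins that nobody put on the team list (krew itself is expected).
# Every plugin is a binary that runs with your kubeconfig credentials, so
# these are worth reviewing rather than silently keeping.
unexpected_plugins() {
  for up_name in $(installed_plugins); do
    case " $PLUGINS krew " in
      *" $up_name "*) ;;
      *) printf '%s\n' "$up_name" ;;
    esac
  done
}

# Refresh the index, install what is missing, then report drift.
sync_plugins() {
  kubectl krew update || return 1
  sp_missing="$(missing_plugins)"
  if [ -n "$sp_missing" ]; then
    # Word splitting is intended: one argument per plugin name.
    kubectl krew install $sp_missing || return 1
  fi
  sp_extra="$(unexpected_plugins)"
  [ -z "$sp_extra" ] || printf 'not on team list: %s\n' $sp_extra >&2
  return 0
}

# Run the sync only when asked, so the file can also be sourced.
if [ "${1:-}" = "sync" ]; then
  sync_plugins
fi
```

Run it as `sh install-krew-plugins.sh sync` (the file name is hypothetical); without the argument it only defines the functions.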
The most valuable thing is installing ctx + ns + neat in the first hour and never typing kubectl --context=foo --namespace=bar get pods ever again.