Secure Your Kubernetes Access with kubectl-rexec Plugin

Have you ever hopped inside a pod and swiftly debugged something using kubectl exec? It's useful, but it has a big flaw: there is no audit trail.
kubectl-rexec can help with that.
The Kubectl exec Issue
When you're running:
kubectl exec -it mypod -- bash
you are working live inside the container, but Kubernetes keeps no record of what you did there: the commands you typed, the files you touched, or the logs you read.
That is a significant risk on production systems, where you need traceability and observability of every shell session.
A plugin called kubectl-rexec adds auditing and takes the place of kubectl exec. Everything you do within the container is recorded, including commands and, if you enable it, keystrokes. It works particularly well in regulated environments.
Imagine Kubectl exec with a security camera turned on.
Quick Setup Guide
Here's how to give it a quick try.
Set up the webhook and proxy
This installs the rexec backend service (the proxy) together with the webhook that turns off the built-in kubectl exec.
kustomize build manifests/ | kubectl -n kube-system apply -f -
Installing the kubectl-rexec plugin
Ensure that Go is installed and that your GOBIN directory is on your PATH.
go install github.com/adyen/kubectl-rexec@latest
Execute it similarly to kubectl exec
kubectl rexec exec -ti some-pod -- bash
It functions similarly to kubectl exec, but with complete logging!
Watch It Happen
To see what's happening, tail the rexec proxy's logs:
kubectl -n kube-system logs -l app=rexec -f
You can see from the logs which commands were executed by whom and inside which pods.
Important Configuration Settings
Here are a few helpful flags:
--audit-trace: Records each keystroke (for TTY sessions).
--by-pass-user: Allows you to omit auditing for system users (such as system:admin).
--by-pass-shared-key: Provides secure communication and is required when running multiple replicas.
--max-strokes-per-line: Adjusts how often keystrokes are flushed to the log (the default is usually fine).
Important Information
- Kubernetes v1.30+ or v1.29 is required, with the TranslateStreamCloseWebsocketRequests feature gate enabled (TranslateStreamCloseWebsocketRequests=true).
- Versions older than 1.29 are not supported.
- SPDY is not supported by this tool; it only functions over WebSockets.
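A preflight and post-install check for the requirements above and for the exec replacement from the setup guide, written as an added example that is not part of the kubectl-rexec project. It assumes kubectl is on PATH and pointed at the target cluster, that the kube-apiserver exposes the kubernetes_feature_enabled metric on /metrics and that your identity may read it, that the checked pod's image contains a `true` binary, and that `kubectl rexec exec` accepts a non-interactive command the same way `kubectl exec` does; all function and variable names are the example's own.

```shell
#!/bin/sh
# kubectl-rexec preflight / post-install checks (example code, not the
# project's own). Pure helpers first so they can be tested without a cluster.

MIN_MINOR=29   # v1.29 and v1.30+ are supported per the plugin's requirements

# "v1.30.2-gke.100" -> "1.30"; "1.29" -> "1.29". Non-zero status on junk.
rexec_major_minor() {
  v=${1#v}
  case $v in *.*) ;; *) return 1 ;; esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%[!0-9]*}          # drop "+", patch level and vendor suffixes
  [ -n "$major" ] && [ -n "$minor" ] && printf '%s.%s\n' "$major" "$minor"
}

# Returns 0 when "MAJOR.MINOR" (or "MAJOR.MINOR+") meets the minimum version.
rexec_version_supported() {
  mm=$(rexec_major_minor "$1") || return 1
  major=${mm%%.*}
  minor=${mm#*.}
  [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge "$MIN_MINOR" ]; }
}

# Reads the server (not client) gitVersion from kubectl and applies the check.
rexec_check_server_version() {
  ver=$(kubectl version -o json 2>/dev/null |
        sed -n '/"serverVersion"/,$p' |
        sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' | head -n1)
  if rexec_version_supported "$ver"; then
    echo "OK: server $ver is supported (>= 1.$MIN_MINOR)"
  else
    echo "FAIL: server '$ver' is older than 1.$MIN_MINOR; kubectl-rexec needs v1.29 or v1.30+"
    return 1
  fi
}

# Assumption: the apiserver publishes kubernetes_feature_enabled{name=...} 1
# on /metrics; reading it needs RBAC on the /metrics non-resource URL.
rexec_check_feature_gate() {
  if kubectl get --raw /metrics 2>/dev/null |
     grep -q '^kubernetes_feature_enabled{name="TranslateStreamCloseWebsocketRequests"[^}]*} 1'; then
    echo "OK: TranslateStreamCloseWebsocketRequests feature gate is enabled"
  else
    echo "FAIL: TranslateStreamCloseWebsocketRequests is not enabled (or /metrics not readable)"
    return 1
  fi
}

# Once the webhook is installed, plain kubectl exec must be refused while the
# audited rexec path still reaches the pod. Both run non-interactively.
rexec_check_exec_blocked() {
  pod=$1
  if kubectl exec "$pod" -- true >/dev/null 2>&1; then
    echo "FAIL: plain kubectl exec still works on $pod; the unaudited path is open"
    return 1
  fi
  if ! kubectl rexec exec "$pod" -- true >/dev/null 2>&1; then
    echo "FAIL: kubectl rexec exec cannot reach $pod"
    return 1
  fi
  echo "OK: $pod is only reachable through the audited rexec path"
}

main() {
  rc=0
  rexec_check_server_version || rc=1
  rexec_check_feature_gate   || rc=1
  rexec_check_exec_blocked "$1" || rc=1
  return $rc
}

# Runs only when a pod name is supplied via the environment, e.g.
#   REXEC_CHECK_POD=some-pod sh rexec-preflight.sh
if [ -n "${REXEC_CHECK_POD:-}" ]; then main "$REXEC_CHECK_POD"; fi
```

Run the script before `kustomize build manifests/ | kubectl -n kube-system apply -f -` to confirm the version and feature gate, and again afterwards against a test pod: the third check should flip from FAIL to OK once the webhook is in place, which is the evidence that the unaudited exec path is really closed rather than merely replaced.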
Real-World Applications
- Examining internal developer activities in the production environment.
- Regulatory adherence in healthcare or fintech.
- Full visibility debugging.
Synopsis
A drop-in substitute for kubectl exec, kubectl-rexec offers improved control, auditing, and visibility. This plugin is essential if you work in settings where accountability is crucial.
Try it out, audit your shell access, and maintain the security of your Kubernetes!
Prefer watching instead of reading? Here's a quick video guide.