The case of Kubeswitch

Daniel Foehr
Feb 28, 2021

Managing a handful of Kubeconfig files and contexts is straightforward and well-supported by existing tools. You can use kubectl config view --flatten, define aliases, or use kubectx.

Meanwhile, Kubernetes adoption has gone through the roof, and large-scale Kubernetes landscapes with hundreds to thousands of clusters are not uncommon. On top of that, projects like Gardener, SIG Cluster-API, or Rancher make it easy to spin up and maintain clusters at scale. There are even edge scenarios that scale up to one million clusters.

To sum it up, many have moved on from treating Kubernetes clusters as pets to treating them like cattle. Hence, there is a need for a tool that is built for this reality.

The idea of kubeswitch is to enable seamless interaction with Kubeconfig files for operators of large-scale Kubernetes landscapes, no matter whether the files are stored on disk, kept in an Enterprise Vault, spread across different directories, or need to be synchronized from a remote system.

kubeswitch offers

  • convenience features (terminal window isolation, context history, context aliasing, improved search experience, sanitized Kubeconfig preview);
  • advanced search capabilities (search index, hot reload, unified search over all kubeconfig stores);
  • as well as custom integration points with external systems (see hooks).

Use the command switch to perform a recursive search across all configured Kubeconfig paths such as directories on the local filesystem or paths in Vault.

To not break existing setups, kubeswitch is a drop-in replacement for kubectx. You can just set an alias.

alias kubectx='switch' 
alias kctx='switch'

Configuration

The example config file below (located by default in ~/.kube/switch-config.yaml) configures a recursive search on three different paths across two kubeconfig stores (filesystem and vault).
In addition, the custom hook named sync-my-kubeconfigs is executed every 6 hours to synchronize kubeconfig files from a remote system to the local disk.

kind: SwitchConfig
vaultAPIAddress: "http://127.0.0.1:8200"
kubeconfigRediscoveryInterval: 1h
kubeconfigPaths:
  - path: "~/.kube/config"
    store: filesystem
  - path: "~/.kube/static-kubeconfigs/"
    store: filesystem
  - path: "landscapes"
    store: vault
hooks:
  - name: sync-my-kubeconfigs
    type: Executable
    path: /usr/local/bin/hook_sync_landscape
    arguments:
      - "sync"
      - "--kubeconfig-path"
      - "/path/to/kubeconfig"
      - "--export-path"
      - "/path/on/local/disk"
    execution:
      interval: 6h

What's next

Looking forward, kubeswitch will hopefully gain support for more storage backends (e.g., local password managers, so that unencrypted kubeconfig files do not have to be stored on the local filesystem). Additional stores need to implement the KubeconfigStore interface.

Also, kubeswitch could be used as an authentication helper for Kubeconfig files to inject credentials from the backing store.
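
Until such backends exist, kubeconfigs in a filesystem store sit on disk in clear text. The script below is an added example (not part of kubeswitch or the original post) that walks a store directory and flags kubeconfigs that are accessible to group or other users, or that carry static credentials. The function names, finding labels and sample files are assumptions constructed for illustration.

```shell
# Print one finding per line ("<ISSUE> <file>") for kubeconfigs under directory $1.
audit_kubeconfigs() {
  find "$1" -type f | sort | while IFS= read -r f; do
    grep -q '^clusters:' "$f" 2>/dev/null || continue   # not a kubeconfig
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || echo "LOOSE_PERMS $f"
    # Static secrets written into the file in clear text.
    if grep -Eq '^[[:space:]]*(token|password|client-key-data):[[:space:]]*[^[:space:]]' "$f"; then
      echo "STATIC_CREDS $f"
    fi
  done
}

# Constructed sample store: two throwaway kubeconfigs with placeholder values.
make_sample_store() {
  dir=$(mktemp -d)
  mkdir -p "$dir/landscape-a"
  cat > "$dir/landscape-a/token.yaml" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: sample
  cluster:
    server: https://cluster.example.invalid
users:
- name: sample
  user:
    token: PLACEHOLDER-NOT-A-REAL-TOKEN
EOF
  chmod 644 "$dir/landscape-a/token.yaml"
  cat > "$dir/exec.yaml" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: sample
  cluster:
    server: https://cluster.example.invalid
users:
- name: sample
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: credential-helper-placeholder
EOF
  chmod 600 "$dir/exec.yaml"
  echo "$dir"
}
store=$(make_sample_store); audit_kubeconfigs "$store"; rm -rf "$store"
```

Point audit_kubeconfigs at a directory listed under kubeconfigPaths. The sample exec.yaml produces no findings because it is readable only by its owner and delegates credentials to an exec plugin instead of storing them.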

If you find this project interesting, then I invite you to check out kubeswitch on GitHub for more information or head straight to the installation section. Of course, contributions are more than welcome.

Cheers,

Daniel

Daniel Foehr

Working on Gardener (gardener.cloud) - your own Kubernetes as-a-service.