The isUpgrade() check used exact string match (== "Upgrade") for the
Connection header value. A client sending "Connection: upgrade"
(lowercase) would bypass this check. While not exploitable in practice
(the Upgrade header check catches real upgrades), this hardens the
proxy with defense-in-depth.
Also adds a comprehensive security test suite covering jailbreak
attempts: method override smuggling, path traversal, dryRun parameter
injection, upgrade header smuggling, review endpoint spoofing, unusual
HTTP methods, concurrent request filtering, and credential leakage.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The readonly proxy now permits:
- K8s "review" POST endpoints (SubjectAccessReview, TokenReview, etc.)
that query auth state without persisting resources
- Requests with ?dryRun=All for server-side validation
Review endpoints are matched with anchored regexps pinned to
authorization.k8s.io and authentication.k8s.io API groups, preventing
spoofing via custom resources with the same name.
Refactors the handler into small, independently tested filter functions
(isUpgrade, isReadOnly, isNonMutatingPost, isDryRun) composed by a
checkRequest commander.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Introduces a new internal/proxy package that provides a localhost HTTP
reverse proxy enforcing read-only access to the Kubernetes API server.
- Allows GET, HEAD, OPTIONS requests (kubectl get/describe/logs/top/watch)
- Blocks POST, PUT, DELETE, PATCH with metav1.Status 405 responses
- Blocks Connection: Upgrade requests (kubectl exec/cp/port-forward)
- Uses client-go transport for TLS/auth to the real API server
- Rewrites kubeconfig: server URL to proxy, strips auth, sets insecure-skip-tls-verify
- Appends [RO] suffix to context name in rewritten kubeconfig
- DEBUG=1 enables request/response logging
- Comprehensive test coverage for all proxy behavior
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When kubens needs to query the Kubernetes API (e.g. to check if a
namespace exists), it builds a REST client from the in-memory
kubeconfig bytes using clientcmd.RESTConfigFromKubeConfig(). This
function has no knowledge of the kubeconfig file's location on disk,
so it cannot resolve relative paths in exec credential plugin commands
(e.g. `command: ../scripts/get-token.sh`). This causes a "no such file
or directory" error for users whose kubeconfig uses relative paths in
exec-based authentication.
The fix threads the kubeconfig file path through a new PathHinter
optional interface on ReadWriteResetCloser. When a file path is
available, newKubernetesClientSet now uses
clientcmd.NewNonInteractiveDeferredLoadingClientConfig with
ExplicitPath, which resolves relative paths relative to the kubeconfig
file's directory — matching kubectl's own behavior. The old
bytes-based fallback is preserved for in-memory configs (e.g. tests).
Fixes#488
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Previously, kubectx would error with "multiple files in KUBECONFIG are
currently not supported" when KUBECONFIG contained colon-separated paths.
This is a common setup where users maintain separate kubeconfig files for
different clusters/environments.
This change evolves the internal Kubeconfig struct from holding a single
file to a slice of file entries, matching kubectl's merge semantics:
- Reading current-context: first file with a non-empty value wins
- Writing current-context: always written to the first file
- Listing contexts: merged from all files, first occurrence wins for
duplicate names
- Modifying a context (delete/rename/set-namespace): written to the
file that owns that context
- Missing files in the KUBECONFIG list are silently skipped (matching
kubectl behavior), but permission errors are propagated
The Loader interface already returned []ReadWriteResetCloser, so all
public method signatures remain unchanged — zero modifications needed
in cmd/kubectx/ or cmd/kubens/ callers.
Fixes#485Fixes#211
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
t.Setenv is the modern standard Go testing utility (since Go 1.17) that automatically restores environment variables when the test completes. This replaces the custom testutil.WithEnvVar function which manually saved and restored env var state.
The testutil.go file is deleted as it only contained WithEnvVar. The testutil package remains for its other utilities like KubeconfigBuilder.
Adds a new CacheDir() function that respects the XDG_CACHE_HOME environment variable,
matching the bash scripts' behavior. kubectx and kubens now prefer XDG_CACHE_HOME when
set, falling back to $HOME/.kube otherwise. This aligns the Go implementations with
the bash scripts' cache directory logic.
Includes comprehensive tests covering all scenarios:
- XDG_CACHE_HOME set (returns the XDG value)
- XDG_CACHE_HOME unset (falls back to $HOME/.kube)
- Neither set (returns empty string)
This change addresses eight key improvements to the kubectx/kubens codebase:
Resource Management Fixes:
- Fix use-after-close bugs where Kubeconfig was accessed after Close()
- Fix resource leaks on error paths by ensuring defer kc.Close() is called
- Fix YAML encoder not being closed after Encode(), causing buffered data loss
API Design Improvements:
- Change ContextNames() to return ([]string, error) instead of silently returning
nil on error, making parse failures distinguishable from empty results
- Change GetCurrentContext() to return (string, error) instead of returning ""
for both "not set" and parse error cases
- Update all 16 call sites across cmd/kubectx and cmd/kubens packages to handle
the new error returns while preserving backward-compatible behavior
Error Handling:
- Add explicit error handling for printer.Success() calls in 5+ locations
by prefixing unchecked calls with _ =
Performance:
- Add slice pre-allocation in namespace list pagination using slices.Grow()
before append loops, reducing allocations when fetching 500+ item batches
All changes maintain backward compatibility for missing kubeconfig keys while
improving error transparency and resource safety.
Modernize the codebase to use idiomatic Go 1.25 patterns, removing deprecated APIs and reducing external dependencies.
- Replace deprecated `io/ioutil` with `os.ReadFile`, `os.WriteFile`, `os.MkdirTemp`, `os.CreateTemp`
- Replace `interface{}` with `any` (Go 1.18+)
- Remove `github.com/pkg/errors` dependency entirely, using stdlib `fmt.Errorf` with `%w` and `errors.New`
- Use `errors.As()` instead of direct type assertions on error values
- Use `strings.Cut()` for delimiter parsing instead of `strings.Split` + length check
- Use `slices.Contains()` for linear search in `ContextExists()`
- Use `t.Setenv()` and `t.TempDir()` in tests instead of manual env save/restore and temp dir cleanup
- Delete unused `internal/testutil/tempfile.go` helper
- Update GitHub Actions CI and release workflows from Go 1.22 to 1.25
Net result: -70 lines, 1 fewer external dependency.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Spawns an isolated sub-shell with a minimal kubeconfig containing only the specified context.
This allows the user to launch a shell where they can only interact with a single cluster without having to worry about a command or an LLM agent interacting with other contexts.
Inside the isolated shell, most context switching/editing operations on kubectx are blocked. Nested shells not allowed.
Fixes#12.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(release): customize goreleaser config file, by adding json schema and fixing configuration version
* fix(go): rename invalid comment format
* fix(ci): made release workflow work again
replace goreleaser --rm-dist flag by --clean
increment go version for release pipeline
fetch previous tags use by goreleaser
give release workflow content write permissions to publish release
* stop using XDG_CACHE_HOME as home directory
XDG_CACHE_HOME is not a substitute for $HOME, see [1].
[1]: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
* fix bats testing setup/teardown
since cmdutil.Homedir() would treat $XDG_CACHE_HOME as $HOME, deleting
$XDG_CACHE_HOME would wipe out previous kubens state. now that we're not
doing that, we need to make a real synthetic $HOME and clear it out so
that $HOME/.kube/kubens doesn't persist between runs.
