Kubebox : Terminal & Web Console For Kubernetes

Kubebox is a terminal and web console for Kubernetes.

Features

  • ✓ Configuration from kubeconfig files (KUBECONFIG environment variable or $HOME/.kube)
  • ✓ Switch contexts interactively
  • Authentication support (bearer token, basic auth, private key / cert, OAuth, OpenID Connect, Amazon EKS, Google Kubernetes Engine, Digital Ocean)
  • ✓ Namespace selection and pods list watching
  • ✓ Container log scrolling / watching
  • ✓ Container resources usage (memory, CPU, network, file system charts) [1]
  • ✓ Container remote exec terminal
  • ✓ Cluster, namespace, pod events
  • ❏ Object configuration editor and CRUD operations
  • ❏ Cluster and nodes views / monitoring

Run

The following alternatives are available for you to use Kubebox, depending on your preferences and constraints:

Executable

Download the Kubebox standalone executable for your OS:

#Linux
$ curl -Lo kubebox https://github.com/astefanutti/kubebox/releases/download/v0.8.0/kubebox-linux && chmod +x kubebox
#OSX
$ curl -Lo kubebox https://github.com/astefanutti/kubebox/releases/download/v0.8.0/kubebox-macos && chmod +x kubebox
#Windows
$ curl -Lo kubebox.exe https://github.com/astefanutti/kubebox/releases/download/v0.8.0/kubebox-windows.exe

Then run:

$ ./kubebox

Server

Kubebox can be served from a service hosted in your Kubernetes cluster. Terminal emulation is provided by Xterm.js and the communication with the Kubernetes master API is proxied by the server.

To deploy the server in your Kubernetes cluster, run:

$ kubectl apply -f https://raw.github.com/astefanutti/kubebox/master/kubernetes.yaml

To shut down the server and clean up resources, run:

$ kubectl delete namespace kubebox

For the Ingress resource to work, the cluster must have an Ingress controller running. See Ingress controllers for more information.

Alternatively, to deploy the server in your OpenShift cluster, run:

$ oc new-app -f https://raw.github.com/astefanutti/kubebox/master/openshift.yaml

Kubectl

You can run Kubebox as an in-cluster client with kubectl, e.g.:

$ kubectl run kubebox -it --rm --env="TERM=xterm" --image=astefanutti/kubebox --restart=Never

If RBAC is enabled, you’ll have to use the --serviceaccount option and reference a service account with sufficient permissions.

Docker

You can run Kubebox using Docker, e.g.:

$ docker run -it --rm astefanutti/kubebox

You may want to mount your home directory so that Kubebox can rely on the ~/.kube/config file, e.g.:

$ docker run -it --rm -v ~/.kube/:/home/node/.kube/:ro astefanutti/kubebox

Online

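Kubebox is available online at https://astefanutti.github.com/kubebox. Note that this address must match the origins allowed for CORS by the API server. The allowed origins are given as regular expressions, so a pattern that matches only the Kubebox address is the narrowest setting, while .* matches every origin. This can be achieved with the Kubernetes API server CLI, e.g.: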

$ kube-apiserver --cors-allowed-origins '.*'

Authentication

We try to support the various authentication strategies supported by kubectl, in order to provide seamless integration with your local setup. Here are the different authentication strategies we support, depending on how you’re using Kubebox:

                            Executable   Docker   Online
OpenID Connect              ✔️           ✔️       ✔️[2]
Amazon EKS                  ✔️
Digital Ocean               ✔️
Google Kubernetes Engine    ✔️

If the mode you’re using isn’t supported, you can refresh the authentication token/certs manually and update your kubeconfig file accordingly.

cAdvisor

Kubebox relies on cAdvisor to retrieve the resource usage metrics. Before version 0.8.0, Kubebox accessed the cAdvisor endpoints that are embedded in the Kubelet. However, these endpoints are being deprecated and will eventually be removed, as discussed in kubernetes#68522.

Starting with version 0.8.0, Kubebox expects cAdvisor to be deployed as a DaemonSet. This can be achieved with:

$ kubectl apply -f https://raw.github.com/astefanutti/kubebox/master/cadvisor.yaml

It’s recommended to use the provided cadvisor.yaml file, which is tested to work with Kubebox. However, the DaemonSet example from the cAdvisor project should also work just fine. Note that the cAdvisor containers must run with a privileged security context, so that they can access the container runtime on each node.

You can change the default --storage_duration and --housekeeping_interval options, set in the cAdvisor container arguments declared in the cadvisor.yaml file, to adjust the duration of the storage moving window (defaults to 5m0s) and the sampling period (defaults to 10s) respectively. You may also have to provide the path of your cluster container runtime socket, in case it does not follow the usual convention.

Hotkeys

Keybinding                  Description

General
l, Ctrl+l                   Login
n                           Change current namespace
[Shift+],                   Navigate screens
[Alt+]1, …, 9               (use Shift or Alt inside exec terminal)
,                           Navigate list / form / log
Enter                       Select item / submit form
Esc                         Close modal window / cancel form / rewind focus
Ctrl+z                      Close current tab
q, Ctrl+q                   Exit [3]

Login
,                           Navigate Kube configurations

Pods
Enter                       Select pod / cycle containers
r                           Remote shell into container
m                           Memory usage
c                           CPU usage
t                           Network usage
f                           File system usage
e                           Open pod events tab
Shift+e                     Open namespace events tab
Ctrl+e                      Open cluster events tab

Log
g, Shift+g                  Move to top / bottom
Ctrl+u, Ctrl+d              Move one page up / down

FAQ

  • Resources usage metrics are unavailable!
    • Starting with version 0.8.0, Kubebox expects cAdvisor to be deployed as a DaemonSet. See the cAdvisor section for more details;
    • The metrics are retrieved from the REST API of the cAdvisor pod running on the same node as the container for which the metrics are being requested. That REST API is accessed via the API server proxy, which requires proper RBAC permissions, e.g.:

      # Permission to list the cAdvisor pods (selected using the `spec.nodeName` field selector)
      $ kubectl auth can-i list pods -n cadvisor
      yes
      # Permission to proxy the selected cAdvisor pod, to call its REST API
      $ kubectl auth can-i get pod --subresource proxy -n cadvisor
      yes
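
A namespaced Role and RoleBinding that grant exactly the two permissions checked above and nothing else, as an added example that is not part of the Kubebox project's manifests. The Role name, the `kubebox` service account and its `kubebox` namespace are assumptions; the manifest covers only the metrics path, not the other permissions Kubebox needs for pods, logs or exec.

```yaml
# Added example: names marked "assumed" do not come from the Kubebox project.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubebox-cadvisor-metrics   # assumed name
  namespace: cadvisor              # namespace used in the can-i checks above
rules:
  # List the cAdvisor pods (one is selected with the spec.nodeName field selector)
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
  # Call the selected cAdvisor pod's REST API through the API server proxy
  - apiGroups: [""]
    resources: ["pods/proxy"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubebox-cadvisor-metrics   # assumed name
  namespace: cadvisor              # binding is scoped to this namespace only
subjects:
  - kind: ServiceAccount
    name: kubebox                  # assumed service account name
    namespace: kubebox             # assumed namespace of that service account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubebox-cadvisor-metrics
```

Because this is a Role rather than a ClusterRole, the proxy permission reaches only pods in the cadvisor namespace. The two checks above can be repeated for the service account by adding `--as=system:serviceaccount:kubebox:kubebox` to each `kubectl auth can-i` command.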

Development

$ git clone https://github.com/astefanutti/kubebox.git
$ cd kubebox
$ npm install
$ node index.js

Screenshots

  • Cluster events:
  • Shell into a container:
  • Terminal theme support:
  • Web browser version:

[1] Requires cAdvisor to be deployed as a DaemonSet. See the cAdvisor section for more details.
[2] Custom IDP certificate authority files are not supported in Web versions.
[3] Not available in Web versions.