feat(kubectl): Alpine-based kubectl container image (#9809) #9896

Merged
h0lybyte merged 8 commits into dev from trunk/kubectl-image-1775772245 on Apr 9, 2026

Conversation

@h0lybyte (Member) commented Apr 9, 2026

Summary

  • New apps/vm/kubectl/ project — chiseled Ubuntu + kubectl with Rust CLI wrapper for KubeVirt VM management
  • Non-root, drop-ALL-caps compatible, read-only rootfs safe
  • Replaces registry.k8s.io/kubectl (distroless, no /bin/sh) which broke all Job scripts
  • fix(kubevirt): Removed vmx CPU feature from macos-builder VM — cluster is AMD EPYC Rome (exposes svm not vmx), causing Unschedulable node affinity mismatch. Also set evictionStrategy: None and runStrategy: Manual for single-node compatibility.

Test plan

  • docker build -t kbve/kubectl:latest apps/vm/kubectl/
  • docker run --rm kbve/kubectl:latest version --client
  • Apply angelscript manifests via ArgoCD sync
  • virtctl start macos-builder -n angelscript — confirm VMI schedules and boots

Ref #9809

Alpine 3.21 + kubectl 1.33.2 with sh, curl, wget, jq. Non-root user
(uid 65534), drop-ALL-caps safe. Replaces distroless registry.k8s.io/kubectl
which lacks /bin/sh for Job scripts.

@github-actions (Contributor) github-actions Bot commented Apr 9, 2026

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 6 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA c3411b2.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

apps/vm/kubectl/Cargo.toml

Package             Version              License   Issue Type
clap                >= 4.0.0, < 5.0.0    Null      Unknown License
serde               >= 1.0.0, < 2.0.0    Null      Unknown License
serde_json          >= 1.0.0, < 2.0.0    Null      Unknown License
tokio               >= 1.0.0, < 2.0.0    Null      Unknown License
tracing             >= 0.1.0, < 0.2.0    Null      Unknown License
tracing-subscriber  >= 0.3.0, < 0.4.0    Null      Unknown License

OpenSSF Scorecard

Package                   Version              Score     Details
cargo/clap                >= 4.0.0, < 5.0.0    Unknown   Unknown
cargo/serde               >= 1.0.0, < 2.0.0    Unknown   Unknown
cargo/serde_json          >= 1.0.0, < 2.0.0    Unknown   Unknown
cargo/tokio               >= 1.0.0, < 2.0.0    Unknown   Unknown
cargo/tracing             >= 0.1.0, < 0.2.0    Unknown   Unknown
cargo/tracing-subscriber  >= 0.3.0, < 0.4.0    Unknown   Unknown

Scanned Files

  • apps/vm/kubectl/Cargo.toml

h0lybyte added 7 commits April 9, 2026 18:24

…#9809)

Add kbve-kubectl Rust CLI with guest-exec, run, and info subcommands
for KubeVirt VM lifecycle management via QEMU Guest Agent. Multi-stage
Dockerfile using chisel-ubuntu-axum builder. MDX project page wired
for ci-docker pipeline.

Replace Alpine runtime with scratch-based chiseled Ubuntu 24.04 using
Canonical chisel. Busybox for shell, curl from Ubuntu slice, jq + kubectl
as static binaries. Matches the chisel-ubuntu-axum ecosystem pattern.

Vitest-based e2e tests that build the image, run it, and validate:
shell availability, busybox utilities, kubectl, jq, curl, CA certs,
kbve-kubectl CLI subcommands (info, run, guest-exec), non-root user.

Set has_test: true, e2e_name: kubectl-e2e, test_framework: typescript
so ci-docker builds and tests the image before publish.

The macos-builder VM was unschedulable because the vmx (Intel VT-x)
CPU feature was required but the cluster node is AMD EPYC Rome which
exposes svm instead. Also switched evictionStrategy to None for
single-node compatibility and aligned runStrategy with windows-builder.

…ds, parallel tool checks (#9809)

Extract init_tracing(), add kubectl_output() helper with Cow error
returns, use serde_json::json! for guest-exec payload (proper escaping),
parallelize tool availability checks with futures::join_all, simplify
cmd_run match arms.

- Add #[inline] on init_tracing, kubectl_output, check_tool, cmd_run
- Replace futures::join_all with tokio::spawn — drops futures crate
  (7 sub-crates) from the dependency tree
- Hoist TOOLS and VERSION to module-level const
- kubectl_output: try String::from_utf8 first to avoid lossy double
  allocation when output is valid UTF-8
- Extract first_nonempty_line helper for domain parsing
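The commit above switches the guest-exec payload to serde_json::json! "for proper escaping". The example below, added here and not taken from the kbve-kubectl source, shows why that matters: the QEMU Guest Agent `guest-exec` command is a JSON document, and a user-supplied command string that is interpolated into it verbatim can break out of its JSON string and rewrite the request. To stay dependency-free the example hand-rolls a small JSON string escaper instead of using serde_json; the `/bin/sh -c <cmd>` argument layout, the function names and the sample command strings are assumptions for illustration, while the `execute` / `arguments` / `path` / `arg` / `capture-output` fields are the documented QGA guest-exec wire format.

```rust
// Added example (not the project's code): building a QEMU Guest Agent
// `guest-exec` request from an untrusted command string. The project uses
// serde_json::json!; this block hand-rolls the escaping so it runs with std only.

/// Escape `s` so it can sit inside a JSON string literal (RFC 8259 rules).
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Naive payload: the command is interpolated verbatim. A `"` in `cmd` closes
/// the JSON string early and everything after it becomes request structure.
fn guest_exec_payload_naive(cmd: &str) -> String {
    format!(
        r#"{{"execute":"guest-exec","arguments":{{"path":"/bin/sh","arg":["-c","{}"],"capture-output":true}}}}"#,
        cmd
    )
}

/// Escaped payload: the whole command stays inside one JSON string regardless
/// of which characters it contains.
fn guest_exec_payload(cmd: &str) -> String {
    format!(
        r#"{{"execute":"guest-exec","arguments":{{"path":"/bin/sh","arg":["-c","{}"],"capture-output":true}}}}"#,
        json_escape(cmd)
    )
}

/// Read back the `-c` argument the way a JSON consumer would: everything after
/// the `"-c","` marker up to the first unescaped quote, with escapes decoded.
/// Comparing this to the original command shows what the guest will actually run.
fn extract_command(payload: &str) -> Option<String> {
    let marker = r#""-c",""#;
    let start = payload.find(marker)? + marker.len();
    let mut out = String::new();
    let mut chars = payload[start..].chars();
    while let Some(c) = chars.next() {
        match c {
            '"' => return Some(out),
            '\\' => match chars.next()? {
                '"' => out.push('"'),
                '\\' => out.push('\\'),
                'n' => out.push('\n'),
                'r' => out.push('\r'),
                't' => out.push('\t'),
                'u' => {
                    let hex: String = chars.by_ref().take(4).collect();
                    out.push(char::from_u32(u32::from_str_radix(&hex, 16).ok()?)?);
                }
                other => out.push(other),
            },
            c => out.push(c),
        }
    }
    None
}

fn main() {
    // Constructed inputs: an ordinary command with quotes, and one crafted to
    // rewrite the request when interpolated without escaping.
    let plain = r#"echo "hello"; id"#;
    let crafted = r#"true"],"capture-output":false,"arg":["-c","id"#;
    for cmd in [plain, crafted] {
        println!("naive   -> guest runs: {:?}", extract_command(&guest_exec_payload_naive(cmd)));
        println!("escaped -> guest runs: {:?}", extract_command(&guest_exec_payload(cmd)));
    }
}
```

With the naive builder the first input is truncated to `echo ` and the crafted one turns into a request whose `-c` argument is just `true`, with the attacker-chosen remainder parsed as part of the JSON object; with the escaped builder both round-trip unchanged. Building the document with a JSON library (serde_json::json! in the project) gives the same guarantee without maintaining an escaper by hand.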
@h0lybyte h0lybyte merged commit db3aafd into dev Apr 9, 2026
1 of 2 checks passed
@h0lybyte h0lybyte deleted the trunk/kubectl-image-1775772245 branch April 9, 2026 23:15