
kubectl sudo


This plugin allows users to run Kubernetes commands with the security privileges of another user:

```
$ kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "bofh" cannot list nodes at the cluster scope
$ kubectl sudo get nodes
NAME                     STATUS   ROLES    AGE   VERSION
<node name elided>       Ready    <none>   96d   v1.11.2
<node name elided>       Ready    <none>   96d   v1.11.2
```

If auditing is configured correctly, the audit log records both the originating user and the impersonated user and group (list contents elided in this excerpt):

```json
{
  "kind": "Event",
  "apiVersion": "",
  "level": "Metadata",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/nodes?limit=500",
  "verb": "list",
  "user": {
    "username": "bofh",
    "groups": [ ... ]
  },
  "impersonatedUser": {
    "username": "bofh",
    "groups": [ ... ]
  },
  "objectRef": {
    "resource": "nodes",
    "apiVersion": "v1"
  }
}
```
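The audit event above is what makes this scheme reviewable: `user` is the authenticated caller and `impersonatedUser` only appears when `--as`/`--as-group` was used. The following is an added example, not part of the kubectl-sudo project, that reads a JSON-lines audit log, lists every impersonated request with its real origin user, and singles out privileged (system:masters) non-read requests for review. The three log lines are constructed for the example; the field names follow the audit Event schema shown above.

```python
import json

# Constructed sample audit log (JSON lines, one Event per line); not taken
# from the project. Event 2 has no impersonatedUser: a plain, unprivileged request.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/nodes?limit=500","verb":"list","user":{"username":"bofh","groups":["bofh_accounts","system:authenticated"]},"impersonatedUser":{"username":"bofh","groups":["system:masters"]},"objectRef":{"resource":"nodes","apiVersion":"v1"}}
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/dev/pods","verb":"list","user":{"username":"bofh","groups":["bofh_accounts","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"dev","apiVersion":"v1"}}
{"kind":"Event","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/nodes/worker-1","verb":"delete","user":{"username":"alice","groups":["bofh_accounts","system:authenticated"]},"impersonatedUser":{"username":"alice","groups":["system:masters"]},"objectRef":{"resource":"nodes","name":"worker-1","apiVersion":"v1"}}
"""

# Groups whose impersonation grants full cluster access (assumption for this example).
PRIVILEGED_GROUPS = {"system:masters"}
READ_VERBS = {"get", "list", "watch"}


def parse_audit_log(text):
    """Parse a JSON-lines audit log into a list of Event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def impersonation_events(events):
    """Summarise every event that used impersonation: who really sent it and as whom."""
    out = []
    for ev in events:
        imp = ev.get("impersonatedUser")
        if not imp:
            continue  # ordinary request, nothing to attribute
        groups = set(imp.get("groups", []))
        ref = ev.get("objectRef", {})
        out.append({
            "origin_user": ev.get("user", {}).get("username"),
            "as_user": imp.get("username"),
            "as_groups": sorted(groups),
            "privileged": bool(groups & PRIVILEGED_GROUPS),
            "verb": ev.get("verb"),
            "resource": ref.get("resource"),
            "name": ref.get("name"),
        })
    return out


def privileged_writes(summaries):
    """The events most worth a second look: privileged group and a mutating verb."""
    return [s for s in summaries if s["privileged"] and s["verb"] not in READ_VERBS]


if __name__ == "__main__":
    summaries = impersonation_events(parse_audit_log(SAMPLE_AUDIT_LOG))
    for s in summaries:
        tag = "PRIVILEGED" if s["privileged"] else "ok"
        print(f"{tag:10} {s['origin_user']} -> {s['as_user']} {s['as_groups']} "
              f"{s['verb']} {s['resource']} {s['name'] or ''}")
    for s in privileged_writes(summaries):
        print("review:", s["origin_user"], s["verb"], s["resource"], s["name"])
```

The point of keying on `user.username` rather than `impersonatedUser` is that the impersonated identity is chosen by the caller; only the `user` field tells you which administrator actually ran `kubectl sudo`.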


Kubernetes cluster administrators have great power. A mistake could cause the cluster to become unhealthy or insecure and, as such, could impact any or all tenants sharing the cluster. A simple kubectl -f with the wrong namespace can end badly.


This project does not really introduce a kubectl plugin, but a concept of how to provide a sudo-like system for Kubernetes access.

To reduce the surface for unwanted or unexpected actions, you can reduce the default privileges of a cluster administrator to those of an unprivileged account and give them the ability to impersonate users and groups. When cluster administrators need to perform more privileged actions, they can switch to the group system:masters, or to another group or user matching the required privilege level.

In order to implement that concept, you need to declare a ClusterRole for impersonation:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
- apiGroups: [""]
  verbs: ["impersonate"]
  resources: ["users", "groups", "serviceaccounts"]
```

Now you can assign this ClusterRole to the cluster administrators (e.g. the group bofh_accounts):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-administrators
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonator
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: bofh_accounts
```

Any user in the group bofh_accounts can now perform administration tasks with:

```
kubectl --as=$USER --as-group=system:masters delete node
```

The provided kubectl plugin is just a wrapper for kubectl to shorten the --as and --as-group part.


Place kubectl-sudo anywhere in your $PATH with execute permissions. For further information, see the official plugin documentation.

Plugin Compatibility

Works on systems with /bin/sh and kubectl >= 1.12. kubectl must be inside $PATH.


This plugin can be configured using environment variables:

  • KUBECTL_SUDO_PROMPT=true whether or not the plugin prompts the user before executing the kubectl command. Default value is false.
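To make the wrapper concept concrete, here is an added re-implementation of the idea in Python; it is not the project's own plugin (which is a /bin/sh script). It composes the `--as=$USER --as-group=system:masters` command line shown above, honours the documented KUBECTL_SUDO_PROMPT variable, and then hands off to kubectl. The function names and the fallback to the login name when $USER is unset are assumptions of this example.

```python
import getpass
import os
import shlex
import subprocess
import sys


def sudo_argv(args, user=None, group="system:masters", kubectl="kubectl"):
    """Build the kubectl command line the wrapper runs.

    The caller keeps their own identity via --as=<user> and only borrows the
    group, so the audit log still names who issued the request.
    """
    if user is None:
        # $USER as in the README; fall back to the login name if it is unset (assumption)
        user = os.environ.get("USER") or getpass.getuser()
    return [kubectl, f"--as={user}", f"--as-group={group}", *args]


def wants_prompt(env=None):
    """KUBECTL_SUDO_PROMPT=true enables the confirmation prompt; default is false."""
    env = os.environ if env is None else env
    return env.get("KUBECTL_SUDO_PROMPT", "false").strip().lower() == "true"


def confirm(cmd, ask=input):
    """Show the exact command and ask before running it; only y/yes continues."""
    print("about to run: " + shlex.join(cmd), file=sys.stderr)
    return ask("continue? [y/N] ").strip().lower() in ("y", "yes")


def main(argv):
    if not argv:
        print("usage: kubectl sudo <kubectl arguments>", file=sys.stderr)
        return 2
    cmd = sudo_argv(argv)
    if wants_prompt() and not confirm(cmd):
        print("aborted", file=sys.stderr)
        return 1
    # Run kubectl with the impersonation flags and propagate its exit status.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Saved as `kubectl-sudo` on $PATH, this behaves like the shell plugin: `kubectl sudo get nodes` becomes `kubectl --as=<you> --as-group=system:masters get nodes`.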

Similar projects