Kubesafe

April 4, 2026 · View on GitHub

Kubesafe 🔁 Tired of accidentally running dangerous commands on the wrong Kubernetes cluster? Meet kubesafe — your safety net for cluster management.

kubesafe allows you to safely run commands acrosss multiple Kubernetes contexts. By allowing you to mark specific contexts as "safe" and define a list of protected commands, kubesafe makes sure you never accidentally run a dangerous command on the wrong cluster.

Key Features:

🚀 Works with any Kubernetes tool: kubesafe can wraps any CLI that targets a Kubernetes cluster. Whether you're using kubectl, helm, or any other tool, kubesafe has you covered.
🛡️ Context Protection with Custom Commands: Mark one or more contexts as "safe" and define a list of commands that require confirmation before execution.
🔄 Flexible and Customizable: Easily configure protected contexts and commands to suit your workflow.

How does it work?

Simply prepend kubesafe to any command you want to run:

# Example with kubectl
kubesafe kubectl delete pod my-pod

# Example with Helm
kubesafe helm upgrade my-release stable/my-chart

Kubesafe seamlessly wraps any CLI command you provide as the first argument (e.g., kubectl, helm, kubecolor, etc.). If you attempt to run a protected command in a safe context, kubesafe will prompt you for confirmation before proceeding.

For convenience, you can set aliases in your shell configuration:

alias kubectl='kubesafe kubectl'
alias helm='kubesafe helm'

Now, every time you use kubectl or helm, kubesafe will automatically protect your commands!

To manage your safe contexts and protected commands, see the Managing contexts section.

Installation

Install with Homebrew (Mac/Linux)

$ brew tap Telemaco019/kubesafe
$ brew install kubesafe

Install with Go

$ go install github.com/telemaco019/kubesafe/kubesafe@latest

For shell completion setup, see Shell completion.

Managing contexts

Kubesafe makes it easy to manage your safe contexts and protected commands. To see all available options, run:

kubesafe --help

Add a safe context

To add a safe context, simply execute:

kubesafe context add

Kubesafe will guide you interactively to select a context to mark as "safe" and choose the commands you want to protect. Alternatively, you can add a safe context directly by specifying its name:

kubesafe context add my-context

The provided value can also be a regular expression to match multiple contexts:

kubesafe context add "prod-.*"

This will mark all context starting with prod- as safe.

Define custom protected commands

By default, kubesafe allows you to interactively choose commands to protect from a predefined list. However, if you prefer to specify your own custom commands, you can provide them as a comma-separated list like this:

kubesafe context add my-context --commands "delete,apply,upgdrade"

List safe contexts

To display all your configured safe contexts and their protected commands, use:

kubesafe context list

Remove a safe context

To remove a context from your list of safe contexts, run:

kubesafe context remove my-context

Show context statistics

To view usage statistics for your safe contexts, including how many times protected commands were blocked, use:

kubesafe stats

Non-interactive mode

Kubesafe supports a non-interactive mode, which can be enabled by adding the --no-interactive flag directly after the kubesafe command.

In this mode, kubesafe will skip confirmation prompts and automatically abort the command if it is protected.

Example:

kubesafe --no-interactive kubectl delete pod my-pod

VSCode Integration

You can hook up kubesafe with the Kubernetes VSCode Extension to add an extra safety layer to your workflow. Once set up, you'll get a warning popup whenever you try to run a protected command in a safe context.

Just make sure kubesafe is running in non-interactive mode (--no-interactive) and tell the extension to use kubesafe as your kubectl command.

How to configure the Kubernetes VSCode Extension

The extension settings only allows to set the kubectl path, so you need to create a shell script that calls kubesafe with the --no-interactive flag.

Create a file named kubesafe-kubectl and give it execution permissions:
```
cat <<'EOT' > kubesafe-kubectl
#!/bin/sh
kubesafe --no-interactive kubectl "$@"
EOT

chmod +x kubesafe-kubectl
```
Set the path to the kubesafe-kubectl script in the Kubernetes extension settings:
- Open the VSCode settings (Cmd + , on Mac, Ctrl + , on Windows/Linux)
- Search for Kubernetes: Kubectl Path
- Set the value of the setting Vscode-kubernetes: Kubectl-path to the path of the kubesafe-kubectl script.
Screenshot
That's it! Now, whenever you run a kubectl command in VSCode, you'll get a warning popup if you try to run a protected command in a safe context.

Example

Shell completion

Kubesafe supports shell completion for Bash, Zsh, and Fish. The completion scripts automatically delegate to the wrapped command's completion system when completing subcommands (e.g., kubesafe kubectl get <TAB> uses kubectl's completions).

Bash

# Load completions for commands you want to wrap (required for delegation)
source <(kubectl completion bash)
source <(helm completion bash)  # Add other commands as needed

# Load kubesafe completion
source <(kubesafe completion bash)

To load completions for each session, add the above lines to your ~/.bashrc.

Zsh

# Load completions for commands you want to wrap (required for delegation)
source <(kubectl completion zsh)
source <(helm completion zsh)  # Add other commands as needed

# Load kubesafe completion
source <(kubesafe completion zsh)

To load completions for each session, add the above lines to your ~/.zshrc.

Fish

# Load completions for commands you want to wrap (required for delegation)
kubectl completion fish | source
helm completion fish | source  # Add other commands as needed

# Load kubesafe completion
kubesafe completion fish | source

To load completions for each session, run:

kubesafe completion fish > ~/.config/fish/completions/kubesafe.fish

Similar tools

Kubesafe draws inspiration from existing kubectl plugins that offer similar features but are restricted to working exclusively with kubectl:

kubectl-prompt: A kubectl plugin that displays a warning prompt when issuing commands in a flagged cluster or namespace
kubectl-safe: A kubectl plugin to prevent shooting yourself in the foot with edit commands.

License

This project is licensed under the Apache License. See the LICENSE file for details.