DEV.co
Open-Source DevOps · cyberark

kubeletctl

Kubeletctl is a command-line tool that provides direct access to the kubelet API on Kubernetes nodes, supporting both documented and undocumented endpoints. It enables auditing, debugging, and administrative operations on containers and pods at the node level, including command execution, log retrieval, and service account extraction.

Source: GitHub — github.com/cyberark/kubeletctl
899
GitHub stars
89
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorycyberark/kubeletctl
Ownercyberark
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars899
Forks89
Open issues6
Latest releasev1.13 (2025-01-12)
Last updated2025-08-06
Sourcehttps://github.com/cyberark/kubeletctl

What kubeletctl is

Written in Go, kubeletctl implements a client that communicates with the kubelet API (default port 10250) over HTTPS with certificate-based authentication. It exposes commands for container execution, metrics collection, pod enumeration, and network scanning, abstracting the complexity of direct kubelet API interactions.

Quickstart

Get the kubeletctl source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/cyberark/kubeletctl.gitcd kubeletctl# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Kubernetes Cluster Auditing & Security Assessment

Scan for exposed kubelet APIs across nodes and verify API security posture, identifying misconfigured nodes that allow unauthenticated or unauthorized access.

Node-Level Debugging & Troubleshooting

Execute commands directly on containers, retrieve logs, collect metrics, and inspect pod metadata without relying on kubectl or control-plane access, useful when the API server is unavailable or for low-level diagnostics.

Incident Response & Forensics

Extract service account tokens, capture container snapshots, and retrieve runtime information for post-incident analysis and threat investigation at the node level.

Implementation considerations

  • Requires direct network access to kubelet port (default 10250) on target nodes; plan firewall and RBAC rules accordingly.
  • Authentication via client certificates or kubeconfig is required; manage certificate distribution and rotation securely.
  • Understanding of kubelet API surface is essential; refer to the API_TABLE.md in the repo or use the built-in help to enumerate available endpoints.
  • Container runtime interface (CRI) operations are supported; compatibility depends on the container runtime and kubelet configuration.
  • Service account token extraction is possible; implement controls to prevent unauthorized token harvest in sensitive environments.

When to avoid it — and what to weigh

  • Multi-cluster management is primary use case — Kubeletctl operates on individual nodes; it is not designed for coordinated cluster-wide operations. Use kubectl or cluster APIs for higher-level orchestration.
  • Production environment with strict change control — The tool enables direct node API access and command execution; organizations with strict change control and audit requirements should restrict use and implement additional governance layers.
  • Need for automated reconciliation or declarative management — Kubeletctl is imperative and read-focused; it does not manage resource state or perform declarative updates. Use kubectl apply or operators for declarative infrastructure.
  • Undocumented API dependency in production workflows — The README states most kubelet API endpoints are undocumented; relying on these in production workflows risks breakage across Kubernetes version upgrades.

License & commercial use

Licensed under Apache License 2.0 (SPDX: Apache-2.0), a permissive OSI-approved license. Allows commercial use, modification, and distribution with attribution and license notice requirements.

Apache-2.0 permits commercial use without additional license fees. Ensure compliance by including the original license notice and documenting any modifications. No warranty is provided; use is at your own risk. Consult legal counsel for mission-critical deployments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Kubeletctl provides direct access to node-level APIs; its power introduces operational risk. Key considerations: (1) Restrict deployment and use to authorized personnel only; (2) Audit and log all invocations; (3) Use strong certificate-based authentication; (4) Be aware that extracted service account tokens grant pod-scoped permissions; (5) Test in non-production first to understand exposure. The tool does not sanitize or validate user input beyond standard Go practices; standard CLI injection risks apply.

Alternatives to consider

kubectl debug / kubectl exec

Standard Kubernetes tools for pod-level debugging; require control-plane access and RBAC but are simpler and safer for most use cases.

kubelet API via curl + client certificates

Direct HTTP/HTTPS calls to kubelet; lower-level and more transparent but requires manual endpoint knowledge and error handling.

Container runtime CLI (crictl, docker exec)

Direct container runtime interfaces; avoid the kubelet layer but require node shell access and runtime-specific knowledge.

Software development agency

Build on kubeletctl with DEV.co software developers

Download kubeletctl or review the source code on GitHub. Start with a security scan of your cluster to identify exposed kubelet endpoints, then plan remediation.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

kubeletctl FAQ

Can I use kubeletctl without a kubeconfig file?
Yes. Use --ignore-config flag, then specify --server, --port, --cert, --key, and optionally --cacert to connect directly to a node's kubelet API.
What is the difference between 'exec' and 'cri' commands?
Not explicitly documented in the provided data. Refer to 'kubeletctl exec --help' and 'kubeletctl cri --help' for command-specific details or the GitHub repo documentation.
Can kubeletctl run on Windows?
Yes. The build process and releases include windows/amd64 and windows/386 binaries. However, functionality is tested primarily on Linux; Windows compatibility not explicitly detailed.
Does kubeletctl support kubelet API scanning without credentials?
Yes, the 'scan' command can attempt unauthenticated connections to detect exposed kubelet APIs; specify a CIDR range with --cidr flag. Success depends on kubelet's authentication policy.

Software developers & web developers for hire

Adopting kubeletctl is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.

Ready to audit your Kubernetes nodes?

Download kubeletctl or review the source code on GitHub. Start with a security scan of your cluster to identify exposed kubelet endpoints, then plan remediation.