kubeletctl
Kubeletctl is a command-line tool that provides direct access to the kubelet API on Kubernetes nodes, supporting both documented and undocumented endpoints. It enables auditing, debugging, and administrative operations on containers and pods at the node level, including command execution, log retrieval, and service account extraction.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | cyberark/kubeletctl |
| Owner | cyberark |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 899 |
| Forks | 89 |
| Open issues | 6 |
| Latest release | v1.13 (2025-01-12) |
| Last updated | 2025-08-06 |
| Source | https://github.com/cyberark/kubeletctl |
What kubeletctl is
Written in Go, kubeletctl implements a client that communicates with the kubelet API (default port 10250) over HTTPS with certificate-based authentication. It exposes commands for container execution, metrics collection, pod enumeration, and network scanning, abstracting the complexity of direct kubelet API interactions.
Get the kubeletctl source
Clone the repository and explore it locally.
git clone https://github.com/cyberark/kubeletctl.gitcd kubeletctl# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires direct network access to kubelet port (default 10250) on target nodes; plan firewall and RBAC rules accordingly.
- Authentication via client certificates or kubeconfig is required; manage certificate distribution and rotation securely.
- Understanding of kubelet API surface is essential; refer to the API_TABLE.md in the repo or use the built-in help to enumerate available endpoints.
- Container runtime interface (CRI) operations are supported; compatibility depends on the container runtime and kubelet configuration.
- Service account token extraction is possible; implement controls to prevent unauthorized token harvest in sensitive environments.
When to avoid it — and what to weigh
- Multi-cluster management is primary use case — Kubeletctl operates on individual nodes; it is not designed for coordinated cluster-wide operations. Use kubectl or cluster APIs for higher-level orchestration.
- Production environment with strict change control — The tool enables direct node API access and command execution; organizations with strict change control and audit requirements should restrict use and implement additional governance layers.
- Need for automated reconciliation or declarative management — Kubeletctl is imperative and read-focused; it does not manage resource state or perform declarative updates. Use kubectl apply or operators for declarative infrastructure.
- Undocumented API dependency in production workflows — The README states most kubelet API endpoints are undocumented; relying on these in production workflows risks breakage across Kubernetes version upgrades.
License & commercial use
Licensed under Apache License 2.0 (SPDX: Apache-2.0), a permissive OSI-approved license. Allows commercial use, modification, and distribution with attribution and license notice requirements.
Apache-2.0 permits commercial use without additional license fees. Ensure compliance by including the original license notice and documenting any modifications. No warranty is provided; use is at your own risk. Consult legal counsel for mission-critical deployments.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Kubeletctl provides direct access to node-level APIs; its power introduces operational risk. Key considerations: (1) Restrict deployment and use to authorized personnel only; (2) Audit and log all invocations; (3) Use strong certificate-based authentication; (4) Be aware that extracted service account tokens grant pod-scoped permissions; (5) Test in non-production first to understand exposure. The tool does not sanitize or validate user input beyond standard Go practices; standard CLI injection risks apply.
Alternatives to consider
kubectl debug / kubectl exec
Standard Kubernetes tools for pod-level debugging; require control-plane access and RBAC but are simpler and safer for most use cases.
kubelet API via curl + client certificates
Direct HTTP/HTTPS calls to kubelet; lower-level and more transparent but requires manual endpoint knowledge and error handling.
Container runtime CLI (crictl, docker exec)
Direct container runtime interfaces; avoid the kubelet layer but require node shell access and runtime-specific knowledge.
Build on kubeletctl with DEV.co software developers
Download kubeletctl or review the source code on GitHub. Start with a security scan of your cluster to identify exposed kubelet endpoints, then plan remediation.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
kubeletctl FAQ
Can I use kubeletctl without a kubeconfig file?
What is the difference between 'exec' and 'cri' commands?
Can kubeletctl run on Windows?
Does kubeletctl support kubelet API scanning without credentials?
Software developers & web developers for hire
Adopting kubeletctl is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.
Ready to audit your Kubernetes nodes?
Download kubeletctl or review the source code on GitHub. Start with a security scan of your cluster to identify exposed kubelet endpoints, then plan remediation.