Example tool for cleaning up untrusted kubeconfig files. Implements a simple approach, and while it can be used to check kubeconfig files, it's not particularly practical.
In its current state it mainly serves as an illustration for a blog post about The dark side of sharing kubeconfig files
We are happy to discuss the idea and the issue.
You can download, compile and install the tool to your local Go bin directory with the following command:
go get github.com/banzaicloud/kubeconfiger/cmd/kubeconfigerThe tool will either write an error message to stderr, or copy a trustable single-context kubeconfig file to the standard output. Use input redirection for saving the file (beware that it can't directly be used to filter a file in-place).
kubeconfiger < untrusted-config.yaml > trusted-config.yamlAt the time exec authentication helpers are supported only.
To whitelist a command, symlink it to ~/.kube/bin/.
package kubeconfiger // import "github.com/banzaicloud/kubeconfiger"
func CleanConfig(in *clientcmdapi.Config) (*clientcmdapi.Config, error)
func CleanKubeconfig(in []byte) ([]byte, error)