Kubernetes environments keep getting more complex. Between multi-cloud setups, edge deployments, and a growing list of compliance requirements, keeping your clusters locked down is no small task. Security teams need to move fast, catch misconfigurations early, and spot threats before they become incidents.
That’s where kubectl plugins come in.
These tools extend kubectl with extra functionality—everything from digging into RBAC permissions to sniffing network traffic or pulling in secrets from your cloud provider. They help you move faster, see more, and tighten up security across your clusters.
In this post, we’ve rounded up the top kubectl plugins for security teams in 2025. Whether you’re chasing down suspicious behavior, trying to get better visibility into access controls, or just looking to automate the boring stuff, there’s something here for you.
What are Kubectl plugins (and why should security teams care)?
Kubectl plugins are command-line extensions that add extra functionality to the standard kubectl tool. They’re usually small, purpose-built tools that integrate directly into your workflow. Instead of switching between tools or writing custom scripts, you can run something like kubectl access-matrix or kubectl sniff right from your terminal and get targeted output fast.
For security engineers, these plugins are especially useful. They can help you:
- Audit permissions and visualize RBAC configs
- Trace network activity or pod-level syscalls for suspicious behavior
- Manage secrets more securely (and with fewer manual steps)
- Speed up incident response with real-time visibility
- Stay compliant by making policy enforcement and access reviews easier
In short, the top kubectl plugins for security engineers aren’t just nice to have—they’re essential for working efficiently and reducing risk across your Kubernetes environment.
That said, plugins come with some caveats. Not all plugins are maintained regularly, and some may not be officially audited. Installing them often means granting access to your cluster’s data or credentials. So before rolling them out, it’s worth checking:
- Is the plugin actively maintained and open source?
- Does it align with your org’s security policies?
- Can it be restricted or sandboxed in CI/CD pipelines?
- Does it expose sensitive data or logs?
Used carefully, kubectl plugins can be a huge force multiplier for security teams. The key is choosing the right ones for your needs—and knowing how to use them safely.
Top Kubectl plugins for security engineers (2025 edition)
| Plugin Name | Maintained (2025) | K8s Support | Security Use Case | Notes |
|---|---|---|---|---|
| access-matrix | ✅ Yes | 1.30+ | RBAC auditing | Visualizes access rights across resources. (GitHub) |
| rolesum | ✅ Yes | 1.28+ | Role summaries & access reviews | Summarizes roles for users, groups, or service accounts. (GitHub) |
| kubectl-trace | ⚠️ Partial | 1.29+ | Syscall tracing (eBPF) | Schedules bpftrace programs; last release in 2021. (GitHub) |
| kubectl-capture | ✅ Yes | 1.30+ | Pod-level syscall capture | Triggers system call captures using Sysdig. (GitHub) |
| ksniff | ⚠️ Partial | 1.27+ | Packet capture | Utilizes tcpdump and Wireshark; last release in 2020. (GitHub) |
| np-viewer | ✅ Yes | 1.31+ | Network policy visualization | Visualizes network policy rules. (GitHub) |
| kubectl-cilium | ⚠️ Partial | 1.30+ | CNI-level network observability | Interacts with Cilium; last release in 2021. (GitHub) |
| kubelogin | ✅ Yes | 1.28+ | OIDC login helper | Facilitates Azure authentication. (GitHub) |
| rbac-tool | ⚠️ Partial | 1.26+ | Role-based access analysis | May need updates for latest APIs. |
| kubectl-whisper-secret | ⚠️ Partial | 1.30+ | Encrypted secret management | Creates secrets via secure input; last updated in 2021. (GitHub) |
| kubectl-ssm-secret | ⚠️ Partial | 1.29+ | AWS Parameter Store integration | Imports secrets from AWS SSM; last updated in 2019. (GitHub) |
| cert-manager plugin | ✅ Yes | 1.30+ | Certificate lifecycle management | Manages cert-manager resources. (Docs) |
| inspektor-gadget | ✅ Yes | 1.31+ | eBPF-based observability & debugging | Transitioning to image-based gadgets; built-in gadgets deprecated. (Blog) |
| kube-policy-advisor | ✅ Yes | 1.30+ | Policy linting & least privilege checks | Generates Pod Security Policies or OPA policies. (GitHub) |
| stern | ✅ Yes | 1.28+ | Multi-pod log tailing | Tails logs from multiple pods and containers. (GitHub) |
Access control & RBAC auditing
These plugins make it easier to understand, audit, and troubleshoot Kubernetes RBAC configurations. Whether you’re trying to tighten permissions, investigate misconfigurations, or prepare for a compliance review, these tools give you the visibility you need.
1. access-matrix – Visualize who has access to what
Why it’s useful: When debugging security incidents or doing access reviews, it helps to see—at a glance—what users and service accounts can do across the cluster. access-matrix (formerly rakkess) gives you a matrix-style view of RBAC permissions by resource type.
Security use cases:
- Quickly audit permissions for least-privilege compliance
- Detect over-permissive roles or cluster-admin sprawl
- Validate access scopes during onboarding/offboarding
Example usage:
kubectl access-matrix --as dev-team --namespace prod
2. rolesum – Summarize RBAC roles for any identity
Why it’s useful: rolesum is a simple but powerful plugin that outputs all effective permissions granted to a user, group, or service account—including cluster roles and bindings. It’s great for quick reviews and debugging unexpected access issues.
Security use cases:
- Validate what a service account can actually do
- Troubleshoot privilege escalation vectors
- Perform targeted access reviews
Example usage:
kubectl rolesum -k ServiceAccount -n prod api-sa
GitHub: Ladicle/kubectl-rolesum
3. rbac-tool – Explore RBAC configs in detail
Why it’s useful: rbac-tool offers a CLI and UI to explore roles, cluster roles, and bindings in your cluster. It’s helpful when doing deeper permission audits or preparing documentation for compliance.
Security use cases:
- Navigate complex RBAC trees
- Identify unused or duplicate roles
- Prepare for access reviews
Example:
kubectl rbac-tool who-can get pods
GitHub: FairwindsOps/rbac-tool
⚠️ Note: While still useful, rbac-tool hasn’t seen active updates recently. Test in staging before using in newer clusters.
4. kube-policy-advisor – Spot overly permissive RBAC
Why it’s useful: This plugin scans existing RBAC permissions and generates recommendations for more secure policies. It’s great for enforcing least privilege and identifying potential risks early.
Security use cases:
- Flag roles with wildcards (*)
- Generate more restrictive policies
- Integrate with OPA or Kyverno
Example:
kubectl advise-policy inspect --namespace dev
GitHub: sysdiglabs/kube-policy-advisor
Runtime observability & incident response
When something goes wrong—or looks suspicious—you need fast, low-level visibility into what’s happening inside your pods. These plugins make it easier to trace syscalls, capture traffic, or dig into container behavior without slowing things down.
5. kubectl-capture – Capture container syscalls with Sysdig
Why it’s useful: Built by Sysdig Labs, kubectl-capture is a CLI tool for triggering syscall captures from live Kubernetes pods. It integrates with Falco and Sysdig to produce rich trace data without needing sidecars or persistent agents.
Security use cases:
- Investigate a potentially compromised workload
- Audit unexpected behavior in real time
- Collect forensic evidence during incident response
Example:
kubectl capture start -n prod -p web-pod
GitHub: sysdiglabs/kubectl-capture
6. kubectl-trace – Run dynamic BPF tracing on demand
Why it’s useful: This plugin lets you launch bpftrace programs directly on Kubernetes pods to trace system calls, file access, and network behavior. While not updated recently, it still serves as a powerful tool for one-off investigations.
Security use cases:
- Capture granular runtime behavior (e.g. execve, open)
- Monitor for signs of malware or suspicious shell activity
- Trace performance bottlenecks or syscall misuse
Example:
kubectl trace run nginx -e 'tracepoint:syscalls:sys_enter_execve { printf("%s\n", comm); }'
⚠️ Note: kubectl-trace has limited maintenance; test carefully in modern clusters.
7. inspektor-gadget – Powerful eBPF-based visibility suite
Why it’s useful: inspektor-gadget is a collection of eBPF tools bundled into a single CLI plugin for Kubernetes. It supports tracing syscalls, profiling containers, and inspecting network behavior. Though heavier than other tools, it’s actively maintained and rapidly evolving.
Security use cases:
- Monitor pod/container behavior without agents
- Detect spikes in system call usage
- Capture detailed runtime telemetry for threat hunting
Example:
kubectl gadget top syscalls -n dev
✅ In 2025, the project is migrating to image-based gadgets for easier deployment.
Network security & traffic visibility
Network misconfigurations and over-permissive connections are a common source of security risk in Kubernetes. These kubectl plugins help security teams visualize traffic, capture packets, and enforce network policies with confidence.
8. ksniff – Capture network packets from pods
Why it’s useful: ksniff bridges the gap between Kubernetes and classic networking tools. It uses tcpdump inside a target pod and streams packets to your local Wireshark instance. While it’s not frequently maintained, it still works well for targeted, real-time debugging.
Security use cases:
- Investigate lateral movement across services
- Capture payloads for incident response or malware analysis
- Validate network policies by seeing what’s actually flowing
Example:
kubectl sniff auth-service-123 -n staging
⚠️ Not actively maintained—check compatibility with your CNI and runtime.
9. np-viewer – Visualize Kubernetes network policies
Why it’s useful: Writing and debugging Kubernetes network policies can be tricky. np-viewer makes it easier by visualizing the relationships between pods, services, and rules. It’s a lightweight way to catch misconfigurations before they become outages or exposures.
Security use cases:
- Validate that policies enforce least privilege
- Detect gaps or overly permissive ingress/egress
- Review policy impact during rollout
Example:
kubectl np-viewer -n production
GitHub: runoncloud/kubectl-np-viewer
10. kubectl-cilium – Manage and observe Cilium network policies
Why it’s useful: If your cluster uses Cilium as a CNI, this plugin gives you CLI-level access to Cilium-specific features like network flow inspection and policy management. Note that the plugin itself hasn’t been updated recently—Cilium’s Helm charts and CLI are more actively maintained.
Security use cases:
- Inspect service-to-service flows at Layer 7
- Manage Cilium network policies via kubectl
- Debug dropped or misrouted traffic
Example:
kubectl cilium monitor
GitHub: bmcustodio/kubectl-cilium
⚠️ Maintenance uncertain; newer alternatives may offer broader functionality.
Secrets management & identity plugins
Hardcoding secrets or manually managing certs can lead to serious security issues. These plugins help teams automate, encrypt, and externalize secret handling—so credentials stay safe and clusters stay clean.
11. kubectl-whisper-secret – Encrypt secrets before storing them
Why it’s useful: This plugin helps you avoid committing plaintext secrets to Git or injecting them directly into manifests. It integrates with Mozilla SOPS to create encrypted Kubernetes secrets locally, then safely applies them to your cluster.
Security use cases:
- Encrypt secrets with KMS, GPG, or age before committing
- Manage sensitive data in GitOps workflows
- Reduce secret exposure during deployment
Example:
kubectl whisper-secret apply -f secret.yaml
GitHub: rewanthtammana/kubectl-whisper-secret
⚠️ Last updated in 2021 — still useful but test with current SOPS versions.
12. kubectl-ssm-secret – Pull secrets from AWS SSM
Why it’s useful: Avoid hardcoding secrets into manifests by fetching them directly from AWS Systems Manager Parameter Store. This is especially helpful in cloud-native setups where you want centralized secrets without running a secrets manager inside Kubernetes.
Security use cases:
- Pull credentials securely from AWS at deployment time
- Eliminate in-cluster secret sprawl
- Integrate with IAM roles for fine-grained access
Example:
kubectl ssm-secret deploy /app/db-password --name db-secret
GitHub: pr8kerl/kubectl-ssm-secret
⚠️ Plugin hasn’t been updated recently; test before production use.
13. cert-manager kubectl plugin – Manage TLS certs in Kubernetes
Why it’s useful: If you’re using cert-manager for automated certificate provisioning, this plugin gives you quick access to inspect CertificateRequests, Issuers, and Certificates via kubectl. It’s lightweight and actively maintained.
Security use cases:
- Troubleshoot failed certificate renewals
- Monitor expiration dates and issuer issues
- Integrate cert status into CI/CD checks
Example:
kubectl cert-manager status certificate prod-app-tls
14. kubelogin – Authenticate via OIDC (e.g. Azure AD)
Why it’s useful: If your cluster uses OIDC-based authentication (e.g., Azure AD, Google Cloud), kubelogin helps users generate and renew their credentials from the terminal. It simplifies federated access without needing a browser.
Security use cases:
- Automate developer logins via OAuth2 flows
- Replace static kubeconfigs with short-lived tokens
- Enforce identity-based access via cloud IAM
Example:
kubelogin get-token --login azurecli
15. stern – Tail logs across multiple pods in real time
Why it’s useful: stern is a kubectl plugin that lets you stream logs from multiple pods and containers at once, with built-in support for regex filtering, JSON parsing, and colored output. It’s incredibly useful during incident response, letting you quickly zero in on noisy or anomalous behavior across a deployment.
Security use cases:
- Monitor for recurring error patterns or exploit attempts
- Trace log events across pods during a suspected attack
- Correlate workload behaviors across namespaces during an incident
Example:
stern payment-api -n prod
With these plugins in your toolbox, you’ll be better equipped to secure your clusters without slowing down development.
DIY kubectl plugins
You can write a plugin in any programming language or script that can be run as a command-line program. No installation or pre-loading step is required: kubectl discovers plugins by name on your PATH, which makes building and shipping them simple.
Plugin executables receive the inherited environment from the kubectl binary.
The plugin will then determine which command path it wishes to implement based on the name – for example, a plugin named kubectl-sysdig provides a command kubectl sysdig.
You must install the plugin executable somewhere in your PATH.
A plugin script would look something like this:
#!/bin/bash

# optional argument handling
if [[ "$1" == "version" ]]
then
    echo "1.0.0"
    exit 0
fi

# optional argument handling
if [[ "$1" == "config" ]]
then
    echo "$KUBECONFIG"
    exit 0
fi

echo "I am a plugin named kubectl-sysdig"
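The same plugin mechanism works in any language. The script below is an added example (not from the post or the Kubernetes docs): a hypothetical plugin named kubectl-wildcard-roles that reads Role/ClusterRole JSON and flags rules granting "*" for apiGroups, resources or verbs, the check the kube-policy-advisor section above describes. The role list is a constructed sample; the kubectl call in load_roles is only used when --sample is not given.

```python
#!/usr/bin/env python3
"""kubectl-wildcard-roles: hypothetical kubectl plugin (added example, not from
the post). Installed on PATH it runs as `kubectl wildcard-roles [-n NS] [--sample]`
and flags Role/ClusterRole rules granting '*' for apiGroups, resources or verbs."""
import json
import subprocess
import sys

# Constructed sample in the shape of `kubectl get clusterroles -o json`.
SAMPLE_ROLE_LIST = {"items": [
    {"metadata": {"name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "too-broad"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
               {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "aggregated"}, "rules": None},  # rules can be null
]}

def find_wildcard_rules(role_list):
    """Return (role, namespace, rule index, offending fields) for each rule using '*'."""
    findings = []
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        for idx, rule in enumerate(role.get("rules") or []):
            fields = [f for f in ("apiGroups", "resources", "verbs")
                      if "*" in (rule.get(f) or [])]
            if fields:
                findings.append((meta["name"], meta.get("namespace", ""), idx, fields))
    return findings

def load_roles(namespace=None):
    """Fetch roles via kubectl; the plugin inherits kubectl's environment (KUBECONFIG)."""
    cmd = ["kubectl", "get", "roles" if namespace else "clusterroles", "-o", "json"]
    if namespace:
        cmd += ["-n", namespace]
    return json.loads(subprocess.check_output(cmd))

def main(argv):
    if argv[1:] == ["version"]:  # same optional subcommand as the docs script
        print("1.0.0")
        return 0
    namespace = argv[argv.index("-n") + 1] if "-n" in argv else None
    roles = SAMPLE_ROLE_LIST if "--sample" in argv else load_roles(namespace)
    findings = find_wildcard_rules(roles)
    for name, ns, idx, fields in findings:
        print(f"{ns + '/' if ns else ''}{name}: rule[{idx}] uses '*' in {', '.join(fields)}")
    return 1 if findings else 0  # non-zero exit so a CI job can fail on findings

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `kubectl wildcard-roles --sample` to see the output on the built-in sample; against a live cluster the non-zero exit status lets a pipeline fail when a wildcard rule appears.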
Top 15 kubectl plugins – Wrapping up
That’s our roundup of the top kubectl plugins for security engineers in 2025. From access control to network visibility and secrets management, these tools help you go deeper with kubectl and tighten up your Kubernetes security posture without slowing down delivery.
At Sysdig, we’re big believers in shifting security left—embedding runtime insights, threat detection, and compliance directly into your DevOps workflows. Whether you’re investigating suspicious behavior with kubectl-capture, reviewing RBAC configs, or hardening your network policies, plugins like these are a great first step. If you’re looking to go even further with real-time detection, audit trails, and cloud-native forensics – Sysdig can help.
Note: This is a rewrite of an earlier 2023 article written by Nigel Douglas.