The Power of kubectl Plugins and Fixing Common Errors.
Learn kubectl plugin use cases, how they work, their alternatives, and how to troubleshoot errors like ‘unknown command’.
As a Kubernetes user, have you ever wished your kubectl could do more? Or hit an error like “error: unknown command ‘oidc-login’ for ‘kubectl’”?
In this Medium story, we’ll break down why plugins are game-changers, how they work, when to (or not to) use them, and alternatives, plus a real fix on Ubuntu 24.04 with Amazon EKS.
What Are kubectl Plugins?
kubectl plugins are CLI extensions that boost the standard kubectl tool with extra features. They’re lightweight, task-focused utilities that blend seamlessly into your Kubernetes routine. They add new commands without touching the core tool.
Basics: Plugins are standalone executables that introduce sub-commands (e.g., kubectl oidc-login).
Use case: When built-in tools fall short, like for custom authentication or debugging.
Why they’re good: Modular design, simple setup, community-backed; they speed up workflows without adding complexity.
Why Use kubectl Plugins?
Kubernetes is built for modularity, and its CLI follows suit. A plugin is an executable named kubectl-<name>.
Typing kubectl <name> triggers the CLI to scan your PATH and run it like a native command.
Use cases:
- Custom authentication: like kubectl oidc-login for OIDC (Dex, Keycloak, Azure AD, etc.)
- Inspection: kubectl tree, ctx for operators/developers.
- Automation: kubectl neat cleans manifests, sort-manifests optimizes.
- Security: kubectl who-can for audits, trace for runtime.
Benefit: Bridges basic kubectl to robust production setups.
When to Use (or Not)?
Use: To fill gaps in core kubectl and to boost efficiency and speed.
Not: When the built-in commands are enough. Avoid untrusted plugins: they run with kubectl permissions, which is a potential security risk. For scripting there are better alternatives (e.g., SDKs).
What Happens When a Plugin Is Missing? (a real use-case)
Real example on Ubuntu 24.04 LTS with Amazon EKS.
I ran this command after I imported the relevant kubeconfig file and I got an error:
$ kubectl get nodes --context <YOUR-CLUSTER-CONTEXT>
error: unknown command "oidc-login" for "kubectl"
E1104 07:21:55.470872XXXXX memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://XXXXXXXX.XX.XX-XXXX-X.eks.amazonaws.com/api?timeout=32s\": getting credentials: exec: executable kubectl failed with exit code 1
Reason? The OIDC plugin (kubectl oidc-login) wasn’t installed. Without it, kubectl can’t fetch OIDC tokens, so the API call fails.
How to Fix It?
Use Krew, the plugin manager.
What is Krew?
Krew is the official plugin manager for the kubectl command-line tool. It lets you discover, install, and update plugins directly on your system, keeping tools organized and current.
Let’s go and install Krew (follow the official Krew docs or run these commands):
# One-time install of krew
# Run in a subshell so that set -e and cd do not affect (or close) your interactive shell
(
  set -e
  cd "$(mktemp -d)"
  OS="$(uname | tr '[:upper:]' '[:lower:]')"
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/aarch64/arm64/' -e 's/armv.*/arm/')"
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew-${OS}_${ARCH}.tar.gz"
  tar zxvf "krew-${OS}_${ARCH}.tar.gz"
  ./krew-"${OS}_${ARCH}" install krew
)
# Make krew plugins available on PATH (persist for your shell)
echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> ~/.bashrc
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
Then run: kubectl krew install oidc-login
Afterwards, kubectl recognizes the plugin, and OIDC authentication should work.
Benefits of Using Plugins via Krew
Krew simplifies management like apt/brew/pip.
Advantages:
- Central repository of trusted plugins,
- Easy updates: kubectl krew upgrade,
- Per-user installation, no root required,
- Seamless PATH integration.
Security Note!
Always verify sources or stick to the official Krew Index to avoid untrusted binaries, as plugins inherit the same access permissions as kubectl.
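Because kubectl runs any executable on PATH whose name starts with kubectl-, it helps to know exactly which ones it can reach. The following is an added example, not part of the original post or of kubectl/Krew: audit_kubectl_plugins and its OK/WRITABLE/SHADOWED labels are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: inventory every kubectl plugin reachable through PATH.
# audit_kubectl_plugins is a hypothetical helper, not a kubectl or Krew command.
# Prints one line per plugin, "<status> <path>", where status is:
#   OK        first match on PATH, directory not writable by group/others
#   WRITABLE  first match, but its directory is group- or world-writable,
#             so another local account could replace or add a plugin there
#   SHADOWED  an earlier PATH entry already provides this plugin name,
#             so kubectl will never run this copy
audit_kubectl_plugins() {
  local path_value="${1:-$PATH}" dir file name perms status seen=":"
  local IFS=':'
  for dir in $path_value; do
    [ -n "$dir" ] || dir="."          # an empty PATH entry means the current directory
    [ -d "$dir" ] || continue
    perms="$(ls -ld "$dir/.")"        # "/." resolves symlinked directories such as /bin
    for file in "$dir"/kubectl-*; do
      # kubectl only runs regular, executable files
      [ -f "$file" ] && [ -x "$file" ] || continue
      name="${file##*/}"
      status="OK"
      case "$seen" in
        *":$name:"*) status="SHADOWED" ;;
        *) seen="$seen$name:" ;;
      esac
      if [ "$status" = "OK" ]; then
        case "$perms" in
          # 6th character = group write bit, 9th = others write bit
          ?????w*|????????w*) status="WRITABLE" ;;
        esac
      fi
      printf '%s %s\n' "$status" "$file"
    done
  done
}
# Usage: audit_kubectl_plugins            (audits the current $PATH)
#        audit_kubectl_plugins "/a:/b"    (audits an explicit list of directories)
```

Anything reported outside ${KREW_ROOT:-$HOME/.krew}/bin was not installed by Krew and deserves a look at where it came from.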
Alternatives to kubectl Plugins
While plugins enhance functionality flexibly, alternatives exist for extending Kubernetes interaction.
Each for different purposes:
- Plugins → Extend kubectl directly, minimal overhead
- Wrappers / SDKs → Ideal for CI/CD automation
- Cloud CLIs → Best for provider-specific operations
Final Thoughts
kubectl plugins demonstrate Kubernetes’ extensibility, customizing the CLI for any Kubernetes environment or workflow.
Which is the best plugin?
No “best”: find the most suitable for your use cases!
Let me recommend a few worth trying:
For Ops:
- kubectl preq: Analyze apps for bugs, misconfigs, anti-patterns.
- kubectl tail: Real-time log streaming, aggregate from multiple pods, better than logs -f.
- kubens: Switch namespaces instantly, companion to kubectx.
For Devs:
- kubectl score: Static analysis for YAML, lints/validates manifests.
For both:
- kubectl sniff: Run “tcpdump” inside Pods with Wireshark, capture network traffic.
Learn More!
- Kubernetes plugins: Extend kubectl with plugins
- Krew: Plugin manager for kubectl
- kubelogin: Plugin for Kubernetes OIDC auth
About the Author
I’m Róbert Zsótér, Kubernetes & AWS architect.
If you’re into Kubernetes, EKS, Terraform, and cloud-native security, follow my latest posts here:
- LinkedIn: Róbert Zsótér
- Substack: CSHU
Let’s build secure, scalable clusters, together.
Note: Originally published on Medium Extending Your Kubernetes CLI: kubectl Plugins and Fixes
