Have you ever hopped inside a pod and quickly debugged something using kubectl exec? It's useful, but it has a big flaw: there is no audit trail. kubectl-rexec can help with that.

The kubectl exec Issue

When you run:

    kubectl exec -it mypod -- bash

you're doing things live inside the container. However, Kubernetes doesn't keep track of what you do there, including the commands you typed, the files you handled, and the logs you viewed. This poses a significant risk to production systems, where you want security, traceability, and observability.

A plugin called kubectl-rexec adds auditing and takes the place of kubectl exec. Everything you do within the container is recorded, including commands and, if you allow it, keystrokes. It works particularly well in controlled environments. Think of it as kubectl exec with a security camera turned on.

Quick Setup Guide

Here's how to give it a quick try.

Set up the webhook and proxy

This installs the rexec backend service and turns off the built-in kubectl exec.

    kustomize build manifests/ | kubectl -n kube-system apply -f -

Install the kubectl-rexec plugin

Ensure that Go is installed and that your GOBIN is in the PATH.

    go install github.com/adyen/kubectl-rexec@latest

Run it the same way as kubectl exec

    kubectl rexec exec -ti some-pod -- bash

It works just like kubectl exec, but with complete logging!

Watch It Happen

To see what's happening, tail the rexec proxy's logs:

    kubectl -n kube-system logs -l app=rexec -f

The logs show which commands were executed, by whom, and inside which pods.
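For contrast with the rexec logs above, this added example (not from the kubectl-rexec project) shows what the API server's own audit log holds for a native kubectl exec: who opened the session, in which pod, and the initial command, but nothing typed afterwards. It assumes API server audit logging is enabled at the Metadata level or higher; the events, user names and pod names are constructed sample data.

```python
import json
from urllib.parse import urlsplit, parse_qs

def _event(audit_id, stage, user, verb, uri, subresource=None):
    """Build one constructed audit.k8s.io/v1 event line (sample data, not real logs)."""
    ref = {"resource": "pods", "namespace": "prod", "name": "mypod"}
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1",
                       "auditID": audit_id, "stage": stage, "verb": verb,
                       "requestURI": uri, "user": {"username": user},
                       "objectRef": ref})

POD = "/api/v1/namespaces/prod/pods/mypod"
BASH = POD + "/exec?command=bash&container=app&stdin=true&tty=true"
CAT = POD + "/exec?command=cat&command=%2Fetc%2Fhostname&container=app"
SAMPLE_AUDIT_LOG = "\n".join([
    _event("a1", "RequestReceived", "alice", "get", BASH, "exec"),
    _event("a1", "ResponseComplete", "alice", "get", BASH, "exec"),
    _event("b2", "ResponseComplete", "bob", "create", CAT, "exec"),
    _event("c3", "ResponseComplete", "carol", "get", POD),  # plain pod read
])

def exec_sessions(audit_log):
    """Return one record per pods/exec request in an API server audit log."""
    seen, sessions = set(), []
    for line in filter(str.strip, audit_log.splitlines()):
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if (ref.get("resource"), ref.get("subresource")) != ("pods", "exec"):
            continue
        if ev.get("auditID") in seen:  # one request is logged at several stages
            continue
        seen.add(ev.get("auditID"))
        query = parse_qs(urlsplit(ev["requestURI"]).query)
        sessions.append({
            "user": ev.get("user", {}).get("username"),
            "pod": f'{ref.get("namespace")}/{ref.get("name")}',
            "container": query.get("container", [None])[0],
            # argv handed to exec; nothing typed inside the session appears here
            "command": query.get("command", []),
            "interactive": query.get("tty", ["false"])[0] == "true",
        })
    return sessions

if __name__ == "__main__":
    for session in exec_sessions(SAMPLE_AUDIT_LOG):
        print(session)
```

For the interactive session the only recorded command is `bash`; everything run inside that shell is missing from the record.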
Important Configuration Settings

Here are a few helpful flags:

--audit-trace: Records each keystroke (for TTY sessions).
--by-pass-user: Allows you to skip auditing for system users (such as system:admin).
--by-pass-shared-key: Provides secure communication and is required when running multiple replicas.
--max-strokes-per-line: Adjusts how often keystrokes are flushed (the defaults are typically acceptable).

Important Information

Kubernetes v1.30+ or v1.29 and TranslateStreamCloseWebsocketRequests=true are required.
Versions older than 1.29 are not supported.
SPDY is not supported by this tool; it only works over WebSockets.

Real-World Applications

Examining internal developer activity in the production environment.
Regulatory compliance in healthcare or fintech.
Debugging with full visibility.

Summary

kubectl-rexec is a drop-in substitute for kubectl exec that offers improved control, auditing, and visibility. This plugin is essential if you work in settings where accountability is crucial. Try it out, audit your shell access, and keep your Kubernetes clusters secure!

Prefer watching instead of reading? Here's a quick video guide: https://youtu.be/5USr9LLKBCU?embedable=true