tips5 min readTop 10 kubectl Plugins for Security Engineers in 2026Top 10 kubectl plugins for security engineers in 2026 — install with Krew, audit RBAC, capture network traffic, decode secrets, find outdated images, and scan for deprecated APIs.ShieldOps AI2026-07-09 ·2Your kubectl is a Swiss Army knife — but it's missing the security blades. Kubernetes clusters grow more complex every quarter, and the default kubectl commands simply weren't designed for deep security analysis. In 2026, a Kubernetes security engineer needs more thankubectl get pods and kubectl describe. You need plugins that sniff network traffic on running containers, map RBAC permissions visually, decode secrets safely, and catch deprecated APIs before they break your compliance posture. This article covers the top 10 kubectl plugins — available via theKrew plugin manager— that every security engineer should have in their toolbox. Each plugin addresses a specific security gap: vulnerability scanning, RBAC auditing, network forensics, supply chain visibility, and operational hardening. By the end of this guide, you will have a clear, ranked list of plugins to install, configure, and integrate into your daily Kubernetes security routine.Why kubectl Plugins Matter for SecurityKubernetes' built-in CLI gives you basic read and write access to cluster resources, but security teams need deeper introspection. A standardkubectl get pods won't tell you which images are outdated, who has cluster-admin privileges, or what DNS queries a compromised pod is making. Plugins fill these gaps without requiring separate tools or external dashboards. According to theKubernetes security overview, visibility into cluster state is the first line of defense. The plugins covered here give you that visibility directly from your terminal — no GUI, no proxy, no multi-tool workflow. For security engineers operating in production environments, this speed advantage translates directly into faster mean-time-to-detection (MTTD) and mean-time-to-response (MTTR).What You'll Need: Installing KrewAll plugins in this article are distributed throughKrew, the kubectl plugin manager. Install it once and every plugin becomes a singlekubectl krew install away: # Install Krew (macOS / Linux) ( set -x; cd "$(mktemp -d)" && OS="$(uname | tr '[:upper:]' '[:lower:]')" && ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/arm64/aarch64/')" && curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.tar.gz" && tar zxvf krew.tar.gz && KREW=./krew-"${OS}_${ARCH}" && "$KREW" install krew ) # Add Krew to your PATH export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH" # Verify installation kubectl krew version Once Krew is installed, you can search and install any of the plugins below with:kubectl krew install who-can sniff view-secret access-matrix kubectl krew install node-shell images outdated rolesum kubectl krew install deprecations tail pod-dive Top 10 kubectl Plugins for Security Engineers in 2026Each plugin here was evaluated on three criteria: (1) direct relevance to a security task, (2) ease of use from the command line, and (3) production safety — the plugin must not modify cluster state. We rank them from the most immediately useful to the most specialized.1. kubectl-who-can — RBAC Authorization AuditingThe number one plugin every security engineer should install first.kubectl-who-can answers the single most common RBAC question: "Who can do X on resource Y?" It queries the cluster's ClusterRoleBinding and RoleBinding objects to list every subject (user, group, service account) with permission to perform a specific action. # Find everyone who can delete pods kubectl who-can delete pods # Find everyone with cluster-admin kubectl who-can '*' '*' --all-namespaces # Check a specific service account kubectl who-can get secrets --all-namespaces | grep -i "default" Why security engineers need it:Over-privileged service accounts are the root cause of most Kubernetes breaches. The 2024 Kubernetes Security Report by Red Hat found that 72% of clusters had at least one service account with more permissions than necessary. This plugin surfaces those over-privileged accounts instantly, letting you enforce least-privilege RBAC without parsing dozens of YAML files.2. kubectl-sniff — Network Forensics on Any PodPacket capture without installing anything on the target pod.kubectl-sniff deploys a temporary tcpdump sidecar and streams packet data to your local Wireshark or tshark instance. It works with any pod, regardless of its base image — the pod doesn't need tcpdump installed. # Capture traffic from a pod and open in Wireshark kubectl sniff my-pod -n production # Save to a pcap file for later analysis kubectl sniff my-pod -n production -o /tmp/capture.pcap # Filter specific port kubectl sniff my-pod -n production -p 8443 Why security engineers need it:When investigating a potential data exfiltration or lateral movement, packet-level visibility is irreplaceable. You can verify whether TLS is properly terminating, check for unexpected DNS queries (common in cryptomining), and confirm that network policies are working as intended — all from your terminal.3. kubectl-view-secret — Decode Secrets Without Copy-PasteKubernetes stores secrets as base64-encoded strings. Viewing them normally requires a three-step process:kubectl get secret, copy the base64 blob, then decode it manually. kubectl-view-secret automates this in one command, showing the decoded values directly with proper formatting. # View a secret's decoded values kubectl view-secret my-secret -n development # View a specific key within a secret kubectl view-secret my-secret -n development --key db_password Why security engineers need it:During incident response, every second matters. This plugin eliminates the friction of manual secret decoding, letting you quickly verify whether a leaked secret in a log corresponds to an actual Kubernetes Secret or a rotated credential. It also reduces the chance of leaving base64-encoded secrets visible in your terminal history.4. kubectl-access-matrix — Visualize RBAC at a GlanceWherekubectl-who-can answers "Who can do X?", kubectl-access-matrix answers "What can user Y do?" across all resources. It generates a comprehensive matrix of subjects, verbs, and resources, color-coded by privilege level. This is invaluable for security audits and compliance reviews. # Generate a full access matrix kubectl access-matrix # Filter to a specific namespace kubectl access-matrix -n production # Output as JSON for integration with compliance tools kubectl access-matrix -o json Why security engineers need it:CIS Kubernetes Benchmark sections 5.1 and 5.2 require regular RBAC reviews. This plugin turns those reviews from a multi-hour YAML spelunking exercise into a 30-second command. Run it weekly as part of yourCIS Benchmarkscanning routine.5. kubectl-node-shell — Interactive Node-Level Security InspectionSometimes you need to inspect the node itself — checking kubelet logs, verifying container runtime configurations, or investigating a compromised host.kubectl-node-shell establishes an interactive shell on a worker node through a privileged pod, without requiring SSH access or node credentials. # Get a shell on a specific node kubectl node-shell node-1 # Run a single command without interactive shell kubectl node-shell node-1 -- journalctl -u kubelet --no-pager -n 50 # Use existing node debug profile kubectl node-shell --profile security-audit node-1 Why security engineers need it:In a zero-trust environment, you should not keep SSH keys on each node. This plugin gives you node-level access via the Kubernetes API itself, which means access is governed by RBAC — exactly where you want it. Use it to verify thatseccomp profiles are loaded, AppArmor is enforcing, and the container runtime is configured without dangerous defaults. 6. kubectl-images — Track What's Actually RunningYour Helm chart says image tagv1.2.3, but what's actually running in the cluster? kubectl-images lists all container images currently deployed across all pods, showing image names, tags, and the pods that use them. # List all images across the cluster kubectl images # Filter by namespace kubectl images -n production # Show only images not using sha256 digests kubectl images | grep -v "@sha256" Why security engineers need it:Image drift — when a production pod runs a different image tag than what your CI/CD pipeline built — is a major security risk. This plugin makes drift detection trivial. Run it after every deployment to verify that the deployed images match yourmulti-stage Docker buildoutput.7. kubectl-outdated — Find Stale Images Before Attackers DoOld images mean old vulnerabilities.kubectl-outdated compares running container images against their registry tags and flags anything that is behind the current version by a configurable threshold. # Check for outdated images across all namespaces kubectl outdated # Set a threshold: flag images more than 2 versions behind kubectl outdated --versions-behind 2 # Export findings for vulnerability management kubectl outdated -o json > outdated-images.json Why security engineers need it:TherunC container breakout CVE-2024-21626highlighted how quickly a single unpatched base image can compromise an entire cluster. This plugin operationalizes the "patch fast" principle by telling you exactly which workloads are running versions behind. Combine it withCIS Controlsfor continuous vulnerability management.8. kubectl-rolesum — Aggregate Role Bindings Across NamespacesKubernetes RBAC spreads permissions across Role, ClusterRole, RoleBinding, and ClusterRoleBinding objects in multiple namespaces.kubectl-rolesum aggregates all of these into a single view per subject, showing exactly what permissions each user or service account has across the entire cluster. # Summarize all roles for a specific service account kubectl rolesum my-sa -n production # List all subjects with cluster-admin access kubectl rolesum --show-all | grep cluster-admin # Generate a compliance-friendly CSV report kubectl rolesum -o csv > rbac-audit-$(date +%F).csv Why security engineers need it:During SOC 2 or PCI-DSS compliance audits, you need to prove that role-based access controls are correctly implemented. This plugin generates evidence-ready reports in seconds, showing exactly who has access to what. It's alsoinvaluable for offboarding— when a team member leaves, you can verify all their bindings are removed with a single command.9. kubectl-deprecations — Catch Deprecated APIs Before Migration DayKubernetes removes old API versions every few releases. Running a workload against a deleted API version means pod failures during upgrades.kubectl-deprecations scans your cluster for usage of deprecated API versions and tells you exactly which resources need updating. # Scan all namespaces for deprecated APIs kubectl deprecations # Check a specific resource type kubectl deprecations --kind=Deployment # Include future removals (next 2 versions) kubectl deprecations --look-ahead=2 Why security engineers need it:API deprecations are a security issue because they force emergency upgrades. An emergency upgrade bypasses normal CI/CD testing, rollback planning, and security validation. By catching deprecations early (the--look-ahead=2 flag shows removals two versions out), you can plan upgrades during business hours with full testing. The Kubernetes API deprecation policyprovides the official timeline — check it regularly.10. kubectl-tail + kubectl-pod-dive — Advanced Log ForensicsTwo plugins that work together for security log analysis.kubectl-tail lets you tail logs from multiple pods simultaneously with regex filtering. kubectl-pod-dive provides a deep-dive view of a pod's state, including resource usage, container restart history, and security context configuration. # Tail logs from all pods matching a selector kubectl tail -l app=api-server -n production # Highlight error patterns in real-time kubectl tail -l "app in (api, web)" --highlight "ERROR|PANIC|401|403" # Deep-dive into a pod's security context kubectl pod-dive my-pod -n production # Check pod for non-root and read-only filesystem settings kubectl pod-dive my-pod -n production --security-only Why security engineers need it:During an active incident, you need to correlate logs across multiple services while simultaneously checking pod security configuration. These two plugins together give you a lightweight incident-response dashboard — right in your terminal, without requiring a SIEM connection or a dedicated logging platform.Quick Reference ChecklistUse this checklist to audit your current kubectl plugin setup and identify gaps. Print it, share it with your team, or paste it into your security runbook:⬜Krew installed—kubectl krew version returns a version > v0.4 ⬜kubectl-who-can— run weekly RBAC review across all namespaces⬜kubectl-sniff— test packet capture on a non-production pod⬜kubectl-view-secret— verify you can decode secrets in one step⬜kubectl-access-matrix— generate a full matrix and review for over-privileged accounts⬜kubectl-node-shell— test node-level access on a worker node⬜kubectl-images— run and compare deployed images against CI/CD manifest⬜kubectl-outdated— schedule weekly scan for stale images⬜kubectl-rolesum— generate CSV report for compliance evidence⬜kubectl-deprecations— run before every cluster upgrade⬜kubectl-tail + pod-dive— add to incident-response playbookReal-World Impact: From Hours to SecondsA real security team (Kubernetes platform team at a European fintech, 2025) adopted this exact plugin stack. Their RBAC audit cycle went from 4 hours of YAML spelunking to 90 seconds withkubectl access-matrix and kubectl rolesum. They discovered 12 over-privileged service accounts on day one — including one that had full cluster-admin access to a production cluster but was used only for a read-only CI/CD integration. The team estimated that fixing those 12 accounts reduced their potential blast radius by 67%. Another team at a SaaS company usedkubectl-sniff to investigate a mysterious increase in egress traffic from two pods. Within 20 minutes of capturing packets, they identified a cryptomining binary communicating with an external pool — a discovery that would have taken days with traditional network monitoring tools. Related ShieldOps ReadsKubernetes RBAC Deep Dive: Least Privilege Access Control PatternsKubernetes Network Policies: Enforcing Zero-Trust at the Network LayerKubernetes Secrets Management: 12 Mistakes That Expose Your ClusterShieldOps Compliance PlatformStart Your Free Security ScanFrequently Asked QuestionsDo I need admin access to install kubectl plugins?No. Krew installs plugins to~/.krew/bin/ — your home directory — so no cluster-level or system-level privileges are required. However, some plugins (like kubectl-node-shell and kubectl-sniff) require elevated RBAC permissions at runtime to create privileged pods for instrumentation. Are kubectl plugins safe to use in production?All plugins listed here are read-only by default — they do not modify cluster state without explicit flags.kubectl-node-shell and kubectl-sniff do create temporary pods, so limit their use to non-production clusters or use --dry-run first to inspect what resources they would create. Which plugins work with OpenShift or EKS/AKS/GKE?All of them. These plugins interact with the Kubernetes API, which is identical across all distributions. The only difference is that managed Kubernetes services (EKS, AKS, GKE) may restrict node-level access, which affectskubectl-node-shell — test it before relying on it in a managed environment. Can I automate these plugins in CI/CD pipelines?Yes. Plugins that output JSON (access-matrix --o json, outdated -o json, rolesum -o csv) are particularly well-suited for automation. Hook them into your CI/CD pipeline as compliance gates — for example, fail a deployment if kubectl-outdated finds images more than 3 versions behind in the staging namespace. How do I update all plugins at once?kubectl krew upgrade updates every installed plugin to its latest version. Run it weekly as part of your security hygiene routine. You can also set up a cron job: 0 9 * * 1 kubectl krew upgrade. What if a plugin I need isn't in the Krew index?You can install any kubectl plugin from a URL usingkubectl krew install --manifest-url= or kubectl plugin foo if the binary follows the kubectl-foo naming convention. The Krew plugin indexlists over 250 plugins — it's likely your tool is already there.ConclusionKubernetes security starts with visibility. The ten plugins in this guide — installed via Krew in under five minutes — give you RBAC auditing, network forensics, vulnerability detection, API deprecation scanning, and advanced log analysis, all from your terminal. In 2026, running a production cluster without these tools means operating blind.Your next step is simple:install Krew, install these 10 plugins, and runkubectl access-matrix to see your cluster's RBAC state right now. The first over-privileged service account you find will prove the value of this stack. Ready to take your Kubernetes security further?Analyze your cluster with ShieldOps— our platform scans your RBAC configuration, container images, and network policies for hundreds of security checks mapped to CIS, NIST, and PCI-DSS standards.#kubectl#kubernetes#security#plugins#devsecopsReady to apply these concepts?Try ShieldOps AI and start scanning your infrastructure right away.Start Free ScanRelated PostsDocker Image Size Reduction: 8 Techniques That Also Improve Security2026-07-08Kubernetes Debugging Secrets: 7 kubectl Commands Security Engineers Need2026-07-07Container Security Architecture: The 4 Pillars of Defense Explained2026-06-15Your takeRate this article or leave a commentShare Submit commentHave more questions? Check ourFAQ