- Go 1.25 or later
- kubectl (for integration tests)
- kind and Docker (for full integration tests)
git clone https://github.com/Evaneos/kubectl-readonly.git
cd kubectl-readonly
# Unit tests only
make test
# Smoke tests (fast, no cluster needed, uses --readonly-check-ok)
make test-smoke
# Full integration tests (requires kind and Docker)
make test-integration
# All tests: unit -> smoke -> integration
make test-all
- Unit tests (main_test.go): Test the command validation logic directly
- Smoke tests (smoke_test.go): Test the binary with the --readonly-check-ok flag (fast, no cluster)
- Integration tests (integration_test.go): Test against a real kind cluster
# Build binary
make build
# Install to $GOPATH/bin
make install
golangci-lint run ./...
# or
make lint
When in doubt, block. This tool prefers false negatives (blocking legitimate commands) over false positives (allowing dangerous commands). If a command isn't explicitly in the allowlist, it's blocked.
This tool prevents accidental destructive operations, not malicious attacks. See the README for the full threat model.
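The "when in doubt, block" rule can be sketched as a default-deny check. This is an added example, not the project's own code: the allowlist entries and the checkCommand function are hypothetical and only illustrate the principle.

```go
package main

import (
	"fmt"
	"strings"
)

// allowlist is constructed for this example; it is NOT the project's real list.
// A nil entry means the verb is allowed on its own; a non-nil entry means the
// verb is allowed only together with one of the listed subcommands.
var allowlist = map[string]map[string]bool{
	"get":      nil,
	"describe": nil,
	"logs":     nil,
	"rollout":  {"status": true, "history": true},
	"config":   {"view": true, "current-context": true},
}

// checkCommand returns nil only when args match the allowlist.
// Anything it cannot classify is blocked (default deny).
func checkCommand(args []string) error {
	if len(args) == 0 {
		return fmt.Errorf("blocked: no command given")
	}
	verb := args[0]
	// A leading flag makes the verb position ambiguous: block rather than guess,
	// even though this rejects some legitimate commands.
	if strings.HasPrefix(verb, "-") {
		return fmt.Errorf("blocked: flag %q before verb", verb)
	}
	subs, ok := allowlist[verb]
	if !ok {
		return fmt.Errorf("blocked: verb %q is not in the allowlist", verb)
	}
	if subs == nil {
		return nil
	}
	if len(args) < 2 || !subs[args[1]] {
		return fmt.Errorf("blocked: %q requires an allowlisted subcommand", verb)
	}
	return nil
}

func main() {
	for _, cmd := range []string{"get pods", "rollout status deploy/web",
		"rollout restart deploy/web", "delete pod web", "-n prod get pods"} {
		fmt.Printf("%-28s -> %v\n", cmd, checkCommand(strings.Fields(cmd)))
	}
}
```

The last sample command is a legitimate read that still gets blocked, which is the trade-off the paragraph above accepts.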
- Fork the repository
- Create a feature branch
- Add tests for any new functionality
- Ensure all tests pass (make test-all)
- Submit a pull request
Releases are automated via GitHub Actions when a tag is pushed.
- Update version (if needed in code):
# Version is injected via ldflags from git tags, no code change needed
- Create and push a tag:
# List existing tags
git tag -l
# Create a new tag (follow semver)
git tag v0.3.0
# Push the tag to trigger the release
git push origin v0.3.0
- Wait for CI: GitHub Actions will:
  - Run all tests
  - Build binaries for all platforms (Linux, macOS, Windows × amd64, arm64)
  - Create a GitHub release with binaries and checksums
  - Generate changelog from commits
- Verify the release: Check the releases page
Follow Semantic Versioning:
- v1.0.0 - Major: breaking changes
- v1.1.0 - Minor: new features, backward compatible
- v1.1.1 - Patch: bug fixes
Krew is the kubectl plugin manager. Publishing allows users to install with kubectl krew install readonly.
- Create a release (see above)
- Generate the Krew manifest:
# This downloads checksums from the release and generates the manifest
make krew-manifest VERSION=v0.3.0 > readonly.yaml
- Fork and clone krew-index:
git clone https://github.com/YOUR_USERNAME/krew-index.git
cd krew-index
- Add the plugin manifest:
cp /path/to/readonly.yaml plugins/readonly.yaml
- Test locally:
kubectl krew install --manifest=plugins/readonly.yaml
kubectl readonly get pods
kubectl krew uninstall readonly
- Submit a PR to kubernetes-sigs/krew-index:
  - Title: Add readonly plugin
  - Include a description of what the plugin does
After each new release:
- Generate updated manifest:
make krew-manifest VERSION=v0.4.0 > readonly.yaml
- Submit a PR to krew-index updating plugins/readonly.yaml:
  - Title: Update readonly to v0.4.0
  - The PR should only change the version and SHA256 checksums
A template manifest is available at plugins/readonly.yaml. The make krew-manifest command generates a complete manifest with correct SHA256 checksums from a GitHub release.
If you discover a security vulnerability, please open an issue or contact the maintainers directly.
# Build and test plugin mode
make build
export PATH="$PWD:$PATH"
kubectl readonly get pods
# Create a test cluster
kind create cluster --name test
# Run tests
make test-integration
# Cleanup
kind delete cluster --name test
# or
make clean-kind