Install kubectl Plugins with Krew [Step-by-Step]

Krew is the plugin manager for kubectl – the Kubernetes command-line tool. It works like apt or brew but specifically for kubectl plugins, letting you discover, install, and manage plugins from a centralized plugin index with a single command. As of version 0.5.0, Krew hosts over 200 plugins that extend kubectl with capabilities ranging from context switching to network traffic sniffing.

Original content from computingforgeeks.com - post 78765

This guide walks through installing Krew, searching and managing plugins, and covers the most useful kubectl plugins every Kubernetes admin should have. We also cover creating custom plugins and compare Krew-managed installs to manual plugin management.

Prerequisites

Before you begin, make sure you have the following in place:

A working Kubernetes cluster – if you need one, follow our guide on deploying a Kubernetes cluster with Kubeadm
kubectl installed and configured (v1.12 or later) – see our kubectl guide if needed
git installed on your local machine (Krew uses git to fetch the plugin index)
curl or wget for downloading the Krew binary

Step 1: Install Krew Plugin Manager

Krew installs as a kubectl plugin itself. The installation script downloads the correct binary for your OS and architecture, then bootstraps Krew by installing itself.

Run the following one-liner to install Krew on Linux or macOS:

(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)

After the script completes, add the Krew binary directory to your PATH. Open your shell configuration file:

vi ~/.bashrc

Add this line at the end:

export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"

For Zsh users, add the same line to ~/.zshrc instead. Then reload your shell:

source ~/.bashrc

Verify the installation by checking the Krew version:

kubectl krew version

You should see output confirming Krew v0.5.0 (or later) is installed:

OPTION            VALUE
GitTag            v0.5.0
GitCommit         xxxxxxx
IndexURI          https://github.com/kubernetes-sigs/krew-index.git
BasePath          /home/user/.krew
IndexPath         /home/user/.krew/index/default
InstallPath       /home/user/.krew/store
BinPath           /home/user/.krew/bin
DetectedPlatform  linux/amd64

Step 2: Search for kubectl Plugins

Krew maintains a curated index of plugins. Before installing anything, update the local plugin index to get the latest list:

kubectl krew update

Search for plugins by keyword. For example, to find plugins related to namespaces:

kubectl krew search ns

This returns a list of matching plugins with their descriptions and installation status:

NAME       DESCRIPTION                                      INSTALLED
ns         Switch between Kubernetes namespaces              no
rbac-tool  Plugin to analyze RBAC permissions and generate   no
access-matrix  Show an RBAC access matrix for server...     no

To list all available plugins in the Krew index:

kubectl krew search

To get detailed information about a specific plugin before installing:

kubectl krew info ctx

The info output shows the plugin version, homepage, description, and supported platforms.

Step 3: Install kubectl Plugins with Krew

Installing a plugin is a single command. Krew downloads the binary, verifies its checksum, and places it in your PATH automatically.

kubectl krew install ctx

After installation, the plugin is immediately available as a kubectl subcommand:

kubectl ctx

This lists all available Kubernetes contexts from your kubeconfig. To install multiple plugins in one command:

kubectl krew install ns neat whoami tree

List all currently installed plugins to confirm:

kubectl krew list

The output shows each installed plugin with its version:

PLUGIN  VERSION
ctx     v0.9.5
krew    v0.5.0
neat    v2.0.4
ns      v0.9.5
tree    v0.4.3
whoami  v0.0.51

Step 4: Essential kubectl Plugins Every Admin Needs

Out of the 200+ plugins in the Krew index, these eight are the ones we use daily in production Kubernetes environments. If you manage clusters regularly, these save real time.

ctx – Switch Kubernetes Contexts

The ctx plugin switches between Kubernetes contexts without typing long kubectl config use-context commands. Essential when managing multiple clusters.

kubectl krew install ctx

List all contexts and switch interactively:

kubectl ctx

Switch directly to a named context:

kubectl ctx my-production-cluster

ns – Switch Kubernetes Namespaces

The ns plugin sets the default namespace for your current context. No more adding -n namespace to every command.

kubectl krew install ns

Switch to the monitoring namespace:

kubectl ns monitoring

Run kubectl ns without arguments to list all namespaces and pick one interactively.

neat – Clean Up kubectl Output

When you export a resource with kubectl get -o yaml, the output is cluttered with managed fields, status blocks, and annotations you do not need. The neat plugin strips all that out, giving you a clean YAML manifest ready for version control.

kubectl krew install neat

Export a clean deployment manifest:

kubectl get deployment nginx -o yaml | kubectl neat

The output is a minimal YAML file with only the fields you originally defined – no metadata noise.

whoami – Check Current User Identity

The whoami plugin shows which user or service account your current kubeconfig is authenticated as. Useful for debugging RBAC issues when you are not sure which identity is making API calls.

kubectl krew install whoami

Check your current identity:

kubectl whoami

The output shows the username, groups, and authentication method for your current context.

access-matrix – Visualize RBAC Permissions

The access-matrix plugin displays a matrix of RBAC permissions showing which actions (get, list, create, delete) are allowed for each resource type. This is far more readable than parsing kubectl auth can-i output one resource at a time. For more on Kubernetes access management, see our guide on Active Directory authentication for kubectl.

kubectl krew install access-matrix

Show RBAC access matrix for the current namespace:

kubectl access-matrix

Show permissions for a specific service account:

kubectl access-matrix --sa default:my-service-account

tree – View Resource Ownership Hierarchy

The tree plugin shows parent-child relationships between Kubernetes resources. Pass it a resource and it displays all owned objects in a tree structure – Deployment to ReplicaSet to Pods, for example.

kubectl krew install tree

View the resource tree for a deployment:

kubectl tree deployment nginx

The output clearly shows which ReplicaSets and Pods belong to the deployment, making it easy to trace issues through the ownership chain.

images – List Container Images in a Cluster

The images plugin lists all container images running across your cluster or in a specific namespace. Useful for security audits, finding outdated images, or tracking what is deployed where.

kubectl krew install images

List all images running in the cluster:

kubectl images --all-namespaces

The output shows each pod, its namespace, and the container images it runs – sorted for easy scanning.

sniff – Capture Pod Network Traffic

The sniff plugin captures network traffic from a running pod using tcpdump and streams it to your local Wireshark instance. This is the fastest way to debug network issues in Kubernetes without exec-ing into containers.

kubectl krew install sniff

Capture traffic from a pod (requires Wireshark installed locally):

kubectl sniff my-pod -n default

This injects a tcpdump sidecar, captures packets, and opens them in Wireshark on your machine. Add -f "port 80" to filter by port.

Step 5: Update Krew Plugins

Plugins receive updates independently. First update the Krew index to get the latest plugin versions, then upgrade installed plugins.

Update the plugin index:

kubectl krew update

Upgrade all installed plugins to their latest versions:

kubectl krew upgrade

To upgrade a specific plugin only:

kubectl krew upgrade ctx

Run kubectl krew update && kubectl krew upgrade periodically – once a week or before major cluster operations – to keep plugins current.

Step 6: Uninstall kubectl Plugins

Remove plugins you no longer need with the uninstall command. This deletes the plugin binary from your Krew store.

kubectl krew uninstall sniff

Confirm the plugin was removed:

kubectl krew list

The uninstalled plugin should no longer appear in the list. You can reinstall it later with kubectl krew install sniff if needed.

Step 7: Create a Custom kubectl Plugin

Any executable file in your PATH named kubectl-<name> becomes a kubectl plugin automatically. Krew is not required for custom plugins – kubectl discovers them by naming convention. This is useful for team-specific workflows that do not belong in the public Krew index.

Create a simple plugin that lists pods sorted by restart count:

vi ~/.krew/bin/kubectl-restarts

Add the following script content:

#!/bin/bash
# kubectl plugin: show pods sorted by restart count
NAMESPACE="${1:---all-namespaces}"
if [ "$NAMESPACE" != "--all-namespaces" ]; then
  NAMESPACE="-n $1"
fi
kubectl get pods $NAMESPACE -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .status.containerStatuses[*]}{.restartCount}{"\t"}{end}{"\n"}{end}' | sort -t$'\t' -k3 -rn | head -20

Make it executable:

chmod +x ~/.krew/bin/kubectl-restarts

Verify kubectl discovers your custom plugin:

kubectl plugin list

Your plugin should appear in the output. Now use it:

kubectl restarts kube-system

This shows the top 20 pods in the kube-system namespace sorted by restart count – a quick way to spot unstable pods. You can write plugins in any language (Bash, Python, Go) as long as the binary is executable and named correctly.

Step 8: Krew vs Manual Plugin Installation

You can install kubectl plugins without Krew by downloading binaries and placing them in your PATH manually. Both approaches work, but they differ in important ways for day-to-day operations.

Krew-managed installation gives you centralized updates (krew upgrade updates everything at once), checksum verification on download, and a single command to discover available plugins. The tradeoff is that only plugins listed in the Krew index are available this way.

Manual installation means downloading the binary from the plugin’s GitHub releases page, placing it in a directory on your PATH, and managing updates yourself. This works for any plugin regardless of whether it is in the Krew index, and gives you full control over versions. The downside is you must track updates manually across every plugin.

For teams managing production clusters, we recommend Krew for standard plugins and manual installation only for private or custom plugins not in the Krew index. If you manage your cluster with Helm, you will find Krew fits naturally into the same workflow of declarative tool management.

Feature	Krew	Manual Install
Discovery	`krew search` – browse 200+ plugins	Search GitHub/docs yourself
Installation	Single command with checksum verification	Download, extract, move to PATH
Updates	`krew upgrade` – batch update all	Check each project individually
Private plugins	Not supported (public index only)	Full support
Version pinning	Limited – uses latest in index	Full control over versions
Uninstall	`krew uninstall name`	Manually delete the binary

Top 15 kubectl Plugins Reference

This table covers the most widely used kubectl plugins available through Krew. These are the plugins we have seen used most across production Kubernetes environments and our own kubectl workflows.

Plugin	Install Command	Purpose
ctx	`kubectl krew install ctx`	Switch between Kubernetes contexts quickly
ns	`kubectl krew install ns`	Switch default namespace for current context
neat	`kubectl krew install neat`	Clean up verbose YAML output from kubectl get
whoami	`kubectl krew install whoami`	Show current authenticated user and groups
access-matrix	`kubectl krew install access-matrix`	Display RBAC access matrix for resources
tree	`kubectl krew install tree`	Show resource ownership tree (Deployment to Pod)
images	`kubectl krew install images`	List container images running in the cluster
sniff	`kubectl krew install sniff`	Capture pod network traffic with tcpdump/Wireshark
tail	`kubectl krew install tail`	Stream logs from multiple pods simultaneously
node-shell	`kubectl krew install node-shell`	Open a shell directly on a Kubernetes node
resource-capacity	`kubectl krew install resource-capacity`	Show resource requests and limits per node
view-secret	`kubectl krew install view-secret`	Decode and display Kubernetes secrets
cert-manager	`kubectl krew install cert-manager`	Manage cert-manager resources and certificates
rbac-tool	`kubectl krew install rbac-tool`	Analyze and generate RBAC policies
stern	`kubectl krew install stern`	Multi-pod log tailing with color-coded output

Conclusion

Krew makes kubectl plugin management straightforward – install, update, and remove plugins with single commands instead of tracking binaries manually. The eight essential plugins covered here (ctx, ns, neat, whoami, access-matrix, tree, images, sniff) cover the most common gaps in kubectl’s built-in functionality for cluster administration.

For production environments, combine Krew plugins with proper RBAC policies so team members have the right access levels. Keep plugins updated regularly, and consider writing custom plugins for repetitive team-specific tasks that are not covered by the Krew index.