Restrict sub-commands #400

JimBugwadia · 2026-03-16T22:16:53Z

JimBugwadia
Mar 16, 2026

Any thoughts on providing the ability to restrict sub-commands?

For example, to run kubectl in a sandbox container and only allow get operations.

When running in Kubernetes, RBAC can be used.

But for additional security, is it possible to restrict usage of the CLI to a set of sub-commands?

  "commands": {
    "allow": [
      "kubectl get", 
      "kubectl logs",
      "kubectl describe"
    ]
  },

lukehinds · 2026-03-17T11:13:44Z

lukehinds
Mar 17, 2026
Maintainer

Let me come back to you shortly on this @JimBugwadia , its a tricky one, but I have something experimental which may work. The crux of why this becomes a challenge is that we don't get to see flags that are used, we just see a syscall. So the flags are already ingested into the application by the time it reaches us.

0 replies

kipz · 2026-03-17T11:52:33Z

kipz
Mar 17, 2026

FWIW, my experiment over here supports this: #336

0 replies

lukehinds · 2026-03-28T09:23:11Z

lukehinds
Mar 28, 2026
Maintainer

@JimBugwadia / @kipz sorry for late reply , I need to get better at tracking discussions

@kipz , going to respond as the tool sandboxing is definately something we should get in, I have it working on linux

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Restrict sub-commands #400

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Restrict sub-commands #400

Uh oh!

Uh oh!

JimBugwadia Mar 16, 2026

Replies: 3 comments

Uh oh!

lukehinds Mar 17, 2026 Maintainer

Uh oh!

kipz Mar 17, 2026

Uh oh!

lukehinds Mar 28, 2026 Maintainer

JimBugwadia
Mar 16, 2026

lukehinds
Mar 17, 2026
Maintainer

kipz
Mar 17, 2026

lukehinds
Mar 28, 2026
Maintainer