⚠️ Disclaimer: This tool is under active development. Features are limited, APIs may change, and code may undergo drastic revisions.
The kubectl-tenant plugin extends kubectl with the tenant command group, enabling secure, close-to-native interactions with Stakater's Multi Tenant Operator.
It provides tenant-scoped Kubernetes operations to simplify cluster multi-tenancy and improve security by filtering results according to tenant context.
# List all tenant-scoped resources
kubectl tenant get <resource> <tenant>
# Get a specific tenant-scoped resource
kubectl tenant get <resource> <tenant> <resource-name>
# Examples
kubectl tenant get storageclasses my-tenant # List all storage classes
kubectl tenant get namespaces my-tenant my-namespace # Get specific namespace- Adds a
kubectl tenantsubcommand set. - Functions like
kubectl get <resource>but filters output for the specified tenant. - Ensures tenants can only discover their own resources instead of all resources available in the cluster (limitation of native RBAC on
list). - Supports both listing all tenant resources and getting specific resources with tenant access validation.
| Resource | Command Keyword |
|---|---|
| Storage Classes | storageclasses |
| Namespaces | namespaces |
- A running cluster with Multi Tenant Operator installed.
kubectl(orocon OpenShift).
Download the prebuilt binary for your platform from the GitHub Releases, place it somewhere on your system, and make sure that directory is in your $PATH.
# Download for your OS/Arch
curl -L https://github.com/stakater/kubectl-tenant/releases/download/v0.0.1/kubectl-tenant-linux-amd64 -o kubectl-tenant
chmod +x kubectl-tenant
mv kubectl-tenant ~/.local/bin/ # ensure this path is in your $PATHStorage Classes
List all storage classes for a tenant:
kubectl tenant get storageclasses my-tenantExample output:
NAME PROVISIONER AGE
my-tenant-sc kubernetes.io/no-provisioner 5d
my-tenant-fast kubernetes.io/aws-ebs 3dGet a specific storage class:
kubectl tenant get storageclasses my-tenant my-tenant-scExample output:
NAME PROVISIONER AGE
my-tenant-sc kubernetes.io/no-provisioner 5dNamespaces
List all namespaces for a tenant:
kubectl tenant get namespaces my-tenantExample output:
NAME AGE
my-tenant-prod 5d
my-tenant-staging 7d
my-tenant-sandbox 10dGet a specific namespace:
kubectl tenant get namespaces my-tenant my-tenant-prodExample output:
NAME STATUS AGE
my-tenant-prod Active 5d
If you prefer to build the plugin yourself:
# Clone the repository
git clone https://github.com/stakater/kubectl-tenant.git
cd kubectl-tenant
# Build and install the plugin
go build -o kubectl-tenant
mv kubectl-tenant ~/.local/bin/make testE2E tests run against a real Kubernetes cluster with Multi Tenant Operator installed.
Prerequisites:
Run all steps manually:
| Target | Description |
|---|---|
make e2e-setup |
Creates a k3d cluster, installs cert-manager, MTO, and creates a TenantQuota |
make e2e |
Runs the e2e tests against the cluster |
make e2e-cleanup |
Deletes the k3d cluster |
Run everything in one command:
make e2e-fullThis will create the cluster, run tests, and delete the cluster automatically.
This plugin includes built-in documentation generation using Cobra's doc generator. The generated Markdown files provide a complete CLI reference that is suitable for users, maintainers, and AI/LLM indexing.
Generate documentation:
kubectl-tenant docs # Generates in ./docs/
kubectl-tenant docs -o /custom/path # Custom output directoryThe documentation is automatically generated and updated during releases, and can be found in the docs/ directory.
- Multi Tenant Operator: https://www.stakater.com/multi-tenant-operator
- Tenant Operator Docs: https://docs.stakater.com/mto/latest/index.html
- kubectl Plugin Mechanism: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/
- OpenShift
ocPlugin Docs: https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/cli_tools/openshift-cli-oc#cli-extend-plugins
- Additional tenant-scoped resources (IngressClasses, etc.).
Apache 2.0