Automic Vault

brew package intelligence

kubernetes-cli

Automic Vault tracks kubernetes-cli because plain-text kubeconfig secrets matter when AI agents run command-line tools on macOS.

overview

What Automic Vault knows about kubernetes-cli

Kubernetes command-line interface

Homepage

Not present in the local metadata.

Commands and aliases

No executable aliases were found in the local package database.

radioisotope

Plain Text Kubeconfig Secrets

`kubectl` reads kubeconfig files that commonly contain bearer tokens, passwords, or embedded client private keys. Our isotope stores the kubeconfig in the macOS keychain and exposes it through a temporary KUBECONFIG file only while `kubectl` runs.

Local README excerpt

kubernetes-cli Radioisotope

kubectl reads kubeconfig files that commonly contain bearer tokens, passwords, client key paths, or embedded client key data.

This radioisotope migrates the default kubeconfig into the Automic Vault keychain and rewrites supported user entries to Kubernetes exec credential plugins that call `av credential-helper kubernetes`. The wrapper provides a short-lived approval token while `kubectl` is running.

Caveats

  • We currently migrate the default ~/.kube/config file only.
  • Multi-file KUBECONFIG setups must be migrated manually.
  • Only bearer-token and embedded client-certificate user credentials are migrated to the exec helper.
  • Passwords, auth-provider refresh credentials, and client-key file paths must be migrated manually.
  • Kubeconfigs that rely entirely on exec auth plugins may not contain migratable secrets.

Source: data/radioisotopes/kubernetes-cli/README.md

Caveats

  • We currently migrate the default ~/.kube/config file only.
  • Multi-file KUBECONFIG setups must be migrated manually.
  • Exec-plugin-only kubeconfigs may not contain migratable secrets.
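
An added example, not part of Automic Vault or its README: a read-only audit that sorts kubeconfig user entries into the categories the caveats above describe. It assumes JSON input such as the output of `kubectl config view -o json`; the function names and the sample data are constructed for illustration.

```python
import json

# Kubeconfig user fields, grouped by how the caveats on this page treat them.
HELPER = {"token", "client-key-data"}              # migrated to the exec helper
MANUAL = {"password", "client-key", "auth-provider"}  # must be migrated manually

def classify_users(kubeconfig_json):
    """Map each user name to a list of (field, handling) findings.

    Only field names are inspected; secret values are never returned.
    """
    cfg = json.loads(kubeconfig_json)
    report = {}
    for entry in cfg.get("users") or []:
        user = entry.get("user") or {}
        findings = []
        for field in sorted(user):
            if not user[field]:
                continue  # empty field holds no credential
            if field in HELPER:
                findings.append((field, "exec-helper"))
            elif field in MANUAL:
                findings.append((field, "manual"))
        if not findings and user.get("exec"):
            findings.append(("exec", "no-secret"))  # exec-plugin-only entry
        report[entry.get("name", "<unnamed>")] = findings
    return report

def needs_manual_migration(report):
    """Names of users with at least one credential the helper does not cover."""
    return sorted(n for n, f in report.items() if any(h == "manual" for _, h in f))

# Constructed sample; every value is a placeholder, not a real credential.
SAMPLE = json.dumps({"users": [
    {"name": "ci-bot", "user": {"token": "CONSTRUCTED-TOKEN"}},
    {"name": "dev-cert", "user": {"client-certificate-data": "CONSTRUCTED",
                                  "client-key-data": "CONSTRUCTED"}},
    {"name": "legacy", "user": {"username": "admin", "password": "CONSTRUCTED"}},
    {"name": "oidc", "user": {"auth-provider": {
        "name": "oidc", "config": {"refresh-token": "CONSTRUCTED"}}}},
    {"name": "file-key", "user": {"client-certificate": "/constructed/c.crt",
                                  "client-key": "/constructed/c.key"}},
    {"name": "cloud-exec", "user": {"exec": {"command": "constructed-plugin"}}},
]})

if __name__ == "__main__":
    for name, findings in classify_users(SAMPLE).items():
        print(f"{name}: {findings}")
```

Because only field names are read, the audit does not need the `--raw` form of the kubeconfig.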

install metadata

Resolver facts

Package key: brew:kubernetes-cli
Last updated: 2026-05-12T19:04:48Z
Pulse: updated

source trail

Generated from repository data

This page is regenerated by scripts/generate-pkg-pages.py. Deployments refuse to publish if www/pkg/ is stale relative to local package data.

Used sources

  • Nucleus package database
  • local isotope README
  • radioisotope security manifest