Automic VaultAutomic Vault

brew / protected-tool coverage

Install kubernetes-cli with Homebrew, chocolatey, winget, apk, apt, MacPorts, Nix, pacman, scoop

Kubernetes command-line interface. Version 1.36.2 via Homebrew; verified 2026-06-12.

agent safety

Agent safety answer

kubernetes-cli provides kubectl, which controls Kubernetes clusters and workloads.

Credential access

Reads kubeconfig, exec credentials, cluster tokens, and namespace context.

Remote mutation

Can create, patch, delete, scale, and exec into cluster workloads.

Publish/artifact risk

Can apply manifests that deploy or expose application artifacts.

Recommended control

Gate kubectl apply, delete, patch, exec, port-forward, and context changes.

Agent-use guidance

Allow get/describe with safe contexts; require approval for cluster writes and secret reads.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install kubernetes-cli

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install kubectl

MacPorts ports tree · sysutils/kubectl/Portfile · source: api.github.com

Linux

Alpine Linux apkverified · 92%
sudo apk add kubectl

Alpine Linux edge package indexes · kubectl · source: dl-cdn.alpinelinux.org

Debian aptverified · 92%
sudo apt install kubectl

Debian stable package indexes · kubectl · source: deb.debian.org

Nixverified · 92%
nix profile install nixpkgs#kubectl

nixpkgs package indexes · pkgs/by-name/ku/kubectl/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S kubectl

Arch Linux sync databases · kubectl · source: geo.mirror.pkgbuild.com

Windows

Chocolateyverified · 92%
choco install kubernetes-cli

Chocolatey community package catalog · kubernetes-cli · source: community.chocolatey.org

Windows Package Managerverified · 92%
winget install --id Kubernetes.kubectl -e

Windows Package Manager source index · Kubernetes.kubectl · source: cdn.winget.microsoft.com

Scoopverified · 92%
scoop install main/kubectl

Scoop official bucket manifest trees · bucket/kubectl.json · source: api.github.com

overview

Package summary

Kubernetes command-line interface

Commands and aliases

  • kubectl

history

Project history and usage

kubectl is the Kubernetes command-line client and the binary packaged by Homebrew as kubernetes-cli. It is the standard local interface for sending requests to the Kubernetes control plane, reading and writing objects, inspecting resources, and driving day-to-day cluster operations.

Project history

Kubernetes began as an open source Google project in 2014 and reached version 1.0 on July 21, 2015, alongside Google's announcement that the project would be donated to the newly formed Cloud Native Computing Foundation. kubectl evolved with the project as the human-facing client for the Kubernetes API.

Adoption history

As Kubernetes became the common substrate for cloud-native infrastructure, kubectl became one of the most widely installed operations binaries in developer and platform-engineering toolchains. Its packaging across Homebrew, Linux distributions, Chocolatey, Scoop, winget, Nix, MacPorts, and other systems reflects that it is both a developer tool and an infrastructure administration tool.

How it is used

kubectl reads kubeconfig data to select a cluster, user, namespace, and context, then communicates with the API server. Kubernetes documentation says kubectl looks for config in $HOME/.kube/config by default, while KUBECONFIG and --kubeconfig allow explicit or merged configuration files.

Why package nerds care

The kubernetes-cli package is significant because it decouples the local client from a full Kubernetes installation. Package managers let users pin or upgrade the client, match cluster version-skew policy, and keep scripts using a predictable kubectl binary without installing control-plane components.

Timeline

  • 2014: Kubernetes was released as an open source project.
  • 2015-07-21: Kubernetes 1.0 was released and the project was donated to the CNCF.
  • 2023-08-15: Kubernetes documented pkgs.k8s.io as community-owned package repositories for Kubernetes packages.
  • 2025-04-23: Kubernetes v1.33 was released.
  • 2025-08-27: Kubernetes v1.34 was released.

Related projects

  • kubectl is related to the Kubernetes API server, kubeconfig, client-go, kubeadm, kustomize, Helm, kubectl plugins, and the broader SIG CLI tooling ecosystem.

protected-tool coverage

Plain Text Kubeconfig Secrets

`kubectl` reads kubeconfig files that commonly contain bearer tokens or embedded client private keys. Our isotope stores supported user credentials in the macOS keychain, rewrites kubeconfig user entries to Kubernetes exec credential plugins, and exposes credentials through `av credential-helper kubernetes` only while `kubectl` runs.

Risk classifier

orange risk · high confidence · infrastructure

Why

  • cluster orchestration infrastructure

Signals

  • override:kubernetes-cli

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 3 build dependencies.

Local README excerpt

kubernetes-cli Protected-tool coverage

kubectl reads kubeconfig files that commonly contain bearer tokens, passwords, client key paths, or embedded client key data.

This protected-tool coverage migrates the default kubeconfig into the Automic Vault keychain and rewrites supported user entries to Kubernetes exec credential plugins that call av credential-helper kubernetes. The wrapper provides a short-lived approval token while kubectl is running.

Caveats

  • We currently migrate the default ~/.kube/config file only.
  • Multi-file KUBECONFIG setups must be migrated manually.
  • Only bearer-token and embedded client-certificate user credentials are

migrated to the exec helper.

  • Passwords, auth-provider refresh credentials, and client-key file paths must

be migrated manually.

  • Kubeconfigs that rely entirely on exec auth plugins may not contain

migratable secrets.

Source: local coverage notes

Coverage source

Local secret-handling manifest

Caveats

  • We currently migrate the default ~/.kube/config file only.
  • Multi-file KUBECONFIG setups must be migrated manually.
  • Passwords, auth-provider refresh credentials, and client-key file paths must be migrated manually.
  • Exec-plugin-only kubeconfigs may not contain migratable secrets.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
~/.kube/config

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.kube/config

executables

Installed executables

CommandKindExposureNote
kubectlcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-07
manager version1.36.2
manager updated2026-06-12
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/kubernetes/kubernetes

install metadata

Package metadata

Package keybrew:kubernetes-cli
Version1.36.2
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/kubernetes-cli
Homepagehttps://kubernetes.io/docs/reference/kubectl/
Repositoryhttps://github.com/kubernetes/kubernetes
Upstream docshttps://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig
LicenseApache-2.0
Source archivehttps://github.com/kubernetes/kubernetes.git
Last updated2026-06-12T13:38:45Z
Pulseupdated
Build dependenciesbash, coreutils, go
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namekubernetes-cli
Aliases
  • kubectl
  • kubernetes-cli@1.36
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Chocolatey95%

kubernetes-cli

choco install kubernetes-cli
  • normalized package name match
  • Matched by: Kubernetes Cli
Chocolatey community package catalog · community.chocolatey.org · Chocolatey community package catalog: kubernetes-cli from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','kubectx'
winget95%

Kubernetes.kubectl

winget install --id Kubernetes.kubectl -e
  • normalized package name match
  • Matched by: Kubernetes Cli
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: Kubernetes.kubectl from https://cdn.winget.microsoft.com/cache/source.msix
MacPorts94%

kubectl

sudo port install kubectl
  • installed executable or alias match
  • Matched by: Kubectl
MacPorts ports tree · api.github.com · MacPorts ports tree: sysutils/kubectl/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Debian apt92%

kubectl 1.32.3+ds-2

Command-line tool for controlling Kubernetes clusters

https://kubernetes.io/

sudo apt install kubectl
  • Section: admin
  • Architecture: amd64
  • Source Package: kubernetes
  • 1 dependencies
  • installed executable or alias match
  • Matched by: Kubectl
Debian stable package indexes · deb.debian.org · Debian stable package indexes: kubectl from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix92%

kubectl

nix profile install nixpkgs#kubectl
  • installed executable or alias match
  • Matched by: Kubectl
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ku/kubectl/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
apk92%

kubectl 1.36.1-r0

Kubernetes - kubectl

https://kubernetes.io/

sudo apk add kubectl
  • License: Apache-2.0
  • Architecture: x86_64
  • Source Package: kubernetes
  • 1 provides
  • installed executable or alias match
  • Matched by: Kubectl
Alpine Linux edge package indexes · dl-cdn.alpinelinux.org · Alpine Linux edge package indexes: kubectl from https://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
pacman92%

kubectl 1.36.1-1

A command line tool for communicating with a Kubernetes API server

https://kubernetes.io/

sudo pacman -S kubectl
  • License: Apache-2.0
  • Architecture: x86_64
  • 1 dependencies
  • installed executable or alias match
  • Matched by: Kubectl
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: kubectl from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
Scoop92%

main/kubectl

scoop install main/kubectl
  • installed executable or alias match
  • Matched by: Kubectl
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/kubectl.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated agent safety answer
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • local coverage README
  • package relationship graph
  • package version freshness
  • package-page enrichment
  • secret-handling manifest