功能描述

KubeVPN is a cloud-native dev tool to connect local machine to Kubernetes cluster networks. Use this skill when the user mentions: kubevpn, KubeVPN, or any o...

使用说明 (SKILL.md)

KubeVPN

Name: kubevpn
Author: wencaiwulue

KubeVPN bridges a local machine to a remote Kubernetes cluster network. Core workflows: connect (VPN tunnel), proxy (traffic interception), run (local pod simulation), sync (local code → cluster clone).

Installation

brew install kubevpn                              # macOS
curl -fsSL https://kubevpn.dev/install.sh | sh   # Linux/macOS
kubectl krew install kubevpn/kubevpn              # kubectl plugin
scoop bucket add extras && scoop install kubevpn  # Windows

Core Workflows

1. Connect — Access cluster network

kubevpn connect
kubevpn connect -n \x3Cnamespace>
kubevpn connect --context \x3Ccontext-name>
kubevpn disconnect --all

After connecting, access cluster resources directly:

ping \x3Cpod-ip>
curl \x3Cservice-name>:\x3Cport>
curl \x3Cservice-name>.\x3Cnamespace>.svc.cluster.local:\x3Cport>

2. Proxy — Intercept inbound traffic

Intercepts inbound cluster traffic for a workload and forwards to local machine. proxy also auto-connects to the cluster if not already connected.

kubevpn proxy deployment/\x3Cname>
kubevpn proxy deployment/\x3Cname> -n \x3Cnamespace>

# Mesh mode: only requests with matching headers go to local
kubevpn proxy deployment/\x3Cname> --headers foo=bar
kubevpn proxy deployment/\x3Cname> --headers foo=bar --headers env=dev  # AND logic

# Port mapping
kubevpn proxy deployment/\x3Cname> --portmap 9080:8080
kubevpn proxy deployment/\x3Cname> --portmap udp/9080:5000

# Multiple workloads at once
kubevpn proxy deployment/authors deployment/productpage

kubevpn leave deployment/\x3Cname>   # stop proxying, restore workload

3. Run — Simulate pod locally in Docker

Runs a workload in a local Docker container with identical env vars, volumes, and network.

kubevpn run deployment/\x3Cname>
kubevpn run deployment/\x3Cname> --entrypoint /bin/bash   # interactive shell
kubevpn run deployment/\x3Cname> --no-proxy               # no traffic interception
kubevpn run deployment/\x3Cname> --dev-image golang:1.21 --entrypoint bash
kubevpn run deployment/\x3Cname> --headers foo=bar        # mesh mode

4. Sync — Hot-reload local code in cluster

Clones the workload inside the cluster and syncs a local directory into the clone. The clone has the same env/volumes/network as the original. Supports mesh routing via --headers.

kubevpn sync deployment/\x3Cname> --sync ~/code:/app/code
kubevpn sync deployment/\x3Cname> --sync ~/code:/app/code --headers foo=bar

kubevpn unsync deployment/\x3Cname>-sync-xxxxx   # remove sync resource

5. Alias — Named config shortcuts

Define named aliases in ~/.kubevpn/config.yaml to avoid repeating long flags. Supports Needs dependency chains (connect to cluster A before cluster B).

kubevpn alias dev       # runs the flags defined under "dev" in config
kubevpn alias jumper    # connect to jumper cluster only

See commands.md for config file format.

Via SSH Bastion / Jump Host

All connect/proxy/run/sync commands support SSH jump:

kubevpn connect --ssh-addr 192.168.1.100:22 --ssh-username root --ssh-keyfile ~/.ssh/id_rsa
kubevpn connect --ssh-alias dev                           # uses ~/.ssh/config alias
kubevpn proxy deployment/\x3Cname> --ssh-alias dev --headers foo=bar

Reference Files

commands.md — Full flag reference for all kubevpn commands (including alias, connection, route, ssh, image, logs, quit)
architecture.md — How connect/proxy/mesh modes work internally

Common Patterns

Goal	Command
Access cluster IPs/services locally	`kubevpn connect`
Connect using a saved alias	`kubevpn alias \x3Cname>`
Debug a service (receive all its traffic)	`kubevpn proxy deployment/\x3Cname>`
Debug only my requests (don't break others)	`kubevpn proxy deployment/\x3Cname> --headers x-user=me`
Reproduce a pod environment locally	`kubevpn run deployment/\x3Cname> --entrypoint sh`
Hot-reload local code in cluster env	`kubevpn sync deployment/\x3Cname> --sync ~/code:/app`
Check connection status	`kubevpn status`
Force-restore a stuck workload	`kubevpn reset deployment/\x3Cname>`
Fully stop kubevpn (daemon + connections)	`kubevpn quit`
Remove all kubevpn from cluster	`kubevpn uninstall`
Copy image to private registry	`kubevpn image copy \x3Csrc> \x3Cdst>`
Tail daemon logs	`kubevpn logs -f`

Notes

proxy, run, and sync auto-connect to the cluster if not already connected
Multiple clusters can be connected simultaneously; use kubevpn status or kubevpn connection list to inspect
disconnect cleans up DNS/hosts; quit also stops the daemon gRPC server entirely
Server components are auto-deployed on first use (or pre-install: helm install kubevpn kubevpn/kubevpn)
Supports HTTP, gRPC, Thrift, WebSocket, TCP, UDP, ICMP
Use kubevpn reset deployment/\x3Cname> if a workload gets stuck with injected containers
Use kubevpn image copy to mirror images to a private registry when ghcr.io is not accessible

安全使用建议

This skill is coherent with its stated goal (bridging your machine to Kubernetes networks), but it performs high‑privilege actions and references sensitive local credentials and remote installers. Before using or running any commands from this skill: (1) verify the upstream project (GitHub repo, official release artifacts, and Helm chart) and prefer signed releases; (2) review any install script (don’t blindly run curl | sh); (3) do not hand your kubeconfig or SSH private keys to untrusted processes — only use local kubeconfig/keys with tools you trust; (4) be aware that proxy/run/sync injects or modifies cluster workloads (may disrupt production); (5) note that local containers default to privileged=true and the tool can change iptables and create tun devices — test in a staging environment first; (6) avoid using remote config URLs or inline kubeconfig JSON from unknown sources. If you want higher confidence, provide the upstream repo URL, package release checksums/signatures, or the installer script for review.

功能分析

Type: OpenClaw Skill Name: kubevpn Version: 2.9.14 The skill bundle provides documentation and instructions for 'kubevpn', a legitimate open-source cloud-native development tool designed to bridge local machines with Kubernetes clusters. The workflows described—including VPN tunneling (connect), traffic interception (proxy), and local container simulation (run)—align perfectly with the tool's intended purpose. While the tool requires high-privilege access (sudo for TUN devices, Kubernetes cluster-admin permissions, and SSH keys), these are inherent requirements for its functionality. No evidence of malicious intent, data exfiltration, or prompt injection was found in SKILL.md or the reference files.

能力评估

✓ Purpose & Capability

The name/description (connect/proxy/run/sync to Kubernetes clusters) matches the instructions: the SKILL.md explains VPN tunnels, sidecar injection, image transfer, and local Docker pod simulation. The features being requested (kubeconfig, SSH bastion usage, helm/kubectl/ docker interactions) are coherent with this purpose.

ℹ Instruction Scope

Instructions describe actions that require cluster and local host privileges (deploying a traffic-manager, injecting sidecars, altering iptables, creating tun interfaces, attaching Docker containers to cluster network). These actions are expected for the stated functionality, but they are powerful and can modify cluster workloads and local networking. The docs reference local files (~/.kube/config, ~/.ssh/*, ~/.kubevpn/config.yaml) and remote config URLs; those are relevant to operation but should be treated as sensitive.

ℹ Install Mechanism

The skill itself is instruction-only (no install spec). The docs recommend installing from brew, krew, scoop or via curl -fsSL https://kubevpn.dev/install.sh | sh and a Helm repo (https://kubevpn.dev/helm). Pointing to an official domain is normal, but piping a remote install script (curl | sh) and relying on a remote Helm repo are higher-risk practices — verify the upstream project, release signatures, or review the install script before running.

ℹ Credentials

The skill declares no required env vars, which is consistent for an instruction-only skill, but the workflows rely on sensitive local credentials/files: kubeconfig content (which contains cluster credentials), SSH private keys (~/.ssh/id_rsa), and optional inline kubeconfig JSON or remote config URLs. These are appropriate for the tool's purpose but are high-sensitivity and should not be supplied to untrusted code or actors.

✓ Persistence & Privilege

The skill does not request 'always:true' or permanent elevated platform privileges. However, the documented operations themselves require cluster-level and host-level privileges (deployment of server components, sidecar injection, privileged Docker containers by default). Those privileges are consistent with the tool's goals but increase risk if misused.

版本历史

v2.9.14

- Improved documentation in SKILL.md with detailed workflows, usage scenarios, and installation steps. - Added examples and reference commands for connect, proxy, run, sync, and alias workflows. - Documented SSH bastion/jump host support and multi-cluster connectivity. - Included troubleshooting, command reference links, and common usage patterns. - Enhanced clarity for local development, debugging, and cluster access scenarios.

元数据

Slug kubevpn

版本 2.9.14

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

kubevpn 是什么？

KubeVPN is a cloud-native dev tool to connect local machine to Kubernetes cluster networks. Use this skill when the user mentions: kubevpn, KubeVPN, or any o... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 202 次。

如何安装 kubevpn？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install kubevpn」即可一键安装，无需额外配置。

kubevpn 是免费的吗？

是的，kubevpn 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

kubevpn 支持哪些平台？

kubevpn 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 kubevpn？

由 naison（@wencaiwulue）开发并维护，当前版本 v2.9.14。

kubevpn