Production-Safe, Auditable, Read-Only File Exploration for Kubernetes Pods
Pulsaar solves the security challenge of inspecting container filesystems in production environments. It provides developers with safe, read-only access to troubleshoot issues without requiring kubectl exec, interactive shells, or elevated cluster privileges.
- Zero Exec Footprint: No `kubectl exec` and no interactive root shell inside live production environments.
- Granular Access Control: Lock down exploration to specific folders (e.g., only `/var/log` or `/app/config`).
- Compliance-Ready: Every list, read, or stat attempt is audited and sent to a central logging aggregator.
Pulsaar consists of a client CLI, a mutating webhook for sidecar injection, a lightweight gRPC agent (deployed as a sidecar or injected as an ephemeral container), and an audit logging aggregator.
```mermaid
flowchart TD
    subgraph Client [Developer Client]
        CLI[pulsaar-cli]
    end
    subgraph Control [K8s Control Plane]
        K8S[Kube API Server]
        WEB[pulsaar-webhook]
    end
    subgraph Pod [Target Pod]
        AGENT[pulsaar-agent]
        FS[(Container Filesystem)]
    end
    subgraph Logging [Compliance & Audit]
        AGG[pulsaar-aggregator]
    end
    CLI -- gRPC over TLS/Port-Forward --> AGENT
    CLI -- K8s Authentication --> K8S
    K8S -- Mutate Pod / Inject Agent --> WEB
    AGENT -- Read-Only Stat/Read --> FS
    AGENT -- Send JSON Audits --> AGG
```
| Feature | Description | Benefit |
|---|---|---|
| Read-Only Safety | Enforces read-only filesystem calls (List, Read, Stat) at the API layer. | Prevents accidental data loss or config editing. |
| mTLS Encryption | End-to-end encryption with dynamically generated TLS keypairs. | Secure data transit over the cluster network. |
| RBAC Integration | Interacts with K8s SubjectAccessReview to enforce pod permissions. | Reuses existing Kubernetes namespace RBAC rules. |
| Flexible Sidecar / Ephemeral | Deploy as a permanent sidecar or inject on-demand via Ephemeral Containers. | Zero-overhead when not troubleshooting. |
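The RBAC Integration row above (and the compliance section further down, which spells the check out as a TokenReview followed by a SubjectAccessReview against `get pods`) describes the authorization chain the agent runs before serving a request. The following Go example is added here and is not Pulsaar's own code: it implements that chain end to end together with the fail-closed audit rule from the Compliance-Ready bullet. The `APIPoster` interface, the `Authorize` and `Guard` functions, the `AuditEvent` type and the `fakeAPI` stand-in apiserver are this example's own inventions, and the two structs are hand-declared projections of the Kubernetes API objects rather than client-go types.

```go
package main

import "fmt"

// Projections of the two API objects the README names; only the fields used
// here are declared, with their real authentication/authorization.k8s.io/v1 JSON names.
type TokenReview struct {
	APIVersion string                                `json:"apiVersion"`
	Kind       string                                `json:"kind"`
	Spec       struct{ Token string `json:"token"` } `json:"spec"`
	Status     struct {
		Authenticated bool `json:"authenticated"`
		User          struct {
			Username string   `json:"username"`
			Groups   []string `json:"groups,omitempty"`
		} `json:"user"`
	} `json:"status"`
}
type ResourceAttributes struct {
	Namespace string `json:"namespace"`
	Verb      string `json:"verb"`
	Resource  string `json:"resource"`
	Name      string `json:"name"`
}
type SubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		User               string             `json:"user"`
		Groups             []string           `json:"groups,omitempty"`
		ResourceAttributes ResourceAttributes `json:"resourceAttributes"`
	} `json:"spec"`
	Status struct{ Allowed bool `json:"allowed"` } `json:"status"`
}

// APIPoster stands in for a Kubernetes client (a real agent would use client-go):
// Post submits obj to an API path and fills in its status from the response.
type APIPoster interface{ Post(path string, obj any) error }

// Authorize runs the README's chain: a TokenReview to identify the caller, then a
// SubjectAccessReview for "get" on the target pod, carrying the caller's groups so
// RoleBindings to groups count. The username is returned even on denial for auditing.
func Authorize(api APIPoster, token, ns, pod string) (string, error) {
	tr := TokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview"}
	tr.Spec.Token = token
	if err := api.Post("/apis/authentication.k8s.io/v1/tokenreviews", &tr); err != nil {
		return "", err
	}
	if !tr.Status.Authenticated {
		return "", fmt.Errorf("token rejected by TokenReview")
	}
	u := tr.Status.User
	sar := SubjectAccessReview{APIVersion: "authorization.k8s.io/v1", Kind: "SubjectAccessReview"}
	sar.Spec.User, sar.Spec.Groups = u.Username, u.Groups
	sar.Spec.ResourceAttributes = ResourceAttributes{Namespace: ns, Verb: "get", Resource: "pods", Name: pod}
	if err := api.Post("/apis/authorization.k8s.io/v1/subjectaccessreviews", &sar); err != nil {
		return u.Username, err
	}
	if !sar.Status.Allowed {
		return u.Username, fmt.Errorf("%s may not get pods/%s in namespace %s", u.Username, pod, ns)
	}
	return u.Username, nil
}

// AuditEvent is one record per attempt, allowed or denied.
type AuditEvent struct{ User, Namespace, Pod, Action, Path, Decision string }

// Guard is the per-request gate: authorize, record the attempt, then run the
// read-only op. A failed audit write refuses the action outright, which is the
// README's "failures in logging block the gRPC action".
func Guard(api APIPoster, audit func(AuditEvent) error, token, ns, pod, action, path string, op func() error) error {
	user, authErr := Authorize(api, token, ns, pod)
	ev := AuditEvent{User: user, Namespace: ns, Pod: pod, Action: action, Path: path, Decision: "allowed"}
	if authErr != nil {
		ev.Decision = "denied: " + authErr.Error()
	}
	if err := audit(ev); err != nil {
		return fmt.Errorf("audit unavailable, refusing %s %s: %w", action, path, err)
	}
	if authErr != nil {
		return authErr
	}
	return op()
}

// fakeAPI is a constructed apiserver for this example, not a real client: token
// "dev-token" is alice (group developers), who may get pods only in "default".
type fakeAPI struct{}

func (fakeAPI) Post(_ string, obj any) error {
	switch v := obj.(type) {
	case *TokenReview:
		if v.Spec.Token == "dev-token" {
			v.Status.Authenticated = true
			v.Status.User.Username, v.Status.User.Groups = "alice", []string{"developers"}
		}
	case *SubjectAccessReview:
		ra := v.Spec.ResourceAttributes
		v.Status.Allowed = v.Spec.User == "alice" && ra.Namespace == "default" && ra.Verb == "get" && ra.Resource == "pods"
	}
	return nil
}
```

Two details matter in practice. The SubjectAccessReview must carry the groups the TokenReview returned, otherwise RoleBindings granted to a group rather than to a user are silently ignored and legitimate developers are denied. And the audit record is written before the operation runs, for denied attempts as well as allowed ones, so an unreachable aggregator stops reads rather than losing the trail.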
Download the pre-compiled binary for your system from the Releases Page or install via Homebrew:

```bash
# Tap the Homebrew repository
brew tap VrushankPatel/homebrew-pulsaar
# Install the Pulsaar CLI client
brew install pulsaar-cli
```

Install the Pulsaar Webhook, Agent templates, and central Audit Aggregator via Helm:

```bash
# Add the Pulsaar repository
helm repo add pulsaar https://vrushankpatel.github.io/pulsaar
# Install the Helm chart
helm install pulsaar pulsaar/pulsaar \
  --namespace pulsaar-system \
  --create-namespace
```

Once installed, use the CLI client to explore files inside any pod your Kubernetes RBAC allows you to `get`.
List files and subdirectories within allowed roots:

```bash
pulsaar explore --pod my-production-pod -n default --path /var/log
```

Retrieve the contents of text configuration files safely (up to a 1MB size limit):

```bash
pulsaar read --pod my-production-pod -n default --path /app/config/settings.json
```

Retrieve metadata (size, permissions, modification times) for any file or directory:

```bash
pulsaar stat --pod my-production-pod -n default --path /tmp/app.lock
```

Check the connection state and health details of the agent inside the pod:

```bash
pulsaar health --pod my-production-pod -n default
```

Launch a K9s-style interactive Terminal User Interface to select namespaces and pods and explore or view files interactively:

```bash
pulsaar tui
```

Explicitly block specific directories (e.g. secret files) on a pod from the CLI:

```bash
pulsaar config set-denylist --pod my-production-pod -n default --paths /app/certs,/app/.env
```

Secure pod access by configuring standard annotations in your Pod specifications:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app
  namespace: default
  annotations:
    # Trigger automatic sidecar injection
    pulsaar.io/inject: "true"
    # Define directories developers are allowed to inspect
    pulsaar.io/allowed-roots: "/var/log,/app/config"
    # Define directories developers are explicitly forbidden from inspecting
    pulsaar.io/denied-paths: "/app/config/secrets.json"
spec:
  containers:
  - name: app
    image: my-app:latest
```

Pulsaar is designed to meet strict enterprise compliance frameworks:
- Audit logs: Logged locally and aggregated at `pulsaar-aggregator`. A failure to log blocks the gRPC action.
- Access Control: Developer credentials are validated via Kubernetes TokenReviews and SubjectAccessReviews, checking the `get` verb on `pods` in the target namespace.
- For reporting security vulnerabilities, please refer to our Security Policy.
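The `pulsaar.io/allowed-roots` and `pulsaar.io/denied-paths` annotations in the manifest above define a path policy that the agent has to enforce on every list, read and stat request. The following Go example is added here and is not Pulsaar's own code: it shows how such a policy can be enforced without the usual traversal, prefix-match and symlink mistakes, and applies the 1MB cap mentioned for `pulsaar read`. `Policy`, `ParsePolicy`, `Check`, `ReadCapped` and `ErrDenied` are this example's own names, and the way the annotation values map onto roots is an assumption, not the project's documented behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// MaxReadBytes is the 1MB cap the README states for `pulsaar read`.
const MaxReadBytes = 1 << 20

var ErrDenied = errors.New("path not permitted by policy")

// Policy mirrors the pulsaar.io/allowed-roots and pulsaar.io/denied-paths
// annotations; the type and its methods are this example's own.
type Policy struct {
	AllowedRoots []string
	DeniedPaths  []string
}

// ParsePolicy splits the comma-separated annotation values into cleaned absolute paths.
func ParsePolicy(allowed, denied string) Policy {
	return Policy{AllowedRoots: splitPaths(allowed), DeniedPaths: splitPaths(denied)}
}

func splitPaths(s string) []string {
	var out []string
	for _, p := range strings.Split(s, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, filepath.Clean("/"+p))
		}
	}
	return out
}

// within reports whether p is base or lies beneath it, comparing path components
// rather than string prefixes so that /var/logs is not treated as inside /var/log.
// Rel refuses a relative p against an absolute base, so relative requests fail here.
func within(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Check decides whether a path may be listed, read or stat'ed. The request is
// cleaned first, so /var/log/../../etc/passwd is judged as /etc/passwd, and a
// denied path wins over the allowed root that contains it.
func (pol Policy) Check(requested string) (string, error) {
	clean := filepath.Clean(requested)
	for _, d := range pol.DeniedPaths {
		if within(d, clean) {
			return "", fmt.Errorf("%w: %s is under denied path %s", ErrDenied, clean, d)
		}
	}
	for _, r := range pol.AllowedRoots {
		if within(r, clean) {
			return clean, nil
		}
	}
	return "", fmt.Errorf("%w: %s is outside the allowed roots", ErrDenied, clean)
}

// ReadCapped resolves symlinks and re-checks the target (a link under /var/log that
// points at /etc/shadow is judged by where it points), opens read-only and refuses,
// rather than silently truncates, anything over MaxReadBytes.
func (pol Policy) ReadCapped(requested string) ([]byte, error) {
	clean, err := pol.Check(requested)
	if err != nil {
		return nil, err
	}
	target, err := filepath.EvalSymlinks(clean)
	if err != nil {
		return nil, err
	}
	if _, err := pol.Check(target); err != nil {
		return nil, fmt.Errorf("symlink target rejected: %w", err)
	}
	f, err := os.OpenFile(target, os.O_RDONLY, 0)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	data, err := io.ReadAll(io.LimitReader(f, MaxReadBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxReadBytes {
		return nil, fmt.Errorf("%s exceeds the %d byte read limit", target, MaxReadBytes)
	}
	return data, nil
}

func main() {
	pol := ParsePolicy("/var/log,/app/config", "/app/config/secrets.json")
	for _, p := range []string{"/var/log/app.log", "/var/log/../../etc/passwd", "/app/config/secrets.json"} {
		_, err := pol.Check(p)
		fmt.Println(p, "->", err)
	}
}
```

Three checks do the work: the path is cleaned before comparison so `..` segments cannot escape a root; containment is tested with `filepath.Rel` on path components, so `/var/logs` does not match the root `/var/log`; and symlinks are resolved and the target re-checked, because a link inside an allowed root is the classic way to read a file outside it. Roots are compared as written, so a root that itself sits behind a symlink should be listed in its resolved form.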
We welcome contributions from the community! Please read our Contribution Guidelines and Code of Conduct before submitting a Pull Request.
Pulsaar is licensed under the Apache 2.0 License. See the LICENSE file for details.
