CLI Command Reference

tui

kb tui

Launch the interactive terminal UI. The TUI provides a live cluster view with keyboard navigation for browsing resources, viewing logs, and executing actions without leaving the terminal.

k — kubectl wrappers

kb k <subcommand> groups kubectl operations behind fuzzy pickers. Every command that takes a resource name also accepts --i to force the fzf picker, and -n / --namespace (default: default) to target a specific namespace.

k apply

kb k apply <path>

Build a Kustomize overlay and apply it directly to the cluster. Before applying, suspends all Flux kustomizations so Flux does not immediately revert the change. Resumes them on exit, even if the apply fails.

path — Kustomize overlay path, e.g. apps/overlays/dev/docs (required)

k describe

kb k describe [kind] [name] [-n namespace] [--i]

Run kubectl describe on a resource. Omit kind and name to pick interactively with fzf.

k yaml

kb k yaml [kind] [name] [-n namespace] [--i]

Print a resource’s live manifest as YAML (kubectl get -o yaml). Omit kind and name to pick interactively.

k edit

kb k edit [kind] [name] [-n namespace] [--i]

Open a resource’s manifest in $EDITOR (kubectl edit). Omit kind and name to pick interactively.

k delete

kb k delete [kind] [name] [-n namespace] [--force] [--i]

Delete a resource with a confirmation prompt. Pass --force to skip the prompt. Omit kind and name to pick interactively. If the deleted resource is a pod, the CLI notes that its controller will recreate it.

k ns

kb k ns [name]

List all namespaces, or switch the current context’s default namespace. Omit name to list; provide a name to run kubectl config set-context --current --namespace=<name>.

k secrets

kb k secrets <decrypt|edit|init> ...

Manage SOPS-encrypted secrets backed by an age key stored in the cluster.

k secrets decrypt

kb k secrets decrypt <file> [--namespace flux-system] [--secret-name sops-age]

Decrypt a SOPS-encrypted file and print it to stdout. Fetches the age key from a Kubernetes secret.

k secrets edit

kb k secrets edit <file> [--namespace flux-system] [--secret-name sops-age]

Open a SOPS-encrypted file for editing. Fetches the age key, sets SOPS_AGE_KEY, and invokes sops.

k secrets init

kb k secrets init [--force] [--namespace flux-system] [--secret-name sops-age]

Generate a new age key pair, store it as a Kubernetes secret, and update .sops.yaml with the new public key. Pass --force to overwrite an existing secret.

k tls

kb k tls mkcert-setup

Install the mkcert CA into the system and Firefox trust stores, then create a wildcard TLS secret in the cluster for Traefik. See mkcert-setup below.

logs

kb logs [pod] [-n namespace] [-c container] [-f] [--tail 100] [--i]

Stream or print pod logs. Omit pod or pass --i to pick from a fzf list.

Flag	Default	Description
`-n`, `--namespace`	`default`	Namespace
`-c`, `--container`	—	Container name (for multi-container pods)
`-f`, `--follow`	false	Follow log output
`--tail`	`100`	Lines to show from the end
`--i`	false	Force interactive picker

exec

kb exec [pod] [-n namespace] [-c container] [--command /bin/sh] [--i]

Open an interactive shell in a pod. Omit pod or pass --i to pick with fzf. The default command is /bin/sh.

pf

kb pf [resource] [ports] [-n namespace] [--i]

Forward a local port to a pod or service. resource takes the form pod/mypod or svc/mysvc. ports takes the form 8080:80. Omit either argument to be prompted interactively.

flux

kb flux <bootstrap|pause|resume|reconcile>

flux bootstrap

kb flux bootstrap --secrets-file <path> [--owner RyanGreenup] [--repository kubernetes-template] [--branch main] [--path clusters/vale]

Bootstrap Flux with a GitHub repository. Reads GITHUB_TOKEN from the decrypted JSON file at --secrets-file.

flux pause

kb flux pause

Suspend all Flux kustomizations in the flux-system namespace (flux suspend kustomization --all).

flux resume

kb flux resume

Resume all Flux kustomizations in flux-system (flux resume kustomization --all).

flux reconcile

kb flux reconcile [name]

Trigger an immediate reconciliation for a kustomization. Defaults to infrastructure.

infra

kb infra <do|gke> <subcommand>

Provision and manage cloud infrastructure via OpenTofu. Both providers share the same subcommand set.

infra do

Manages a DigitalOcean Kubernetes cluster. Requires DIGITALOCEAN_TOKEN or DIGITALOCEAN_ACCESS_TOKEN in the environment before running plan, apply, or destroy.

infra gke

Manages a GKE cluster on Google Cloud. Requires TF_VAR_project_id or GOOGLE_PROJECT in the environment.

Shared infra subcommands

Subcommand	Description
`setup`	Authenticate the provider CLI (`doctl auth init` or `gcloud auth login`)
`clusters`	List clusters with node pool details and pricing. Accepts `--json` or `--yaml`
`init`	Initialize OpenTofu providers
`validate`	Validate OpenTofu configuration
`plan`	Preview infrastructure changes
`apply`	Apply infrastructure changes. `--auto-approve` skips the confirmation prompt
`destroy`	Destroy the cluster. Requires `--i-am-sure`; also accepts `--auto-approve`
`output`	Show OpenTofu outputs. `--json` for machine-readable format
`kubeconfig`	Fetch and merge cluster credentials into `~/.kube/config`

dev

kb dev <fmt|skaffold>

Developer tooling for local workflows.

dev fmt

kb dev fmt

Format the codebase with oxfmt.

dev skaffold

kb dev skaffold <dev|run|debug|delete>

Skaffold workflows for building and deploying to the cluster.

Subcommand	Description
`dev`	Start the continuous dev loop — builds, deploys, and watches for changes. Enables `--tail` and `--port-forward` by default. Accepts `--profile` and `--port-forward false`
`run`	One-off build and deploy without file watching. Accepts `--profile` and `--tail`
`debug`	Dev loop with debug ports forwarded. Accepts `--profile`
`delete`	Tear down everything deployed by Skaffold

mkcert-setup

kb k tls mkcert-setup

Install the local mkcert CA into the system trust store and all detected Firefox profiles, then create a wildcard TLS Kubernetes secret for use with Traefik. Run this once when setting up a new development machine.