Add Kubernetes exec support to devcontainer exec #1234

Open
joris-decombe wants to merge 1 commit into devcontainers:main from joris-decombe:feature/kubernetes-exec
@joris-decombe joris-decombe commented May 21, 2026

Summary

Adds Kubernetes exec support to the devcontainer exec command, enabling commands to run inside K8s pods via kubectl exec as an alternative to Docker exec.

This addresses a gap where users with Kubernetes-based dev environments (e.g., cloud-hosted sandboxes) cannot use the devcontainer CLI to exec into their pods with proper remoteUser, remoteEnv, and workspaceFolder support from devcontainer.json.

New CLI flags

Flag                 Description
--kubectl-path       kubectl CLI path (default: kubectl)
--k8s-context        Kubernetes context from kubeconfig
--k8s-kubeconfig     Path to kubeconfig file (for custom CAs or non-default configs)
--k8s-namespace      Target pod namespace (required with --k8s-pod)
--k8s-pod            Target pod name
--k8s-container      Target container name (required with --k8s-pod)

Example usage

devcontainer exec \
  --k8s-context my-cluster \
  --k8s-namespace dev-envs \
  --k8s-pod sandbox-abc123 \
  --k8s-container dev \
  -- bash

Design decisions

  • Exec-only scope: This adds K8s support for exec only — no build/run lifecycle. The assumption is that pods already exist (created by an orchestrator, CI/CD, or platform tooling).
  • Shell wrapping for user/env/cwd: Since kubectl exec doesn't support Docker's -u, -e, or -w flags, these are handled by wrapping commands in POSIX shell invocations with proper quoting. A fast path avoids wrapping when none of these are needed (critical for the shell server).
  • User switching via su: Non-root remoteUser uses su -s /bin/sh <user> -c (no login shell, matching Docker's -u behaviour). User names are validated against a strict regex.
  • Runtime env probing: Pod spec env only contains static values — valueFrom refs (ConfigMaps, Secrets, Downward API) aren't visible. Environment probing uses probeRemoteEnv to capture the actual runtime env inside the container.
  • Conservative root escalation: remoteExecAsRoot is only available when the container already runs as root, avoiding failures in pods with runAsNonRoot or without privilege escalation tools.
  • Additive architecture: The K8s code path branches early in doExec() when K8s flags are present. No changes to the existing Docker/Podman code paths.

Related issues

Test plan

  • npm run compile — clean
  • npm run type-check — clean
  • Validation tests pass without K8s cluster (missing flag errors)
  • Integration tests skip cleanly when K8s env vars not set
  • Smoke tested against live K8s pods (echo, whoami, remote-env, pwd)
  • CI pipeline passes

Enable `devcontainer exec` to run commands inside Kubernetes pods via
`kubectl exec`, as an alternative to the existing Docker exec path.

New CLI flags for the `exec` command:
  --kubectl-path       kubectl CLI path (default: kubectl)
  --k8s-context        Kubernetes context (from kubeconfig)
  --k8s-kubeconfig     Path to kubeconfig file (for custom CAs)
  --k8s-namespace      Target pod namespace (required with --k8s-pod)
  --k8s-pod            Target pod name
  --k8s-container      Target container name (required with --k8s-pod)

Since kubectl exec doesn't support Docker's -u (user), -e (env), or
-w (cwd) flags natively, these are handled by wrapping commands in
shell invocations with proper POSIX quoting. A fast path avoids shell
wrapping when none of these are needed (e.g., for the shell server).

User switching for non-root remoteUser uses `su -s /bin/sh <user> -c`
(no login shell, matching Docker's -u behaviour). The user parameter
is validated against a strict regex to prevent shell injection.

Environment probing uses probeRemoteEnv to capture the actual runtime
environment inside the container, correctly resolving K8s valueFrom
env vars (ConfigMaps, Secrets, Downward API) that aren't visible in
the static pod spec.

Relates to: devcontainers/spec#672, microsoft/vscode-remote-release#6413
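
The shell wrapping, fast path and user-name validation described in the PR summary and commit message above, as an added TypeScript sketch; it is not code from this PR. The function names, both regexes and the use of `export` for env vars are assumptions made for illustration.

```typescript
// Added illustration: all names here are hypothetical, not identifiers from the PR.
const USER_RE = /^[a-z_][a-z0-9_-]{0,31}$/;     // assumed "strict" user-name pattern
const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/; // POSIX-style variable names only

interface K8sTarget {
  namespace: string;
  pod: string;
  container: string;
  context?: string;
}

interface ExecOptions {
  user?: string;
  env?: { [name: string]: string };
  cwd?: string;
}

// POSIX single-quoting: everything is literal except ', which becomes '\''.
function shQuote(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

function buildKubectlExecArgs(t: K8sTarget, o: ExecOptions, cmd: string[]): string[] {
  const base = [
    ...(t.context ? ['--context', t.context] : []),
    'exec', '-n', t.namespace, t.pod, '-c', t.container, '--',
  ];
  const env = o.env || {};
  const names = Object.keys(env);
  const switchUser = o.user !== undefined && o.user !== 'root';
  // Fast path: nothing to emulate, so argv is passed through with no shell involved.
  if (!switchUser && names.length === 0 && !o.cwd) {
    return [...base, ...cmd];
  }
  // Reject anything su could read as an option or a shell could read as syntax.
  if (switchUser && !USER_RE.test(o.user as string)) {
    throw new Error('invalid remoteUser');
  }
  const steps: string[] = [];
  if (o.cwd) { steps.push('cd ' + shQuote(o.cwd)); }
  for (const name of names) {
    if (!ENV_NAME_RE.test(name)) { throw new Error('invalid env name: ' + name); }
    steps.push('export ' + name + '=' + shQuote(env[name]));
  }
  steps.push('exec ' + cmd.map(shQuote).join(' '));
  const script = steps.join(' && ');
  return switchUser
    ? [...base, 'su', '-s', '/bin/sh', o.user as string, '-c', script]
    : [...base, '/bin/sh', '-c', script];
}
```

Env names need their own check because they sit unquoted on the left of `=` in the generated script; only the values can be protected by quoting.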
@joris-decombe joris-decombe requested a review from a team as a code owner May 21, 2026 05:35
@joris-decombe

@microsoft-github-policy-service agree company="Trade Me"
