If you have ever found yourself juggling three SSH terminals during an incident—frantically copying and pasting kubectl get, kubectl logs, and kubectl describe while the clock ticks—you know the pain. Manual capture is slow, inconsistent, and prone to errors, especially on large clusters. Enter GROOT, a small open-source Go CLI that automates this workflow, turning chaos into a single, repeatable command.
The Challenge of Manual Cluster Diagnostics
During troubleshooting or post-incident reviews, teams typically need a bundle of evidence:
- Cluster-wide signals: nodes, events, pod lists
- Namespace-scoped resources and pod logs (sometimes including previous container logs)
- Optional node detail (e.g.,
describe,top) when the incident touches capacity or scheduling - A sanitized snapshot of kube context (not the raw secret file—GROOT writes a summary under
extras/)
Collecting these manually means dozens of commands, inconsistent filenames, and no guarantee the next engineer gathers the same shape of data. GROOT solves this by providing repeatable, fast capture with a single entry point: groot collect.
Introducing GROOT: An Automated Solution
GROOT is a command-line tool written in Go, using Cobra and Viper for commands and configuration. It automates the collection of Kubernetes diagnostics into a neatly packaged archive. Here's what makes it stand out:
- Concurrency: A configurable worker pool runs kubectl jobs in parallel, speeding up I/O-bound phases.
- Scope: Define namespaces, optionally target specific workloads (Deployments, StatefulSets, DaemonSets, or Helm release labels).
- Logs: Capture pod logs with options for
--previous, tail lines (including full logs with tail=0). - Packaging: Outputs a timestamped capture directory, then a single
.tar.gzarchive with prefix paths to avoid extraction collisions. - Configuration: YAML file with environment variable overrides (GROOT_*).
- Notifications: Integrates with Slack, Discord, Teams, PagerDuty, Telegram, and generic JSON webhooks. Multiple endpoints supported via semicolons.
- Operator UX: Flags like
--verbose,--quiet,--no-notify,--test-connection, and--messagefor custom archive names. - Container support: A rootless Dockerfile for air-gapped or locked-down environments.
For a detailed list, see the features overview below.
How GROOT Works
GROOT uses kubectl as its execution engine—no in-cluster agents. This keeps RBAC and behavior aligned with what operators already understand.
Concurrency
The worker pool (collection.worker_concurrency) runs multiple kubectl operations simultaneously, dramatically reducing capture time on large clusters. This is especially useful for I/O-bound tasks like fetching logs from many pods.
Scope and Targeting
You configure namespaces and optionally per-namespace targets (e.g., only certain Deployments). GROOT respects Helm release instance labels if you use Helm. This precision prevents capturing irrelevant data.
Log Collection
Pod logs can be included with or without --previous (for crashed containers). The tail parameter controls how many lines to fetch; set to 0 for full logs. This flexibility is vital for debugging recent failures versus historical issues.
Packaging and Output
Each run creates a directory with a timestamp (e.g., capture-20250320T143000/) containing all collected files. GROOT then compresses it into a .tar.gz archive. The internal directory structure uses the capture folder as a prefix, so extracting multiple archives doesn't overwrite files.
Configuration
Settings are defined in a YAML file, but you can override any value with environment variables prefixed with GROOT_. This enables dynamic configuration in CI/CD or cron jobs.
Notifications
After each collection, GROOT sends a one-line summary (totals, duration, output dir, archive path). Supported channels include Slack, Discord, Teams, PagerDuty Events API v2, Telegram, and generic JSON webhooks. You can specify multiple endpoints by separating URLs or chat IDs with semicolons. Outbound HTTP has a bounded client timeout to prevent a stuck webhook from hanging the entire run.
Getting Started with GROOT
Prerequisites
Before using GROOT, ensure:
kubectlis installed and on your PATH- A valid kubeconfig is present (context with read/list/log RBAC)
- Sufficient permissions for the namespaces you intend to collect
Quick Start
- Download the latest GROOT binary from the releases page, or build from source.
- Create a configuration file (
groot.yaml) with your namespace and workload targets. - Run
groot collectto start a collection. - Optionally add flags like
--verboseto see progress, or--no-notifyfor silent runs. - Find the archive in the current directory (or a custom output path if configured).
For production use, consider setting up a cron job that runs groot collect periodically, with notifications to your team channel. The --message flag lets you add a custom label to the archive name (e.g., --message 'pre-deploy-check').
Production Considerations
GROOT is designed for safe operation in production environments. Key guardrails include:
- Read-only operations: GROOT only uses kubectl read commands (get, describe, logs, top). It never modifies cluster state.
- Configurable concurrency: Adjust worker count to avoid saturating the API server.
- Optional extra commands: The
extra_kubectlfeature is disabled by default and requires explicit enablement, preventing accidental execution of dangerous commands. - Timeout on notifications: Stuck webhooks won't block the collection; a timeout ensures the process completes.
Integrate GROOT with your incident management workflow by combining it with cron and your preferred notification channel. For example, schedule a daily collection that posts a summary to Slack, or trigger it on-demand during an incident to share with a vendor.
Conclusion
Manual diagnostic collection in Kubernetes is error-prone and time-consuming. GROOT offers a repeatable, fast, and configurable solution that packages everything into a single archive. Whether you're responding to an incident, performing a post-mortem, or just keeping a record, GROOT saves time and reduces human error. Give it a try and simplify your cluster diagnostics today.