Kustomize currently supports two kinds of plugins: exec and go.
Unfortunately, it's not possible to run kfilt as a Kustomize exec plugin. An exec plugin works by emitting resources on stdout and the framework merges those into the resources generated by Kustomize. As far as I can tell, there is no way to tell Kustomize to remove resources in an exec plugin. It is possible to run kfilt as a go plugin since it will have access to the full Kustomize API.
However, go plugins are extremely brittle and hard to distribute. Effectively, an end user of the plugin must compile both the plugin and Kustomize itself.
This directory contains an experimental kfilt Kustomize plugin packaged into a Docker image.
You can use make to build the Docker image that contains both the Kustomize binary and the kfilt plugin.
make REGISTRY=gcr.io/my-project
You should specify a valid Docker Hub, GCR, or other Docker registry url for the value of the REGISTRY variable.
The make run target will run a container from the image against the example Kustomize base. This simple example excludes Secrets from a remote Kustomize base.
make run
It is questionable as to how much value there is for a kfilt Kustomize plugin. Excluding resources from Kustomize bases should generally be avoided. When you do need to do it, you can either use a delete strategic merge patch or you can just compose kfilt into your pipeline:
kustomize build | kfilt -K Secret | kubectl apply -f -
No plugins required.
If you have thoughts about this, please file an issue for further discussion.