An all-in-one collection of tools to run linting, common validation, static code analysis, security scanning, configuration tests, auditing, kustomize build, and dry run configuration for structured Kubernetes YAML Manifests. Designed to run in a CI (Continuious Integration) process as part of validation and testing, especially useful for Kubernetes clusters that are managed through GitOps.
I wasn't able to find a single docker image that contained all of the major validation tools (of which there are several!) to validate Kubernetes YAML manifest files as part of a CI/CD process before being automatically deployed to Kubernetes. This repo isn't designed to cover how to use these individual tools, but the links below should lead you to documentation for using each tool. We have found it useful to use several tools during our CI process because some check certain aspects that others cannot.
Grab the latest image from Github Packages
docker run --rm -it docker.pkg.github.com/highwayoflife/kubernetes-validation-tools/image:2.5 /bin/bashIdeally the kubeval-tools container should be used in a CI process to validate and lint Kubernetes configs and manifests. It's optimal to run these tools as part of a GitOps CI workflow.
| Tool | Version | Purpose | Description |
|---|---|---|---|
| Kubectl | 1.21.1 | CLI | Kubernetes CLI. Can be used with --dry-run=client to validate manifests |
| Yamllint | 1.26.0 | Linter | Basic linter for YAML files |
| Kubeval | 0.16.1 | Validation | Tool for validating a Kubernetes YAML manifests. Doesn't work with CRDs. |
| Kustomize | 4.1.0 | Compile | Template-free way to customize app configs. Useful to validate kustomize configs. |
| Config Lint | 1.6.0 | Validation | Validate config files using custom rules specified in YAML. |
| Conftest | 0.25.0 | Tests | Utility to help you write tests against structured configuration data. |
| Kube Score | 1.11.0 | Security | Tool that performs static code analysis of Kubernetes object definitions. |
| Polaris | 3.2.1 | Validation | Identifies Kubernetes deployment configuration errors |
| Kube Linter | 0.2.1 | Security | Linter and Static analysis tool that checks Kubernetes manifests |
| Kubeconform | 0.4.7 | Validation | Kubernetes manifests validation tool like Kubeval with CRD support |
| Kubeaudit | 0.14.0 | Security | Audit clusters or manifest files for security concerns |
| Datree | 0.1.382 | Policy | Ensure Kubernetes manifests and Helm charts are valid and follow your policies. |
Kubeaudit is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as:
- run as non-root
- use a read-only root filesystem
- drop scary capabilities, don't add new ones
- don't run privileged
- and more!
kubeaudit makes sure you deploy secure containers!
kubeval is a tool for validating a Kubernetes YAML or JSON configuration file. It does so using schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes.
ConfTest is a utility to help you write tests against structured configuration data. For instance you could write tests for your Kubernetes configurations, or Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data.
Conftest relies on the Rego language from Open Policy Agent for writing the assertions.
yamllint is a linter for YAML files.
yamllint does not only check for syntax validity, but for weirdnesses like key repetition and cosmetic problems such as lines length, trailing spaces, indentation, etc.
Kustomize lets you customize raw, template-free YAML files for multiple purposes, leaving the original YAML untouched and usable as is.
kustomize targets kubernetes; it understands and can patch kubernetes style API objects. It's like make, in that what it does is declared in a file, and it's like sed, in that it emits edited text. Kustomize traverses a Kubernetes manifest to add, remove or update configuration options without forking.
Kustomize is particularly useful to use with tools like ArgoCD, FluxCD, or Spinnaker to enable shared manifests (resources) across multiple clusters or environments without duplicating code. Kustomize allows overrides, merges, and other configuration features.
kubectl is the Kubernetes cli version of a swiss army knife, and can do many things. One of those things is being able to do a dry-run validate on a yaml file.
$ kubectl create --dry-run --validate -f invalid.yamlconfig-lint is a command line tool to validate configuration files using rules specified in YAML. The configuration files can be one of several formats: Terraform, JSON, YAML, with support for Kubernetes. There are built-in rules provided for Terraform, and custom files can be used for other formats.
config-lint -rules example-files/rules/kubernetes.yml example-files/configKube-Score, a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient.
kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.
The input to kube-score should be all applications that you deploy to the same namespace for the best result.
helm template my-app | kube-score score -kustomize build . | kube-score score -kube-score score my-app/*.yaml
kube-score score my-app/deployment.yaml my-app/service.yamlPolaris, Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices. Polaris is included as a CLI tool to test local YAML files, e.g. as part of a CI/CD process.
Polaris can be run in a few different modes:
- As a dashboard, so you can audit what's running inside your cluster.
- As a validating webhook, so you can automatically reject workloads that don't adhere to your organization's policies.
- As a command-line tool, so you can test local YAML files, e.g. as part of a CI/CD process.
You can run audits on the command line and see the output as JSON, YAML, or a raw score:
polaris audit --format yaml > report.yaml
polaris audit --format score
# 92Audits can run against a local directory or YAML file rather than a cluster:
polaris audit --audit-path ./deploy/
# or to use STDIN
cat pod.yaml | polaris audit --audit-path -You can also run the audit on a single resource instead of the entire cluster:
polaris audit --resource "nginx-ingress/Deployment.apps/v1/default-backend"You can integrate Polaris into CI/CD for repositories containing infrastructure-as-code. For example, to fail if polaris detects any danger-level issues, or if the score drops below 90%:
polaris audit --audit-path ./deploy/ \
--set-exit-code-on-danger \
--set-exit-code-below-score 90For more usage options for CLI, see the Usage Doc
Kube Linter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. KubeLinter accepts YAML files as input and runs a series of checks on them. If it finds any issues, it reports them and returns a non-zero exit code.
Datree is a CLI tool that can be used locally or in your CI/CD to ensure Kubernetes manifests and Helm charts follow best practices as well as your organization’s policies. It comes with 30 battle-tested rules to choose from, together with built-in support for YAML and kubernetes schema validation.
datree test my-app/*.yaml
datree test my-app/deployment.yamlFirst, you need to install Datree's helm plugin
helm datree test <CHART_DIRECTORY>PRs welcome! Check out the CONTRIBUTING Guidelines for more information.