├── .github └── workflows │ └── docker-publish.yml ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE └── README.md /.github/workflows/docker-publish.yml: -------------------------------------------------------------------------------- 1 | name: Publish Container Image 2 | 3 | on: 4 | push: 5 | # Publish `v1.2.3` tags as releases. 6 | tags: 7 | - v* 8 | 9 | # Run tests for any PRs. 10 | pull_request: 11 | 12 | env: 13 | HUB_NAMESPACE: deck15 14 | REGISTRY: ghcr.io 15 | IMAGE_NAME: kubeval-tools 16 | 17 | jobs: 18 | # Run build test. 19 | # See also https://docs.docker.com/docker-hub/builds/automated-testing/ 20 | test: 21 | runs-on: ubuntu-latest 22 | permissions: 23 | contents: read 24 | packages: write 25 | 26 | steps: 27 | - name: Checkout Repository 28 | uses: actions/checkout@v2 29 | 30 | - name: Run Build 31 | run: | 32 | if [ -f docker-compose.test.yml ]; then 33 | docker-compose --file docker-compose.test.yml build 34 | docker-compose --file docker-compose.test.yml run sut 35 | else 36 | docker build . --file Dockerfile 37 | fi 38 | 39 | # Push image to GitHub Packages. 40 | # See also https://docs.docker.com/docker-hub/builds/ 41 | push: 42 | # Ensure build-image job passes before pushing image. 43 | needs: test 44 | 45 | runs-on: ubuntu-latest 46 | if: github.event_name == 'push' 47 | 48 | permissions: 49 | contents: read 50 | packages: write 51 | 52 | steps: 53 | - name: Checkout the repo 54 | uses: actions/checkout@v2 55 | 56 | - name: Build image 57 | run: docker build . --file Dockerfile --tag $IMAGE_NAME 58 | 59 | - name: Log in to the Container Registry 60 | uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 61 | with: 62 | registry: ${{ env.REGISTRY }} 63 | username: ${{ github.actor }} 64 | password: ${{ secrets.GITHUB_TOKEN }} 65 | 66 | - name: Log in to Docker Hub 67 | uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 68 | with: 69 | username: ${{ secrets.DOCKER_USERNAME }} 70 | password: ${{ secrets.DOCKER_PASSWORD }} 71 | 72 | - name: Extract metadata for Github Registry 73 | id: meta 74 | uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 75 | with: 76 | images: | 77 | ${{ env.REGISTRY }}/${{ github.repository }} 78 | ${{ env.HUB_NAMESPACE }}/${{ env.IMAGE_NAME }} 79 | 80 | - name: Build and push Docker images 81 | uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc 82 | with: 83 | context: . 84 | push: true 85 | tags: ${{ steps.meta.outputs.tags }} 86 | labels: ${{ steps.meta.outputs.labels }} 87 | 88 | # - name: Push image 89 | # run: | 90 | # IMAGE_ID=docker.pkg.github.com/${{ github.repository }}/$IMAGE_NAME 91 | 92 | # # Change all uppercase to lowercase 93 | # IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]') 94 | 95 | # # Strip git ref prefix from version 96 | # VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,') 97 | 98 | # # Strip "v" prefix from tag name 99 | # [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//') 100 | 101 | # # Use Docker `latest` tag convention 102 | # [ "$VERSION" == "master" ] && VERSION=latest 103 | 104 | # echo IMAGE_ID=$IMAGE_ID 105 | # echo VERSION=$VERSION 106 | 107 | # docker tag $IMAGE_NAME $IMAGE_ID:$VERSION 108 | # docker push $IMAGE_ID:$VERSION 109 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | v2.7 2 | ---- 3 | ### Features 🚀 4 | * 🚀 **[NEW]** Added **[KubeSec](https://github.com/controlplaneio/kubesec)**, a Security risk analysis for Kubernetes Resources 5 | 6 | ### Additions 7 | * Install Kubesec [v2.11.4](https://github.com/controlplaneio/kubesec/releases/tag/v2.11.4) 8 | 9 | ### Updates 📝 10 | * Upgrade Python from 3.9 to 3.10 11 | * Upgrade Kustomize from 4.1.3 to 4.5.3 12 | * Upgrade Conftest from 0.25 to 0.30 13 | * Upgrade Kube Score from 1.11 to 1.14 14 | * Upgrade Polaris 4.0.2 to 5.1.0 15 | * Upgrade Kube Linter 0.2.2 to 0.2.6 16 | * Upgrade Kube Conform from 0.4.7 to 0.4.13 17 | * Upgrade Kube Audit from 0.14.1 to 0.16.0 18 | * Upgrade Datree from 0.1.431 to 1.0.15 19 | 20 | v2.6 21 | ---- 22 | ### Features 🚀 23 | * 🚀 **[NEW]** Added **[Helm](https://github.com/helm/helm)** is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. 24 | 25 | Use Helm to: 26 | 27 | * Lint and Validate your Helm Charts 28 | * Generate manifests from your Helm Chart Templates 29 | * Find and use popular software packaged as Helm Charts to run in Kubernetes 30 | * Share your own applications as Helm Charts 31 | * Create reproducible builds of your Kubernetes applications 32 | * Intelligently manage your Kubernetes manifest files 33 | * Manage releases of Helm packages 34 | 35 | * 🚀 **[NEW]** Added **[Datree](https://github.com/datreeio/datree)** is a CLI tool that helps prevent Kubernetes misconfigurations from reaching production. Datree is a CLI tool to ensure K8s manifests and Helm charts follow best practices as well as your organization’s policies. 36 | 37 | The Datree CLI integration provides a policy enforcement solution for Kubernetes to run automatic checks on every code change for rule violations and misconfigurations. When rule violations are found, Datree produces an alert which guides the developer to fix the issue inside the CI process — or even earlier as a pre-commit hook — while explaining the reason behind the rule. 38 | 39 | ### Additions 40 | * Install Helm [v3.6.0](https://github.com/helm/helm/releases/tag/v3.6.0) 41 | * Install Datree [v0.1.431](https://github.com/datreeio/datree/releases/tag/0.1.431) 42 | * Install Datree Helm Plugin 43 | 44 | ### Updates 📝 45 | * Kustomize from 4.1.0 to [4.1.3](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.1.3) 46 | * Polaris from 3.2.1 to [4.0.2](https://github.com/FairwindsOps/polaris/releases/tag/4.0.2) 47 | * KubeLinter from 0.2.1 to [0.2.2](https://github.com/stackrox/kube-linter/releases/tag/0.2.2) 48 | * KubeAudit from 0.14.0 to [0.14.1](https://github.com/Shopify/kubeaudit/releases/tag/v0.14.1) 49 | 50 | 51 | v2.5 52 | ---- 53 | 54 | ### Features 🚀 55 | 56 | * 🚀 **[NEW]** Added **[Kubeconform](https://github.com/yannh/kubeconform)**, a Kubernetes manifests validation tool. 57 | 58 | It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements: 59 | 60 | * high performance: will validate & download manifests over multiple routines, caching downloaded files in memory 61 | * configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities 62 | * uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes. 63 | 64 | * 🚀 **[NEW]** Added **[Kubeaudit](https://github.com/Shopify/kubeaudit)**, a command line tool and a Go package to audit Kubernetes clusters for various different security concerns. 65 | 66 | ### Additions 67 | * Install Kubeconform [v0.4.7](https://github.com/yannh/kubeconform/releases/tag/v0.4.7) 68 | * Install Kubeaudit [v0.14.0](https://github.com/Shopify/kubeaudit/releases/tag/v0.14.0) 69 | 70 | ### Updates 📝 71 | * Update Python from 3.9.0 to 3.9.5 on Alpine 3.13 72 | * Update Kubectl from 1.19.3 to [v1.21.1](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.21.md), now installed via [Alpine package manager](https://pkgs.alpinelinux.org/package/edge/testing/x86_64/kubectl) 73 | * Update Yamllint from 1.25.0 to [1.26.0](https://github.com/adrienverge/yamllint/blob/master/CHANGELOG.rst#1260-2021-01-29) 74 | * Update Kustomize from 3.8.6 to [v4.1.0](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.1.0) 75 | * Update OPA Conftest from 0.21.0 to [v0.25.0](https://github.com/open-policy-agent/conftest/releases/tag/v0.25.0) 76 | * Update Kube-Score to [v1.11.0](https://github.com/zegl/kube-score/releases/tag/v1.11.0) 77 | * Update Polaris to [3.2.1](https://github.com/FairwindsOps/polaris/releases/tag/3.2.1) 78 | * Update Kube-Linter to [0.2.1](https://github.com/stackrox/kube-linter/releases/tag/0.2.1) 79 | 80 | 81 | v2.4 82 | ---- 83 | * 🚀 **[NEW]** Added [Kube-Score](https://github.com/zegl/kube-score), a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient. 84 | * 🚀 **[NEW]** Added [Polaris](https://github.com/FairwindsOps/polaris), Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices. Polaris is included as a CLI tool to test local YAML files, e.g. as part of a CI/CD process. 85 | * 🚀 **[NEW]** Added [Kube Linter](https://github.com/stackrox/kube-linter), a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. KubeLinter accepts YAML files as input and runs a series of checks on them. If it finds any issues, it reports them and returns a non-zero exit code. 86 | 87 | ### Updates 88 | * 📝 Updated Python from 3.8.4 to 3.9.0 89 | * 📝 Updated Kubectl from 1.18.6 to 1.19.3 90 | * 📝 Updated Yamllint from 1.24.2 to 1.25.0 91 | * 📝 Updated Kustomize from 3.8.1 to 3.8.6 92 | * 📝 Updated Conftest from 0.20.0 to 0.21.0 93 | 94 | v2.3 95 | ---- 96 | * 🚀 **[NEW]** Added [Config-lint](https://stelligent.github.io/config-lint/#/?id=%f0%9f%94%8d-config-lint-%f0%9f%94%8e), A CLI tool to validate config files (JSON, Terraform, YAML + Kubernetes), using rules specified in YAML. 97 | 98 | ### Updates 99 | * 📝 Updated Kubectl to [v1.18.6](https://kubernetes.io/docs/setup/release/notes/) 100 | * 📝 Updated YAMLLint to [v1.24.2](https://github.com/adrienverge/yamllint/blob/master/CHANGELOG.rst) 101 | * 📝 Updated Kustomize to [v3.8.1](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv3.8.1) 102 | * 📝 Updated Conftest to [v0.20.0](https://github.com/open-policy-agent/conftest/releases/tag/v0.20.0) 103 | 104 | v2.2 105 | ---- 106 | * Create latest tag on Docker hub 107 | 108 | v2.1 109 | ---- 110 | 111 | ### Updates 112 | * Updated base Python to 3.8.4-alpine3.12 113 | * Updated Kubectl to v1.18.5 114 | * Updated Kustomize to 3.8.0 115 | * Updated Conftest to 0.19.0 116 | * Updated Conftest to new home at open-policy-agent 117 | 118 | v2.0 119 | ---- 120 | 121 | * 🚀 **[NEW]** Added ConfTest v0.18.1 122 | 123 | ### Updates 124 | * Updated base Python to v3.8.2-alpine3.11 125 | * Updated KubeCTL to v1.18.2 126 | * Updated KubeVal to v0.15 127 | * Updated YamlLint to v1.23 128 | * Updated Kustomize to v3.5.4 129 | 130 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | We as members, contributors, and leaders pledge to make participation in our 6 | community a harassment-free experience for everyone, regardless of age, body 7 | size, visible or invisible disability, ethnicity, sex characteristics, gender 8 | identity and expression, level of experience, education, socio-economic status, 9 | nationality, personal appearance, race, religion, or sexual identity 10 | and orientation. 11 | 12 | We pledge to act and interact in ways that contribute to an open, welcoming, 13 | diverse, inclusive, and healthy community. 14 | 15 | ## Our Standards 16 | 17 | Examples of behavior that contributes to a positive environment for our 18 | community include: 19 | 20 | * Demonstrating empathy and kindness toward other people 21 | * Being respectful of differing opinions, viewpoints, and experiences 22 | * Giving and gracefully accepting constructive feedback 23 | * Accepting responsibility and apologizing to those affected by our mistakes, 24 | and learning from the experience 25 | * Focusing on what is best not just for us as individuals, but for the 26 | overall community 27 | 28 | Examples of unacceptable behavior include: 29 | 30 | * The use of sexualized language or imagery, and sexual attention or 31 | advances of any kind 32 | * Trolling, insulting or derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or email 35 | address, without their explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Enforcement Responsibilities 40 | 41 | Community leaders are responsible for clarifying and enforcing our standards of 42 | acceptable behavior and will take appropriate and fair corrective action in 43 | response to any behavior that they deem inappropriate, threatening, offensive, 44 | or harmful. 45 | 46 | Community leaders have the right and responsibility to remove, edit, or reject 47 | comments, commits, code, wiki edits, issues, and other contributions that are 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation 49 | decisions when appropriate. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all community spaces, and also applies when 54 | an individual is officially representing the community in public spaces. 55 | Examples of representing our community include using an official e-mail address, 56 | posting via an official social media account, or acting as an appointed 57 | representative at an online or offline event. 58 | 59 | ## Enforcement 60 | 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 62 | reported to the community leaders responsible for enforcement at 63 | . 64 | All complaints will be reviewed and investigated promptly and fairly. 65 | 66 | All community leaders are obligated to respect the privacy and security of the 67 | reporter of any incident. 68 | 69 | ## Enforcement Guidelines 70 | 71 | Community leaders will follow these Community Impact Guidelines in determining 72 | the consequences for any action they deem in violation of this Code of Conduct: 73 | 74 | ### 1. Correction 75 | 76 | **Community Impact**: Use of inappropriate language or other behavior deemed 77 | unprofessional or unwelcome in the community. 78 | 79 | **Consequence**: A private, written warning from community leaders, providing 80 | clarity around the nature of the violation and an explanation of why the 81 | behavior was inappropriate. A public apology may be requested. 82 | 83 | ### 2. Warning 84 | 85 | **Community Impact**: A violation through a single incident or series 86 | of actions. 87 | 88 | **Consequence**: A warning with consequences for continued behavior. No 89 | interaction with the people involved, including unsolicited interaction with 90 | those enforcing the Code of Conduct, for a specified period of time. This 91 | includes avoiding interactions in community spaces as well as external channels 92 | like social media. Violating these terms may lead to a temporary or 93 | permanent ban. 94 | 95 | ### 3. Temporary Ban 96 | 97 | **Community Impact**: A serious violation of community standards, including 98 | sustained inappropriate behavior. 99 | 100 | **Consequence**: A temporary ban from any sort of interaction or public 101 | communication with the community for a specified period of time. No public or 102 | private interaction with the people involved, including unsolicited interaction 103 | with those enforcing the Code of Conduct, is allowed during this period. 104 | Violating these terms may lead to a permanent ban. 105 | 106 | ### 4. Permanent Ban 107 | 108 | **Community Impact**: Demonstrating a pattern of violation of community 109 | standards, including sustained inappropriate behavior, harassment of an 110 | individual, or aggression toward or disparagement of classes of individuals. 111 | 112 | **Consequence**: A permanent ban from any sort of public interaction within 113 | the community. 114 | 115 | ## Attribution 116 | 117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 118 | version 2.0, available at 119 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 120 | 121 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 122 | enforcement ladder](https://github.com/mozilla/diversity). 123 | 124 | [homepage]: https://www.contributor-covenant.org 125 | 126 | For answers to common questions about this code of conduct, see the FAQ at 127 | https://www.contributor-covenant.org/faq. Translations are available at 128 | https://www.contributor-covenant.org/translations. 129 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to kubernetes-validation-tools 2 | 3 | 👋 Hey, thanks for taking the time to contribute! Your help is appreciated. 4 | 5 | ## How can I contribute? 6 | 7 | ### Reporting bugs 8 | 9 | Bug reports are always welcome, and should be reported as a [GitHub issue](https://github.com/HighwayofLife/kubernetes-validation-tools/issues/new). 10 | 11 | 12 | ### Feature requests 13 | 14 | Feature requests are always welcome, this should also be done as a [GitHub issue](https://github.com/HighwayofLife/kubernetes-validation-tools/issues/new). 15 | 16 | Describe the feature that you would like to see as clearly as possible. 17 | 18 | ### Contributing code 19 | 20 | Code contributions are welcome as [GitHub Pull Requests](https://github.com/HighwayofLife/kubernetes-validation-tools/pulls). 21 | 22 | #### Good commit messages 23 | 24 | We try to use the same commit message format as [the Go programming language](https://golang.org/doc/contribute.html#commit_messages). 25 | 26 | Example of a good commit message: 27 | 28 | ``` 29 | kube-score: Update kube-score project to v1.2.3 30 | 31 | Fixes #79 32 | ``` 33 | 34 | The first line of the commit message should contain a short description of the change, prefixed by the primary affected package. 35 | 36 | Additional lines can be used if a longer explanation of the change is needed. 37 | 38 | Issues should be referenced with the syntax `Fixes #123` or `Updates #123` to track that this change is related to an issue. 39 | 40 | Make a change to the [CHANGELOG](CHANGELOG.md) to include a line item about your change, fix, or addition/feature. 41 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10.4-alpine3.15 2 | # https://hub.docker.com/_/python 3 | 4 | ARG APP_VERSION=2.7 5 | 6 | # https://github.com/instrumenta/kubeval/releases 7 | ARG KUBEVAL_VERSION=0.16.1 8 | 9 | # https://github.com/kubernetes-sigs/kustomize/releases 10 | ARG KUSTOMIZE_VERSION=4.5.3 11 | 12 | # https://github.com/open-policy-agent/conftest/releases 13 | ARG CONFTEST_VERSION=0.30.0 14 | 15 | # https://github.com/stelligent/config-lint/releases 16 | ARG CONFIG_LINT_VERSION=1.6.0 17 | 18 | # https://github.com/zegl/kube-score/releases 19 | ARG KUBE_SCORE_VERSION=1.14.0 20 | 21 | # https://github.com/FairwindsOps/polaris/releases 22 | ARG POLARIS_VERSION=5.1.0 23 | 24 | # https://github.com/stackrox/kube-linter/releases 25 | ARG KUBE_LINTER_VERSION=0.2.6 26 | 27 | # https://github.com/yannh/kubeconform/releases 28 | ARG KUBECONFORM_VERSION=0.4.13 29 | 30 | # https://github.com/Shopify/kubeaudit/releases 31 | ARG KUBEAUDIT_VERSION=0.16.0 32 | 33 | # https://github.com/datreeio/datree/releases 34 | ARG DATREE_VERSION=1.0.15 35 | 36 | # https://github.com/controlplaneio/kubesec/releases 37 | ARG KUBESEC_VERSION=2.11.4 38 | 39 | # split layers into distinct components 40 | # Install yamllint and kubectl via the alpine packages repositories 41 | RUN apk add --no-cache --upgrade bash ca-certificates curl tar yamllint git \ 42 | && apk add kubectl helm --no-cache --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ --allow-untrusted 43 | 44 | # Install Kubeval 45 | RUN mkdir /tmp/kubeval \ 46 | && curl -L -o /tmp/kubeval/kubeval.tar.gz \ 47 | https://github.com/instrumenta/kubeval/releases/download/v${KUBEVAL_VERSION}/kubeval-linux-amd64.tar.gz \ 48 | && tar -xzf /tmp/kubeval/kubeval.tar.gz -C /tmp/kubeval \ 49 | && mv /tmp/kubeval/kubeval /usr/local/bin \ 50 | && chmod +x /usr/local/bin/kubeval \ 51 | && rm -rf /tmp/kubeval 52 | 53 | # Install Kustomize 54 | RUN mkdir /tmp/kustomize \ 55 | && curl -L -o /tmp/kustomize/kustomize.tar.gz \ 56 | https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64.tar.gz \ 57 | && tar -xzf /tmp/kustomize/kustomize.tar.gz -C /tmp/kustomize \ 58 | && mv /tmp/kustomize/kustomize /usr/local/bin \ 59 | && chmod +x /usr/local/bin/kustomize \ 60 | && rm -rf /tmp/kustomize 61 | 62 | # Install KubeConform 63 | RUN mkdir /tmp/kubeconform \ 64 | && curl -L -o /tmp/kubeconform/kubeconform.tar.gz \ 65 | https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz \ 66 | && tar -xzf /tmp/kubeconform/kubeconform.tar.gz -C /tmp/kubeconform \ 67 | && mv /tmp/kubeconform/kubeconform /usr/local/bin \ 68 | && chmod +x /usr/local/bin/kubeconform \ 69 | && rm -rf /tmp/kubeconform 70 | 71 | # Install Kubeaudit 72 | RUN mkdir /tmp/kubeaudit \ 73 | && curl -L -o /tmp/kubeaudit/kubeaudit.tar.gz \ 74 | https://github.com/Shopify/kubeaudit/releases/download/${KUBEAUDIT_VERSION}/kubeaudit_${KUBEAUDIT_VERSION}_linux_amd64.tar.gz \ 75 | && tar -xzf /tmp/kubeaudit/kubeaudit.tar.gz -C /tmp/kubeaudit \ 76 | && mv /tmp/kubeaudit/kubeaudit /usr/local/bin \ 77 | && chmod +x /usr/local/bin/kubeaudit \ 78 | && rm -rf /tmp/kubeaudit 79 | 80 | # Install Conftest (https://www.conftest.dev/) 81 | RUN mkdir /tmp/conftest \ 82 | && curl -L -o /tmp/conftest/conftest.tar.gz \ 83 | https://github.com/open-policy-agent/conftest/releases/download/v${CONFTEST_VERSION}/conftest_${CONFTEST_VERSION}_Linux_x86_64.tar.gz \ 84 | && tar -xzf /tmp/conftest/conftest.tar.gz -C /tmp/conftest \ 85 | && mv /tmp/conftest/conftest /usr/local/bin \ 86 | && chmod +x /usr/local/bin/conftest \ 87 | && rm -rf /tmp/conftest 88 | 89 | # Install Config Lint (https://stelligent.github.io/config-lint/#/install) 90 | RUN mkdir /tmp/config-lint \ 91 | && curl -L -o /tmp/config-lint/config-lint.tar.gz \ 92 | https://github.com/stelligent/config-lint/releases/download/v${CONFIG_LINT_VERSION}/config-lint_Linux_x86_64.tar.gz \ 93 | && tar -xzf /tmp/config-lint/config-lint.tar.gz -C /tmp/config-lint \ 94 | && mv /tmp/config-lint/config-lint /usr/local/bin \ 95 | && chmod +x /usr/local/bin/config-lint \ 96 | && rm -rf /tmp/config-lint 97 | 98 | # Install Kube Score (https://github.com/zegl/kube-score) 99 | RUN mkdir /tmp/kube-score \ 100 | && curl -L -o /tmp/kube-score/kube-score.tar.gz \ 101 | https://github.com/zegl/kube-score/releases/download/v${KUBE_SCORE_VERSION}/kube-score_${KUBE_SCORE_VERSION}_linux_amd64.tar.gz \ 102 | && tar -xzf /tmp/kube-score/kube-score.tar.gz -C /tmp/kube-score \ 103 | && mv /tmp/kube-score/kube-score /usr/local/bin \ 104 | && chmod +x /usr/local/bin/kube-score \ 105 | && rm -rf /tmp/kube-score 106 | 107 | # Install Polaris (https://github.com/FairwindsOps/polaris) 108 | RUN mkdir /tmp/polaris \ 109 | && curl -L -o /tmp/polaris/polaris.tar.gz \ 110 | https://github.com/FairwindsOps/polaris/releases/download/${POLARIS_VERSION}/polaris_linux_amd64.tar.gz \ 111 | && tar -xzf /tmp/polaris/polaris.tar.gz -C /tmp/polaris \ 112 | && mv /tmp/polaris/polaris /usr/local/bin \ 113 | && chmod +x /usr/local/bin/polaris \ 114 | && rm -rf /tmp/polaris 115 | 116 | # Install Kube Linter (https://github.com/stackrox/kube-linter) 117 | RUN mkdir /tmp/kube-linter \ 118 | && curl -L -o /tmp/kube-linter/kube-linter.tar.gz \ 119 | https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux.tar.gz \ 120 | && tar -xzf /tmp/kube-linter/kube-linter.tar.gz -C /tmp/kube-linter \ 121 | && mv /tmp/kube-linter/kube-linter /usr/local/bin \ 122 | && chmod +x /usr/local/bin/kube-linter \ 123 | && rm -rf /tmp/kube-linter 124 | 125 | # Install Datree (https://github.com/datreeio/datree) 126 | RUN mkdir /tmp/datree \ 127 | && curl -L -o /tmp/datree/datree.zip \ 128 | https://github.com/datreeio/datree/releases/download/${DATREE_VERSION}/datree-cli_${DATREE_VERSION}_Linux_x86_64.zip \ 129 | && unzip /tmp/datree/datree.zip -d /tmp/datree/ \ 130 | && mv /tmp/datree/datree /usr/local/bin \ 131 | && chmod +x /usr/local/bin/datree \ 132 | && rm -rf /tmp/datree \ 133 | && helm plugin install https://github.com/datreeio/helm-datree 134 | 135 | # Install KubeSec (https://github.com/controlplaneio/kubesec) 136 | RUN mkdir /tmp/kubesec \ 137 | && curl -L -o /tmp/kubesec/kubesec.tar.gz \ 138 | https://github.com/controlplaneio/kubesec/releases/download/v${KUBESEC_VERSION}/kubesec_linux_amd64.tar.gz \ 139 | && tar -xzf /tmp/kubesec/kubesec.tar.gz -C /tmp/kubesec \ 140 | && mv /tmp/kubesec/kubesec /usr/local/bin \ 141 | && chmod +x /usr/local/bin/kubesec \ 142 | && rm -rf /tmp/kubesec 143 | 144 | CMD ["/bin/bash"] 145 | 146 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Kubernetes Validation Tools 2 | =========================== 3 | 4 | An all-in-one collection of tools to run linting, common validation, static code analysis, security scanning, configuration tests, auditing, kustomize build, and dry run configuration for structured Kubernetes YAML Manifests. Designed to run in a CI (Continuious Integration) process as part of validation and testing, especially useful for Kubernetes clusters that are managed through GitOps. 5 | 6 | [![Docker](https://github.com/HighwayofLife/kubernetes-validation-tools/actions/workflows/docker-publish.yml/badge.svg)](https://github.com/HighwayofLife/kubernetes-validation-tools/actions/workflows/docker-publish.yml) ![Docker Pulls](https://img.shields.io/docker/pulls/deck15/kubeval-tools?style=plastic) 7 | 8 | Why? 9 | ---- 10 | 11 | I wasn't able to find a single docker image that contained all of the major validation tools (of which there are several!) to validate Kubernetes YAML manifest files as part of a CI/CD process before being automatically deployed to Kubernetes. This repo isn't designed to cover how to use these individual tools, though it does contain some basic usage examples. The links below should lead you to documentation for more details on using each tool. We have found it useful to use several tools during our CI validation and scanning process because some tools check certain aspects that others cannot. 12 | 13 | Usage 14 | ----- 15 | 16 | Grab the latest image from [Github Packages](https://github.com/HighwayofLife?tab=packages&repo_name=kubernetes-validation-tools) or from [Docker Hub](https://hub.docker.com/r/deck15/kubeval-tools). 17 | 18 | You can run the image directly in docker, or see below for CI/CD usage examples. 19 | 20 | ```sh 21 | docker run --rm -it docker.pkg.github.com/highwayoflife/kubernetes-validation-tools/image:latest /bin/bash 22 | ``` 23 | 24 | ```sh 25 | docker run --rm -it deck15/kubeval-tools:latest /bin/bash 26 | ``` 27 | 28 | Tools List 29 | ---------- 30 | | Tool | Version | Purpose | Description | 31 | |-------------|----------|------------|-----------------------------------------------------------------------------------| 32 | | Kubectl | 1.23.5 | CLI | Kubernetes CLI. Can be used with `--dry-run=client` to validate manifests | 33 | | Helm | 3.8.1 | CLI | Helm helps you manage Kubernetes applications — define, install, and upgrade Kubernetes applications as helm charts. Run as a validation tool, can be run as `helm lint`, or `helm template`. | 34 | | Yamllint | 1.26.3 | Linter | Basic linter for YAML files | 35 | | Kubeval | 0.16.1 | Validation | Tool for validating a Kubernetes YAML manifests. Doesn't work with CRDs. | 36 | | Kustomize | 4.5.3 | Compile | Template-free way to customize app configs. Useful to validate kustomize configs. | 37 | | Config Lint | 1.6.0 | Validation | Validate config files using custom rules specified in YAML. | 38 | | Conftest | 0.30.0 | Tests | Utility to help you write tests against structured configuration data. | 39 | | Kube Score | 1.14.0 | Security | Tool that performs **static code analysis** of Kubernetes object definitions. | 40 | | Polaris | 5.1.0 | Validation | Identifies Kubernetes deployment configuration errors | 41 | | Kube Linter | 0.2.6 | Security | Linter and Static analysis tool that checks Kubernetes manifests | 42 | | Kubeconform | 0.4.13 | Validation | Kubernetes manifests validation tool like Kubeval with CRD support | 43 | | Kubeaudit | 0.16.0 | Security | Audit clusters or manifest files for security concerns | 44 | | Datree | 1.0.15 | Policy | Ensure Kubernetes manifests and Helm charts are valid and follow your policies. | 45 | | Kubesec | 2.11.4 | Security | Security risk analysis for Kubernetes resources | 46 | 47 | CI Examples 48 | ----------- 49 | 50 | Ideally the kubernetes-validation-tools container should be used in a CI build process to validate, scan, and lint Kubernetes configs and manifests or helm charts. It's optimal to run these tools as part of a [GitOps](https://www.gitops.tech/) Continuious Integration workflow. 51 | 52 | #### GitHub Actions Example 53 | Use the container specifier to run a step inside a container. Be sure to specify runs-on as the appropriate host environment for your container (ubuntu-latest for Linux containers, windows-latest for Windows containers). For example: 54 | 55 | ```yaml 56 | jobs: 57 | container: 58 | runs-on: ubuntu-latest 59 | container: deck15/kubeval-tools:latest 60 | steps: 61 | - run: | 62 | kubeconform -summary manifests.yaml 63 | name: Run in container 64 | ``` 65 | 66 | #### Jenkinsfile declarative example on Kubernetes 67 | This example is useful if Jenkins is running agents in a Kubernetes cluster: `Jenkinsfile` 68 | 69 | ```groovy 70 | pipeline { 71 | agent { 72 | kubernetes { 73 | cloud 'build-pipeline' 74 | defaultContainer 'validate' 75 | inheritFrom 'jnlp' 76 | yaml """ 77 | apiVersion: v1 78 | kind: Pod 79 | spec: 80 | containers: 81 | - name: validate 82 | image: deck15/kubeval-tools:latest 83 | command: 84 | - cat 85 | tty: true 86 | """ 87 | } // kubernetes 88 | } // agent 89 | 90 | stages { 91 | steps { 92 | container('validate') { 93 | sh 'kubeconform -summary manifests.yaml' 94 | } 95 | } 96 | } 97 | } 98 | ``` 99 | 100 | #### Jenkinsfile declarative example using Docker agents 101 | 102 | ```groovy 103 | pipeline { 104 | agent { 105 | docker { image 'deck15/kubeval-tools:latest' } 106 | } // agent 107 | 108 | ... 109 | } 110 | ``` 111 | 112 | #### Drone example: `.drone.yml` 113 | 114 | ```yaml 115 | kind: pipeline 116 | type: docker 117 | name: default 118 | 119 | steps: 120 | - name: validate 121 | image: deck15/kubeval-tools:latest 122 | commands: 123 | - kubeconform -summary manifests.yaml 124 | ``` 125 | 126 | #### Circle-CI example: `.circleci/config.yml` 127 | 128 | ```yaml 129 | version: 2.0 130 | jobs: 131 | build: 132 | docker: 133 | - image: deck15/kubeval-tools:latest 134 | ``` 135 | 136 | #### Gitlab CI example: `.gitlab-ci.yaml` 137 | You can define an image that’s used for all jobs, and a list of services that you want to use during runtime: 138 | 139 | ```yaml 140 | default: 141 | image: deck15/kubeval-tools:latest 142 | 143 | validate: 144 | script: 145 | - kubeconform -summary manifests.yaml 146 | ``` 147 | Kubeaudit 148 | --------- 149 | [Kubeaudit](https://github.com/Shopify/kubeaudit) is a command line tool and a Go package to audit Kubernetes clusters for various different security concerns, such as: 150 | 151 | * run as non-root 152 | * use a read-only root filesystem 153 | * drop scary capabilities, don't add new ones 154 | * don't run privileged 155 | * and more! 156 | 157 | kubeaudit makes sure you deploy secure containers! 158 | 159 | KubeVal 160 | ------- 161 | 162 | [kubeval](https://kubeval.instrumenta.dev/) is a tool for validating a Kubernetes YAML or JSON configuration file. It does so using schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes. 163 | 164 | KubeConform 165 | ----------- 166 | 167 | [Kubeconform](https://github.com/yannh/kubeconform) is a Kubernetes manifests validation tool. Build it into your CI to validate your Kubernetes configuration! 168 | 169 | It is inspired by, contains code from and is designed to stay close to Kubeval, but with the following improvements: 170 | 171 | * high performance: will validate & download manifests over multiple routines, caching downloaded files in memory 172 | * configurable list of remote, or local schemas locations, enabling validating Kubernetes custom resources (CRDs) and offline validation capabilities 173 | * uses by default a self-updating fork of the schemas registry maintained by the kubernetes-json-schema project - which guarantees up-to-date schemas for all recent versions of Kubernetes. 174 | 175 | #### Usage examples 176 | Validating a single, valid file 177 | 178 | ```sh 179 | kubeconform fixtures/valid.yaml 180 | echo $? 181 | 0 182 | ``` 183 | 184 | Validating a single invalid file, setting output to json, and printing a summary 185 | 186 | ```sh 187 | kubeconform -summary -output json fixtures/invalid.yaml 188 | { 189 | "resources": [ 190 | { 191 | "filename": "fixtures/invalid.yaml", 192 | "kind": "ReplicationController", 193 | "version": "v1", 194 | "status": "INVALID", 195 | "msg": "Additional property templates is not allowed - Invalid type. Expected: [integer,null], given: string" 196 | } 197 | ], 198 | "summary": { 199 | "valid": 0, 200 | "invalid": 1, 201 | "errors": 0, 202 | "skipped": 0 203 | } 204 | } 205 | 206 | echo $? 207 | 1 208 | ``` 209 | 210 | Passing manifests via Stdin 211 | 212 | ```sh 213 | cat fixtures/valid.yaml | kubeconform -summary 214 | Summary: 1 resource found parsing stdin - Valid: 1, Invalid: 0, Errors: 0 Skipped: 0 215 | ``` 216 | 217 | Validating a folder, increasing the number of parallel workers 218 | 219 | ```sh 220 | kubeconform -summary -n 16 fixtures 221 | fixtures/crd_schema.yaml - CustomResourceDefinition trainingjobs.sagemaker.aws.amazon.com failed validation: could not find schema for CustomResourceDefinition 222 | fixtures/invalid.yaml - ReplicationController bob is invalid: Invalid type. Expected: [integer,null], given: string 223 | [...] 224 | Summary: 65 resources found in 34 files - Valid: 55, Invalid: 2, Errors: 8 Skipped: 0 225 | ``` 226 | 227 | ConfTest 228 | -------- 229 | [ConfTest](https://www.conftest.dev/) is a utility to help you write tests against structured configuration data. For instance you could write tests for your Kubernetes configurations, or Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data. 230 | 231 | Conftest relies on the Rego language from Open Policy Agent for writing the assertions. 232 | 233 | YAMLLint 234 | -------- 235 | [yamllint](https://yamllint.readthedocs.io/) is a linter for YAML files. 236 | 237 | yamllint does not only check for syntax validity, but for weirdnesses like key repetition and cosmetic problems such as lines length, trailing spaces, indentation, etc. 238 | 239 | Kustomize 240 | --------- 241 | 242 | [Kustomize](https://kustomize.io/) lets you customize raw, template-free YAML files for multiple purposes, leaving the original YAML untouched and usable as is. 243 | 244 | kustomize targets kubernetes; it understands and can patch kubernetes style API objects. It's like make, in that what it does is declared in a file, and it's like sed, in that it emits edited text. Kustomize traverses a Kubernetes manifest to add, remove or update configuration options without forking. 245 | 246 | Kustomize is particularly useful to use with tools like [ArgoCD](https://argoproj.github.io/argo-cd/user-guide/kustomize/), [FluxCD](https://docs.fluxcd.io/en/latest/references/fluxyaml-config-files/), or [Spinnaker](https://www.spinnaker.io/guides/user/kubernetes-v2/kustomize-manifests/) to enable shared manifests (resources) across multiple clusters or environments without duplicating code. Kustomize allows overrides, merges, and other configuration features. 247 | 248 | KubeCTL 249 | ------- 250 | 251 | [kubectl](https://kubectl.docs.kubernetes.io/) is the Kubernetes cli version of a swiss army knife, and can do many things. One of those things is being able to do a dry-run validate on a yaml file. 252 | 253 | ```sh 254 | $ kubectl create --dry-run --validate -f invalid.yaml 255 | ``` 256 | 257 | Helm 258 | ---- 259 | 260 | Helm commands to use in CI to lint or validate helm charts. 261 | 262 | #### helm lint 263 | examine a chart for possible issues. 264 | 265 | **NOTE:** 266 | > `helm lint` by itself is insufficient to adequately validate a helm chart. It is recommended to use `helm lint` and `helm template` in combination with one of the other manifest validation tools. (See below example) 267 | 268 | This command takes a path to a chart and runs a series of tests to verify that the chart is well-formed. 269 | 270 | If the linter encounters things that will cause the chart to fail installation, it will emit `[ERROR]` messages. If it encounters issues that break with convention or recommendation, it will emit `[WARNING]` messages. 271 | 272 | ```sh 273 | helm lint PATH [flags] 274 | ``` 275 | 276 | #### helm template with kubeconform 277 | 278 | ```sh 279 | helm template ./path/to/chart | kubeconform -strict -ignore-missing-schemas 280 | ``` 281 | 282 | Config-Lint 283 | ----------- 284 | 285 | [config-lint](https://stelligent.github.io/config-lint/) is a command line tool to validate configuration files using rules specified in YAML. The configuration files can be one of several formats: Terraform, JSON, YAML, with support for Kubernetes. There are built-in rules provided for Terraform, and custom files can be used for other formats. 286 | 287 | ```sh 288 | config-lint -rules example-files/rules/kubernetes.yml example-files/config 289 | ``` 290 | 291 | Kube-Score 292 | ---------- 293 | [Kube-Score](https://github.com/zegl/kube-score), a tool that performs static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resilient. 294 | 295 | kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument. 296 | 297 | The input to kube-score should be all applications that you deploy to the same namespace for the best result. 298 | 299 | #### Example with Helm 300 | ```sh 301 | helm template my-app | kube-score score - 302 | ``` 303 | 304 | #### Example with Kustomize 305 | ```sh 306 | kustomize build . | kube-score score - 307 | ``` 308 | 309 | #### Example with static YAMLs 310 | ```sh 311 | kube-score score my-app/*.yaml 312 | kube-score score my-app/deployment.yaml my-app/service.yaml 313 | ``` 314 | 315 | Polaris 316 | ------- 317 | [Polaris](https://github.com/FairwindsOps/polaris), Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices. Polaris is included as a CLI tool to test local YAML files, e.g. as part of a CI/CD process. 318 | 319 | Polaris can be run in a few different modes: 320 | 321 | * As a dashboard, so you can audit what's running inside your cluster. 322 | * As a validating webhook, so you can automatically reject workloads that don't adhere to your organization's policies. 323 | * As a command-line tool, so you can test local YAML files, e.g. as part of a CI/CD process. 324 | 325 | You can run audits on the command line and see the output as JSON, YAML, or a raw score: 326 | 327 | ```sh 328 | polaris audit --format yaml > report.yaml 329 | polaris audit --format score 330 | # 92 331 | ``` 332 | 333 | Audits can run against a local directory or YAML file rather than a cluster: 334 | 335 | ```sh 336 | polaris audit --audit-path ./deploy/ 337 | 338 | # or to use STDIN 339 | cat pod.yaml | polaris audit --audit-path - 340 | ``` 341 | You can also run the audit on a single resource instead of the entire cluster: 342 | 343 | ```sh 344 | polaris audit --resource "nginx-ingress/Deployment.apps/v1/default-backend" 345 | ``` 346 | #### Running with CI/CD 347 | You can integrate Polaris into CI/CD for repositories containing infrastructure-as-code. For example, to fail if polaris detects any danger-level issues, or if the score drops below 90%: 348 | 349 | ```sh 350 | polaris audit --audit-path ./deploy/ \ 351 | --set-exit-code-on-danger \ 352 | --set-exit-code-below-score 90 353 | ``` 354 | 355 | For more usage options for CLI, see the [Usage Doc](https://github.com/FairwindsOps/polaris/blob/master/docs/usage.md) 356 | 357 | Kube Linter 358 | ----------- 359 | 360 | [Kube Linter](https://github.com/stackrox/kube-linter) is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. KubeLinter accepts YAML files as input and runs a series of checks on them. If it finds any issues, it reports them and returns a non-zero exit code. 361 | 362 | Datree 363 | ----------- 364 | 365 | [Datree](https://github.com/datreeio/datree) is a CLI tool that can be used locally or in your CI/CD to ensure Kubernetes manifests and Helm charts follow best practices as well as your organization’s policies. It comes with 30 battle-tested rules to choose from, together with built-in support for YAML and kubernetes schema validation. 366 | 367 | #### Example with static YAMLs 368 | ```sh 369 | datree test my-app/*.yaml 370 | datree test my-app/deployment.yaml 371 | ``` 372 | 373 | #### Example with Helm 374 | ```sh 375 | helm datree test 376 | ``` 377 | 378 | KubeSec 379 | ------- 380 | 381 | [KubeSec](https://github.com/controlplaneio/kubesec) is a security scanning tool for Kubernetes pods, deployments, daemonsets and statefulsets. 382 | 383 | #### Example usage 384 | 385 | ```sh 386 | kubesec scan manifest.yaml 387 | ``` 388 | 389 | #### Example output 390 | 391 | Kubesec returns a returns a JSON array, and can scan multiple YAML documents in a single input file. 392 | 393 | ```json 394 | [ 395 | { 396 | "object": "Pod/security-context-demo.default", 397 | "valid": true, 398 | "message": "Failed with a score of -30 points", 399 | "score": -30, 400 | "scoring": { 401 | "critical": [ 402 | { 403 | "selector": "containers[] .securityContext .capabilities .add == SYS_ADMIN", 404 | "reason": "CAP_SYS_ADMIN is the most privileged capability and should always be avoided", 405 | "points": -30 406 | } 407 | ], 408 | "advise": [ 409 | { 410 | "selector": "containers[] .securityContext .runAsNonRoot == true", 411 | "reason": "Force the running image to run as a non-root user to ensure least privilege", 412 | "points": 1 413 | }, 414 | { 415 | // ... 416 | } 417 | ] 418 | } 419 | } 420 | ] 421 | ``` 422 | 423 | Contributing 424 | ------------ 425 | 426 | PRs welcome! Check out the [CONTRIBUTING](CONTRIBUTING.md) Guidelines for more information. 427 | --------------------------------------------------------------------------------