Top Kubernetes YAML Validation Tools
Harshit Mehndiratta
Harshit Mehndiratta
January 04, 2021
/
8 minutes read

Top Kubernetes YAML Validation Tools

Kubernetes configurations are usually defined in YAML files, which describe the constraints and relationships between Kubernetes resources. The Kubernetes community describes YAML as a human-readable format. Yet, it is hard to understand and produce valid configurations at scale. Labels, services, deployments, config maps, CRDs, and the entire cloud-native stack contributes to this complexity.

Static validation alone in complex YAML’s cannot efficiently catch errors and violations of policies, which may cause outages or expose security issues.

To make validation easy and automated, the Kubernetes community has developed tools that can help cross-check resource manifests by easily integrating them into CI/CD pipelines. These Kubernetes validation tools easily enforce security & DevOps best practices and meeting custom compliance requirements.

Let’s have a look at them.

Conftest

Conftest is a Kubernetes validation tool that provides a testing framework for developers to check and verify Kubernetes resources. Conftest not only allows validation against Kubernetes configuration. Users can easily write tests for serverless, Terraform, and other prominent frameworks.

Conftest checks are written using Rego, the query language Kubernetes Open Policy Agent(OPA) uses. OPA has enterprise-wide support due to its ease of enforcement of custom policies on Kubernetes primitives. Conftest being compatible with existing OPA bundles makes it the best resource validation tool for enterprises.

Policies in Conftest are a collection of rules. A rule returns a boolean, which can be true or false depending upon the overall result. The rego query specifies a deny block, which returns true if the rule gets violated.

There can be multiple deny blocks in many scenarios. Conftest checks them one by one, and the overall result is an evaluation of the logic.

All the rules in Conftest are stored in the ./policy directory by default, and users can easily format the output into a table, JSON, or TAP for seamless integration with CI/CD pipeline. Tracing is also available, which outputs how Conftest parses policy files.

Policies created through conftest are shared as artifacts in OCI (Open Container Initiative) registries. Users can easily push and pull artifacts from supported registries of the users’ choice.

Kubeval

Kubeval is one of the top choices for using a tool that can check and validate Kubernetes resources. Kubeval implements an OpenAPI spec, which puts all the validation interaction through a REST API to check whether the given YAML input matches the API schema.

Users can also use custom-built API schemas to test against a specific Kubernetes release. Kubeval supports various Kubernetes versions for specific API support. A list of versions for validation is available on GitHub in the form of a JSON schema.

Kubeval works well with both YAML or JSON configuration. Also, there is no need to access the cluster for running validations. It has the advantage of running offline, which requires users to download the schema that can be run smoothly anywhere for validation against the latest/specific release.

In addition to offline download of schemas, kubeval supports various output formats such as Plain Text, JSON, and Test Anything Protocol (TAP), which comes useful when the output is parsed for use in CI/CD pipelines.

Copper

Copper is another Kubernetes validation tool that checks configuration files through custom checks. Sponsored by Cloud66, Copper tests are not restrictive and are written in Javascript for easy customization.

Developers use helper functions to make changes to YAML files as needed. Copper provides a library of basic ones for extracting the Kubernetes object data. For instance, the name function will read the specified file and creates an object containing the following image name. Image registry, URL, and location can be found through names or labels specifiers.

Using helper functions, users can write sophisticated checks that validate the pod’s privileges, deployment, and domain manifests.

Also, Copper’s development team ensures all configuration files applied on clusters adhere to the specific infrastructure policies through custom helper functions. The entire JavaScript library is made available to develop custom checks and scripts to meet the desired objectives.

Kubevious

Kubevious is unlike anything out there. Kubevious makes Kubernetes safer to use.

Kubevious installs into a cluster using helm and provides validation right out of the box. Kubevious comes with graphical validator for Kubernetes, which identifies misconfigurations and violations with DevOps and Cloud-Native best practices.

Kubevious supports a wide range of configuration validations. It can detect cases where the manifest does not match the defined schema, i.e., pods with escalated privileges, pods with no tags, CPU, and memory requests/limits, and more. Kubevious can also detect things that are misconfigured but also identify areas that need special attention. Some examples are radioactive workloads and clearly identifying change blast radius.

Kubevious has various modes; the dashboard audits what’s running inside your cluster; the rule editor allows complete user customization with simple javascript snippets. The marker editor allows users can assign markers for different checks.

Travelling back in time using Kubevious TimeMachine significantly simplifies root causing downtimes and misconfigurations.

Config-lint

Config-lint by Stelligent is an open-source tool designed to provide easy to use validation features to test against unique compliance requirements. Config-lint contains a list of validation rules that ensures easy cross-checking of configuration objects.

Besides Kubernetes YAML, Config-lint supports various configuration formats like Terraform, JSON, and CSV, enabling developers to validate the different configuration files.

Installing config-lint does not provide any built-in checks for Kubernetes manifests, so users have to write custom rules for performing any validations. Config-lint checks specific use cases against custom requirements by supporting custom rules for various configurations such as JSON, YAML, and Terraform. Each custom rule in Config-lint must have some mandatory attributes defined to be checked against a use case - for example, the id attribute, which is important to define for rule identification. Resource attributes should properly target the resource to apply rules. Assertions must contain a list of relevant conditions to test against a specific resource.

There are various modes of installation available for config-lint on the GitHub repository. Config-lint is also open-source, which means automated releases and contributions to the documentation, bug fixes, and new features are continuous.

KubeLinter

Stackrox KubeLinter provides automated analysis of YAML files to ensure Kubernetes configurations are geared properly towards security and production.

Kubeline checks resource configurations against various security best practices by integrating security-as-a-code and other related processes for automatic enforcement of policies for containerized applications.

Kubelinter implements the Go framework, which is known for ease of deployment and human-readable syntax. Users can easily correct validation errors and run various default checks, such as running containers as a non-root user, enforcing least privilege, and storing sensitive information in secrets to meet compliance requirements.

KubeLinter is also highly configurable. Users can easily create their own custom rules and enable and disable rules depending on the policies required for specific namespaces. Adding custom rules in Kubelinter requires minimal work. It can be integrated easily into your CI/CD tool, such as GitHub Action, Jenkins, or Travis CI, for automated checking and error identification of application configurations.

KubeLibrary

KubeLibrary provides easy to build tests to verify configuration objects state in the Kubernetes cluster. KubeLibrary test resource configurations using python Kubernetes client, which gathers cluster-wide state and configurations.

KubeLibrary implements an extensible Robot Framework, which consists of multiple libraries to verify the status of deployments, nodes, pods, and other Kubernetes objects. Users can easily add their custom test cases using python, which is easily understandable and super easy to write.

RobotFramework Library also utilizes keywords that can be used in test cases to ensure the best security practices. For example, ${POD_NAME_PATTERN} keyword will check for pods matching the name pattern.

There are many other keywords available in documentation within the GitHub repository, and new keywords are added constantly to the library. Building new checks to KubeLibrary is also by writing custom definitions through the python Kubernetes client.

Kube-score

Kube-score is a YAML validation tool that analyses Kubernetes resource configurations for various best practices such as running containers with non-root privileges, correctly specifying resource limits, and health checks.

After running the analysis, Kubescore outputs recommendations and missing limits in the running cluster. All the cluster deficiencies are tagged with a WARNING or CRITICAL tags depending upon the organization’s compliance policies.

The major drawback of Kubescore is cluster deficiencies mentioned in the output of analysis don’t change with the Kubernetes version release, and kube-score is not customizable to add custom polices.

Conclusion

There are many more tools besides the ones mentioned above to check and verify Kubernetes YAML manifests. Still, the one which suits your organization’s needs is dependent on how you want your checks to be in terms of design and performing validations.

For instance, if you are looking for a tool that provides easy and straightforward validations through Kubernetes API schema, Kubeval could be chosen. For cases when you want to identify misconfigurations and violations of DevOps best practices, Kubevious is a great option. Kubevious also comes with a powerful GUI client that displays misconfigurations and areas that may be suspicious or require special attention.

If you perform detailed tests with custom policies, Kube-score and KubeLinter are better choices. If you have different configuration requirements and want a highly customizable validation tool, consider Config-lint, KubeLibrary, Conftest, and Copper. These all support evolved programming language libraries, making the writing of custom checks easier.

Summary Table

Tool Pros Cons
conftest Robust Rego based framework for custom checks/validations. Policy sharing via OCI. Does not come with built-in checks. Steep learning curve
kubeval YAML validation against a specific version of API Schema. Custom resources definitions (CRD) cannot be used to add custom checks to the Kubernetes cluster.
copper Javascript-based framework for writing custom YAML validation rules No inbuilt rules. Users have to create custom checks.
kubevious Visual overview of configurations, errors, best practice violations. Customizable. Has to be deployed on every K8s cluster. But there is a Kubevious Portable edition that doesn’t require installation
config-lint Supports for various configuration formats (Terraform, YAML, JSON) for writing custom checks. Not sufficient built-in rules for standard checks.
Kube Linter Powerful for out of the box security validation Early-stage project. Alpha release
kube-score Does YAML validation against a variety of security best practices. No specific API version support.
Kube library Implements an Extensible Robot Framework for testing. Python for writing custom checks. Learning curve with Keywords based custom checks.
message