Running Static Analysis on Kubernetes Manifests - Isn't Just For Code Anymore

Ed LeGault - Dec 18 '20 - - Dev Community

Running static analysis during a CI/CD pipeline is typically used to find formatting issues, spot common mistakes and ensure consistency in code before it is even compiled or tested. There are tools available that can perform similar checks against Kubernetes manifests and Helm charts. Adding these checks lets the team find problems in Kubernetes configuration before anyone attempts to apply or deploy it. The tools differ in the functional value they provide depending on what they verify.

API Based Validation

There are tools available, such as kubeval, that validate your Kubernetes manifests against a given API schema. kubeval provides an option to pass a particular Kubernetes version when validating, to ensure that your manifest files conform to that version's schema. Since a tool like this only validates that the YAML is correct against a particular schema and API, it does no checking for security issues and allows for no customization.

Pre-built Rule Based Validation

Tools such as checkov are rule based and validate your Kubernetes manifests against a set of rules. These rules typically encode industry best practices and known security issues. Tools of this type can also be extended with your own custom rules so you can enforce any consistency requirements you have for your manifests. For example, if you require every resource to carry a certain label, you could add a custom rule that enforces that the label always exists.
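To make the rule-based approach concrete, here is a small added example of the kind of checks such a tool runs (it is not checkov's code or the article's own): a required-label rule like the one described above, plus two common best-practice rules for privileged containers and missing resource limits. The sample manifests and the `team` label convention are constructed for the example; they are given as JSON, which kubectl also accepts and which is valid YAML, so a real YAML file would be read with `yaml.safe_load_all()` instead.

```python
import json

# Constructed sample input (not from the article): two resources serialised as JSON.
# JSON is valid YAML and kubectl accepts it; for real YAML files use yaml.safe_load_all().
SAMPLE = """[
 {"apiVersion": "v1", "kind": "Namespace",
  "metadata": {"name": "shop", "labels": {"team": "payments"}}},
 {"apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "api", "namespace": "shop"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "api", "image": "registry.example/api:1.2",
     "securityContext": {"privileged": true}},
    {"name": "sidecar", "image": "registry.example/proxy:3",
     "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}]}}}}
]"""

REQUIRED_LABEL = "team"  # hypothetical organisation-wide convention, enforced by a custom rule


def containers(doc):
    """Return container specs from a Pod or a Pod-template resource (Deployment, StatefulSet...)."""
    spec = doc.get("spec") or {}
    pod = spec.get("template", {}).get("spec", spec)  # a bare Pod keeps its own spec
    return pod.get("containers", []) + pod.get("initContainers", [])


def check(doc):
    """Run every rule over one manifest document; returns a list of (rule_id, message)."""
    ref = f"{doc.get('kind')}/{doc.get('metadata', {}).get('name')}"
    findings = []
    labels = doc.get("metadata", {}).get("labels") or {}
    if REQUIRED_LABEL not in labels:
        findings.append(("REQ_LABEL", f"{ref}: missing required label '{REQUIRED_LABEL}'"))
    for c in containers(doc):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(("NO_PRIVILEGED", f"{ref}: container '{c['name']}' runs privileged"))
        if not (c.get("resources") or {}).get("limits"):
            findings.append(("LIMITS", f"{ref}: container '{c['name']}' has no resource limits"))
    return findings


def lint(text):
    """Parse a JSON array of manifest documents and return all findings."""
    return [f for d in json.loads(text) for f in check(d)]


if __name__ == "__main__":
    results = lint(SAMPLE)
    for rule, msg in results:
        print(f"[{rule}] {msg}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI step
```

Run against the sample, the Namespace passes and the Deployment produces three findings: the missing `team` label, the privileged `api` container and its missing resource limits.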

Helm Linting and Validation

If you are using Helm charts you can run the same checks with most of the tools available, but you must first run a helm template command and then feed the resulting YAML output to the tool. Helm also has a lint command that checks that the directory structure and prerequisite files exist to properly template and package the chart.

Finding Problems Sooner is Good

By adding some form of static analysis of your Kubernetes files to your CI/CD pipeline, you can find and address configuration or consistency issues faster and more easily. Feel free to search around and look at different tools and options; I have just included a few here to start the journey. You may find that you prefer one over another, or that something meets your needs for different reasons. You also need to decide what kinds of things you want to check and enforce. Maybe you just want to start with linting your Helm charts, and a second step is to add an opinion-based check. It all comes down to what you find valuable at the time.
