Introduction In the , we learned how to create Kubernetes YAML files. Now, let’s see how to ensure that the files we have created are not only valid YAML but more importantly adhere to best practices of Kubernetes development. previous article This article is intended as a guide for validating Kubernetes manifest files. If you are a developer, software architect, security specialist, or simply interested in learning more about the quality assurance process around creating and managing Kubernetes manifests, this article is for you. The Shift Left philosophy The movement or as I like to call it “extend left” started as an idea of empowering developers to be responsible for and own the end-to-end process of the software lifecycle. shift left When done correctly, it means creating tools and the supporting organizational structure that allows  development teams to succeed by allowing them to take full ownership and control over the software they create and maintain. When done incorrectly, it usually means “dumping” all the responsibility on developers and hoping for the best. In the spirit of extending left, the process of authoring and managing Kubernetes artifacts should also be the responsibility of development teams. Kubernetes already has a powerful and sophisticated process of validating resources in the form of the following tools: admission controllers policy enforcement via tools like , or Open Policy Agent Kyverno Kubewarden (deprecated in 1.21) pod security policies Those tools are great, but they belong to the cluster operator layer and are more suited as a platform rather than a tool that fits neatly in a standard developer workflow. What we are going to look at next are various tools and methods that shift the starting point of a validation process to a development workflow and thus greatly improve the quality of the whole system. This is difficult to do with a non-statically typed language like YAML, but with the right tools, it can be done. The holy grail of shifting validation left is to . make illegal states irrepresentable Quality in a service or product is not what you put into it. It is what the client or customer gets out of it. — Peter Drucker What you will learn After reading this article, you will learn: learn about the impact that shifting validation left has on the end product what are the different ways to validate Kubernetes YAML files what are the benefits of automating the validation process in a CI/CD pipeline learn about tools specializing in validating different kinds of YAML files Prerequisites If you would like to follow along and get your hands dirty with YAML, you will need: VS Code with remote development extension or any of the alternatives (need to be able to run containers) docker desktop clone this repository Please note that the repository uses a with all the tools and configuration needed to run the examples built in. Because of this, the image is large, so please modify it accordingly before running the container. devcontainer What do we need to validate? Let’s look a bit closer at the validation process. We can divide the validation process into 3 distinct categories: of YAML syntax. This is the easiest step to validate if the file is a valid YAML. This is always a good starting point, if our file has YAML errors, we want to know as soon as possible or even better, prevent the error altogether. Structural validation of K8s schema. The next step is to validate whether the file is a correct Kubernetes YAML file. This validation is done automatically by Kubernetes, but this is a bit too late in the process. Remember, we want to shift left. An interesting tool in this space is . Semantic validation kubeval of the resource. This last category is where the validation process looks at the file from different contexts. We want to check the file and configuration for security vulnerabilities, performance issues, adherence to best practices, versioning schemes, and many more. The vehicle best suited for performing such validation is In this space, I would like to focus on two tools, trivy and datree. Both bringing a unique perspective and functionality. Pragmatic validation policies. Security checks with trivy Trivy can scan YAML files for security vulnerabilities, misconfiguration and more. Each check has a web page explaining the reason behind it as well as its severity. The only issue here is that the checks are “static”, we cannot influence directly if any of them should be skipped (this is partially possible with setting up severity flag) Policy enforcement with datree takes a different approach, where policies can be switched on and off by the developer. Datree You can see that datree first checked whether the file is a valid YAML and then validated the content against the Kubernetes schema. This satisfies our Structural -> Semantic -> Pragmatic validation flow! Each check is associated with a configurable policy set. Policies can be switched on and off to meet personalized validation scheme needs. This brings us a step closer to shifting the validation process left and empowering developers to take control over the whole process. Automate with CI/CD pipelines The end goal of every repetitive development process is to automate it. Adding validation rules from both datree and trivy to our CI pipeline is easy. They provide rich integration with all major git providers like GitHub, GitLab as well as Helm installation plugins etc. Closing thoughts Kubernetes story for developers still leaves a lot to be desired. I’m happy to see tools created to address some of the pains of developing on Kubernetes. Tools like datree especially focus on and enable the shift left movement. Developers are fully in control of their software lifecycle, tools, and organizational structures geared towards empowering and supporting development teams in their mission of creating amazing software. This is the future that will benefit all of us. Also published on: https://piotrzan.medium.com/how-to-validate-kubernetes-yaml-files-9a17b9a30f08

Flow

Microsoft

2022 - HackerNoon Contributor of the Year - Cloud Computing

2022 - HackerNoon Contributor of the Year - Devops

2022 - HackerNoon Contributor of the Year - Docker

2022 - HackerNoon Contributor of the Year - Github

2022 - HackerNoon Contributor of the Year - Kubernetes

2022 - HackerNoon Contributor of the Year - Open Source

Nominated for 2022 - HackerNoon Contributor of the Year - Open Source

Nominated for 2022 - HackerNoon Contributor of the Year - Github

Nominated for 2022 - HackerNoon Contributor of the Year - Docker

Nominated for 2022 - HackerNoon Contributor of the Year - Devops

Nominated for 2022 - HackerNoon Contributor of the Year - Cloud Computing

Nominated for 2022 - HackerNoon Contributor of the Year - Kubernetes

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

How to validate Kubernetes YAML files

How to validate Kubernetes YAML files

Too Long; Didn't Read

Company Mentioned

Coin Mentioned

Piotr

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

How to validate Kubernetes YAML files

Too Long; Didn't Read

Company Mentioned

Coin Mentioned

Piotr

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES