Thomas Thornton – Microsoft Azure MVP – GitHub Star – HashiCorp Ambassador

Microsoft Azure Blog – Microsoft MVP

Enforcing Kubernetes best practices and simplifying Kubernetes Configuration Validation with Kube-Linter and GitHub Actions

on by Leave a comment

Kubernetes is ever growing and certainly a standard for container orchestration, however with it being picked up more and more by development teams, we want to ensure best practices and correctness of Kubernetes configuration files are valid. This can be tough and challenging to manage, let’s look at a tool that can assist you in this journey. Let’s look at Kubelinter, that will help you to validate Kubernetes YAML files, ensuring best practices are being adhered to and avoid those common pitfalls!

In this blog post, we will explore Kubelinter and how to integrate it into your CI/CD pipeline using GitHub Actions.

So, what is this Kubelinter tool?

Kube-Linter is an open-source project that is developed by StackRox. The tool analyses YAML files and provides feedback on potential issues, security vulnerabilities, and best practices. With its primary goal to help developers catch errors early in the development process, reducing the risk of misconfigurations and security vulnerabilities in production.

You are probably wondering, why should I use KubeLinter?

Well, using this as part of your development CI/CD workflow brings numerous benefits including:

  • Enhancing Security: It will help to identify any potential security vulnerabilities and misconfigurations in your Kubernetes YAML files. It will check for common security issues, even for excessive permissions.
  • Early Issue Detection: Including it as part of your CI/CD GitHub Action workflow, allows for early issue detections – which you can identify and rectify early in the CI/CD process, saving you time and potentially further problems down the development line
  • Consistency across teams: Helping you to adhere to best practices, which will begin to foster consistency across development teams. Ensuring everyone follows the same Kubernetes configuration standards
  • Best Practices: Enforces best practices for Kubernetes configuration files, checking for common mistakes, deprecated APIs and even missing or misconfigured probes
  • Enhancing the code review process: All the above will lead to more effective reviews and improved collaboration

Key features of KubeLinter

  • Linting for best practices

KubeLinter comes equipped with a set of predefined rules based on best practices recommended by the Kubernetes community. It ensures that your manifests align with established guidelines, promoting consistency and reliability.

  • Customisable rules

While it comes with a set of predefined rules, it also provides the flexibility for users to define and enforce custom rules that align with the specific needs of their Kubernetes environment. 

  • Can integrate with your current CI/CD GitHub Actions workflow

Configuring KubeLinter with GitHub Actions

Let me show you how to now configure this, thanks to stackrox for providing this awesome example

Prior, ensure you have enabled this workflow permission as mentioned in this blog post

# Based of https://github.com/stackrox/kube-linter-action/blob/main/.github/workflows/kube-linter-sample.yml
name: Check Kubernetes YAMLs with kube-linter

on:
  push:
    branches: [ main, master ]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Create ../results directory for SARIF report files
        shell: bash
        run: mkdir -p ../results

      - name: Scan yaml files with kube-linter
        uses: stackrox/kube-linter-action@v1.0.4
        id: kube-linter-action-scan
        with:
          # Adjust this directory to the location where your kubernetes resources and helm charts are located.
          directory: invalid
          format: sarif
          output-file: ../results/kube-linter.sarif
        continue-on-error: true

      - name: Upload SARIF report files to GitHub
        uses: github/codeql-action/upload-sarif@v3

      - name: Verify kube-linter-action succeeded
        shell: bash
        run: |
          echo "If this step fails, kube-linter found issues. Check the output of the scan step above."
          [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]]

Lets breakdown the 5 steps:

      - uses: actions/checkout@v4

Fetches the repositories code into the workflow’s runner environment

      - name: Create ../results directory for SARIF report files
        shell: bash
        run: mkdir -p ../results

This prepares directory where github/codeql-action/upload-sarif@v3 looks up report files by default.

      - name: Scan yaml files with kube-linter
        uses: stackrox/kube-linter-action@v1.0.4
        id: kube-linter-action-scan
        with:
          # Adjust this directory to the location where your kubernetes resources and helm charts are located.
          directory: invalid
          format: sarif
          output-file: ../results/kube-linter.sarif
        continue-on-error: true

This utilises the “stackrox/kube-linter-action@v1.0.4” GitHub Action to scan YAML files using the kube-linter tool. It specifies the directory where the Kubernetes resources and Helm charts are located (currently set to “invalid”), sets the output format as SARIF, defines the output file path as “../results/kube-linter.sarif“, and continues the workflow even if errors occur. (In this example, is using incorrectly formatted content)

      - name: Upload SARIF report files to GitHub
        uses: github/codeql-action/upload-sarif@v3

Uploads SARIF report files to GitHub using the “github/codeql-action/upload-sarif@v3” GitHub Action.

      - name: Verify kube-linter-action succeeded
        shell: bash
        run: |
          echo "If this step fails, kube-linter found issues. Check the output of the scan step above."
          [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]]

Verifies the success of the kube-linter-action by checking the outcome of the scan step and displaying a message if any issues were found.

The below shows a successful run!

What happens when Kube-Linter validation is not correct?

The GitHub action shows as a failed run, lets look further into this step: Upload SARIF report files to GitHub

Looking below will show you what happens when you see this, its great!

GitHub Security Code Scanning Vulnerability Alerts

As part of the workflow, we have uploaded a SARIF report to the GitHub repository. This report contains the results of the kube-linter scan, including any validation issues that were detected – now once you have a validation issue with kube-linter, it will appear in GitHub as below.

This is awesome, selecting any and going into the vulnerability gives you even more detail and allows you to create an issue – a feature I do find great!

Certainly let Kubelinter streamline your Kubernetes development journey – paving the way for more secure, efficient, and best-practice-compliant deployments to your Kubernetes clusters!

GitHub repository with all example content

Showing the action output from a valid format folder

Showing the action output from an invalid invalid folder

Leave a Reply