How to validate and clean your YAML files using Kubeval and ValidKube

25 minute read     Updated:

Boemo Wame Mmopelwa %
Boemo Wame Mmopelwa

Table of Contents

The article focuses on Kubeval’s importance in validating Kubernetes manifests. Earthly strengthens CI pipelines through reproducible builds, which complements Kubeval’s functions. Learn more about Earthly.

Kubeval is a command line tool that validates Kubernetes manifests and YAML files using the Kubernetes API schema. Behind the scenes, Kubeval compares API schemas with objects provided in your YAML file to find any errors. Cleaning and validating your files is imperative because it helps you to spot misconfigurations that can introduce flaws to your cluster. All you have to do is run the Kubeval command which specifies your YAML file. Kubeval is a free and open-source project developed by instrumenta.

Kubeval is an important tool if you are writing YAML files on a daily basis. You should use it to validate your files before applying them to your cluster. In this tutorial, you will learn how to validate your YAML files using Kubeval and ValidKube which is a web tool that cleans YAML files.

We Will Cover the Following Points in This Article

  1. How to install Kubeval on Linux
  2. Validating files using Kubeval
  3. Validating files using a specific schema
  4. Skipping and ignoring commands
  5. How to clean your files using Validkube
  6. Conclusion

Installing Kubeval on Linux

Use the following command to install Kubeval on your Linux machine:

wget https://github.com/instrumenta/kubeval/releases/latest/download \
/kubeval-linux-amd64.tar.gz
tar xf kubeval-linux-amd64.tar.gz
sudo cp kubeval /usr/local/bin

If you’re not using a Linux distribution you can check the Kubeval docs for information on how to install the CLI on Windows or macOS.

Once the download is complete, you can confirm Kubeval has been installed successfully by using the following command:

kubeval --version

You will get the following output message that shows the Kubeval version:

Version: 0.15.0
Commit: df50ea7fd4fd202458002a40a6a39ffbb3125bad
Date: 2020-04-14T09:32:29Z

If you get stuck while using Kubeval, use the following command to get all available Kubeval commands:

 kubeval --help

Validating Yaml Files Using Kubeval

Kubeval allows you to validate Kubernetes objects or resources stated in a YAML file. In this tutorial, you will learn to validate files by validating a ClusterRole. Create a file called secret-reader.yaml and add the following contents:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: organization
  name: secret-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

The above ClusterRole gives the user the right to get, watch and list secrets. Use the following command to validate the file:

kubeval secret-reader.yaml

You will get the following output:

←[32mPASS←[0m - secret-reader.yaml contains a valid ClusterRole \
(organization.secret-reader)

Underneath the hood, Kubeval compared the secret-reader.yaml file to this Jsonschema. As you can see, we provided it a valid file, so the scan passed with no errors or insecurities.

Now, let’s use a YAML file that has missing metadata and see if Kubeval will spot the error. Here is the full file with the error:

apiVersion: v1
kind: Service
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:    
    app: nginx
  type: NodePort

Use the following command to validate the above YAML file.

kubeval service-ingress.yml

You will get the following output that shows that the missing key error has been detected:

←[31mERR ←[0m - service-ingress.yml: Missing 'metadata' key

When Kubeval gives you scan results that have errors, don’t execute the YAML file, rather correct it using ValidKube or Kubescape. In this way, you will secure your cluster and prevent errors that could cost you hours to fix.

To correct the previous issue, add the metadata key that Kubeval had indicated as missing. The metadata segment in a Kubernetes resource file contains the name of the object, namespace, and other details. Here is the complete service YAML file that has metadata:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: newmetric
  labels:
    app: nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:    
    app: nginx
  type: NodePort

If you scan the above contents using Kubeval again you will get the following output:

←[32mPASS←[0m - service.yaml contains a valid Service (newmetric.my-service)

Converting Kubeval Results to Json and Tap Format

If you are more familiar with JSON or TAP, Kubeval allows you to output the results in JSON or TAP format. This will help you analyze results better since you understand the JSON format much better.

Use the following command to get the validation results in JSON format:

 kubeval secret-reader.yaml -o json

You will get the scan results in JSON format:

[
        {
                "filename": "secret-reader.yaml",
                "kind": "ClusterRole",
                "status": "valid",
                "errors": []
        }
]

Use the following command to get the validation results in TAP format:

kubeval secret-reader.yaml -o tap

You will get the following output:

1..1
ok 1 - secret-reader.yaml (ClusterRole)

Validating Files Using a Specific Kubernetes Version

Kubeval has the --kubernetes-version flag which allows you to choose a specific version of a Kubernetes schema. For example:

kubeval --kubernetes-version 1.16.1 service-ingress.yml

You can also use the OpenShift JSON Schemas to validate your YAML files. Use the following flag to specify the version of OpenShift schema you want to use:

kubeval --openshift -v 1.5.1   service-ingress.yml

How To Ignore Missing Schemas

The --ignore-missing-schemas flag should be used when validating resources using Custom Resource Definitions(CRDs). Currently, Kubeval relies on schemas generated from the Kubernetes API. This means it’s not possible to validate resources using CRDs. Kubeval currently supports schemas created by the Kubernetes API only.

kubeval --ignore-missing-schemas service-ingress.yml

You will get the following output:

←[33mWARN←[0m - Set to ignore missing schemas
←[31mERR ←[0m - service-ingress.yml: Missing 'metadata' key

How to Clean Your Files Using Validkube

After validating your files using Kubeval, it is important to remove clutter from the YAML files using Validkube which is an online web tool that uses Kube-neat to clean your files. You don’t have to install anything to use it, all you have to do is copy and paste your files on ValidKube.

Let’s clean the following deployment object using ValidKube:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: example
  labels:
    app: nginx
spec:
  replicas: "Wrong"
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        args: []
        ports:
        - containerPort: 80
        resources: {}

Go to the ValidKube website and paste the above content. Click on the “Clean” button to remove clutter from the deployment file:

ValidKube dashboard

You will get the following results that show a clutter-free YAML file. The resources: {}field has been removed since it was making the YAML file longer and it was not assigned any values. Also, the "" around Wrong were removed for the value of replicas.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx-deployment
  namespace: example
spec:
  replicas: Wrong
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.14.2
        name: nginx
        ports:
        - containerPort: 80

Conclusion

In this tutorial, we covered using Kubeval and ValidKube for file validation and YAML clean up in Kubernetes. Using these tools will bolster your Kubernetes security, simplify tasks, and catch cluster errors. They help uncover hidden flaws in your manifests which can significantly improve your cluster’s health over time. Remember, in Kubernetes, security isn’t an afterthought but a priority.

Also if you’re also looking for consistent build automation in your development process, you might want to give Earthly a shot. It could be the tool you need to streamline your builds and ensure consistency across different environments.

Earthly Cloud: Consistent, Fast Builds, Any CI
Consistent, repeatable builds across all environments. Advanced caching for faster builds. Easy integration with any CI. 6,000 build minutes per month included.

Get Started Free

Boemo Wame Mmopelwa %
Boemo Wame Mmopelwa
Boemo is a software developer who embraces innovative approaches. He likes diving deep into complex concepts in order to learn and write articles that can help the reader understand complex methodologies in a simple and fun way.

Updated:

Published:

Get notified about new articles!
We won't send you spam. Unsubscribe at any time.
You May Also Enjoy
Using Kubescape to Scan Kubernetes

20 minute read

Learn how to improve the security of your Kubernetes cluster with Kubescape, a free tool that scans for non-compliant YAML files and image vulnerabilities. F...

Validate Your YAML (with CUE)

15 minute read

Learn how to use Cuelang, an extension of YAML, to validate your YAML configurations and prevent runtime errors. Discover how to define types, add constraint...

Securing Kubernetes Secrets Effectively

22 minute read

Learn how to secure your Kubernetes secrets effectively by enabling encryption at rest, implementing role-based access control, and securing the ETCD data st...

Kube-Bench

10 minute read

Learn how to benchmark your Kubernetes cluster against CIS benchmarks using Kube-Bench. This tutorial provides step-by-step instructions on installing and co...

Developer Tools for Kubernetes

13 minute read

Learn about the essential developer tools for Kubernetes that can help you become more efficient and productive in your workload. From integrated development...

An Introduction to Kubernetes Secrets

22 minute read

Learn how to manage sensitive data in Kubernetes using secrets. This tutorial covers creating secrets, using them as environment variables or volume mounts, ...