cdk8s-team / cdk8s

Define Kubernetes native apps and abstractions using object-oriented programming
https://cdk8s.io
Apache License 2.0

Epic | Manifest Validation #961

Closed iliapolo closed 2 years ago

iliapolo commented 2 years ago

Discussion resulted in the following tasks:

Discussed in https://github.com/cdk8s-team/cdk8s/discussions/936

Originally posted by **iliapolo** June 9, 2022

Ability to define manifest validators to be executed after synthesis

There are plenty of pitfalls users may fall into when defining their manifests. Validation tools exist that will help users avoid those. For example:

- https://github.com/datreeio/datree
- https://github.com/zegl/kube-score
- https://github.com/FairwindsOps/polaris
- https://www.checkov.io/
- https://www.aquasec.com/
- https://docs.snyk.io/
- https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_kubernetes

Since cdk8s allows us to run code during manifest generation, we can integrate these tools into the process, without users having to invoke them explicitly. Our init templates can offer these validations by default, and allow users to opt out, or vice versa.

Add a key in `cdk8s.yaml` to describe what validation should take place:

```yaml
app: ts-node main.ts
validations:
  - datree test
```

### Open questions

- Should we be doing this? Why and why not?
- Should these only happen when synthesizing with the CLI? Maybe in-process as well?
- What configuration should be exposed? The entire validation command? The validator type?

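
A sketch of how the `validations` key proposed above could be consumed after synthesis, as an added example that is not part of the original post and is not cdk8s code. `runValidations`, `toArgv`, the parsed-config object shape, and passing the manifest directory as the last argument are all assumptions made for illustration.

```javascript
// Added sketch, not cdk8s code: run each `validations` command after synthesis.
// Assumption: the manifest directory is appended as the last argument.
const { spawnSync } = require('node:child_process');

// Split a command string into argv on whitespace. No shell is involved, so
// metacharacters in cdk8s.yaml (;, |, $(...)) reach the tool as literal text.
function toArgv(command) {
  return String(command).trim().split(/\s+/).filter(Boolean);
}

// Run every configured validation and collect one result per command.
// Fails closed: an empty command, a validator that cannot be started, a
// signal, or a non-zero exit all count as a failed validation.
function runValidations(config, manifestDir) {
  const results = [];
  for (const command of config.validations ?? []) {
    const [bin, ...args] = toArgv(command);
    if (!bin) {
      results.push({ command, ok: false, reason: 'empty command' });
      continue;
    }
    const proc = spawnSync(bin, [...args, manifestDir], {
      encoding: 'utf8',
      shell: false, // never hand the configured string to a shell
    });
    let reason = null;
    if (proc.error) {
      // e.g. ENOENT when the validator is not installed
      reason = `cannot run: ${proc.error.code}`;
    } else if (proc.status !== 0) {
      reason = `exit ${proc.status ?? proc.signal}`;
    }
    results.push({ command, ok: reason === null, reason });
  }
  // An absent or empty `validations` list means the user opted out.
  return { ok: results.every((r) => r.ok), results };
}
```

A caller would treat `ok: false` as a failed synthesis rather than a warning, so a validator that is missing from the machine cannot silently pass.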
iliapolo commented 2 years ago

Done