Static analysis for Kubernetes
KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
Visit https://docs.kubelinter.io for detailed documentation on installing, using and configuring KubeLinter.
Kube-linter binaries could be found here: https://github.com/stackrox/kube-linter/releases/latest
To install using Go, run the following command:
go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest
Otherwise, download the latest binary from Releases and add it to your PATH.
To install using Homebrew or LinuxBrew, run the following command:
brew install kube-linter
nix-shell -p kube-linter
docker pull stackrox/kube-linter:latest
Installing KubeLinter from source is as simple as following these steps:
First, clone the KubeLinter repository.
git clone git@github.com:stackrox/kube-linter.git
Then, compile the source code. This will create the kube-linter binary files for each platform and places them in the .gobin
folder.
make build
Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.
.gobin/kube-linter version
There are several layers of testing. Each layer is expected to pass.
go
unit tests:
make test
end-to-end integration tests:
make e2e-test
and finally, end-to-end integration tests using bats-core
:
make e2e-bats
KubeLinter images are signed by cosign. We recommend verifying the image before using it.
Once you've installed cosign, you can use the KubeLinter public key to verify the KubeLinter image with:
cat kubelinter-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl0HCkCRzYv0qH5QiazoXeXe2qwFX
DmAszeH26g1s3OSsG/focPWkN88wEKQ5eiE95v+Z2snUQPl/mjPdvqpyjA==
-----END PUBLIC KEY-----
cosign verify --key kubelinter-cosign $IMAGE_NAME
KubeLinter also provides cosign keyless signatures.
You can verify the KubeLinter image with:
# NOTE: Keyless signatures are NOT PRODUCTION ready.
COSIGN_EXPERIMENTAL=1 cosign verify $IMAGE_NAME
Running KubeLinter to Lint your YAML files only requires two steps in its most basic form.
Run the following command:
kube-linter lint /path/to/your/yaml.yaml
Consider the following sample pod specification file pod.yaml
. This file has two production readiness issues and one security issue:
Security Issue:
Production readiness:
The container's memory limits are not set, which could allow it to consume excessive memory
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
volumes:
- name: sec-ctx-vol
emptyDir: {}
containers:
- name: sec-ctx-demo
image: busybox
resources:
requests:
memory: "64Mi"
cpu: "250m"
command: [ "sh", "-c", "sleep 1h" ]
volumeMounts:
- name: sec-ctx-vol
mountPath: /data/demo
securityContext:
allowPrivilegeEscalation: false
Copy the YAML above to pod.yaml and lint this file by running the following command:
kube-linter lint pod.yaml
KubeLinter runs its default checks and reports recommendations. Below is the output from our previous command.
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the `BlockList` criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (check: latest-tag, remediation: Use a container image with a specific tag other than latest.)
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)
Error: found 3 lint errors
To learn more about using and configuring KubeLinter, visit the documentation page.
The following are tutorials on KubeLinter written by users. If you have one that you would like to add to this list, please send a PR!
If you would like to engage with the KubeLinter community, including maintainers and other users, you can join the Slack workspace here.
To contribute, check out our contributing guide.
As a reminder, all participation in the KubeLinter community is governed by our code of conduct.
KubeLinter is at an early stage of development. There may be breaking changes in the future to the command usage, flags, and configuration file formats. However, we encourage you to use KubeLinter to test your environment YAML files, see what breaks, and contribute.
KubeLinter is licensed under the Apache License 2.0.
KubeLinter is made with ❤️ by StackRox.
If you're interested in KubeLinter, or in any of the other cool things we do, please know that we're hiring! Check out our open positions. We'd love to hear from you!