README
¶
Static analysis for Kubernetes
What is KubeLinter?
KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.
KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.
KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.
Documentation
Visit https://docs.kubelinter.io for detailed documentation on installing, using and configuring KubeLinter.
Installing KubeLinter
Using Go
To install using Go, run the following command:
GO111MODULE=on go get golang.stackrox.io/kube-linter/cmd/kube-linter
Otherwise, download the latest binary from Releases and add it to your PATH.
Using Homebrew for macOS or LinuxBrew for Linux
To install using Homebrew or LinuxBrew, run the following command:
brew install kube-linter
Building from source
Prerequisites
- Make sure that you have installed Go prior to building from source.
Building KubeLinter
Installing KubeLinter from source is as simple as following these steps:
-
First, clone the KubeLinter repository.
git clone git@github.com:stackrox/kube-linter.git -
Then, complile the source code. This will create the kube-linter binary files for each platform and places them in the
.gobinfolder.make build -
Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.
.gobin/kube-linter version
Using KubeLinter
Local YAML Linting
Running KubeLinter to Lint your YAML files only requires two steps in its most basic form.
-
Locate the YAML file you'd like to test for security and production readiness best practices:
-
Run the following command:
kube-linter lint /path/to/your/yaml.yaml
Example
Consider the following sample pod specification file pod.yaml. This file has two production readiness issues and one security issue:
Security Issue:
- The container in this pod is not running as a read only file system, which could allow it to write to the root filesystem.
Production readiness:
-
The container's CPU requests and limits are not set, which could allow it to consume excessive CPU.
-
The container's memory requests and limits are not set, which could allow it to consume excessive memory
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: securityContext: runAsUser: 1000 runAsGroup: 3000 fsGroup: 2000 volumes: - name: sec-ctx-vol emptyDir: {} containers: - name: sec-ctx-demo image: busybox resources: requests: memory: "64Mi" cpu: "250m" command: [ "sh", "-c", "sleep 1h" ] volumeMounts: - name: sec-ctx-vol mountPath: /data/demo securityContext: allowPrivilegeEscalation: false -
Copy the YAML above to pod.yaml and lint this file by running the following command:
kube-linter lint pod.yaml -
KubeLinter runs its default checks and reports recommendations. Below is the output from our previous command.
pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in your container's securityContext.) pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set your container's CPU requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.) pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set your container's memory requests and limits depending on its requirements. See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ #requests-and-limits for more details.) Error: found 3 lint errors
To learn more about using and configuring KubeLinter, visit the documentation page.
Community
If you would like to engage with the KubeLinter community, including maintainers and other users, you can join the Slack workspace here.
To contribute, check out our contributing guide.
As a reminder, all participation in the KubeLinter community is governed by our code of conduct.
WARNING: Alpha release
KubeLinter is at an early stage of development. There may be breaking changes in the future to the command usage, flags, and configuration file formats. However, we encourage you to use KubeLinter to test your environment YAML files, see what breaks, and contribute.
LICENSE
KubeLinter is licensed under the Apache License 2.0.
StackRox
KubeLinter is made with ❤️ by StackRox.
If you're interested in KubeLinter, or in any of the other cool things we do, please know that we're hiring! Check out our open positions. We'd love to hear from you!
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Capture ¶
Capture outputs (Strdout, Stderr) of the functions between e.g.
done := capture()
fmt.Println("Hello")
s, err := done()
func DoLinting ¶
DoLinting performs static checks against Helm Chart .yaml files or a Helm Chart folder
func DoLintingTgz ¶
DoLintingTgz performs static checks against packaged Helm Chart, i.e. tgz
Types ¶
This section is empty.
Source Files
Directories