kubeconform

kubeconform is a schema-aware Kubernetes manifest validation tool that tends to have more up-to-date schema definitions than kubeval.

kubeconform documentation

kubeconform - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| KUBERNETES_KUBECONFORM_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
| KUBERNETES_KUBECONFORM_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: (src\|lib) | Include every file |
| KUBERNETES_KUBECONFORM_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: (test\|examples) | Exclude no file |
| KUBERNETES_KUBECONFORM_CLI_LINT_MODE | Override default CLI lint mode. file: Calls the linter for each file; list_of_files: Call the linter with the list of files as argument; project: Call the linter from the root of the project | list_of_files |
| KUBERNETES_KUBECONFORM_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files. Ex: [".py", ""] | [".yml", ".yaml", ".json"] |
| KUBERNETES_KUBECONFORM_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files. Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] | Include every file |
| KUBERNETES_KUBECONFORM_PRE_COMMANDS | List of bash commands to run before the linter | None |
| KUBERNETES_KUBECONFORM_POST_COMMANDS | List of bash commands to run after the linter | None |
| KUBERNETES_KUBECONFORM_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| KUBERNETES_KUBECONFORM_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| KUBERNETES_DIRECTORY | Directory containing KUBERNETES files | kubernetes |

MegaLinter Flavours

This linter is available in the following flavours

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 114 |
| cupcake | MegaLinter for the most commonly used languages | 82 |
| documentation | MegaLinter for documentation projects | 48 |
| dotnet | Optimized for C, C++, C# or VB based projects | 60 |
| go | Optimized for GO based projects | 50 |
| java | Optimized for JAVA based projects | 51 |
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 57 |
| php | Optimized for PHP based projects | 51 |
| python | Optimized for PYTHON based projects | 59 |
| ruby | Optimized for RUBY based projects | 48 |
| rust | Optimized for RUST based projects | 48 |
| salesforce | Optimized for Salesforce based projects | 51 |
| security | Optimized for security | 22 |
| swift | Optimized for SWIFT based projects | 48 |
| terraform | Optimized for TERRAFORM based projects | 53 |

Behind the scenes

How applicable files are identified

  • Activated only if sub-directory kubernetes is found. (directory name can be overridden with KUBERNETES_DIRECTORY)
  • File extensions: .yml, .yaml, .json
  • Detected file content (regex): apiVersion:, kustomize\.config\.k8s\.io, tekton
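
The selection rules above decide which manifests are ever validated, so it helps to see what falls outside them. The following is an added example, not MegaLinter's own code: it models the rules in Python to report which files in a repository would be linted and why the others are not. The function name, the sample repository, and the details of how the regex filters are applied (searched in the relative path, files taken only from under the directory) are assumptions of this sketch.

```python
import re
from pathlib import PurePosixPath

# Values copied from the "Behind the scenes" section of this page.
EXTENSIONS = {".yml", ".yaml", ".json"}
CONTENT_PATTERNS = [r"apiVersion:", r"kustomize\.config\.k8s\.io", r"tekton"]


def select_files(repo, directory="kubernetes", include=None, exclude=None):
    """repo: dict of relative POSIX path -> content.
    Returns (linted, skipped) where skipped maps path -> reason."""
    # Assumptions: only files under `directory` are candidates, filter regexes
    # are searched in the relative path, one matching content pattern suffices.
    prefix = directory.rstrip("/") + "/"
    if not any(p.startswith(prefix) for p in repo):
        # Linter is not activated at all: nothing is validated.
        return [], {p: "linter inactive" for p in repo}
    linted, skipped = [], {}
    for path, content in sorted(repo.items()):
        if not path.startswith(prefix):
            skipped[path] = "outside directory"
        elif PurePosixPath(path).suffix not in EXTENSIONS:
            skipped[path] = "extension"
        elif include and not re.search(include, path):
            skipped[path] = "include filter"
        elif exclude and re.search(exclude, path):
            skipped[path] = "exclude filter"
        elif not any(re.search(rx, content) for rx in CONTENT_PATTERNS):
            skipped[path] = "content"
        else:
            linted.append(path)
    return linted, skipped


# Constructed sample repository (not from the page).
SAMPLE_REPO = {
    "kubernetes/deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    "kubernetes/examples/demo.yml": "apiVersion: v1\nkind: Pod\n",
    "kubernetes/values.yaml": "replicas: 2\n",
    "kubernetes/NOTES.txt": "apiVersion: v1\n",
    "charts/app/rbac.yaml": "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\n",
}

if __name__ == "__main__":
    print(select_files(SAMPLE_REPO, exclude=r"(test|examples)"))
```

In the sample, the ClusterRole under charts/ is never validated because it sits outside KUBERNETES_DIRECTORY, which is the kind of coverage gap worth checking for before relying on the linter as a gate.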

How the linting is performed

  • kubeconform is called once with the list of files as arguments (list_of_files CLI lint mode)

Example calls

kubeconform myfile.yml
kubeconform -ignore-missing-schemas -skip SomeCRD,AnotherCRD -kubernetes-version '1.18.0' -strict myfile.yml

Help content

Usage: kubeconform [OPTION]... [FILE OR FOLDER]...
  -cache string
      cache schemas downloaded via HTTP to this folder
  -debug
      print debug information
  -exit-on-error
      immediately stop execution when the first error is encountered
  -h  show help information
  -ignore-filename-pattern value
      regular expression specifying paths to ignore (can be specified multiple times)
  -ignore-missing-schemas
      skip files with missing schemas instead of failing
  -insecure-skip-tls-verify
      disable verification of the server's SSL certificate. This will make your HTTPS connections insecure
  -kubernetes-version string
      version of Kubernetes to validate against, e.g.: 1.18.0 (default "master")
  -n int
      number of goroutines to run concurrently (default 4)
  -output string
      output format - json, junit, tap, text (default "text")
  -reject string
      comma-separated list of kinds or GVKs to reject
  -schema-location value
      override schemas location search path (can be specified multiple times)
  -skip string
      comma-separated list of kinds or GVKs to ignore
  -strict
      disallow additional properties not in schema or duplicated keys
  -summary
      print a summary at the end (ignored for junit output)
  -v  show version information
  -verbose
      print results for all resources (ignored for tap and junit output)

Installation on mega-linter Docker image

  • Dockerfile commands:
RUN ML_THIRD_PARTY_DIR="/third-party/kubeconform" \
    && KUBECONFORM_VERSION=v0.5.0 \
    && mkdir -p ${ML_THIRD_PARTY_DIR} \
    && wget -P ${ML_THIRD_PARTY_DIR} -q https://github.com/yannh/kubeconform/releases/download/$KUBECONFORM_VERSION/kubeconform-linux-amd64.tar.gz \
    && tar xf ${ML_THIRD_PARTY_DIR}/kubeconform-linux-amd64.tar.gz --directory ${ML_THIRD_PARTY_DIR} \
    && mv ${ML_THIRD_PARTY_DIR}/kubeconform /usr/local/bin \
    && rm ${ML_THIRD_PARTY_DIR}/kubeconform-linux-amd64.tar.gz \
    && find ${ML_THIRD_PARTY_DIR} -type f -not -name 'LICENSE*' -delete -o -type d -empty -delete