This repository contains resources for the blog post:
"A Deep Dive Into Kubernetes Schema Validation"
The misconfigs/ directory contains seven Kubernetes manifest files, each with a different misconfiguration:
wrong: apiVersion: apps/v1beta2
correct: apiVersion: apps/v1
reason: apps/v1beta2 was deprecated for resource type "Deployment" in Kubernetes version 1.18.0

wrong: kind: pod
correct: kind: Pod
reason: resource type must start with a capital letter - Pod

wrong: owner: ---
correct: owner: frodo-baggins
reason: label values must start and end with an alphanumeric character

wrong: protocol: 22
correct: protocol: TCP
reason: protocol type must be a string

wrong: Spec:
correct: spec:
reason: spec must start with a lowercase 's'

wrong:
containers:
- name: web
correct:
containers:
- name: web
  image: nginx
reason: each container must include an image name

wrong:
spec:
containers:
- name: web
image: nginx
ports:
- name: web
containerPort: 80
protocol: TCP
correct:
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - name: web
      containerPort: 80
      protocol: TCP
reason: Kubernetes/YAML indentation requires one tab space when listing containers

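The first six misconfigurations above, expressed as checks over manifests already parsed into dicts (an added example, not code from this repository, kubeval or kubeconform). The function name, the SERVED and TOP_LEVEL tables and the sample manifests are assumptions made for illustration; the seventh case is an indentation problem that shows up when the YAML is parsed, so it is not covered.

```python
import re

# Kubernetes label values: empty, or at most 63 characters that begin and end
# with an alphanumeric and otherwise contain only alphanumerics, '-', '_', '.'.
LABEL_VALUE = re.compile(r"(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?")
SERVED = {"Deployment": {"apps/v1"}, "Pod": {"v1"}}  # assumed kind -> apiVersions table
TOP_LEVEL = {"apiVersion", "kind", "metadata", "spec"}  # simplified for this example
PROTOCOLS = {"TCP", "UDP", "SCTP"}

def validate(manifest):
    """Return a list of findings for one parsed manifest (a dict)."""
    findings = []
    kind, api = manifest.get("kind"), manifest.get("apiVersion")
    if kind not in SERVED:  # kinds are case-sensitive: 'pod' is not 'Pod'
        findings.append(f"unknown kind {kind!r}")
    elif api not in SERVED[kind]:
        findings.append(f"apiVersion {api!r} is not served for {kind}")
    # Strict mode: reject fields the schema does not define, such as 'Spec'.
    for key in sorted(set(manifest) - TOP_LEVEL):
        findings.append(f"unknown field {key!r}")
    labels = (manifest.get("metadata") or {}).get("labels") or {}
    for name, value in labels.items():
        ok = isinstance(value, str) and len(value) <= 63 and LABEL_VALUE.fullmatch(value)
        if not ok:
            findings.append(f"invalid value {value!r} for label {name!r}")
    spec = manifest.get("spec") or {}
    if kind == "Deployment":  # the pod spec is nested under spec.template.spec
        spec = (spec.get("template") or {}).get("spec") or {}
    for container in spec.get("containers") or []:
        if not container.get("image"):
            findings.append(f"container {container.get('name')!r} has no image")
        for port in container.get("ports") or []:
            proto = port.get("protocol", "TCP")  # TCP is the API default
            if not isinstance(proto, str) or proto not in PROTOCOLS:
                findings.append(f"invalid protocol {proto!r}")
    return findings

# Constructed samples (already parsed from YAML), one per misconfiguration.
SAMPLES = {
    "api-version": {"apiVersion": "apps/v1beta2", "kind": "Deployment", "spec": {}},
    "kind-case": {"apiVersion": "v1", "kind": "pod", "spec": {}},
    "label": {"apiVersion": "v1", "kind": "Pod", "metadata": {"labels": {"owner": "---"}}},
    "protocol": {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [
        {"name": "web", "image": "nginx", "ports": [{"containerPort": 80, "protocol": 22}]}]}},
    "spec-case": {"apiVersion": "v1", "kind": "Pod", "Spec": {}},
    "no-image": {"apiVersion": "v1", "kind": "Pod", "spec": {"containers": [{"name": "web"}]}},
}
for sample_name, sample in SAMPLES.items():
    print(f"{sample_name}: {validate(sample)}")
```
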
The benchmark/ directory contains 100 valid Kubernetes manifest files.
All files contain the same Kubernetes configuration.
kubeval: kubeval --strict misconfigs/*.yaml -v "1.18.0"
kubeconform: kubeconform -strict misconfigs/*.yaml
kubectl dry-run in client mode: kubectl apply -f misconfigs/ --dry-run=client
kubectl dry-run in server mode: kubectl apply -f misconfigs/ --dry-run=server
🔧 prerequisite - hyperfine installed
kubeval: hyperfine --warmup 5 'kubeval --strict benchmark/*.yaml -v "1.18.0"'
kubeconform: hyperfine --warmup 5 'kubeconform -strict benchmark/*.yaml'
kubectl dry-run in client mode: hyperfine --warmup 5 'kubectl apply -f benchmark/ --dry-run=client'
kubectl dry-run in server mode: hyperfine --warmup 5 'kubectl apply -f benchmark/ --dry-run=server'
- My article about K8s schema validation
- Open an issue here if you have any questions on this topic (k8s schema)
- kubectl --dry-run=client bug - kubernetes/issues/51475
- Datree's CLI tool to ensure K8s manifests and Helm charts follow best practices
- How to check CRDs and schema with Datree - docs