Kubeval CI/CD: Kubernetes Manifests Validation
I find YAML very tricky to write and maintain, and the Kubernetes schema does not make it any easier due to the large set of configuration options.
I was working on some Kubernetes CI/CD pipelines recently and found that a deployment failed because one of the manifests I had modified had a syntax error. Out of frustration at always forgetting to run `kubectl apply --dry-run`, I decided to automate it. Whilst `--dry-run` works fine locally, it requires a connection to the Kubernetes cluster, which makes it awkward to add to the pipeline. The quest for a better solution, one that lets the pipeline fail fast, led me to discover Kubeval.
Kubeval is an open-source tool for validating Kubernetes manifests. It runs locally and does not need access to a Kubernetes cluster: it checks each manifest against JSON schemas generated from the Kubernetes API (downloaded on first use, or read from a local copy via `--schema-location` for fully offline runs). It supports multiple Kubernetes versions through `--kubernetes-version` and does an excellent job of catching the silly mistakes I usually make when editing manifests. Kubeval is written in Go.
Follow the installation instructions in the Kubeval docs to install it. It worked great locally, so I decided to plug it into the pipeline.
Plugging Kubeval into the pipeline
The next step was to trigger the kubeval validation on each commit to the repository which holds all our Kubernetes files. GitHub Actions is perfect for this sort of task; it makes it easy and convenient to automate pipeline workflows. I love GitHub Actions [because it's free :) ]
I went ahead and added kubeval to my CI pipeline using the following steps:
In the repository, create a workflow file under `.github/workflows/` (for example `.github/workflows/validate.yml`) with the following content:

```yaml
on: push
name: Validate
jobs:
  kubeval:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: test manifests folder
        uses: instrumenta/kubeval-action@master
        with:
          files: ./manifests
```

Both actions are referenced by branch (`@master`) here. Pinning them to a release tag or, better, a full commit SHA keeps a change in the action's repository from silently changing what runs in your pipeline.
Note that you can customise the `on: push` trigger to your needs. You may choose to trigger the workflow on `pull_request` events too:

```yaml
# Triggers the workflow on push or pull request events
on: [push, pull_request]
```
You can also take it a bit further and trigger kubeval only when files under specific paths are modified:

```yaml
on:
  push:
    paths:
      - 'folder1/cma/**'
      - 'folder/cma2/**'
```
Refer to GitHub Actions Workflow Events for further details.
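The action above runs kubeval with its defaults. As an added example (not code from the original post or from the Kubeval project), here is the wrapper I would keep in the repository and call both from a pre-commit hook and from a `run:` step in the same job: it turns on `--strict` so typos in field names are rejected, pins the schema version, tolerates CRD kinds kubeval has no schema for, and refuses to "pass" when the manifests directory is empty or mistyped. It assumes the kubeval binary is on PATH and can reach its schema location; the function names, the default version 1.18.0 and the two manifests written by `demo` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or the Kubeval project.
# Assumes the kubeval binary is on PATH. Function names, the default
# Kubernetes version and the manifests written by demo are constructed here.
set -u

# List every YAML manifest under a directory, one path per line.
list_manifests() {
  local dir="$1"
  [ -d "$dir" ] || return 1
  find "$dir" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort
}

# Validate a directory of manifests against one Kubernetes version.
#   --strict                  reject fields the schema does not know (typos)
#   --ignore-missing-schemas  skip CRD kinds kubeval has no schema for,
#                             instead of failing the whole run on them
# Returns 2 when there is nothing to validate, so a mistyped path cannot
# make the pipeline "pass" silently; otherwise returns kubeval's exit code.
validate_manifests() {
  local dir="$1" version="${2:-1.18.0}"
  local count
  count="$(list_manifests "$dir" | wc -l | tr -d ' ')"
  if [ "$count" -eq 0 ]; then
    echo "validate_manifests: no YAML manifests found under '$dir'" >&2
    return 2
  fi
  kubeval --strict --ignore-missing-schemas \
    --kubernetes-version "$version" -d "$dir"
}

# Write two constructed Deployments into a scratch directory and validate
# each: ok.yaml should pass, bad.yaml should fail (replicas is a string,
# and "containerz" is a typo that --strict reports as an unknown field).
demo() {
  local work
  work="$(mktemp -d)"
  mkdir -p "$work/ok" "$work/bad"
  cat > "$work/ok/deploy.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: nginx:1.19
EOF
  cat > "$work/bad/deploy.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: "3"
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containerz:
        - name: web
          image: nginx:1.19
EOF
  validate_manifests "$work/ok" && echo "ok/: valid, as expected"
  if validate_manifests "$work/bad"; then
    echo "bad/: unexpectedly passed"
  else
    echo "bad/: rejected, as expected"
  fi
  rm -rf "$work"
}

# Run the demo only when asked, so the functions can be sourced from a
# pre-commit hook or a GitHub Actions `run:` step without side effects.
if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

In the workflow, a `run: ./scripts/validate-manifests.sh` style step can call `validate_manifests ./manifests` after sourcing the file; the non-zero exit code is what makes the job fail fast. Because kubeval downloads schemas from its default schema location, a runner without outbound network access needs `--schema-location` pointed at a local copy.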
Please refer to this repo for a working example. Feel free to fork and reuse - https://github.com/iogbole/cma-k8s-module
Have you had a similar challenge? Please let me know how you handled it.
- Kubeval actions - https://github.com/instrumenta/kubeval-action
- Kubeval docs - https://www.kubeval.com