Kubeval CI/CD: Kubernetes Manifests Validation

I find YAML very tricky to write and maintain, and the Kubernetes schema does not make it any easier due to the large set of configuration options.

I was working on some Kubernetes CI/CD pipelines recently and found that the deployment failed because one of the manifests I had modified had a syntax/lint error. Out of frustration of always forgetting to run kubectl --dry-run, I decided to automate it. Whilst --dry-run works fine locally, it requires a connection to the Kubernetes cluster, and it is rather difficult to add to the pipeline. The quest for a better solution, a solution that enables the pipeline to fail fast led me to discover kubeval

Kubeval is an open-source Kubernetes manifest validation tool. It can be used locally and works offline, that is, it does not need to be connected to the Kubernetes cluster. It also supports multiple Kubernetes versions and does an excellent job discovering all the silly mistakes I usually make when editing Kubernetes manifests. Kubeval is written in GoLang.

Use this instruction to install it if you may. It worked great locally, then I decided to plug it into the pipeline.

Plugging Kubeval into the pipeline

The next step was to trigger the kubeval validation on each commit to the repository which holds all our Kubernetes files. GitHub Actions is perfect for this sort of task; it makes it easy and convenient to automate pipeline workflows. I love GitHub Actions [because it free :) ]

I went ahead and added kubeval to my CI pipeline using the following steps:

  1. In the projects root folder, create a .github/workflows folder

  2. Add a yaml file with the following content


on: push
name: Validate
jobs:
  kubeval:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: test manifests folder
      uses: instrumenta/kubeval-action@master
      with: 
       files: ./manifests

Note that you can customise the on: push event based on your need. You may choose to trigger it on pull_request too by adding the following:

# Triggers the workflow on push or pull request events
on: [push, pull_request]

You can also take it a bit further by triggering kubeval only when specific files are modified

on:
  push:
    paths:
      - 'folder1/cma/**'
      - 'folder/cma2/**'

Refer to GitHub Actions Workflow Events for further details

Working Example

Please refer to this repo for a working example. Feel free to fork and reuse - https://github.com/iogbole/cma-k8s-module

Have you had a similar challenge? Please let me know how you handled it.

Refs:

  • Kubeval actions - https://github.com/instrumenta/kubeval-action
  • Kubeval docs - https://www.kubeval.com