Performing static code analysis of your Kubernetes object definitions with a Github Action

Cover image

Nowadays, Kubernetes is one of the most popular and loved platforms used by the community, to run and orchestrate container workloads.

It is present in several open-source and private projects as the base of its infrastructure. They trust to use Kubernetes as a platform.

The problem

The world of Kubernetes can be sometimes very complex and if we make use of it, we need to ensure we are doing it right.

One time I tried to explain Kubernetes to someone.
Then we both didn't understand it.

— SwiftOnSecurity (@SwiftOnSecurity) August 6, 2019

There are lots of tools that can ease that work for us to simplify the process to get Kubernetes working correctly as our platform.

As you may know, the Kubernetes workloads are most commonly defined as YAML formatted documents. Sometimes, it is rather hard to express constraints or relationships between manifests files.

What can be done to help ease the process of using Kubernetes correctly?

There are existing tools to integrate static checking allowing catching errors and policy violations closer to the development lifecycle.

These tools gives us the guarantee around the validity and safety of the resource definitions is improved, therefore you can trust that production workloads are following best practices (which is a must nowadays).

As developers, we need to guarantee the validity and safety of our Kubernetes manifests to ensure the security and integrity of our production environments.

Here comes when the tool kube-score can help us.

Kube-score is an open-source tool that performs Kubernetes object analysis with recommendations for improved reliability and security.

How can we introduce kube-score in our CI/CD processes?

GitHub Actions to the rescue!

My Workflow

My developed GitHub action (kube-score check), allows GitHub users to execute kube-score in their workflows along other actions and guarantee the validity and safety of their Kubernetes manifests.

It is very simple to use, you only have to perform a checkout of the project repository and execute the action, which takes as input an array of manifests (or directories with manifests) which you want to validate and test (wildcards supported):

How to use the action

Read the full Readme of the project to see all options.

Submission Category:

Maintainer Must-Haves / DIY Deployments

Please take a look at the action repository, and give any feedback if you want!

Contributions are welcomed too!

piraces/kube-score-ga - GitHub

See the YAML file for the action: action.yml

Additional Resources / Info

In the links below, you can see the GitHub action running with different forks of popular projects, such as the Application Gateway Ingress Controller (AGIC) of Azure, or the examples provided in the official repo of Kubernetes.

Take a look and see how AGIC Custom Resource Definitions (CRDs), are passing all validations and recommendations (as is a ready to use in production controller).

🙏🙏🙏

Since you've made it this far, sharing this article on your favorite social media network would be highly appreciated 😀! For feedback, please ping me on X.

Published