github.com/stackrox/kube-linter @v0.8.3 sqlite

README

Static analysis for Kubernetes

What is KubeLinter?

KubeLinter analyzes Kubernetes YAML files, Helm charts, and Kustomize manifests, and checks them against a variety of best practices, with a focus on production readiness and security.

KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files, Helm charts, and Kustomize manifests. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.

KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.

When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.

Documentation

Visit https://docs.kubelinter.io for detailed documentation on installing, using and configuring KubeLinter.

Installing KubeLinter

Kube-linter binaries can be found here: https://github.com/stackrox/kube-linter/releases/latest

Using Go

To install using Go, run the following command:

go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest

Otherwise, download the latest binary from Releases and add it to your PATH.

Using Homebrew for macOS or LinuxBrew for Linux

To install using Homebrew or LinuxBrew, run the following command:

brew install kube-linter

Using nix-shell

nix-shell -p kube-linter

Using docker

docker pull stackrox/kube-linter:latest

Development

Prerequisites

  • Make sure that you have installed Go prior to building from source.

Building KubeLinter

Installing KubeLinter from source is as simple as following these steps:

  1. First, clone the KubeLinter repository.

git clone git@github.com:stackrox/kube-linter.git

  2. Then, compile the source code. This creates the kube-linter binaries for each platform and places them in the .gobin folder.

make build

  3. Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.

.gobin/kube-linter version

Testing KubeLinter

There are several layers of testing. Each layer is expected to pass.

  1. Go unit tests:

make test

  2. End-to-end integration tests:

make e2e-test

  3. Finally, end-to-end integration tests using bats-core:

make e2e-bats

Verifying KubeLinter images

KubeLinter images are signed by cosign. We recommend verifying the image before using it.

Once you've installed cosign, you can use the KubeLinter public key to verify the KubeLinter image with:

cat kubelinter-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl0HCkCRzYv0qH5QiazoXeXe2qwFX
DmAszeH26g1s3OSsG/focPWkN88wEKQ5eiE95v+Z2snUQPl/mjPdvqpyjA==
-----END PUBLIC KEY-----

cosign verify --key kubelinter-cosign.pub $IMAGE_NAME

KubeLinter also provides cosign keyless signatures.

You can verify the KubeLinter image with:

# NOTE: Keyless signatures are NOT PRODUCTION ready.

COSIGN_EXPERIMENTAL=1 cosign verify $IMAGE_NAME

Using KubeLinter

Local YAML Linting

Running KubeLinter to Lint your YAML files only requires two steps in its most basic form.

  1. Locate the YAML file you'd like to test for security and production readiness best practices.
  2. Run the following command:

kube-linter lint /path/to/your/yaml.yaml

Example

Consider the following sample pod specification file pod.yaml. This file has two production readiness issues and one security issue:

Security issue:

  1. The container in this pod is not running with a read-only root file system, which could allow it to write to the root filesystem.

Production readiness:

  1. The container's memory limits are not set, which could allow it to consume excessive memory.

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

  1. Copy the YAML above to pod.yaml and lint this file by running the following command:

kube-linter lint pod.yaml

  2. KubeLinter runs its default checks and reports recommendations. Below is the output from our previous command.

pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the "BlockList" criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (check: latest-tag, remediation: Use a container image with a specific tag other than latest.)

pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)

pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)

Error: found 3 lint errors
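To make the three diagnostics above concrete, here is an added, simplified re-implementation of those checks (not kube-linter's own code): it evaluates the default BlockList patterns quoted in the latest-tag message and the read-only-root-fs and memory-limit conditions against the example pod, then applies the three remediations and re-lints. The pod is embedded as a dict rather than parsed from YAML, and the tag `busybox:1.36` and limit `128Mi` used in the hardened copy are constructed values.

```python
import re
from copy import deepcopy

# Default BlockList patterns, as quoted in the latest-tag diagnostic above.
BLOCK_LIST = [r".*:(latest)$", r"^[^:]*$", r"(.*/[^:]+)$"]

# pod.yaml from the example, constructed here as a dict so no YAML parser is needed.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "security-context-demo"},
    "spec": {
        "securityContext": {"runAsUser": 1000, "runAsGroup": 3000, "fsGroup": 2000},
        "containers": [{
            "name": "sec-ctx-demo",
            "image": "busybox",
            "resources": {"requests": {"memory": "64Mi", "cpu": "250m"}},
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}

def image_blocked(image):
    """True when the reference is untagged, tagged :latest, or has a path but no tag."""
    return any(re.search(p, image) for p in BLOCK_LIST)

def lint_pod(pod):
    """Return (check, message) pairs for the three checks the README output shows."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if image_blocked(image):
            findings.append(("latest-tag", f'container "{name}" is using blocked image "{image}"'))
        if not c.get("securityContext", {}).get("readOnlyRootFilesystem", False):
            findings.append(("no-read-only-root-fs", f'container "{name}" has no read-only root fs'))
        if not c.get("resources", {}).get("limits", {}).get("memory"):
            findings.append(("unset-memory-requirements", f'container "{name}" has memory limit 0'))
    return findings

def harden(pod):
    """Apply the three remediations from the output to a copy of the pod."""
    fixed = deepcopy(pod)
    for c in fixed["spec"]["containers"]:
        c["image"] = "busybox:1.36"  # constructed tag: any specific tag other than latest passes
        c.setdefault("securityContext", {})["readOnlyRootFilesystem"] = True
        c.setdefault("resources", {}).setdefault("limits", {})["memory"] = "128Mi"
    return fixed

if __name__ == "__main__":
    for check, msg in lint_pod(POD):
        print(f"{check}: {msg}")
    print("findings after hardening:", lint_pod(harden(POD)))
```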

Multiple Output Formats

KubeLinter supports generating multiple output formats in a single run. This is useful for generating both human-readable and machine-readable reports simultaneously:

kube-linter lint \
  --format sarif --output kube-linter.sarif \
  --format json --output kube-linter.json \
  --config .kube-linter.yaml \
  pod.yaml

This command will:

  • Generate a SARIF format report in kube-linter.sarif
  • Generate a JSON format report in kube-linter.json
  • Process the files only once, improving efficiency

Note: Multiple formats require explicit --output flags. For single format output to stdout, use just one --format flag without --output.

For more details on using multiple output formats, see the documentation.

To learn more about using and configuring KubeLinter, visit the documentation page.

Mentions/Tutorials

The following are tutorials on KubeLinter written by users. If you have one that you would like to add to this list, please send a PR!

LICENSE

KubeLinter is licensed under the Apache License 2.0.

Community

If you would like to engage with the KubeLinter community, including maintainers and other users, you can join the Slack workspace here.

There may be breaking changes in the future to the command usage, flags, and configuration file formats. However, we encourage you to use KubeLinter to test your environment YAML files, see what breaks, and contribute.

As a reminder, all participation in the KubeLinter community is governed by our code of conduct.


KubeLinter is created with ❤️ by StackRox and is now powered by Red Hat.

Extension points (exported contracts: how you extend this code)

LintContext (Interface)
A LintContext represents the context for a lint run. [2 implementers]
pkg/lintcontext/context.go
FormatFunc (FuncType)
FormatFunc sets contract formatter of each FormatType should follow.
pkg/command/common/format_wrapper.go
Matcher (Interface)
A Matcher selects a certain subset of GVKs.
pkg/objectkinds/types.go
Object (Interface)
Object is a combination of `runtime.Object` and `metav1.Object`.
pkg/k8sutil/object.go
CheckRegistry (Interface)
A CheckRegistry is a registry of checks. It is not thread-safe. It is anticipated that checks will all be registered ahe
pkg/checkregistry/check_registry.go
Func (FuncType)
A Func is a specific lint-check, which runs on a specific objects, and emits diagnostics if problems are found. Checks h
pkg/check/template.go
MatcherFunc (FuncType)
MatcherFunc takes in a GVK and decides if it matches an object kind
pkg/objectkinds/types.go
