KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Static analysis for Kubernetes


What is KubeLinter?

KubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.

KubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.

KubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.
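An added example of such a configuration file (not taken from the README): it keeps the default check set, enables one built-in check that is off by default, disables one default check, and defines a custom check from the built-in `required-label` template. The file name, the check name `team-label` and the label key `team` are illustrative choices, not values from the page.

```yaml
# .kube-linter.yaml (file name chosen for this example); run it with:
#   kube-linter lint --config .kube-linter.yaml pod.yaml
checks:
  # Keep KubeLinter's default checks enabled (true would opt out of them)
  doNotAutoAddDefaults: false
  # Turn on a built-in check that is not part of the default set
  include:
    - "required-label-owner"
  # Drop a default check that does not match this organization's policy
  exclude:
    - "unset-cpu-requirements"

customChecks:
  # Organizational policy expressed as a custom check: every deployment-like
  # object must carry a "team" label (key chosen here as an example).
  - name: "team-label"
    description: "Every workload must declare the team that owns it"
    remediation: "Add a team label naming the owning team to the object metadata"
    scope:
      objectKinds:
        - DeploymentLike
    template: "required-label"
    params:
      key: "team"
```

A failing custom check is reported in the same `(check: team-label, remediation: ...)` form as the built-in ones and also makes the command exit non-zero.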

When a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.

Documentation

Visit https://docs.kubelinter.io for detailed documentation on installing, using and configuring KubeLinter.

Installing KubeLinter

Using Go

To install using Go, run the following command:

go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest

Otherwise, download the latest binary from Releases and add it to your PATH.

Using Homebrew for macOS or LinuxBrew for Linux

To install using Homebrew or LinuxBrew, run the following command:

brew install kube-linter

Building from source

Prerequisites

  • Make sure that you have installed Go prior to building from source.

Building KubeLinter

Installing KubeLinter from source is as simple as following these steps:

  1. First, clone the KubeLinter repository.

    git clone git@github.com:stackrox/kube-linter.git
  2. Then, compile the source code. This creates the kube-linter binaries for each platform and places them in the .gobin folder.

    make build
  3. Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.

    .gobin/kube-linter version

Testing KubeLinter

There are several layers of testing. Each layer is expected to pass.

  1. go unit tests:

    make test
  2. end-to-end integration tests:

    make e2e-test
  3. and finally, end-to-end integration tests using bats-core:

    make e2e-bats

Verifying KubeLinter images

KubeLinter images are signed with cosign. We recommend verifying the image before using it.

Once you've installed cosign, you can use the KubeLinter public key to verify the KubeLinter image with:

cat kubelinter-cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl0HCkCRzYv0qH5QiazoXeXe2qwFX
DmAszeH26g1s3OSsG/focPWkN88wEKQ5eiE95v+Z2snUQPl/mjPdvqpyjA==
-----END PUBLIC KEY-----

cosign verify --key kubelinter-cosign.pub $IMAGE_NAME

KubeLinter also provides cosign keyless signatures.

You can verify the KubeLinter image with:

# NOTE: Keyless signatures are NOT PRODUCTION ready.

COSIGN_EXPERIMENTAL=1 cosign verify $IMAGE_NAME

Using KubeLinter

Local YAML Linting

Running KubeLinter to lint your YAML files requires only two steps in its most basic form.

  1. Locate the YAML file you'd like to test for security and production readiness best practices.

  2. Run the following command:

    kube-linter lint /path/to/your/yaml.yaml

Example

  1. Consider the following sample pod specification file pod.yaml. This file has two production readiness issues and one security issue:

     Security issue:

       • The container in this pod does not run with a read-only root filesystem, which allows it to write to the root filesystem.

     Production readiness issues:

       • The container's memory limits are not set, which could allow it to consume excessive memory.
       • The container image "busybox" carries no explicit tag, so it resolves to the mutable latest tag (reported as latest-tag in the output below).

    apiVersion: v1
    kind: Pod
    metadata:
      name: security-context-demo
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      volumes:
      - name: sec-ctx-vol
        emptyDir: {}
      containers:
      - name: sec-ctx-demo
        image: busybox
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
        command: [ "sh", "-c", "sleep 1h" ]
        volumeMounts:
        - name: sec-ctx-vol
          mountPath: /data/demo
        securityContext:
          allowPrivilegeEscalation: false
  2. Copy the YAML above to pod.yaml and lint this file by running the following command:

    kube-linter lint pod.yaml
  3. KubeLinter runs its default checks and reports recommendations. Below is the output from the previous command.

    pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) The container "sec-ctx-demo" is using an invalid container image, "busybox". Please use images that are not blocked by the `BlockList` criteria : [".*:(latest)$" "^[^:]*$" "(.*/[^:]+)$"] (check: latest-tag, remediation: Use a container image with a specific tag other than latest.)

    pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)

    pod.yaml: (object: <no namespace>/security-context-demo /v1, Kind=Pod) container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)

    Error: found 3 lint errors

To learn more about using and configuring KubeLinter, visit the documentation page.
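The same pod with all three findings from the example above remediated, as an added example that is not part of the original README. The image tag `1.36` and the `128Mi` memory limit are placeholder values chosen for this illustration; pick the tag and limit that fit your workload.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    # latest-tag: pin an explicit tag so the image cannot change underneath
    # the deployment without a manifest change (1.36 is an example tag).
    image: busybox:1.36
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      # unset-memory-requirements: a limit caps how much memory the container
      # may consume before it is OOM-killed instead of starving the node
      # (128Mi is an example value).
      limits:
        memory: "128Mi"
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    # The emptyDir mount stays writable, so the process keeps a scratch path
    # at /data/demo even though the root filesystem below is read-only.
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
      # no-read-only-root-fs: a compromised process can no longer modify
      # binaries or drop files on the container's root filesystem.
      readOnlyRootFilesystem: true
```

Running `kube-linter lint pod.yaml` on this version no longer reports the three findings above; checks added in newer KubeLinter releases may still flag other items.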

Mentions/Tutorials

The following are tutorials on KubeLinter written by users. If you have one that you would like to add to this list, please send a PR!

Community

If you would like to engage with the KubeLinter community, including maintainers and other users, you can join the Slack workspace here.

To contribute, check out our contributing guide.

As a reminder, all participation in the KubeLinter community is governed by our code of conduct.

WARNING: Alpha release

KubeLinter is at an early stage of development. There may be breaking changes in the future to the command usage, flags, and configuration file formats. However, we encourage you to use KubeLinter to test your environment YAML files, see what breaks, and contribute.

LICENSE

KubeLinter is licensed under the Apache License 2.0.

StackRox

KubeLinter is made with ❤️ by StackRox.

If you're interested in KubeLinter, or in any of the other cool things we do, please know that we're hiring! Check out our open positions. We'd love to hear from you!
