How to check your Kubernetes YAML files for best practices

Jack Wallen shows you how to install a YAML linter that helps you craft container and pod manifests that adhere to best practices.

firebase.jpg

Image: iStock/sarinyapinngam

Kubernetes isn't easy. With many moving parts and so many points of entry, the list of what can go wrong is staggering. If you're not creating pod and container manifests that adhere to standard best practices, the likelihood of error increases exponentially. That's why you need to write YAML files that are as solid as possible.

When you have a large amount of elements at play, each of which configure various resources, it can be a real challenge to get it right. That's why you should take advantage of the available tools, so you're not writing manifests that go against best practices.

One way to check those YAML files is with kube-linter. The kube-linter command is a static analysis tool that checks your Kubernetes YAML files to ensure the configured applications within adhere to best practices.

I want to walk you through the process of installing kube-linter on Ubuntu Server. Once installed, we'll go through the process of "linting" a sample YAML file.

SEE: Top cloud providers in 2020: AWS, Microsoft Azure, and Google Cloud, hybrid, SaaS players (TechRepublic)

What you'll need

The kube-linter tool can be installed on Linux or macOS. I'm going to be demonstrating on Linux. You don't have to install this software on your Kubernetes cluster, as you can always "lint" your YAML files on a separate machine and then move them to the Kubernetes cluster for deployment.

If you opt to use kube-lint on your cluster, you'll want to install it on your controller. This cluster can be self-hosted or hosted on one of the many cloud providers, such as Google Cloud, AWS, or Microsoft Azure.

How to install Go

The first thing you must do is install Go on your Linux machine. We'll install Go 1.15.4. To do that, download the necessary file with the command:

wget https://golang.org/dl/go1.15.4.linux-amd64.tar.gz

Unpack and move the newly created directory with the command:

sudo tar -C /usr/local -xzf go1.15.4.linux-amd64.tar.gz

Finally, add the go directory to your $PATH with the command:

export PATH=$PATH:/usr/local/go/bin

How to install kube-linter

Now we can install kube-linter. To do this, clone it from the Git repository with the command:

git clone https://github.com/stackrox/kube-linter.git

Change into the newly created directory with the command:

cd kube-linter

Build kube-linter with the command:

make build

If you find the make command isn't available, install it with the command:

sudo apt-get install make -y

The make build command will take between five to 10 minutes to complete. When it does finally finish, you need to copy the kube-linter executable into the necessary dorectpru. Do that with the command:

sudo cp .gobin/kube-linter /usr/bin/

Also copy the packr command into the same directory with:

sudo cp .gobin/packr /usr/bin/

How to test your YAML file

It's now time to test that first YAML file. Let's use the sample from the official kube-linter git page--it offers some good insight into best practices. Create that file with the command:

nano pod.yaml

Paste the following into that file:

apiVersion: v1

kind: Pod

metadata:

  name: security-context-demo

spec:

  securityContext:

    runAsUser: 1000

    runAsGroup: 3000

    fsGroup: 2000

  volumes:

  - name: sec-ctx-vol

    emptyDir: {}

  containers:

  - name: sec-ctx-demo

    image: busybox

    resources:

      requests:

        memory: "64Mi"

        cpu: "250m"

    command: [ "sh", "-c", "sleep 1h" ]

    volumeMounts:

    - name: sec-ctx-vol

      mountPath: /data/demo

    securityContext:

      allowPrivilegeEscalation: false

Save and close the file.

Run the test with the command:

kube-linter lint pod.yaml

The linter will come back (almost immediately) with the results (Figure A).

Figure A

kubelinterresults.jpg

The results of our linting the pod.yaml file.

Now that you see how well this tool can check YAML files against best practices, run it with your own manifests to see how well you've done. If kube-linter finds issues (which it probably will), make sure to address them and then deploy or redeploy your pods or containers.

This tool should be considered a must-use in your DevOps pipeline. You don't want to be deploying pods and containers that don't adhere to best practices to your cloud providers--especially when those applications and services could cause your deployments to cost you considerable resources and money. With a little extra work, you can deploy pods and containers that are much better suited for your company needs and bottom line.

Subscribe to TechRepublic's How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Also see