kubectl-validate is a SIG-CLI subproject to support the local validation of resources for native Kubernetes types and CRDs.
This project has two goals:
1.) Shift-left validation of resources with as close to parity to server-side Kubernetes as possible. 2.) Improve declarative validation support in upstream Kubernetes over time, making those improvements available for kubectl-validate users early.
kubectl-validate
distinguishes itself among other OpenAPI-based validators by
to its deep integration with Kubernetes upstream validation. kubectl-validate
is written by Kubernetes apiserver authors using the same code as the server-side.
This allows kubectl-validate
to give the most accurate error messages and support
the Kubernetes-specific validations often ignored by other tools.
kubectl-validate
suffers from similar drawbacks to other OpenAPI-based validation tools.
For CRDs, users should expect a first class experience likely identical to how the server treats CRDs.
For Native Types, the OpenAPI definitions are a best-effort replication of the handwritten validation rules conducted by the apiserver. There is an ongoing effort to improve the quality of native type definitions, and eventually replace the handwritten rules. As the improvements are made upstream, kubectl-validate will integrate them to make them available to all users.
Bottom line is that users should expect nearly a seamless experience with CRDs, and great but constantly improving support for the builtin Kubernetes types.
You can get started using kubectl-validate right away with an existing installation of Go:
go install sigs.k8s.io/kubectl-validate@latest
Once installed, you have the option of invoking kubectl-validate
through
kubectl
or directly:
kubectl validate ./path/to/file.yaml
is equivalent to
kubectl-validate ./path/to/file.yaml
Native types can be validated out of the box with kubectl-validate
. The tool
has built-in schemas for Kubernetes 1.23-1.27 which are kept up to date with releases.
By default the tool will validate native types with the latest builtin version it ships with. You can specify a specify Kubernetes version to validate against using the version argument:
kubectl validate ./my_pod.yaml --version 1.27
If the version is not recognized, kubectl-validate
will attempt to look up
the schemas for the selected version in the official upstream Kubernetes repository
on GitHub.
kubectl-validate
is also capable of validating CRDs. To do that, it needs to be
aware of their definitions. There are two ways to provide this:
If you have access to a cluster with the CRDs already installed, then kubectl-validate will automatically connect to the cluster to download the definitions.
This is done automatically if your cluster is the currently active context, or you can supply the name of the context for the cluster you'd like to use:
kubectl validate ./my_crd.yaml --context <cluster_context>
If you are working offline or do not have access to a cluster with the CRDs installed, you may supply a directory to use as a search path for types:
kubectl validate ./my_crd.yaml --local-crds ./path/to/folder/with/crds
If you are working offline or do not have access to a cluster to load openapi schemas, you may supply a directory to use as a search path for schemas:
kubectl validate ./my_crd.yaml --local-schemas ./path/to/folder/with/schemas
Directory should have openapi files following directory layout:
/<apis>/<group>/<version>.json
/api/<version>.json
By default the output of the tool is human readable, but you may also request JSON structured output for easier integration with other software:
kubectl-validate ./testcases/error_array_instead_of_map.yaml --output json
Example output:
{
"./testcases/error_array_instead_of_map.yaml": {
"metadata": {},
"status": "Failure",
"message": "ConfigMap.core \"my-deployment\" is invalid: data: Invalid value: \"array\": data in body must be of type object: \"array\"",
"reason": "Invalid",
"details": {
"name": "my-deployment",
"group": "core",
"kind": "ConfigMap",
"causes": [
{
"reason": "FieldValueTypeInvalid",
"message": "Invalid value: \"array\": data in body must be of type object: \"array\"",
"field": "data"
}
]
},
"code": 422
}
}
🚧 COMING SOON 🚧
Learn how to engage with the Kubernetes community on the community page.
You can reach the maintainers of this project at:
- Kubernetes Slack in the #kubectl-validate channel.
- Mailing List
Participation in the Kubernetes community is governed by the Kubernetes Code of Conduct.