Kubevious CLI is an app-centric assurance and validation tool for Kubernetes. It helps modern teams rapidly release cloud-native applications without disasters, costly outages, and compliance violations by validating changes before they even reach the clusters. Kubevious CLI detects and prevents errors(typos, misconfigurations, conflicts, inconsistencies) and violations of best practices. Our secret sauce is based on the ability to validate across multiple manifests, regardless if they are already in the K8s clusters or are yet to be applied. Kubevious CLI can be used as a standalone tool during the active development of YAML manifests and can also be easily integrated into GitOps processes and CI/CD pipelines to validate changes toward live Kubernetes clusters. Kubevious CLI was created based on the experience and the lessons learned from the Kubevious Dashboard project and uses the evolution of its rules framework.
- β¨ Key Capabilities
- π₯ Installation
- π Usage and Use Cases
- π Guard - Comprehensive Cross-Manifest Semantical Validation
- β Lint - Validation of YAML syntax, K8s schema, and CRD/CR
- βΈοΈ Validating Helm Charts
- βΈοΈ Validating Kustomize Templates
- π©» Troubleshoot Live Cluster
- πΉ Input from a Variety of Sources
- πͺ Git Pre-Commit Hook
- π¦ Running Inside a Container
- βοΈ Writing Custom Rules
- Community-driven Rules Library.
- Validates K8s native manifests and popular projects uses such as CertManager, Traefik, Kong, Istio, etc.
- Your own custom validation rules:
- from the file system
- from live Kubernetes cluster
- Scoped at the cluster level or within the namespace
- Learn more about writing your own validation rules using Kubik.
- Validate YAML syntax
- Validate manifest API correctness
- Validate towards a custom K8s version, or live K8s cluster version
- Validate CRD definitions
- Validate Custom Resources against CRDs in the file system
- Validate Custom Resources against CRDs in the live K8s cluster
Kubevous CLI validates manifests from a variety of sources:
- files & directories
- search patterns
- web URLs
- stdin pipe - used to validate package managers such as Helm, Kustomize, Ytt, etc.
- native support with Helm & Kustomize
- live manifests already present in the Kubernetes cluster
- combination of all of the above
If you have Node.js v14 or higher:
$ npm install -g kubevious
$ kubevious guard samples/
$ brew install kubevious
$ kubevious guard samples/
All-in-one executables for Linux, Alpine, Mac OS, and Windows, including x64 and arm64 architectures. Download from the GitHub Releases or install using:
curl https://get.kubevious.io/cli.sh | bash
The script above would download the binary to /usr/local/bin/
Some environments have the /usr/local/bin/ path owned by root, so it may require running like this:
curl https://get.kubevious.io/cli.sh -o install-kubevious.sh && chmod +x install-kubevious.sh && sudo ./install-kubevious.sh && rm install-kubevious.sh
Run in a container:
$ docker run --rm kubevious/cli --help
Validate the entire manifests directory:
$ docker run --rm -v ${PWD}/samples:/src kubevious/cli guard /src
Validate manifests from pipe stream:
$ cat manifests.yaml | docker run --rm -i kubevious/cli guard --stream
Kubevious CLI Integrates with modern CI/CD platforms. Learn more here.
Try it yourself:
$ git clone https://github.com/kubevious/cli.git kubevious-cli.git
$ cd kubevious-cli.git/samples
The guard command performs linting of YAML syntax & API correctness and checks for violations of best-practices rules.
Will complain about not being able to find the corresponding application matching the label selector:
$ kubevious guard pepsi/service.yaml
π [ClusterRule] service-selector-ref
π WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
β Rule failed
β Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
π FILE: pepsi/service.yaml
π΄ Could not find Applications for Service
Passing the Deployment along with the Service would help the validation pass:
$ kubevious guard pepsi/service.yaml pepsi/deployment.yaml
π [ClusterRule] service-selector-ref
π WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
Rule passed
Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
π FILE: pepsi/service.yaml
Alternatively, if the dependent Deployment is already present in the K8s cluster, the Service can be validated against the live K8s cluster:
$ kubevious guard pepsi/service.yaml --live-k8s
π [ClusterRule] service-selector-ref
π WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
Rule passed
Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
π FILE: pepsi/service.yaml
Although changing pod labels in pepsi/deployment.yaml would break the Service label selector, even though the correct Deployment is already in the K8s cluster:
app: emailserviceX # label is inconsistent with Service label selector
app: emailserviceX # label is inconsistent with Service label selector
$ kubevious guard pepsi/service.yaml pepsi/deployment.yaml --live-k8s
π [ClusterRule] service-selector-ref
π WEB: https://raw.githubusercontent.com/kubevious/rules-library/master/k8s/service/service-selector-ref.yaml
β Rule failed
β Namespace: pepsi, API: v1, Kind: Service, Name: emailservice
π FILE: pepsi/service.yaml
π΄ Could not find Applications for Service
The guard command performs linting underneath, so the guard users don't need to run lint separately.
$ kubevious lint invalid-service-1.yaml
βΉοΈ Linting against Kubernetes Version: 1.25.2
β π FILE: invalid-service-1.yaml
β API: v1, Kind: Service, Name: db
β Required property "port" missing under "/spec/ports/0"
$ kubevious lint hpa.yaml --k8s-version 1.21
βΉοΈ Linting against Kubernetes Version: 1.21.14
β π FILE: hpa.yaml
β Namespace: ordering, API: autoscaling/v2, Kind: HorizontalPodAutoscaler, Name: orderservice
π΄ Unknown API Resource. apiVersion: autoscaling/v2, kind: HorizontalPodAutoscaler.
$ kubevious lint hpa.yaml --k8s-version 1.23
βΉοΈ Linting against Kubernetes Version: 1.23.12
π FILE: hpa.yaml
Namespace: ordering, API: autoscaling/v2, Kind: HorizontalPodAutoscaler, Name: orderservice
$ kubevious lint istio-gateway.yaml --ignore-unknown
β οΈ π FILE: istio-gateway.yaml
β οΈ Namespace: hipster, API: networking.istio.io/v1alpha3, Kind: Gateway, Name: frontend-gateway
β οΈ Unknown API Resource. apiVersion: networking.istio.io/v1alpha3, kind: Gateway.
Lint Succeeded.
$ kubevious lint istio-gateway.yaml --live-k8s
βΉοΈ Linting against Kubernetes Version: v1.24.0
π FILE: data/istio-gateway.yaml
Namespace: hipster, API: networking.istio.io/v1alpha3, Kind: Gateway, Name: frontend-gateway
$ kubevious lint cr-good.yaml crd.yaml
βΉοΈ Linting against Kubernetes Version: 1.25.2
π FILE: cr-good.yaml
Namespace: coke, API: example.com/v1alpha1, Kind: MyPlatform, Name: test-dotnet-app
π FILE: crd.yaml
API: apiextensions.k8s.io/v1, Kind: CustomResourceDefinition, Name: myplatforms.example.com
Kubevious CLI executes the Helm template whenever a Helm chart is discovered.
$ kubevious guard path-to-helm-chart-directory
It is also possible to pass remote Helm repos to validate
$ helm repo add traefik https://helm.traefik.io/traefik
$ kubevious guard @helm@traefik/traefik
Use values to specify Helm overrides file and inline values
$ kubevious guard @helm@traefik/traefik@values=overrides/prod.yaml@set=persistence.enabled=true
Supported Helm parameters:
Key | Description |
values | Path to Helm overrides path |
namespace | The namespace |
release-name | The release name |
crds | Possible values: "include" or "skip" |
set | Inline value overrides "key=value" |
Kubevious CLI executes Kustomize build as soon as it discovers kustomization.yaml files. Every files within that directory will be ignored.
$ kubevious guard path-to-kustomize-directory-or-file
The tool can be used to troubleshoot existing clusters and manifests:
kubevious guard --live-k8s --include-remote-targets --namespace default
$ kubevious guard sveltos/ pepsi/
Primary usage is to validate template outputs such as Helm Charts, Kuztomize, Carvel, etc.
$ ytt -f my-app/ | kubevious guard --stream
β β STREAM: stream
β Namespace: default, API: traefik.containo.us/v1alpha1, Kind: IngressRoute, Name: release-name-traefik-dashboard
π΄ Unknown API Resource. apiVersion: traefik.containo.us/v1alpha1, kind: IngressRoute.
Also can pass additional manifests, such as CRDs, Rules, etc., for validation along with the steam input.
$ ytt -f my-app/ | kubevious guard --stream https://raw.githubusercontent.com/traefik/traefik-helm-chart/master/traefik/crds/ingressroute.yaml
Guard Succeeded.
Mount a local directory to /src in the container. The rest of the arguments are the same.
$ docker run --rm -v ${PWD}/pepsi:/src kubevious/cli guard /src
β Guard Failed
The directory must be mounted to /src in the container to validate individual files. Can pass file names in the command line arguments.
$ docker run --rm -v ${PWD}/pepsi:/src kubevious/cli guard /src/service.yaml /src/deployment.yaml
Guard Succeeded.
Don't forget the -i argument.
$ helm template traefik/traefik | docker run --rm -i kubevious/cli guard --stream
β β STREAM: stream
β Namespace: default, API: traefik.containo.us/v1alpha1, Kind: IngressRoute, Name: release-name-traefik-dashboard
π΄ Unknown API Resource. apiVersion: traefik.containo.us/v1alpha1, kind: IngressRoute.
Passing CRDs as input would fix the issue:
$ helm template traefik/traefik | docker run --rm -i kubevious/cli guard --stream https://raw.githubusercontent.com/traefik/traefik-helm-chart/master/traefik/crds/ingressroute.yaml
Guard Succeeded.
You can get guard and lint commands to execute whenever changes to the GitOps repo are made. Kubevious uses the pre-commit project to set up pre-commit hooks. For convenience, there are commands to install hooks:
$ kubevious install-git-hook guard
βΉοΈ Repository: /Users/django/example.git
βΉοΈ PreCommit Config File: /Users/django/example.git/.pre-commit-config.yaml
βΉοΈ Hook Repo: https://github.com/kubevious/cli
βΉοΈ Hook ID: kubevious-guard
Install Git Hook Succeeded.
Now you can run:
$> cd /Users/django/example.git
$> git add .pre-commit-config.yaml
$> pre-commit autoupdate
$ kubevious install-git-hook lint
Kubevious rules are expressed in a domain-specific language called Kubik. A great way to start writing your own rules is to learn from the community-driven rules library.
Need help writing custom rules or policies? Need help with integration into your CI/CD platforms? Or urgently need a new feature or bug fix? Reach out to us at [email protected]
Join the Kubevious Slack workspace to chat with Kubevious developers and users. This is a good place to learn about Kubevious, ask questions, and share your experiences.
We invite your participation through issues and pull requests! You can peruse the contributing guidelines.
The Kubevious project is created by AUTHORS. Governance policy is yet to be defined.
Kubevious maintains a public roadmap, which provides priorities and future capabilities we are planning on adding to Kubevious.
Learn more about the Kubevious projects in the root repository: https://github.com/kubevious/kubevious
Kubevious CLI is an open-source project licensed under the Apache License, Version 2.0.