TL;DR - What is Kubeconform?
Kubeconform is a command-line interface (CLI) tool built to validate your Kubernetes manifest files against the schemas derived from the official Kubernetes OpenAPI.
In any CI/CD pipeline, we know that Kubernetes YAML configurations can be notoriously prone to human error. Simple typos, incorrect indentation, or using deprecated API fields often lead to deployment failures that you only discover when `kubectl apply` fails. Kubeconform addresses this by empowering your teams to "shift left" and perform Kubernetes schema validation early in the development lifecycle. When you integrate it into your manifest validation workflows, it provides a fast, reliable check that prevents invalid configurations from ever reaching a cluster. The end result? Your manifests are syntactically correct for any specific Kubernetes version you're targeting.
ITL;DR: Kubeconform is a dedicated and efficient YAML linter that gives developers, SREs, and DevOps engineers a powerful tool to enforce configuration quality and improve deployment reliability.
Kubernetes Security Best Practices [Cheat Sheet]
This 6 page cheat sheet goes beyond the basics and covers security best practices for Kubernetes pods, components, and network security.
At-a-Glance
License: Apache-2.0
Primary Language: Go
Stars: 2.7k
Last Release: May, 2025
Topics/Tags: kubernetes, validation, compliance
Common use cases
1. CI/CD Pipeline Gate: Use it as an automated quality gate in your CI/CD pipelines to validate Kubernetes manifests on every commit. Kubeconform will fail the build and block merges if any configuration is syntactically invalid.
2. Local Development Pre-Commit Hook: To provide instant feedback to developers and ensure only valid manifests enter the repository, integrate it into your local development workflow via pre-commit hooks to automatically validate staged YAML files.
3. GitOps Pre-Flight Validation: Let Kubeconform act as a pre-flight check in your CI pipelines to validate the output of Helm or Kustomize before it gets committed to a GitOps repository used by tools like Argo CD or Flux.
4. Auditing Existing Configurations: Run it against your entire directories of existing Kubernetes manifests to perform a comprehensive audit. This helps you identify legacy or non-compliant configurations across a large codebase as part of a compliance check.
5. Validating Dynamic Chart Outputs: Use Kubeconform interactively to validate the YAML output of `helm template` or `kustomize build` commands. This is a great way to debug complex templating logic quickly before you commit changes.
How does Kubeconform work?
Kubeconform operates as a single, stateless Go binary, which makes it incredibly fast and easy for you to integrate into any workflow. The process starts when it ingests your Kubernetes manifests from various sources, like standard input, individual files, or entire directories.
For each resource, it identifies the `apiVersion` and `kind` to determine the correct schema to use. It then downloads the OpenAPI specification for the target Kubernetes version and aggressively caches it locally to speed up future runs. Finally, it validates your manifest against this schema, reporting any errors with a non-zero exit code—perfect for automated CI/CD checks.
Let's break down the key steps:
Schema Identification & Caching: Kubeconform uses a resource's `apiVersion` and `kind`, along with the Kubernetes version you specify, to locate and download the correctOpenAPI schema. It intelligently caches these schemas locally to minimize network latency and boost performance on subsequent validations.
Flexible Input & Integration: The tool is designed for versatility, accepting manifests directly from standard input (stdin) or by scanning your files and directories. This allows you to easily chain it with other tools like `helm template ./chart | kubeconform -summary` or `kustomize build | kubeconform -summary -output junit > kubeconform.xml` right inside your CI/CD pipelines.
Stateless Validation Engine: With the appropriate schema loaded, the validation engine meticulously compares your input manifest against the specification. It checks for valid fields, correct data types, and the presence of all required properties, ensuring strict adherence to the Kubernetes API structure.
CI-Friendly Reporting: Validation results are reported with clear, human-readable error messages. Critically for automation, Kubeconform uses exit codes to signal success (0) or failure (non-zero), allowing your automated systems to immediately pass or fail a build based on the outcome.
Core Capabilities
1. Up-to-Date Kubernetes Schema Validation: Kubeconform validates your manifests against official OpenAPI specifications sourced from an up-to-date JSON Schema registry derived from the official Kubernetes OpenAPI ensuring accuracy against your target cluster's API server and helping you correctly handle new features or deprecations.
2. Comprehensive Custom Resource (CRD) Validation: Kubeconform excels at validating your custom resources by fetching them from URLs or by using local files. This applies rigorous standards to configurations for operators like Istio or Prometheus.
3. Seamless Toolchain Integration: You can integrate Kubeconform with tools like Helm and Kustomize by processing manifest streams from standard input, enabling your developers to pipe templated output directly for on-the-fly validation.
4. High Performance and Portability: Distributed as a single, dependency-free Go binary, Kubeconform offers exceptionally fast execution with a low resource footprint. This makes it ideal for any CI/CD pipeline and easy to install on a developer machine or build runner.
5. Flexible CI/CD Reporting: Kubeconform supports multiple output formats beyond just text, including JSON, TAP, and JUnit. As a result, validation results can be programmatically parsed by your CI/CD systems for automated reporting and integration with quality dashboards.
Kubernetes Security for Dummies
Everything you need to know about securing Kubernetes
Limitations
While Kubeconform is a fantastic tool for schema validation, it's important for security teams to understand what it doesn't do:
1. It Does Not Enforce Best Practices: The tool only performs schema validation. It won't check for security misconfigurations, operational best practices, or logical errors, such as a container running as root or a deployment missing readiness probes.
2. It's Dependent on CRD Schema Quality: The accuracy of custom resource validation depends entirely on the quality of the schema provided by the CRD author. If the schema is missing, incomplete, or inaccurate, the validation will be ineffective or even misleading.
3. It Lacks Runtime Cluster Context: Kubeconform operates on static files without any knowledge of the live cluster state. In other words, it can’t validate runtime dependencies, like the existence of a required secret or an available StorageClass, which can still cause deployment failures.
4. It's Not a Policy Enforcement Tool: You can't use it to enforce organizational policies, like requiring resource limits on all deployments or restricting ingress hostnames. This requires a dedicated policy engine like OPA Gatekeeper or Kyverno to be used alongside it.
5. It Requires Manual Schema Management for Offline Use: To use Kubeconform in air-gapped or offline environments, you'll need to manually download, store, and point the tool to local schema files. This adds some operational overhead for managing schema distribution and versioning.
Getting Started with Kubeconform
Step 1:
Ready to give it a try? Getting started with Kubeconform is easy. First, install it for your platform. If you use Homebrew (macOS/Linux), run:
brew install kubeconformFor Windows, you can install it via winget:
winget install YannHamon.kubeconformAlternatively, to install via Go (this requires Go 1.17+):
go install github.com/yannh/kubeconform/cmd/kubeconform@latestOr you can always download a prebuilt binary from the GitHub releases page: https://github.com/yannh/kubeconform/releases
Step 2:
Once installed, you can validate a Kubernetes manifest by running:
kubeconform path/to/your-manifest.yamlA return code of 0 means success! To see a summary of results or use JSON output, you can try:
kubeconform -summary -output json path/to/your-manifest.yamlYou can also validate all the YAML files in a folder at once:
kubeconform -summary path/to/your/folderStep 3:
For help and a full list of options, just run:
kubeconform -hNow you can start integrating Kubeconform into your CI to validate configuration files before they ever get deployed.
Alternatives
| Feature / Tool | Kubeconform | kubectl-validate | ValidKube |
|---|---|---|---|
| Schema Source | Kubernetes OpenAPI (self-updating fork, supports all recent versions) | Built-in schemas for native types; CRDs from cluster or local file | Web UI that uses multiple tools; uses Kubeconform for validation |
| CRD Validation | Robust out-of-the-box CRD support, multiple schema sources (local/remote), CRD catalogue | Downloads CRDs from cluster; supports local schemas | Limited; front-end to other tools |
| Performance | High (parallel processing, caching) | Aligned with API server | N/A (web app) |
| Offline Validation | Yes (support for local schemas and schema cache) | Yes with local schemas | No (web) |
| Schema Timeliness | Always up-to-date: fetches schemas directly from maintained fork of schemas | Tied to live Kubernetes API | Depends on embedded tools |
| Use in CI/CD | Yes (Docker image, Github Actions, Gitlab CI, Homebrew, Go module, etc) | Yes, but requires API access | Mainly manual UI; not typical CI |
| Helm Support | Supported via third-party Helm plugin and pre-commit hooks | Validate helm template output (no dedicated plugin) | Unknown |
Secure Kubernetes at scale
Validation is only step one. Wiz provides full-stack Kubernetes visibility – identities, workloads, and data – so you can prevent breaches before they happen.
