Wiz
Todos los artículos

What is a YAML File in Kubernetes?

Equipo de expertos de Wiz
Kubernetes Security Cheat SheetWatch demo
Key takeaways

  • Kubernetes uses YAML as its primary configuration language for defining and managing all cluster resources

  • YAML files serve as declarative manifests that specify the desired state of applications and infrastructure

  • Understanding YAML structure and syntax is essential for effective Kubernetes operations and security

  • Misconfigurations in YAML files can introduce critical security vulnerabilities into production environments

  • Modern cloud security platforms can scan and validate YAML configurations throughout the development lifecycle

Understanding Kubernetes YAML fundamentals

YAML is the primary data serialization format Kubernetes uses to define resources. It stands for "YAML Ain't Markup Language" (a recursive acronym) and acts as a blueprint describing what you want the cluster to run and how it should behave. Unlike programming languages, YAML simply structures data in a human-readable way that Kubernetes can parse.

When you write a YAML file for Kubernetes, you're creating what's called a declarative manifest. This means you're declaring the end state you want, and Kubernetes figures out how to make it happen. You don't tell Kubernetes the step-by-step instructions—you just describe what you want, and it does the work.

Here's how it works: When you apply a YAML file using kubectl apply -f <filename>.yaml, the Kubernetes API server reads your manifest and converts it into API requests. The -f flag tells kubectl which file to read—for example, kubectl apply -f deployment.yaml applies the configuration in that file.

Kubernetes can also understand JSON, but YAML is the preferred format. YAML is easier for humans to read, supports comments, and lets you include multiple resource definitions in a single file. This makes it simpler for teams to write, review, and maintain their configurations.

Take a tour of Wiz

Explore Wiz in this 10 minute interactive guided tour.

Watch now

Core components of Kubernetes YAML manifests

Every Kubernetes YAML file has a few essential sections that define the resource you're creating. Understanding these components is the first step to managing your Kubernetes environment effectively.

Here are the required fields you'll find in nearly every Kubernetes manifest:

  • apiVersion: This specifies which version of the Kubernetes API you're using to create this object. Different resources belong to different API groups, such as apps/v1 for Deployments or v1 for Pods and Services.

  • kind: This defines the type of Kubernetes resource you're creating. Common kinds include Pod, Service, Deployment, ConfigMap, and Secret.

  • metadata: This section contains data that helps uniquely identify the resource. It includes the resource's name, the namespace it belongs to, and labels or annotations for organization and filtering.

  • spec: Short for specification, this is where you describe the desired state of the resource. The content of the spec section varies greatly depending on the kind of resource.

These components work together to form a complete resource definition. For instance, a Deployment manifest uses the spec to define the container image to run and the number of replicas, while a Service manifest uses its spec to define how to expose that Deployment to the network.

To write valid YAML, you need to follow its syntax rules. YAML uses indentation with spaces (not tabs) to denote structure and hierarchy. Lists are denoted by a dash, while mappings are key-value pairs separated by a colon.

You can separate multiple resource definitions in a single file using three hyphens, which is useful for deploying related resources together. For more advanced use cases, you can reuse configuration blocks within a file using anchors and references to avoid repetition.

Security implications of Kubernetes YAML configurations

A single misconfiguration in a YAML file can create a critical vulnerability that exposes your cluster to attacks. These issues often arise from default settings, human error, or a lack of security awareness during development—with 45% of organizations experiencing Kubernetes misconfiguration incidents.

When multiple minor misconfigurations exist, they can create what's called a "toxic combination"—a chain of vulnerabilities that forms a clear attack path for an adversary.

Here are the most common security misconfigurations in YAML files:

  • Overly permissive RBAC rules: Granting broad permissions through Role and RoleBinding definitions can allow a compromised account to escalate privileges and move laterally across the cluster.

  • Exposed secrets: Hardcoding sensitive data like API keys or passwords directly in YAML files is a common mistake. If these files are committed to a public repository, the secrets are immediately compromised.

  • Privileged containers: Setting privileged: true grants the container all Linux capabilities and direct access to host devices (/dev/*), effectively breaking container isolation. This allows processes inside the container to perform kernel-level operations, load kernel modules, and access host resources—creating a critical security risk equivalent to root-level host access.

  • Missing or misconfigured resource limits: Not setting CPU and memory limits allows a single container to consume all node resources, causing denial of service for other workloads. Conversely, overprovisioned requests waste cluster capacity—65% of workloads use less than half their requested resources, according to Komodor's 2025 Enterprise Kubernetes Report. Set both requests (for scheduling) and limits (for enforcement) to balance availability and efficiency.

  • Network exposure: Misconfigured Service or Ingress resources can unintentionally expose internal applications to the public internet, creating an entry point for attackers.

Organizations are adopting a "shift-left security" approach to combat these risks. This involves scanning and validating YAML files during the development process.

Kubernetes Security Best Practices [Cheat Sheet]

This 6 page cheat sheet goes beyond the basics and covers security best practices for Kubernetes pods, components, and network security.

Best practices for writing secure and maintainable YAML

Creating YAML files that are both secure and easy to manage is essential for operating Kubernetes at scale. By following established best practices, you can reduce the risk of misconfigurations and improve the overall stability and security of your Kubernetes clusters.

Start with these security-first practices:

  • Use namespaces: Isolate workloads into different namespaces to create logical security boundaries. This limits the blast radius of a potential compromise and helps organize resources.

  • Implement least privilege: Define minimal RBAC permissions for users and service accounts. Only grant the access required for a specific task to prevent privilege escalation.

  • Externalize configuration: Never hardcode sensitive information. Use ConfigMap objects for non-sensitive configuration data and Secret objects for sensitive data like passwords and API keys.

  • Set resource requests and limits: Always define CPU and memory requests and limits for your containers in the pod spec. Enforce these at the namespace level using LimitRange (default limits per container) and ResourceQuota (aggregate limits for the namespace). For example, a LimitRange can prevent any container from requesting more than 2 CPU cores.

  • Enable security contexts: Configure the security context for your pods and containers to run as a non-root user and with a read-only root filesystem to minimize the potential impact of a compromise.

  • Implement admission control and policy guardrails: Kubernetes 1.25+ includes Pod Security Admission (PSA), which enforces security standards at the namespace level. Apply the restricted profile to production namespaces to block privileged containers, host path mounts, and other risky configurations:

apiVersion: v1 kind: Namespace metadata: name: production labels: pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/warn: restricted

For custom policies, use policy-as-code tools:

  • OPA Gatekeeper – Write Rego policies to enforce organizational standards like mandatory resource limits or approved registries

  • Kyverno – Define policies in YAML to validate, mutate, or generate resources—for example, automatically adding securityContext to pods that lack it

  • CI/CD policy scanners – Integrate tools like Wiz Code into your pipeline to catch misconfigurations before merge

These layers create defense in depth: CI/CD catches issues early, admission controllers block non-compliant resources at deploy time, and runtime monitoring detects drift.

Making your YAML files maintainable is crucial for long-term operational success. Use consistent naming conventions for all your resources. This makes it easier for teams to identify and manage components.

Add meaningful labels and annotations to organize resources and provide additional metadata. This enables better resource filtering, automation, and tracking. For complex applications, choose the right configuration management tool:

  • Kustomize – Use kubectl apply -k for overlay-based customization. Best when you need environment-specific patches (dev vs. prod) without templating logic. Built into kubectl 1.14+.

  • Helm – Use for templated packaging and release management. Best when you need to distribute applications with configurable parameters or manage versioned releases with rollback capability.

Many teams use both: Helm for third-party charts and Kustomize for internal application overlays.

Store all your YAML manifests in a Git repository. This provides a history of all changes, enables peer reviews, and serves as a single source of truth for your cluster's desired state. Use comments within your YAML files to explain complex configurations or non-obvious decisions.

Always validate your YAML files before applying them. Use kubectl apply --dry-run=clientserver -f <file>.yaml to validate against the actual API server without persisting changes—this catches schema errors and admission controller rejections. For offline validation, use --dry-run=client, though it won't catch server-side policies. Add policy-as-code scanners like OPA Gatekeeper or Kyverno to your CI/CD pipeline to enforce organizational security standards.

Academia Wiz

Kubernetes Monitoring Tools and Best Practices to Know

Discover essential Kubernetes monitoring tools and best practices to optimize performance, enhance security, and ensure seamless cluster management.

Leer más

Common YAML configuration challenges and troubleshooting

Writing and managing Kubernetes YAML can be challenging, and even experienced engineers run into common pitfalls—with 79% of production outages stemming from recent system changes. Syntax errors, version incompatibilities, and logical mistakes can prevent resources from being deployed or cause them to behave unexpectedly.

Here are the most frequent YAML pitfalls you'll encounter:

  • Indentation errors: YAML is highly sensitive to indentation. Using tabs instead of spaces or having inconsistent nesting levels is one of the most common sources of syntax errors.

  • API version deprecations: Kubernetes evolves, and API versions are sometimes deprecated and removed. Using an outdated apiVersion will cause the API server to reject the manifest.

  • Schema validation failures: Every Kubernetes resource has a specific schema with required fields and expected value types. Using an incorrect field name or providing a string where a number is expected will lead to validation failure.

  • Namespace conflicts: Attempting to create a resource in a namespace that does not exist or failing to specify a namespace can lead to deployment errors or resources being placed in the default namespace unintentionally.

  • Label selector mismatches: A common issue is when a Deployment's selector does not match the labels on its Pod template. This prevents the Deployment from managing its Pods, leaving them in a pending or error state.

When a resource fails to deploy or run correctly, the first step is to use kubectl describe on the resource to get detailed information and view recent events. This command often provides clear error messages that point to the root cause of the problem.

Follow this troubleshooting workflow when you encounter issues. First, validate YAML syntax with a linter like yamllint to catch indentation and formatting errors. Then validate Kubernetes schema with kubectl apply --dry-run=server -f <file>.yaml to ensure all required fields are present and values match expected types. This two-step approach catches both syntax and semantic errors before deployment.

When deploying a complex application with multiple resources, apply them one at a time. This helps isolate which resource is causing the issue. Use kubectl get events to see cluster-wide events and kubectl logs to view container logs for application-specific errors.

If your cluster uses admission controllers, they may reject a manifest for violating a security policy. The error message from kubectl apply will typically explain why the resource was denied.

Academia Wiz

Kubernetes control plane: What it is and how to secure it

The Kubernetes control plane is the cluster’s management layer that exposes the API, stores cluster state, and continuously reconciles desired configuration—scheduling, scaling, and replacing pods as needed—to keep applications healthy and consistent across nodes.

Leer más

How Wiz secures Kubernetes YAML configurations across the development lifecycle

Wiz provides a unified platform to secure Kubernetes environments by embedding security directly into the development lifecycle. Wiz Code integrates into your CI/CD pipelines to provide automated scanning of Kubernetes YAML files. It checks against a library of over 1,400 misconfiguration rules, flagging potential security issues like overly permissive roles or exposed secrets before they're ever deployed.

Once workloads are running, Wiz Cloud delivers agentless Kubernetes Security Posture Management to continuously monitor your deployed configurations. It detects configuration drift and policy violations in real-time, ensuring your cluster remains compliant with security standards.

The Wiz Security Graph maps all resources and their relationships within your cloud and Kubernetes environments. It analyzes how misconfigurations in YAML files can combine with other risks—like vulnerabilities, network exposures, and excessive permissions—to create exploitable attack paths. This contextual analysis allows you to prioritize the "toxic combinations" that pose a genuine threat.

Wiz surfaces the toxic combinations that represent actual business risk

For the final layer of defense, Wiz Defend's lightweight runtime sensor detects active threats within containers that were instantiated from your YAML manifests. It can identify malicious activities such as malware execution, container escapes, and lateral movement, providing immediate alerts and forensic data.

With code-to-cloud traceability, Wiz connects these runtime threats back to their source YAML files and the developers who own them. This dramatically speeds up remediation and closes the feedback loop between security and development teams. This end-to-end approach ensures that consistent security policies are enforced on your YAML configurations throughout their entire lifecycle.

Want to see these practices in action across code, pipeline, and runtime? Get a hands-on walkthrough of how contextual risk prioritization reduces Kubernetes alert noise and speeds remediation. Get a demo.

See Wiz in Action

Experience how contextual risk prioritization reduces Kubernetes alert fatigue. Get a personalized demo

Para obtener información sobre cómo Wiz maneja sus datos personales, consulte nuestra Política de privacidad.

FAQs about Kubernetes YAML