KubeLinter is an open source static analysis tool—also referred to as alint orlinter—that identifies misconfigurations and programming errors inKubernetes deployments. The command-line tool automatically analyzesYAML files andHelm charts against Kubernetesconfiguration andsecurity best practices.

Kubernetes—also known as K8s—is popular for its ability to deploy, manage, and scale containerized applications but is not known for its ability tosecure containers. Kubernetes configurations are also typically defined in YAML files, which are human-readable yet challenging to understand and produce valid configurations at scale. Static validation alone in complex YAML cannot easily catch errors and violations, which can expose security issues.

And security is essential.

According to Red Hat’sKubernetes adoption, security, and market trends report for 2021, more than half of those surveyed said they delayed deploying Kubernetes applications into production because of security concerns, with 94% experiencing at least 1 Kubernetes-related security incident in 2020. This was primarily due to human error, with manually entered misconfigurations contributing to about 67% of cases reported.

This is where KubeLinter comes in.

The lint tool—created by StackRox in late 2020 shortly before it wasacquired by Red Hat in early 2021—is specifically designed to combat security errors and improve accurate configuration across Kubernetes deployments at the beginning of the development process. It carries out config file checks and can be used with continuous integration (CI) systems to simplify the process of updating YAML files and Helm charts while employingDevSecOps best practices.

As an open source tool available under theApache 2.0 license, KubeLinter also allows users throughout the open source community to contribute to the project.

To verify that Kubernetes clusters are set up correctly and that programming bugs are fixed before deployment, KubeLinter takes a path to a chart and runs a series of tests to verify that the chart is well-formed and error-free. It then sends lint error messages for anything it finds that causes the chart to fail installation or a warning message for anything that doesn't align withKubernetes security best practices.

KubeLinter also was designed to be easy to run. It comes prepackaged with40 built-in lint checks for common K8s misconfigurations like running a container as user, mismatching selectors, and storing sensitivedata only in secrets. It supports configuration of custom checks and lets users treat configurations as code, allowing them to build security into the application development process much earlier.

KubeLinter is highly configurable. Users can create, enable, and disable their own custom rules with minimal changes to workflows and near-instant feedback on misconfigurations andsecurity violations.

KubeLinter can be added to anycontinuous integration/continuous delivery (CI/CD) tool—including GitHub Action, Jenkins,CircleCI, and Travis CI—and can automatically check for and identify errors in application configurations. This helps developers with remediation efforts, and they can automatically see problems throughout the production pipeline.

KubeLinter default checks are also centered around security, so users must manually opt in if they want to configure Kubernetes in a insecure way.

KubeLinter takes a few minutes to download and install. Developed as a self-contained binary using the human-readableGo programming language, it is comparable to kubectl and is made with a few of the same packages.

Toinstall KubeLinter, you can build the command-line interface locally using Go, use pre-built Docker containers, install using Homebrew, or build it yourself from source code. After installation, point the tool to your Helm charts and Kubernetes YAML files to get results almost immediately.

Because it’s an open source tool, developers can and should expect changes to elements of KubeLinter as it’s further developed. Changes can include configuration file formats, flags, and command usage.

• Case study

  Meet the 7 customers innovating with Red Hat technologies

• Blog post

  The Sovereign Cloud Imperative

• Blog post

  How do you beta? With Jasper Wiegratz

• Case study

  Mizuho Securities Achieves VM Provisioning with Red Hat

• What is a Linux container?
• What is container orchestration?
• What is Istio?
• What is CentOS Stream?
• Stateful vs stateless applications
• What is Kubernetes?
• Red Hat OpenShift on VMware
• What is KVM?
• What is KubeVirt?
• Why use Red Hat Ansible Automation Platform with Red Hat OpenShift?
• What is Podman Desktop?
• What is CentOS?
• What are CentOS replacements?
• What is Podman?
• What is the Kubernetes Java client?
• What are hosted control planes?
• What is kubernetes security?
• What is Helm?
• What is InstructLab?
• What is Argo CD?
• Red Hat OpenShift for developers
• Containers vs VMs
• Edge computing with Red Hat OpenShift
• What is MicroShift?
• How Kubernetes can help AI/ML
• OpenJDK versus Oracle JDK
• What is Cloud Foundry?
• What is Kubeflow?
• What are microservices?
• OpenShift vs. OpenStack: What are the differences?
• What is container security?
• What are sandboxed containers
• what is Buildah?
• Kubernetes vs OpenStack
• What are validated patterns?
• Understanding Ansible, Terraform, Puppet, Chef, and Salt
• Ansible vs. Chef: What you need to know
• Ansible vs. Salt: What you need to know
• Kubernetes on AWS: Self-Managed vs. Managed Applications Platforms
• What is Linux?
• What's the best Linux distro for you?
• What is an image builder?
• Ansible vs. Puppet: What you need to know
• Red Hat OpenShift vs. OKD
• Red Hat OpenShift vs. Kubernetes: What's the difference?
• Why run Apache Kafka on Kubernetes?
• What is Apache Kafka?
• What is high availability and disaster recovery for containers?
• Spring on Kubernetes with Red Hat OpenShift
• Ansible vs. Terraform, clarified
• What is a golden image?
• Ansible vs. Red Hat Ansible Automation Platform
• What are Red Hat OpenShift cloud services?
• VNF and CNF, what’s the difference?
• What is a container registry?
• What is Skopeo?
• What are Red Hat OpenShift Operators?
• Using Helm with Red Hat OpenShift
• Kubernetes security best practices
• What is Grafana?
• Orchestrating Windows containers on Red Hat OpenShift
• What is a Kubernetes operator?
• What is open source software?
• Open source vs. proprietary software in vehicles
• High performance computing with Red Hat OpenShift
• Advantages of Kubernetes-native security
• Container and Kubernetes compliance considerations
• Intro to Kubernetes security
• How microservices support IT integration in healthcare
• Kubernetes cluster management
• Red Hat OpenShift on IBM IT infrastructure
• Red Hat OpenShift for business leaders
• How to deploy Red Hat OpenShift
• Cost management for Kubernetes on Red Hat OpenShift
• Why choose Red Hat for Kubernetes?
• What makes Red Hat OpenShift the right choice for SAP?
• Kubernetes-native Java development with Quarkus
• What is enterprise Kubernetes?
• What is RKT?
• What makes Red Hat OpenShift the right choice for IT operations?
• What is Kubernetes role-based access control (RBAC)
• What is Kogito?
• What is containerization?
• What was CoreOS and CoreOS container Linux
• Learning Kubernetes basics
• What is service-oriented architecture?
• What is the Kubernetes API?
• What is Kubernetes cluster management?
• What is a Kubernetes deployment?
• Why choose the Red Hat build of Quarkus?
• Introduction to Kubernetes architecture
• What is CaaS?
• Introduction to Kubernetes patterns
• What is a Kubernetes cluster?
• What is Quarkus?
• What is Jaeger?
• What is open source?
• What is Clair?
• What is Knative?
• What is etcd?
• What is container-native virtualization?
• Why choose Red Hat for microservices?
• Why choose Red Hat for containers?
• What is Docker?
• What is a Kubernetes pod?