ValidKube is a new open-source tool that combines several tools to make it easier to validate, clean, and secure Kubernetes YAML configuration files.
In its initial release, ValidKube integrates three popular tools used with Kubernetes: kubeval, which validates Kubernetes configuration files; kubectl-neat, which removes clutter from Kubernetes manifests; and trivy, a scanner for vulnerabilities in container images, file systems, and Git repositories. The three tools were developed in Israel by Aqua Security and Snyk.
According to Itay Shakury, director of open source at Aqua Security and creator of kubectl-neat, ValidKube responds to the current trend of putting more power and responsibility into developers’ hands:
Security is one of those responsibilities that is shifting towards developers. This "shift left" approach encourages applying security practices early in the development lifecycle. ValidKube is a tool that can help developers quickly verify their Kubernetes manifests.
ValidKube is a browser-based tool, which means it is immediately accessible to anyone willing to try it out without needing to install the individual tools.
InfoQ has spoken with Itiel Shwartz, CTO and co-founder of Komodor, creator of ValidKube, to learn more about ValidKube.
InfoQ: ValidKube comes with out-of-the-box integration with AWS. Are you planning to support more Cloud providers?
Itiel Shwartz: We are thinking about this and think the community may very well beat us to it! This is an open-source project after all, and we are using the serverless framework, so branching ValidKube to other cloud providers should be relatively easy.
InfoQ: Could you clarify which "fundamentals and best practices" the tools included in ValidKube are addressing? Have you adopted some reference or standard set of practices for Kubernetes, or rather are you attempting to define those fundamentals and best practices?
Shwartz: Well, the easiest way to answer this is just to run the example code we provide in our tool. By trying to validate it, you'll immediately see how ValidKube can point out syntax errors. Or, if you try to clean the code, the tool will show you how the same YAML could be made much neater. These are Kubectl-neat and Kubeval in action. On the security side, there are several things Trivy will secure, like misconfigured privilege escalation.
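To make the two kinds of findings mentioned above concrete, here is an added example (not code from ValidKube, kubectl-neat, or trivy) that runs a kubectl-neat-style cleanup and a trivy-style privilege-escalation check over a constructed pod manifest. The manifest is embedded in JSON form, which the Kubernetes API also accepts, so only the standard library is needed; the set of clutter fields and the finding texts are this example's own choices, not the tools' exact rules.

```python
import json

# Constructed sample manifest: carries server-populated clutter
# (uid, resourceVersion, managedFields, status) and one insecure container.
SAMPLE_MANIFEST = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "demo", "namespace": "default", "uid": "1234",
               "resourceVersion": "99", "creationTimestamp": "2022-01-01T00:00:00Z",
               "managedFields": [{"manager": "kubectl"}]},
  "spec": {
    "containers": [
      {"name": "app", "image": "nginx:1.21",
       "securityContext": {"privileged": true}},
      {"name": "sidecar", "image": "busybox:1.35",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "runAsNonRoot": true}}
    ]
  },
  "status": {"phase": "Running"}
}
""")

# Metadata the API server fills in; it does not belong in a source manifest.
# Illustrative set chosen for this example, not kubectl-neat's exact list.
CLUTTER_METADATA = {"uid", "resourceVersion", "creationTimestamp", "managedFields"}

def neat(manifest):
    """Return a copy of the manifest with server-populated fields removed."""
    cleaned = json.loads(json.dumps(manifest))  # deep copy; leave the input intact
    cleaned.pop("status", None)
    for key in CLUTTER_METADATA:
        cleaned.get("metadata", {}).pop(key, None)
    return cleaned

def privilege_findings(manifest):
    """Flag containers that run privileged or leave allowPrivilegeEscalation open."""
    findings = []
    for c in manifest.get("spec", {}).get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((c["name"], "privileged container"))
        # When the field is absent, no_new_privs is not set, so escalation stays possible.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((c["name"], "allowPrivilegeEscalation not set to false"))
    return findings

if __name__ == "__main__":
    print(json.dumps(neat(SAMPLE_MANIFEST), indent=2))
    for name, problem in privilege_findings(SAMPLE_MANIFEST):
        print(f"{name}: {problem}")
```

Running it prints the cleaned manifest followed by two findings for the `app` container and none for `sidecar`, which sets `allowPrivilegeEscalation: false` explicitly.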
InfoQ: What do you envision as a roadmap for ValidKube? What other kind of tools would you like to see integrated in some near future?
Shwartz: Great question. As it happens, we are already looking into adding several new capabilities. For instance, we are looking into integrating with Polaris, which helps with the validation of best practices in Kubernetes clusters. Another cool project we are considering is Kube-Score, which helps with Kubernetes object reliability and security. There are several other projects we find interesting, and the idea is to keep expanding ValidKube’s integrations to deliver more and more value.
InfoQ: Validating, cleaning, and securing is just one step towards successfully managing Kubernetes. What are other key practices?
Shwartz: Going back to the idea of common best practices that are not always observed, I think that it’s important to properly manage your labels and annotations. Having a solid CI/CD pipeline is also mission-critical, and if you are not using Argo yet, you definitely should. That said, I believe that the main success factor for efficient Kubernetes management is a cultural one - you have to make sure that you expand Kubernetes knowledge throughout the organization as you drive adoption.
For all readers interested in Kubernetes-related tools, Shwartz also provided a list you should not miss.