An always up to date collection of useful tools for your Kubernetes linting and auditing needs.
Mount a folder containing your Helm or raw Kubernetes manifests:
docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.37
The container image is pushed to these two registries:
- docker.io/chgl/kube-powertools:v2.3.37
- ghcr.io/chgl/kube-powertools:v2.3.37
The kube-powertools image includes a few helpful scripts to simplify working with Helm chart repositories.
The image includes a chart-powerlint.sh script which can be used to apply several linters to Helm chart repos.
For example, you can mount this repository into the kube-powertools container and run the following to lint the sample chart in the /samples/charts dir:
$ docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.37
bash-5.1# CHARTS_DIR=samples/charts chart-powerlint.sh
You can auto-generate and format Markdown docs from the chart's values.yaml using generate-docs.sh.
This script uses chart-doc-gen if the chart dir contains a doc.yaml, or helm-docs if it doesn't.
You can auto-generate the Helm schema from the chart's values.yaml using generate-schemas.sh.
Finally, there's generate-chart-changelog.sh, which can be used to generate a CHANGELOG.md file from the contents of a Chart.yaml's artifacthub.io/changes annotation.
You can use this file in conjunction with the chart-releaser tool's --release-notes-file
option to produce release notes for a GitHub release. See https://github.com/chgl/charts/blob/master/.github/workflows/release.yaml#L32 and https://github.com/chgl/charts/blob/master/.github/ct/ct.yaml#L16 for a sample workflow.
- kubectl
- helm
- helm push plugin
- helm schema-gen plugin
- helm-local-chart-version
- chart-doc-gen
- kubeval
- kube-score
- chart-testing
- polaris
- pluto
- helm-docs
- kube-linter
- kustomize
- conftest
- nova
- kubesec
- kubeconform
- kube-no-trouble
- trivy
- yq
- kubescape
- gomplate
- cosign
- crane
- checkov
- kubepug
- container-structure-test
- Artifact Hub CLI
- Kyverno CLI
docker build -t kube-powertools:dev .
$ docker run --rm -it -v $PWD:/root/workspace kube-powertools:dev
bash-5.1# CHARTS_DIR=samples/charts scripts/chart-powerlint.sh
Prerequisites: the commands below use crane (to resolve the tag to a digest), cosign (to verify the signature) and slsa-verifier (to verify the provenance), so all three need to be installed.
First, determine the digest of the container image to verify. This digest is also visible on the packages page on GitHub: https://github.com/chgl/kube-powertools/pkgs/container/kube-powertools.
IMAGE=ghcr.io/chgl/kube-powertools:v2.3.37
IMAGE_DIGEST=$(crane digest $IMAGE)
IMAGE_TAG="${IMAGE##*:}" # everything after the last colon, so a registry with a port (host:5000/...) still yields the tag
Verify the container signature. The image is referenced by digest rather than tag, since tags are mutable, and the certificate flags pin the accepted signing identity to the release run of the chgl/kube-powertools ci workflow for this tag; a signature from any other workflow, repository or trigger is rejected:
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp="https://github.com/chgl/.github/.github/workflows/standard-build.yaml@.*" \
--certificate-github-workflow-name="ci" \
--certificate-github-workflow-repository="chgl/kube-powertools" \
--certificate-github-workflow-trigger="release" \
--certificate-github-workflow-ref="refs/tags/${IMAGE_TAG}" \
"ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"
Verify the container SLSA level 3 provenance attestation, which binds the same digest to the source repository, tag and branch it was built from:
slsa-verifier verify-image \
--source-uri github.com/chgl/kube-powertools \
--source-tag ${IMAGE_TAG} \
--source-branch master \
"ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"
See also https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#verification for details on verifying the image integrity using automated policy controllers.
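The two procedures above (verify the image, then run chart-powerlint.sh from it) combined into one fail-closed script, as an added example that is not part of the kube-powertools project. The function names image_tag, image_repo, verify_and_pin and lint_charts are my own; the script assumes bash is present in the image (the interactive prompt above shows bash-5.1) and overrides the entrypoint with it, and that chart-powerlint.sh reads CHARTS_DIR from the environment as the usage above shows. image_tag and image_repo are pure string handling and run offline; verify_and_pin needs crane, cosign, slsa-verifier and network access, and lint_charts needs docker.

```shell
#!/usr/bin/env bash
# Added example, not project code: verify the kube-powertools image by digest,
# then lint charts using that digest-pinned reference instead of the mutable tag.
set -eu

# image_tag: return the tag of a tagged reference. ##*: strips the longest
# prefix, so a registry with a port (localhost:5000/foo:v1) still yields "v1".
# Digest references carry no tag to check the release ref against, so refuse them.
image_tag() {
  ref="$1"
  case "$ref" in
    *@sha256:*) echo "digest reference has no tag: $ref" >&2; return 1 ;;
  esac
  # Only a colon after the last slash separates a tag; earlier colons are ports.
  case "${ref##*/}" in
    *:*) printf '%s\n' "${ref##*:}" ;;
    *) echo "reference has no tag: $ref" >&2; return 1 ;;
  esac
}

# image_repo: strip tag or digest, leaving registry/repository for @digest pinning.
image_repo() {
  ref="${1%%@*}"                       # drop @sha256:... if present
  case "${ref##*/}" in
    *:*) printf '%s\n' "${ref%:*}" ;;  # drop :tag after the last slash only
    *) printf '%s\n' "$ref" ;;
  esac
}

# verify_and_pin: resolve tag -> digest, verify signature and SLSA provenance
# against the digest, print the pinned reference. Any failure aborts (set -e).
verify_and_pin() {
  image="$1"
  for tool in crane cosign slsa-verifier; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
  done
  tag="$(image_tag "$image")"
  repo="$(image_repo "$image")"
  digest="$(crane digest "$image")"
  pinned="${repo}@${digest}"

  cosign verify \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity-regexp="https://github.com/chgl/.github/.github/workflows/standard-build.yaml@.*" \
    --certificate-github-workflow-name="ci" \
    --certificate-github-workflow-repository="chgl/kube-powertools" \
    --certificate-github-workflow-trigger="release" \
    --certificate-github-workflow-ref="refs/tags/${tag}" \
    "$pinned" >/dev/null

  slsa-verifier verify-image \
    --source-uri github.com/chgl/kube-powertools \
    --source-tag "$tag" \
    --source-branch master \
    "$pinned" >/dev/null

  printf '%s\n' "$pinned"
}

# lint_charts: run chart-powerlint.sh from the verified, digest-pinned image.
# --entrypoint bash is an assumption about the image; CHARTS_DIR follows the README usage.
lint_charts() {
  pinned="$1"
  charts_dir="${2:-samples/charts}"
  docker run --rm -v "$PWD:/root/workspace" -e CHARTS_DIR="$charts_dir" \
    --entrypoint bash "$pinned" -c 'chart-powerlint.sh'
}

# Usage: ./verify-and-lint.sh ghcr.io/chgl/kube-powertools:v2.3.37 [charts-dir]
if [ "$#" -gt 0 ]; then
  PINNED="$(verify_and_pin "$1")"
  echo "verified: $PINNED"
  lint_charts "$PINNED" "${2:-samples/charts}"
fi
```

Because verify_and_pin prints only after both verifications pass, the digest handed to docker run is one whose signature and provenance were checked; a CI job that swaps the tag for the printed digest in later steps gets an immutable, verified reference.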