
Validating Kubernetes YAML for best practice and policies - kiyanwang
https://learnk8s.io/validating-kubernetes-yaml
======
default-kramer
> Config-lint is a promising framework that lets you write custom checks for
> Kubernetes YAML manifests using a YAML DSL. But what if you want to express
> more complex logic and checks? Isn't YAML too limiting for that? What if you
> could express those checks with a real programming language?

Having recently worked a little bit with YAML for Kubernetes and HCL for
Terraform, I really wish they had both just used "a real programming language"
right from the start. I'll choose Racket because I know it best, but there are
probably many languages that would work well. You could expose very nearly the
same configuration language, but backed by a real programming language. I bet
this would make some of the tools the author lists at the end (e.g. copper,
config-lint) much easier to write, or perhaps not necessary at all.

And the author didn't mention Helm, but I will. The part of Helm I saw seemed
to be a lot of work just to add "functions with parameters" to Kubernetes
YAML, something we could have had for free using "a real programming language"
from the start:
https://helm.sh/docs/chart_template_guide/functions_and_pipelines/

Why are so few configuration languages not backed by a real language?

~~~
Znafon
> Why are so few configuration languages not backed by a real language?

In many cases, not having a full-featured language is helpful, as you have some
additional guarantees that come with a non-Turing-complete language, like
guaranteed completion.

In some cases though, you do need a full-fledged programming language. For
those cases, HashiCorp recently announced CDK support for Terraform:
https://www.hashicorp.com/blog/cdk-for-terraform-enabling-python-and-typescript-support/

~~~
zelphirkalt
You can bring that argument, but only until you decide to use YAML, instead of
something declarative and simple like JSON.

Once you switch to something as powerful as YAML, you might as well reach for
a real programming language.

~~~
tyfon
Also, YAML is kind of a hack.

Living in Norway I've had quite a few of these situations where no is parsed
to False [1].

[1] https://hitchdev.com/strictyaml/why/implicit-typing-removed/

~~~
ithkuil
It has been fixed since YAML 1.2

That said, yeah :facepalm:

------
shahsyed
I'm having some arguments with other developers (devs) on whether or not this
is important. I'm gonna finally try to implement this for my own pipeline this
week, hopefully.

I would much rather have devs double check/validate things locally before they
edit changes.

Modifying config files by using the edit text feature in GitHub (GH) doesn't
enable you to do that.

& Devs are lazy. I'm lazy. They want things easy. Me too.

So let's make it easy. Modify your CI/CD pipeline to validate YAML configs on
any file changes (use GH hooks, for example).

Now devs can do whatever they want - if their pre-deployment checks fail, go
back and fix it!

~~~
Znafon
This is a very sensible approach. One pro of having the checks automated
instead of just having the developers carefully check their changes is that
onboarding a new developer is easier: you will spend less time on very small
and specific details and you won't forget to tell them some detail.

------
jasonlotito
You are using YAML already. How much do you care about best practices?

Only partially kidding here.

~~~
EdwardDiego
You're currently being downvoted, but I agree, YAML is kinda terrible, not
sure why anyone thought Python's syntactically relevant whitespace was ideal
for a config file.

Classic example:

      - containerPort: 7173
        name: http

I think that's an object in a list? But it's not overly clear. And if I
indented any of those lines wrong...

~~~
aliswe
That's a map as a list element, iirc the terminology. But check out this.

When studying the Yaml spec I discovered that a map property (key: value) can
have not only a string as its key, but any value. Even a list. (cue screams)

~~~
shahsyed
Here's another reason why YAML is bad:

the fact that I have to read the spec to figure out what's going on.

It should have been fairly simple to do this.

Why do I have to know the difference between ":" and "=" ...?

------
pbiggar
I recently had a bug that wouldn't have happened if I'd had these in place:
https://dev.to/darklang/a-fun-bug-55cl. I added similar checks (and kube-score
and polaris seem like good tools - I might try adding them).

------
shimont
I think that this is a great approach to test out the files. Mistakes in those
files can cause a production outage. I like doing those tests once a PR is
open and before it is merged into master and executed on the production
cluster. (Disclaimer: I am a co-founder of datree.io)

------
pjmlp
And so the circle of schema validation does yet another turn, now back to
those XML config files.

~~~
juped
Every time I see a JSON config file I miss those kilobytes of XML.

------
EdwardDiego
I find Intellij's K8s plugin really helpful for identifying issues within a
single K8s YAML file, but it won't find things like a deployment.yaml without
a pdb.yaml but it's a good start.

