Chapter 5. Kubernetes Configuration Testing

Why this step

Catching issues in infra/k8s/*.yaml before kubectl apply is cheap and fast. These tools complement each other:

  • kube-linter: opinionated rules → SARIF (great for PR review).
  • kube-score: human-readable “why” explanations.
  • Checkov: policy-as-code across K8s/Terraform/etc. (already in CI).

Run it

# from repo root
make k8s-audit

What you’ll see

  • kube-linter.sarif with rule IDs & resource paths.
  • kube-score.txt with “critical/objective” hints.
  • checkov.json from earlier CI runs.

Fix-it focus (quick wins)

  • Add securityContext with runAsNonRoot: true, readOnlyRootFilesystem: true, allowPrivilegeEscalation: false.
  • Set resources.requests/limits for each container.
  • Avoid :latest images; pin a tag or digest.
  • Ensure livenessProbe and readinessProbe are present.
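The four quick wins above, as a small checker that is an added example and not part of the book's `make k8s-audit` toolchain: it walks a Deployment's containers and reports each missing control. The manifests are constructed and written as the dicts PyYAML would produce from `infra/k8s/*.yaml`, so the example runs with the standard library only; the digest is a placeholder.

```python
def audit_pod_spec(manifest: dict) -> list[str]:
    """Return one finding per missing quick-win control, per container."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []):
        name = c.get("name", "<unnamed>")
        # securityContext: all three settings must be explicitly set
        sc = c.get("securityContext") or {}
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        # resources: requests and limits both need cpu and memory
        res = c.get("resources") or {}
        for kind in ("requests", "limits"):
            if not all(k in (res.get(kind) or {}) for k in ("cpu", "memory")):
                findings.append(f"{name}: resources.{kind} missing cpu/memory")
        # image: digest is fine; ':latest' or no tag at all is not pinned
        image = c.get("image", "")
        ref = image.rsplit("/", 1)[-1]  # strip registry/path so ':port' is ignored
        if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"{name}: image '{image}' is not pinned")
        # probes: both must be present
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: {probe} missing")
    return findings


# Constructed sample manifests (not from the book's repo).
WEAK = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "api", "image": "ghcr.io/example/api:latest"}]}}}}

HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{
        "name": "api",
        "image": "ghcr.io/example/api@sha256:" + "0" * 64,  # placeholder digest
        "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False},
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"cpu": "500m", "memory": "256Mi"}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
    }]}}}}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_pod_spec(m) or ["clean"])
```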

Checklist

  • make k8s-audit produced all three reports
  • You fixed at least 2 misconfigs and re-ran the audit
  • SARIF is viewable in your editor (e.g., VS Code SARIF viewer)