kube-powertools
An always up to date collection of useful tools for your Kubernetes linting and auditing needs.
APACHE-2.0 License
kube-powertools
An always up to date collection of useful tools for your Kubernetes linting and auditing needs.
Usage
Mount a folder containing your Helm or raw Kubernetes manifests:
docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.27
The container image is pushed to these two registries:
- docker.io/chgl/kube-powertools:v2.3.27
- ghcr.io/chgl/kube-powertools:v2.3.27
Helm Chart Repositories
The kube-powertools image includes a few helpful scripts to simplify working with Helm chart repositories.
Linting
The image includes a chart-powerlint.sh script which can be used to apply several linters to Helm chart repos.
For example, you can mount this repository into the kube-powertools container and run the following to lint the sample chart
in the /samples/charts dir:
$ docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.3.27
bash-5.1# CHARTS_DIR=samples/charts chart-powerlint.sh
Generating Chart Documentation
You can auto-generate and format Markdown docs from the chart's values.yaml using generate-docs.sh.
This scripts uses either chart-doc-gen if the chart dir contains a doc.yaml, or helm-docs if it doesn't.
Generating Chart Schemas
You can auto-generate the Helm schema from the chart's values.yaml using generate-schemas.sh.
Generating CHANGELOG files
Finally, there's generate-chart-changelog.sh, which can be used to generate a CHANGELOG.md file from the contents of a Chart.yaml's artifacthub.io/changes annotation.
You can use this file in conjunction with the chart-releaser tool's --release-notes-file option to produce release notes for a GitHub release. See https://github.com/chgl/charts/blob/master/.github/workflows/release.yaml#L32 and https://github.com/chgl/charts/blob/master/.github/ct/ct.yaml#L16 for a sample workflow.
What's included
- kubectl
- helm
- helm push plugin
- helm schema-gen plugin
- helm-local-chart-version
- chart-doc-gen
- kubeval
- kube-score
- chart-testing
- polaris
- pluto
- helm-docs
- kube-linter
- kustomize
- conftest
- nova
- kubesec
- kubeconform
- kube-no-trouble
- trivy
- yq
- kubescape
- gomplate
- cosign
- crane
- checkov
- kubepug
- container-structure-test
- Artifact Hub CLI
- Kyverno CLI
Testing locally
docker build -t kube-powertools:dev .
$ docker run --rm -it -v $PWD:/root/workspace kube-powertools:dev
bash-5.1# CHARTS_DIR=samples/charts scripts/chart-powerlint.sh
Image signature and provenance verification
Prerequisites:
First, determine the digest of the container image to verify. This digest is also visible on the packages page on GitHub: https://github.com/chgl/kube-powertools/pkgs/container/kube-powertools.
IMAGE=ghcr.io/chgl/kube-powertools:v2.3.27
IMAGE_DIGEST=$(crane digest $IMAGE)
IMAGE_TAG="${IMAGE#*:}"
Verify the container signature:
cosign verify \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp="https://github.com/chgl/.github/.github/workflows/standard-build.yaml@.*" \
--certificate-github-workflow-name="ci" \
--certificate-github-workflow-repository="chgl/kube-powertools" \
--certificate-github-workflow-trigger="release" \
--certificate-github-workflow-ref="refs/tags/${IMAGE_TAG}" \
"ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"
Verify the container SLSA level 3 provenance attestation:
slsa-verifier verify-image \
--source-uri github.com/chgl/kube-powertools \
--source-tag ${IMAGE_TAG} \
--source-branch master \
"ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"
See also https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#verification for details on verifying the image integrity using automated policy controllers.
