Module kubelint


KubeLint-RS: Native Rust Kubernetes Linter

A Rust translation of the kube-linter project.

§Attribution

This module is a derivative work based on kube-linter, originally written in Go by StackRox (Red Hat).

  • Original Project: https://github.com/stackrox/kube-linter
  • Original License: Apache-2.0
  • Original Copyright: Copyright (c) StackRox, Inc.

This Rust translation maintains compatibility with the Apache-2.0 license. See THIRD_PARTY_NOTICES.md and LICENSE files for full details.

§Features

  • Kubernetes YAML file validation
  • Helm chart linting (with template rendering)
  • Kustomize directory support
  • 63 built-in security and best practice checks
  • Annotation-based rule ignoring
  • Multiple output formats (JSON, SARIF, plain text)

§Example

```rust
use syncable_cli::analyzer::kubelint::{lint, KubelintConfig, LintResult};
use std::path::Path;

let config = KubelintConfig::default();
let result = lint(Path::new("./k8s/deployment.yaml"), &config);

for failure in result.failures {
    println!("{}: {} - {}", failure.file_path.display(), failure.code, failure.message);
}
```

§Checks

KubeLint includes 63 built-in checks covering:

§Security Checks

  • Privileged containers
  • Privilege escalation
  • Run as non-root
  • Read-only root filesystem
  • Linux capabilities
  • Host namespace access (network, PID, IPC)
  • Host path mounts
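
The manifest below is an added illustration, not taken from the kubelint documentation or the kube-linter project: a constructed Pod that sets the fields these security check categories concern, followed by the same Pod with each setting tightened. The names, image and paths are placeholders, and which individual checks report on it depends on the linter configuration in use.

```yaml
# Constructed sample: names, image and paths are placeholders.
# Pod 1 sets the fields that the security check categories above concern.
apiVersion: v1
kind: Pod
metadata:
  name: example-weak
spec:
  hostNetwork: true                        # host namespace access (network)
  hostPID: true                            # host namespace access (PID)
  hostIPC: true                            # host namespace access (IPC)
  containers:
    - name: app
      image: registry.example.com/app:1.0.0
      securityContext:
        privileged: true                   # privileged container
        allowPrivilegeEscalation: true     # privilege escalation
        runAsUser: 0                       # runs as root
        readOnlyRootFilesystem: false      # writable root filesystem
        capabilities:
          add: ["SYS_ADMIN", "NET_ADMIN"]  # extra Linux capabilities
      volumeMounts:
        - name: host-etc
          mountPath: /host/etc
  volumes:
    - name: host-etc
      hostPath:
        path: /etc                         # host path mount
---
# Pod 2: the same workload with each setting tightened.
apiVersion: v1
kind: Pod
metadata:
  name: example-hardened
spec:
  containers:                              # hostNetwork/hostPID/hostIPC default to false
    - name: app
      image: registry.example.com/app:1.0.0
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 10001
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}                         # writable scratch space instead of a hostPath
```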

§Best Practice Checks

  • Image tag policies (no :latest)
  • Liveness/readiness probes
  • Resource requirements (CPU/memory)
  • Minimum replicas
  • Anti-affinity rules
  • Rolling update strategy

§RBAC Checks

  • Cluster admin bindings
  • Wildcard rules
  • Access to sensitive resources

§Validation Checks

  • Dangling services/ingresses
  • Selector mismatches
  • Invalid target ports

§Re-exports

pub use config::KubelintConfig;
pub use formatter::OutputFormat;
pub use formatter::format_result;
pub use formatter::format_result_to_string;
pub use lint::LintResult;
pub use lint::LintSummary;
pub use lint::lint;
pub use lint::lint_content;
pub use lint::lint_file;
pub use types::CheckFailure;
pub use types::Diagnostic;
pub use types::RuleCode;
pub use types::Severity;

§Modules

  • checks: Check definitions and registration.
  • config: Configuration for the kubelint-rs linter.
  • context: Lint context for Kubernetes objects.
  • extract: Extractors for Kubernetes object data.
  • formatter: Output formatters for lint results.
  • lint: Main linting orchestration for kubelint-rs.
  • objectkinds: Object kind definitions and matching.
  • parser: YAML, Helm, and Kustomize parsing for Kubernetes manifests.
  • pragma: Annotation-based rule ignoring.
  • templates: Check templates for kube-linter.
  • types: Core types for the kubelint-rs linter.