
How to Secure Kubernetes Manifests with KubeLinter: Install, Run, and Configure

This guide explains what KubeLinter is, why it’s useful for cloud‑native security, how to install it via Go, Homebrew or source, and provides step‑by‑step instructions for linting Kubernetes and Helm manifests, customizing checks, and interpreting results.

ITPUB

What Is KubeLinter?

KubeLinter, an open‑source project from StackRox, scans Kubernetes YAML files—including Helm charts and Knative resources—for security misconfigurations and coding errors, helping teams adopt DevOps best practices and accelerate cloud‑native development.

Why Choose KubeLinter?

It ships with sensible default checks, is fully configurable, and allows custom checks to enforce organization‑specific policies. The tool runs under an Apache 2.0 license, permitting free use, modification, and distribution.

Installation Options

You can install KubeLinter using one of the following methods:

Go installation:

go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest

Homebrew (macOS) or LinuxBrew (Linux):

brew install kube-linter

Build from source:

git clone https://github.com/stackrox/kube-linter.git
cd kube-linter
make build

Verify the source build with .gobin/kube-linter version.

Running KubeLinter

To lint a single YAML file:

kube-linter lint /path/to/your/yaml.yaml

To lint all files in a directory:

kube-linter lint /path/to/directory/containing/yaml-files/

For Helm charts, point to the directory containing Chart.yaml:

kube-linter lint /path/to/chart/

Use --format=json or --format=sarif to change the output format.

Example Manifest and Lint Output

Given a pod.yaml that lacks a read‑only root filesystem, CPU limits, and memory limits, KubeLinter reports three errors with remediation suggestions:

pod.yaml: (object: /security-context-demo, Kind=Pod)
container "sec-ctx-demo" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true)
container "sec-ctx-demo" has cpu limit 0 (check: unset-cpu-requirements, remediation: Set CPU requests and limits)
container "sec-ctx-demo" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory requests and limits)
Error: found 3 lint errors
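
A constructed manifest with the three gaps named in the report above, followed by a version with each remediation applied. This is an added example, not taken from the original article or the KubeLinter project; the image reference, resource values, and the emptyDir mount are assumptions.

```yaml
# Constructed example: two versions of pod.yaml in one block for comparison.
# Keep them as separate files in practice (both use the same Pod name).

# Before: the three gaps the report names.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
    - name: sec-ctx-demo
      image: registry.example.com/demo/app:1.0.0   # placeholder image
      # no securityContext.readOnlyRootFilesystem -> no-read-only-root-fs
      # no resources block -> unset-cpu-requirements, unset-memory-requirements
---
# After: each remediation from the report applied.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  containers:
    - name: sec-ctx-demo
      image: registry.example.com/demo/app:1.0.0   # placeholder image
      securityContext:
        readOnlyRootFilesystem: true   # addresses no-read-only-root-fs
      resources:
        requests:
          cpu: 100m                    # assumed values; size to the workload
          memory: 128Mi
        limits:
          cpu: 500m                    # addresses unset-cpu-requirements
          memory: 256Mi                # addresses unset-memory-requirements
      volumeMounts:
        - name: tmp
          mountPath: /tmp              # writable scratch space, since / is now read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

A container that writes to its root filesystem will fail once readOnlyRootFilesystem is true, so mount an emptyDir (or another volume) at each path the application needs to write.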

Configuration

KubeLinter looks for a configuration file named .kube-linter.yaml or .kube-linter.yml in the current directory; if none is found, it uses built‑in defaults.

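Configuration consists of two sections:

customChecks: define custom checks based on provided templates.
checks: enable or disable built‑in checks.

For example, to stop KubeLinter from automatically adding its default checks:

checks:
  doNotAutoAddDefaults: true

or, to enable every built‑in check: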

checks:
  addAllBuiltIn: true

Integration with CI and Pre‑Commit

KubeLinter can be added as a pre‑commit hook:

- repo: https://github.com/stackrox/kube-linter
  rev: 0.6.0
  hooks:
    - id: kube-linter

Or invoked directly in CI pipelines using the standard kube-linter lint command.

Conclusion

KubeLinter is still in an early (alpha) stage, so commands, flags, and configuration formats may evolve. Nevertheless, it provides a practical way to automatically detect security and best‑practice issues in Kubernetes manifests and to contribute improvements back to the project.
