An always up to date collection of useful tools for your Kubernetes linting and auditing needs.

Mount a folder containing your Helm or raw Kubernetes manifests:

docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.1.33

The container image is pushed to these two registries:

• docker.io/chgl/kube-powertools:v2.1.33
• ghcr.io/chgl/kube-powertools:v2.1.33

The kube-powertools image includes a few helpful scripts to simplify working with Helm chart repositories.

The image includes a chart-powerlint.sh script which can be used to apply several linters to Helm chart repos.

For example, you can mount this repository into the kube-powertools container and run the following to lint the sample chart in the /samples/charts dir:

$ docker run --rm -it -v $PWD:/root/workspace ghcr.io/chgl/kube-powertools:v2.1.33
bash-5.1# CHARTS_DIR=samples/charts chart-powerlint.sh

You can auto-generate and format Markdown docs from the chart's values.yaml using generate-docs.sh. This scripts uses either chart-doc-gen if the chart dir contains a doc.yaml, or helm-docs if it doesn't.

You can auto-generate the Helm schema from the chart's values.yaml using generate-schemas.sh.

Finally, there's generate-chart-changelog.sh, which can be used to generate a CHANGELOG.md file from the contents of a Chart.yaml's artifacthub.io/changes annotation.

You can use this file in conjunction with the chart-releaser tool's --release-notes-file option to produce release notes for a GitHub release. See https://github.com/chgl/charts/blob/master/.github/workflows/release.yaml#L32 and https://github.com/chgl/charts/blob/master/.github/ct/ct.yaml#L16 for a sample workflow.

• kubectl
• helm
• helm push plugin
• helm schema-gen plugin
• helm-local-chart-version
• chart-doc-gen
• kubeval
• kube-score
• chart-testing
• polaris
• pluto
• helm-docs
• kube-linter
• kustomize
• conftest
• nova
• kubesec
• kubeconform
• kube-no-trouble
• trivy
• yq
• kubescape
• gomplate
• cosign
• crane
• checkov
• kubepug
• container-structure-test
• Artifact Hub CLI
• Kyverno CLI

docker build -t kube-powertools:dev .
$ docker run --rm -it -v $PWD:/root/workspace kube-powertools:dev
bash-5.1# CHARTS_DIR=samples/charts scripts/chart-powerlint.sh

Prerequisites:

• cosign
• slsa-verifier
• crane

First, determine the digest of the container image to verify. This digest is also visible on the packages page on GitHub: https://github.com/chgl/kube-powertools/pkgs/container/kube-powertools.

IMAGE=ghcr.io/chgl/kube-powertools:v2.1.33
IMAGE_DIGEST=$(crane digest $IMAGE)
IMAGE_TAG="${IMAGE#*:}"

Verify the container signature:

cosign verify \
   --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
   --certificate-identity="https://github.com/chgl/kube-powertools/.github/workflows/ci.yaml@refs/tags/${IMAGE_TAG}" \
   "ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"

Verify the container SLSA level 3 provenance attestation:

slsa-verifier verify-image \
    --source-uri github.com/chgl/kube-powertools \
    --source-tag ${IMAGE_TAG} \
    --source-branch master \
    "ghcr.io/chgl/kube-powertools@${IMAGE_DIGEST}"

See also https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#verification for details on verifying the image integrity using automated policy controllers.