Kuberef is a lightweight, cloud-native CLI tool designed to validate Kubernetes Secret references before you deploy. It bridges the gap between static YAML manifests and your live cluster state, preventing "silent failures" caused by missing secrets or incorrect data keys.
-
Batch & Recursive Spec Discovery: Automatically scans single files or entire directories for Kubernetes resources including
Deployments,StatefulSets,Jobs, andCronJobsto find nested Pod specifications. -
Deep-Key Validation: Verifies not only that a Secret exists, but that the specific keys required are present in the Secret's data, preventing runtime container crashes.
-
Comprehensive Pattern Matching: Audits all common Secret reference patterns, including
env.valueFrom, bulkenvFromloads,volumes(Secret mounts), andimagePullSecrets. -
Live Cluster Auditing: Performs real-time cross-referencing against the live Kubernetes API using your active
kubeconfigcontext. -
Pre-Flight Environment Checks: Validates cluster connectivity and ensures the target namespace exists before executing the audit to prevent false positives.
-
Global Automation Reporting: Built with
Typerto provide aggregate summary statistics accross multiple files and standard exit codes (0 for success, 1 for failures/warnings) to automatically break pipeline builds on misconfigurations. -
Rich Terminal UI: Utilizes the
Richlibrary to deliver a clean, color-coded terminal interface with clear PASS/FAIL/WARNING status tables for every file scanned.
Install the tool globally using pip:
pip install kuberefIf you want to run the tool from source or contribute:
git clone https://github.com/hudazaan/kuberef.git
cd kuberef
poetry install
poetry run kuberef path/to/your/k8s-manifest.yamlIf you don't want to install Python locally, you can run Kuberef as a container. You must mount your local kubeconfig and the directory containing your manifests.
Build the image locally:
docker build -t kuberef https://github.com/hudazaan/kuberef.gitRun the audit:
# Linux / macOS (zsh, bash)
docker run -it --rm --network="host" -v ~/.kube/config:/root/.kube/config -v "$(pwd):/app" kuberef /app
# Windows (PowerShell)
docker run -it --rm --network="host" -v "${HOME}/.kube/config:/root/.kube/config" -v "C:/PATH/TO/YOUR/MANIFESTS:/app" kuberef /appVerification Commands (For Debugging):
# Inspect package
pip show kuberef
# Run as a module
python -m kuberef --help
Audit a single manifest against the default namespace:
kuberef deployment.yamlAudit an entire directory of manifests:
kuberef ./k8s-manifests/Audit a specific namespace by using -n or --namespace flag to validate secrets:
kuberef deployment.yaml --namespace productionGeneral Syntax to add path to your Kubernetes manifest:
kuberef <YOUR_FILE>.yaml --namespace <YOUR_NAMESPACE>Example Output:
- Recursive Discovery Engine: Implements a depth-first search to locate Pod specifications across all resource types (
Deployments,Jobs,CronJobs, etc). - Live Validation: Interfaces with the
kubernetesPython client to perform real-timeread_namespaced_secretcalls for existence and key-level verification. - Stream Parser: Leverages
PyYAMLandsafe_load_allto parse multi-document manifests in a single pass. - Directory Processing Engine: Implements a file-system crawler that identifies and filters YAML manifests for batch processing across directories.
- CLI Framework: Built on
Typerto provide a high-performance interface with accumulated state counters for global multi-file reporting and standard Unix exit codes for automation. - CI/CD Pipeline: Integrated with GitHub Actions to automatically build and test the tool on every code push, ensuring production readiness on Cloud-hosted runners.
- Containerization: Multi-stage Docker build optimized for minimal image size.
Kuberef includes a suite of unit tests to ensure the recursive discovery engine and parser remain stable. These tests use pytest and mock data to verify logic without requiring a live cluster.
To run the tests:
poetry run pytestVerification Results:
- Recursive Discovery: Confirms secrets are found deep within nested controllers.
- Resilience: Ensures the tool handles empty or non-Kubernetes YAML gracefully.
Contributions are welcome!
- Fork the Project
- Create your Feature Branch (
git checkout -b YOUR-BRANCH-NAME) - Run tests (
poetry run pytest) - Commit your Changes (
git commit -m 'your message') - Push to the Branch (
git push origin YOUR-BRANCH-NAME) - Open a Pull Request
Built with ❤️ by Huda Naaz
Distributed under the MIT License. See LICENSE for more information.