stackrox · janisz · Oct 8, 2025
@@ -445,6 +445,64 @@ KubeLinter supports the following templates:
 **Supported Objects**: JobLike
 
 
+## kubeconform
+
+**Key**: `kubeconform`
+
+**Description**: Flag objects that does not match schema using https://github.com/yannh/kubeconform
+
+**Supported Objects**: Any
+
+
+**Parameters**:
+
+```yaml
+- arrayElemType: string
+  description: 'SchemaLocations contains locations of schemas to use. See: https://github.com/yannh/kubeconform/tree/master?tab=readme-ov-file#overriding-schemas-location'
+  name: schemaLocations
+  negationAllowed: true
+  regexAllowed: false
+  required: false
+  type: array
+- description: Cache specifies the folder to cache schemas downloaded via HTTP.
+  name: cache
+  negationAllowed: true
+  regexAllowed: false
+  required: false
+  type: string
+- arrayElemType: string
+  description: SkipKinds lists resource kinds to ignore during validation.
+  name: skipKinds
+  negationAllowed: true
+  regexAllowed: false
+  required: false
+  type: array
+- arrayElemType: string
+  description: RejectKinds lists resource kinds to reject during validation.
+  name: rejectKinds
+  negationAllowed: true
+  regexAllowed: false
+  required: false
+  type: array
+- description: KubernetesVersion specifies the Kubernetes version - must match one
+    in https://github.com/instrumenta/kubernetes-json-schema
+  name: kubernetesVersion
+  negationAllowed: true
+  regexAllowed: false
+  required: false
+  type: string
+- description: Strict enables strict validation that will error if resources contain
+    undocumented fields.
+  name: strict
+  required: false
+  type: boolean
+- description: IgnoreMissingSchemas will skip validation for resources if no schema
+    can be found.
+  name: ignoreMissingSchemas
+  required: false
+  type: boolean
+```
+
 ## Latest Tag
 
 **Key**: `latest-tag`

@@ -45,6 +45,24 @@ get_value_from() {
   [[ "${count}" == "6" ]]
 }
 
+@test "template-kubeconform" {
+  tmp="tests/checks/kubeconform.yml"
+  cmd="${KUBE_LINTER_BIN} lint --config e2etests/testdata/kubeconform-config.yaml --do-not-auto-add-defaults --format json ${tmp}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 1 ]
+
+  message1=$(get_value_from "${lines[0]}" '.Reports[0].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[0].Diagnostic.Message')
+  message2=$(get_value_from "${lines[0]}" '.Reports[1].Object.K8sObject.GroupVersionKind.Kind + ": " + .Reports[1].Diagnostic.Message')
+  count=$(get_value_from "${lines[0]}" '.Reports | length')
+
+  # Should find 2 validation errors: DaemonSet with replicas field and Pod with invalid field
+  [[ "${count}" == "2" ]]
+  [[ "${message1}" =~ "DaemonSet: resource is not valid:" ]]
+  [[ "${message2}" =~ "Pod: resource is not valid:" ]]
+}
+
 @test "template-check-installed-bash-version" {
     run "bash --version"
     [[ "${BASH_VERSION:0:1}" -ge '4' ]] || false

@@ -0,0 +1,13 @@
+checks:
+  addAllBuiltIn: false
+customChecks:
+  - name: "kubeconform-validation"
+    description: "Validate Kubernetes resources against their schemas using kubeconform"
+    remediation: "Fix the resource to conform to the Kubernetes API schema"
+    scope:
+      objectKinds:
+        - Any
+    template: "kubeconform"
+    params:
+      strict: true
+      ignoreMissingSchemas: true
@@ -18,6 +18,7 @@ require (
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
+	github.com/yannh/kubeconform v0.7.0
 	helm.sh/helm/v3 v3.19.0
 	k8s.io/api v0.34.1
 	k8s.io/apimachinery v0.34.1
@@ -62,7 +63,9 @@ require (
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect

@@ -142,8 +142,14 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1ns
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
+github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
 github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4=
@@ -296,6 +302,8 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
+github.com/yannh/kubeconform v0.7.0 h1:ZFfniR8VChrWQxaxTUGnNrxw8RIDkjVBrjdhXSamwjw=
+github.com/yannh/kubeconform v0.7.0/go.mod h1:oHO1wjM16sTRW6s41HJUox+tD69qOTE5ZVQ9HeqX+xM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=

@@ -27,6 +27,7 @@ import (
 	_ "golang.stackrox.io/kube-linter/pkg/templates/hpareplicas"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/imagepullpolicy"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/jobttlsecondsafterfinished"
+	_ "golang.stackrox.io/kube-linter/pkg/templates/kubeconform"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/latesttag"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/livenessport"
 	_ "golang.stackrox.io/kube-linter/pkg/templates/livenessprobe"

@@ -0,0 +1,24 @@
+package params
+
+// Params defines the configuration parameters for this template.
+type Params struct {
+	// SchemaLocations contains locations of schemas to use. See: https://github.com/yannh/kubeconform/tree/master?tab=readme-ov-file#overriding-schemas-location
+	// +noregex
+	SchemaLocations []string
+	// Cache specifies the folder to cache schemas downloaded via HTTP.
+	// +noregex
+	Cache string
+	// SkipKinds lists resource kinds to ignore during validation.
+	// +noregex
+	SkipKinds []string
+	// RejectKinds lists resource kinds to reject during validation.
+	// +noregex
+	RejectKinds []string
+	// KubernetesVersion specifies the Kubernetes version - must match one in https://github.com/instrumenta/kubernetes-json-schema
+	// +noregex
+	KubernetesVersion string
+	// Strict enables strict validation that will error if resources contain undocumented fields.
+	Strict bool
+	// IgnoreMissingSchemas will skip validation for resources if no schema can be found.
+	IgnoreMissingSchemas bool
+}