Skip to content

Kubernetes Manifest Validation

flowchart LR
  Source[Helm / Kustomize / YAML] --> Render[Render each environment]
  Render --> Schema[kubeconform]
  Render --> Security[Trivy Config]
  Render --> Policy[Optional Conftest]

Kubeconform uses the supported Kubernetes versions for EKS and AKS. Built-in resources run in strict mode. CRD schemas, including Argo CD resources, are supplied where practical; missing schemas are explicitly listed rather than globally ignored without visibility.

Trivy Config checks insecure workloads. Conftest is reserved for Nexa-specific rules that generic scanners cannot express reliably.

A rendering failure blocks the PR because no reliable desired state exists. A schema failure blocks unless the object is an approved CRD with a documented schema exception. High or critical Trivy findings block according to the security policy. Style-only YAML findings may start as warnings during migration, but duplicate keys and parse errors always fail.

The validation matrix follows the Kubernetes versions actively used by Nexa EKS and AKS clusters. Before a cluster upgrade, manifests are validated against the target version to identify removed APIs and changed schemas. This makes the deployment repository an upgrade readiness control rather than only a syntax check.