Pre-Commit Hooks DevOps Engineer Should Know To Control Kubernetes

Generally speaking, all companies are looking to increase their productivity at all levels: human, infrastructure, processes, and so on. Often, productivity is driven by the addition of automated processes to facilitate and increase the pace of production. This automation requires an evolution, an adaptation, or even a complete transformation of the concepts historically used. This includes the implementation and control of security policies.

Indeed, since the emergence of new working methods based on agility and flexibility (such as DevOps), some security concepts have had to adapt to the pace of development and management of the components of the infrastructure. Today, one of the best safety practices is to move these control points as early as possible in the integration chain in order to detect as soon as possible any anomaly that deserves special attention.

Why Should You Shift Left Security?

The term “shift left” was introduced by the DevSecOps approach of increasing collaboration among development, security, and operations teams. The idea is to guarantee the security of applications from the beginning of the development cycle by moving the security and test processes to the left on the traditional linear representation of the SDLC.

This method has been recognized as a best development practice for years and has seen, since the emergence of the DevOps methodology, a strong adoption for its simplicity of use and configuration, and its incredible benefits in terms of team collaboration on complex projects such as infrastructure management with Terraform, Ansible, or Kubernetes.

Forcing the use of standards at the level of YAML definition file development as well as at the level of their content and configuration facilitates their reading, adoption, and maintenance — three concepts that any project should seek to implement today.

The purpose of shifting security left is to design software with integrated security best practices — and to detect and resolve potential security issues and vulnerabilities as early in the development process as possible. This makes it easier, faster, and more affordable to address security issues.

How to Shift Left

Pre-commit is an open-source command-line tool that is part of the toolset used to shift certain security aspects left by adding automatic control points after each commit.

This makes it possible to detect and control any anomalies as early as possible in the integration pipeline and make corrections before they are put into production.

To do this, three steps are required:

• Pre-commit must be installed on your machine
• A configuration file named “.pre-commit-config.yaml” must be created at the root of the Git project and configured with the hooks
• The Git project needs to be configured locally to automatically execute the command on every commit

Important Considerations

As you may have understood in the previous section, the pre-commit command and the Git project must be configured locally to run automatically. This is not a configuration that can be forced from the remote source controller. This requires a project configuration step during the onboarding phase to ensure its application. Documentation is therefore required to disseminate the information and ensure its adoption.

Depending on the context, it is nevertheless possible to automate its use by developing an environment configuration script (in this case, the laptop of all team members) or even to create, share, and encourage the team to use a common container image with all the necessary development tools. This practice has many advantages — in particular, in the onboarding of new people, as it minimizes the actions necessary to configure the development environment.

However, if this is not applicable or seems too complex, it is always possible to move these controls further down the integration chain and thus automate their use before deployment.

What Hooks Can You Use to Control Kubernetes Resources?

This section lists a set of hooks available for free and easily installable and usable via Pre-commit. This is an opinionated list that can obviously be supplemented by other hooks depending on the context. For ease of reading, we have voluntarily reduced the list to a Kubernetes ecosystem.

Here is a list of Pre-commit extensions useful for checking the development and maintenance of Kubernetes resources as soon as possible in the integration pipeline:

• Check-merge-conflict to check merge conflict before committing anything
• Trailing-whitespace to clean the code from useless white space
• Check-added-large-files to control the size of the file stored in your repositories
• End-of-file-fixer to ensure files end in a newline and only a newline
• Yamllint to identify formatting errors of your code automatically before each commit, very important to standardize the code and facilitate its reading
• Yamlfix to automate formatting correction
• Checkov to check the compliance of Kubernetes definition files according to best development practices and custom rules
• K8svalidate to check the compliance of Kubernetes definition files according to the version of Kubernetes used
• Detect-secrets to detect any sensitive data and avoid their storage in the code

Most of these hooks are also applicable to other contexts. Depending on the nature of the project, several other hooks can be added to control the format of the files and their contents. However, keep a brief checklist to minimize the impact of these on your productivity.

Here is a Pre-commit configuration file to quickly test these hooks on your Kubernetes projects:

---
repos:
  - repo: https://github.com/adrienverge/yamllint.git
    rev: v1.17.0
    hooks:
      - id: yamllint
        args: [-c=.yamllint]
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.1.0
    hooks:
      - id: check-merge-conflict
      - id: trailing-whitespace
      - id: check-added-large-files
      - id: end-of-file-fixer
  - repo: https://github.com/bridgecrewio/checkov.git
    rev: 2.0.975
    hooks:
      - id: checkov
        args: [-d .]
  - repo: https://github.com/Agilicus/pre-commit-hook-k8svalidate.git
    rev: v0.0.8
    hooks:
      - id: k8svalidate
        files: .yaml$
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.2.0
    hooks:
      - id: detect-secrets

What's Next?

In this article, we have listed a set of Pre-commit hooks useful on a daily basis for anyone administering one or more Kubernetes clusters. Of course, there are many others adapted to different contexts. A DevOps engineer, for example, will be interested in extensions to control Prometheus configuration and even formatting rules, or Vagrant file control, and so on.

There is no limit to what can be controlled, but it is still necessary to measure the impact that the accumulation of these hooks can have on a person’s productivity vis-à-vis their benefits.

For more information on Pre-commit, please refer to the following links:

• Pre-commit website
• Shift Left Security: Best Practices for Getting Started