Skip to content
🛥️🐳 KSail

ksail workload validate

Validate Kubernetes manifest files and kustomizations using kubeconform.


This command validates individual YAML files and kustomizations in the specified path.
If no path is provided, the path is resolved in order:
  1. spec.workload.sourceDirectory from ksail.yaml (if a config file is found and the field is set)
  2. The default source directory when spec.workload.sourceDirectory is unset ("k8s" directory)
  3. The current directory (fallback when no ksail.yaml config file is found)


The validation process:
1. Validates individual YAML files (patch files referenced in a kustomization file via patches,
   patchesStrategicMerge, or patchesJson6902 are excluded — they are not valid standalone
   Kubernetes resources and are validated as part of the kustomize build output instead)
2. Validates kustomizations by building them with kustomize and validating the output


  Flux variable substitutions are resolved before validation using type-aware placeholders:
  - ${VAR} (bare, no default): when a JSON schema type is available, substitutes a typed
    placeholder derived from the schema for the field ("placeholder" for strings, 0 for
    integers, true for booleans); when no schema type is available, it falls back to the
    string value "placeholder"
  - ${VAR:-default} / ${VAR:=default}: when a schema type is available, uses the default
    value parsed according to the field schema type (e.g., "3" → int 3 for integer fields);
    when no schema type is available, the default is parsed using YAML-native type inference
  - Mixed text (e.g., "prefix.${VAR}"): substitutes "placeholder" in string context


Schema lookups use a local disk cache and require no network access. When no cached
JSON schema is available, placeholders fall back to strings with YAML-native parsing.


By default, Kubernetes Secrets are skipped to avoid validation failures due to SOPS fields.


Usage:
  ksail workload validate [PATH] [flags]


Flags:
      --ignore-missing-schemas   Ignore resources with missing schemas (default true)
      --skip-secrets             Skip validation of Kubernetes Secrets (default true)
      --strict                   Enable strict validation mode


Global Flags:
      --benchmark       Show per-activity benchmark output
      --config string   Path to config file (default: ksail.yaml found via directory traversal)