Back to skills
extension
Category: OtherNo API key required

Kustomize Analyzer

Analyze Kustomize configurations for best practices, overlay consistency, patch correctness, and deployment safety across environments.

personAuthor: charlie-morrisonhubclawhub

Kustomize Analyzer

Analyze Kustomize configurations for best practices, overlay consistency, strategic/JSON patch correctness, resource management, and deployment safety. Use when reviewing Kustomize setups, preparing multi-environment deployments, or auditing existing configurations.

Usage

"Analyze my Kustomize overlays for issues"
"Check if my dev/staging/prod configs are consistent"
"Verify the Kustomize patches are correct"
"Audit resource management across environments"

How It Works

1. Structure Discovery

Map the Kustomize directory layout:

# Find all kustomization files
find . -name "kustomization.yaml" -o -name "kustomization.yml" | sort

# Map base and overlay relationships
for k in $(find . -name "kustomization.yaml"); do
  dir=$(dirname "$k")
  echo "=== $dir ==="
  grep -A 5 "resources:\|bases:" "$k" 2>/dev/null
done

2. Configuration Audit

Base resources:

  • All required resources present (Deployment, Service, ConfigMap, etc.)
  • Resource names follow conventions
  • Labels and annotations consistent
  • Namespace handling (set vs inherit)

Overlay analysis:

  • Each overlay extends base correctly
  • Environment-specific values properly patched
  • No duplicate or conflicting patches
  • Resource limits set for production overlays
  • Replica counts appropriate per environment

Patch correctness:

  • Strategic merge patches target existing fields
  • JSON patches reference valid paths
  • No patches that silently do nothing (wrong target)
  • Patch ordering doesn't cause conflicts

3. Cross-Environment Consistency

Compare overlays for consistency:

  • Same resources exist in all environments
  • Resource limits scale appropriately (dev < staging < prod)
  • Secrets/ConfigMaps match expected keys
  • Image tags follow promotion pattern (dev: latest, staging: RC, prod: semver)
  • Network policies consistent with environment isolation

4. Security Review

  • Secrets not stored in plain text in overlays
  • SecurityContext set in production overlays
  • NetworkPolicies defined
  • ServiceAccount configurations appropriate
  • RBAC resources present where needed
  • PodDisruptionBudgets for production

5. Build Verification

# Build each overlay and check output
for overlay in overlays/*/; do
  echo "=== Building $overlay ==="
  kubectl kustomize "$overlay" 2>&1 | head -5
  echo "Resources: $(kubectl kustomize "$overlay" 2>/dev/null | grep "^kind:" | wc -l)"
done

Output

## Kustomize Analysis

**Base:** k8s/base (8 resources)
**Overlays:** dev, staging, production

### 🔴 Issues (3)
1. **Missing resource limits in production** — overlays/production/
   Base deployment has no resource limits and production doesn't patch them
   → Add strategic merge patch with CPU/memory limits

2. **Patch targets nonexistent field** — overlays/staging/ingress-patch.yaml
   Patches `spec.rules[0].host` but base ingress has no rules defined
   → Fix base ingress or use JSON patch with add operation

3. **Plain text secret** — overlays/production/database-secret.yaml
   DB password in plain YAML: `password: cHJvZF9wYXNz` (base64 of "prod_pass")
   → Use SealedSecrets, SOPS, or external secrets operator

### 🟡 Warnings (4)
4. Dev overlay missing NetworkPolicy (base has none, prod has one)
5. Image tag `latest` in staging overlay (should be release candidate)
6. No PodDisruptionBudget in production
7. ConfigMap keys differ between dev (3 keys) and prod (5 keys)

### 📊 Environment Comparison
| Resource | Dev | Staging | Prod |
|----------|-----|---------|------|
| Replicas | 1 | 2 | 3 |
| CPU limit | none | 500m | 1000m |
| Memory limit | none | 512Mi | 1Gi |
| Image tag | latest | latest ⚠️ | v2.1.0 |
| NetworkPolicy | ❌ | ❌ | ✅ |
| PDB | ❌ | ❌ | ❌ ⚠️ |

### ✅ Good Practices
- Clean base/overlay separation
- Namespace set per overlay via kustomization.yaml
- Common labels applied via commonLabels
- Resource naming follows conventions