Kustomize Analyzer
Analyze Kustomize configurations for best practices, overlay consistency, strategic/JSON patch correctness, resource management, and deployment safety. Use when reviewing Kustomize setups, preparing multi-environment deployments, or auditing existing configurations.
Usage
"Analyze my Kustomize overlays for issues"
"Check if my dev/staging/prod configs are consistent"
"Verify the Kustomize patches are correct"
"Audit resource management across environments"
How It Works
1. Structure Discovery
Map the Kustomize directory layout:
# Find all kustomization files
find . -name "kustomization.yaml" -o -name "kustomization.yml" | sort
# Map base and overlay relationships
for k in $(find . -name "kustomization.yaml"); do
dir=$(dirname "$k")
echo "=== $dir ==="
grep -A 5 "resources:\|bases:" "$k" 2>/dev/null
done
2. Configuration Audit
Base resources:
- All required resources present (Deployment, Service, ConfigMap, etc.)
- Resource names follow conventions
- Labels and annotations consistent
- Namespace handling (set vs inherit)
Overlay analysis:
- Each overlay extends base correctly
- Environment-specific values properly patched
- No duplicate or conflicting patches
- Resource limits set for production overlays
- Replica counts appropriate per environment
Patch correctness:
- Strategic merge patches target existing fields
- JSON patches reference valid paths
- No patches that silently do nothing (wrong target)
- Patch ordering doesn't cause conflicts
3. Cross-Environment Consistency
Compare overlays for consistency:
- Same resources exist in all environments
- Resource limits scale appropriately (dev < staging < prod)
- Secrets/ConfigMaps match expected keys
- Image tags follow promotion pattern (dev: latest, staging: RC, prod: semver)
- Network policies consistent with environment isolation
4. Security Review
- Secrets not stored in plain text in overlays
- SecurityContext set in production overlays
- NetworkPolicies defined
- ServiceAccount configurations appropriate
- RBAC resources present where needed
- PodDisruptionBudgets for production
5. Build Verification
# Build each overlay and check output
for overlay in overlays/*/; do
echo "=== Building $overlay ==="
kubectl kustomize "$overlay" 2>&1 | head -5
echo "Resources: $(kubectl kustomize "$overlay" 2>/dev/null | grep "^kind:" | wc -l)"
done
Output
## Kustomize Analysis
**Base:** k8s/base (8 resources)
**Overlays:** dev, staging, production
### 🔴 Issues (3)
1. **Missing resource limits in production** — overlays/production/
Base deployment has no resource limits and production doesn't patch them
→ Add strategic merge patch with CPU/memory limits
2. **Patch targets nonexistent field** — overlays/staging/ingress-patch.yaml
Patches `spec.rules[0].host` but base ingress has no rules defined
→ Fix base ingress or use JSON patch with add operation
3. **Plain text secret** — overlays/production/database-secret.yaml
DB password in plain YAML: `password: cHJvZF9wYXNz` (base64 of "prod_pass")
→ Use SealedSecrets, SOPS, or external secrets operator
### 🟡 Warnings (4)
4. Dev overlay missing NetworkPolicy (base has none, prod has one)
5. Image tag `latest` in staging overlay (should be release candidate)
6. No PodDisruptionBudget in production
7. ConfigMap keys differ between dev (3 keys) and prod (5 keys)
### 📊 Environment Comparison
| Resource | Dev | Staging | Prod |
|----------|-----|---------|------|
| Replicas | 1 | 2 | 3 |
| CPU limit | none | 500m | 1000m |
| Memory limit | none | 512Mi | 1Gi |
| Image tag | latest | latest ⚠️ | v2.1.0 |
| NetworkPolicy | ❌ | ❌ | ✅ |
| PDB | ❌ | ❌ | ❌ ⚠️ |
### ✅ Good Practices
- Clean base/overlay separation
- Namespace set per overlay via kustomization.yaml
- Common labels applied via commonLabels
- Resource naming follows conventions