Does it check against the live Kubernetes API schema?

**No.** The validator hand-codes the top 30 rules for the most common kinds. It does not download CRDs (Custom Resource Definitions) from your cluster, so anything beyond the standard kinds shows as info only. For full schema-level validation against your specific cluster, use `kubeval`, `kube-score`, or `kubectl apply --dry-run=server`. For very thorough best-practice scoring, `kube-linter` and `kube-score` are good open-source companions.

Why is "selector does not match template labels" so common?

Because the relationship is **not obvious to people new to K8s**. `spec.selector.matchLabels` in a Deployment tells the controller which pods this Deployment owns. `spec.template.metadata.labels` is what the controller stamps on every pod it creates. If they disagree, the Deployment creates pods that the **Deployment's own selector cannot find**, and the controller spins forever creating more. Worse, if a Service points at the same selector, traffic goes to phantom endpoints. The fix: every key in matchLabels must also be in template labels, with the same value.

Why is :latest a warning?

Because **:latest is a mutable tag**: the image content changes over time. A pod restart can pull a different binary than it ran with originally, and that is a surprise nobody wants in production at 3 am. Pin to either a **semantic version** (`nginx:1.27-alpine`) or, for ultimate reproducibility, **a digest** (`nginx@sha256:abc...`). Combined with `imagePullPolicy: IfNotPresent` on pinned tags, deployments are deterministic and faster.

What is wrong with privileged: true?

**[[privileged||container runs with full host capabilities, including direct device access; very few legitimate uses]]** disables almost all isolation between the container and the host: full device access, can mount host filesystems, can change network state of the node. **Almost no app needs it.** Legitimate uses are very specific: certain CSI drivers, system pods (kube-proxy in some setups). For everything else it is a security disaster waiting to happen. Set `privileged: false` (the default) and grant only the specific Linux capabilities you need via `securityContext.capabilities.add`.

What is a hostPort and why is it a warning?

**[[hostPort||a port number bound to the node the pod runs on; reduces scheduler flexibility]]** binds a port on the node where the pod is scheduled. Two consequences: **One**, only one pod can use that port on a given node (so you cannot have two replicas on the same node). **Two**, scheduling becomes harder because the scheduler must pick a node where the port is free. For exposing a pod to the cluster, use a **Service**. For exposing to the outside, use a **Service** + **Ingress** + **LoadBalancer/NodePort**. `hostPort` is rarely the right answer.

Do I need both liveness and readiness probes?

They serve different purposes. **[[liveness||K8s asks every few seconds if the pod is alive and should be restarted if not]]** decides whether to **restart** the container. Use for "the process is wedged and only a restart helps". **[[readiness||K8s asks every few seconds if the pod is ready to receive traffic]]** decides whether the pod is **added to the Service**. Use for "this pod is starting up / draining and should not get traffic right now". A pod can be alive but not ready. Most production workloads should have both. The check is two endpoints (or two TCP probes) on different paths.

Why does the validator warn about no resource limits?

Because **without limits one pod can take the whole node's memory or CPU**. With memory: OS OOM-killer kicks in, kills a random process, the node misbehaves until the kubelet evicts pods. With CPU: noisy neighbor problems, p99 latency spikes. **Requests** tell the scheduler "I need at least this much"; **limits** cap usage. For predictable behavior set both. As a starter: limits = 2x requests, then tune from real metrics.

My YAML is one big file with --- separators. Does it work?

**Yes.** The validator uses js-yaml's `loadAll` and reports per-document issues with the document index. This is the normal pattern: Deployment + Service + ConfigMap together in one file. If any single document fails to parse, the whole file fails parse, so fix syntax first. After that, each document is checked independently and the cross-checks (Service -> pod `targetPort`) span all documents.

Does this replace kube-score / kube-linter?

**No, it is a quick browser-side check.** `kube-score` and `kube-linter` are full-featured CLI tools with way more rules, configuration files, and the ability to run in CI. Use this tool while you write a manifest and want immediate feedback. Use `kube-score` / `kube-linter` for CI gates and full audits of large repos. The two complement each other well.

Kubernetes YAML Validator - free

SamplesClick to load

YAML manifest(s)

Paste a K8s manifest. Multi-doc with `---` is fine

Errors

Warnings

Info

Documents: 2 · recognized kinds: Deployment, Service

All clean - no issues found

The validator did not flag anything. Safe to `kubectl apply`

Tips

The validator checks the top 30 rules. For full schema validation against your cluster: `kubectl apply --dry-run=server`
Pin images to a version or a digest (`@sha256:...`). `:latest` is a recipe for surprise restarts
Always set resource requests and limits. Without them, one pod can take down a node

What this validator does

Kubernetes manifests look like normal YAML, but the real validation lives inside the cluster: `kubectl apply` accepts a file and only later, after the API server resolves it against the live schema and admission controllers, you find out something is wrong. By then you might have a misconfigured Deployment running in production with no liveness probe, no resource limits, and a Service that does not actually route to its pods because the label selector does not match.

This tool catches the top 30 mistakes before you apply. Paste any K8s manifest, multi-document files with `---` separators included. The validator parses each document, detects the kind, and runs hand-written checks: missing `apiVersion` or `metadata.name`, Service `targetPort` that does not exist on the pod, Deployment selector that does not match the pod labels, `privileged: true` containers, `:latest` tags, missing resource limits and probes, Ingress on a deprecated API version, PVCs without storage size.

Everything runs in your browser. No upload, no kubectl, no cluster contact. The validator does not pull live CRD schemas (those live in your specific cluster), so custom resources show as info only.

How to use it

Pick a sample at the top to see how the output looks, or paste your own YAML into the input panel. The validator handles multi-document files with `---` separators.
Read the error / warning / info counts on the right. Errors mean the manifest will be rejected by the API server or behave broken (missing fields, mismatched selectors, invalid HPA). Warnings are best-practice violations (`:latest` tag, no resource limits, `privileged: true`). Info items are suggestions.
Each issue lists the kind, the resource name, the document index (which manifest in a multi-doc file), the message, and a fix hint.
Common fixes covered: add liveness/readiness probes, set resource requests and limits, remove hostPort, replace `:latest` with a pinned tag, align selector matchLabels with template metadata.labels, set HPA scaleTargetRef and a valid min/max replica range.
For Services, the validator cross-checks that the `targetPort` actually exists as a `containerPort` on the pod selected by `spec.selector`. This catches the classic mistake of a Service that quietly routes to nothing.
When the input is empty or YAML parsing fails, you get a parse error with the line number from js-yaml. Fix that first and the rest of the checks light up.
Click Copy to put the manifest in your clipboard, then drop it into `kubectl apply -f -` to actually deploy. The validator never sends your YAML anywhere.

When this is useful

Seven concrete situations where catching K8s mistakes before kubectl apply saves real downtime:

First time touching K8s. The official docs are huge and you do not yet have intuition for which fields are mandatory. The validator flags missing `apiVersion`, `kind`, `metadata.name` immediately and gives a fix hint for each.
Service that connects to nothing. The classic mistake: Service selector says `app: web`, Deployment template labels say `app: api`. K8s creates the Service, the Service has no endpoints, traffic 503s. The validator says exactly which keys do not match.
Pre-commit gate for K8s repos. Plug the validator output check into your review process. PRs that introduce `privileged: true`, `:latest`, missing limits, missing probes get flagged before merge.
GitOps repo health check. A repo with hundreds of manifests is hard to audit by eye. Paste a file, see all issues at once. Repeat per file or wire it into CI by hand.
Migration from extensions/v1beta1 Ingress to networking.k8s.io/v1. The validator flags the old API version with a one-line fix. Saves a deploy that 404s the next time the cluster upgrades.
CronJob without limits running on a small node. A nightly backup with no memory limit can OOM the node. The validator warns about every container missing limits.
HPA misconfigured to scale only between 1 and 1. The check catches `minReplicas >= maxReplicas` (which is invalid) and missing `scaleTargetRef` (which makes the HPA do nothing).

Questions and answers

`kubectl apply --dry-run=server` sends the manifest to the API server and gets back the real cluster's opinion: schema valid, allowed by admission, possible (e.g. quota). It is the gold standard but needs an actual cluster and your kubeconfig. This validator does client-side, schema-light, best-practice checks without a cluster. They are complementary: this for "before I even open kubectl", `--dry-run=server` for "is my cluster going to accept it".

What this validator does

How to use it

Pick a sample at the top to see how the output looks, or paste your own YAML into the input panel. The validator handles multi-document files with `---` separators.

Read the error / warning / info counts on the right. Errors mean the manifest will be rejected by the API server or behave broken (missing fields, mismatched selectors, invalid HPA). Warnings are best-practice violations (`:latest` tag, no resource limits, `privileged: true`). Info items are suggestions.

Each issue lists the kind, the resource name, the document index (which manifest in a multi-doc file), the message, and a fix hint.

Common fixes covered: add liveness/readiness probes, set resource requests and limits, remove hostPort, replace `:latest` with a pinned tag, align selector matchLabels with template metadata.labels, set HPA scaleTargetRef and a valid min/max replica range.

For Services, the validator cross-checks that the `targetPort` actually exists as a `containerPort` on the pod selected by `spec.selector`. This catches the classic mistake of a Service that quietly routes to nothing.

When the input is empty or YAML parsing fails, you get a parse error with the line number from js-yaml. Fix that first and the rest of the checks light up.

Click Copy to put the manifest in your clipboard, then drop it into `kubectl apply -f -` to actually deploy. The validator never sends your YAML anywhere.

When this is useful

Seven concrete situations where catching K8s mistakes before kubectl apply saves real downtime:

First time touching K8s. The official docs are huge and you do not yet have intuition for which fields are mandatory. The validator flags missing `apiVersion`, `kind`, `metadata.name` immediately and gives a fix hint for each.
Service that connects to nothing. The classic mistake: Service selector says `app: web`, Deployment template labels say `app: api`. K8s creates the Service, the Service has no endpoints, traffic 503s. The validator says exactly which keys do not match.
Pre-commit gate for K8s repos. Plug the validator output check into your review process. PRs that introduce `privileged: true`, `:latest`, missing limits, missing probes get flagged before merge.
GitOps repo health check. A repo with hundreds of manifests is hard to audit by eye. Paste a file, see all issues at once. Repeat per file or wire it into CI by hand.
Migration from extensions/v1beta1 Ingress to networking.k8s.io/v1. The validator flags the old API version with a one-line fix. Saves a deploy that 404s the next time the cluster upgrades.
CronJob without limits running on a small node. A nightly backup with no memory limit can OOM the node. The validator warns about every container missing limits.
HPA misconfigured to scale only between 1 and 1. The check catches `minReplicas >= maxReplicas` (which is invalid) and missing `scaleTargetRef` (which makes the HPA do nothing).

Questions and answers

Kubernetes YAML Validator

What this validator does

How to use it

When this is useful

Questions and answers

Related tools

GitHub Actions YAML Builder

GitLab CI YAML Builder

Dockerfile Linter

.editorconfig Generator

Docker Compose Builder

Nginx Config Snippet Builder

Kubernetes YAML Validator

What this validator does

How to use it

When this is useful

Questions and answers

Related tools

GitHub Actions YAML Builder

GitLab CI YAML Builder

Dockerfile Linter

.editorconfig Generator

Docker Compose Builder

Nginx Config Snippet Builder