Kubernetes Validation

Complete guide to schema validation, deprecation detection, CRD support, and validation-driven release safety.

GitOpsHQ validates Kubernetes manifests against the official Kubernetes API schema before deployment, catching configuration errors, deprecated API versions, and structural issues early — before they reach your clusters. This validation acts as a pre-flight safety check across the entire deployment lifecycle.

Key Concept

Validation shifts errors left: find problems in configuration, not in production. Every manifest is checked against the exact Kubernetes version running on your target cluster, ensuring compatibility before deployment.

Validation Architecture

Loading diagram…

Schema Lookup

The schema browser lets you explore the full Kubernetes API specification for any supported version.

Kubernetes Version Browser

Browse all supported Kubernetes versions with their available API resources.

API: GET /api/v2/k8s/versions

Response:

{ "versions": ["1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.31", "1.32"] }

Resource Explorer

For a given Kubernetes version, browse all available API resources.

API: GET /api/v2/k8s/resources?version=1.32

The resource list includes:

Field	Description
Kind	Resource type (e.g., `Deployment`, `Service`)
API Version	Full API version (e.g., `apps/v1`)
Description	Brief description of the resource

Field Schema

API: GET /api/v2/k8s/resources/{gvk}/schema?version=1.32

Drill into any resource type to see its full JSON schema:

Required fields are marked with a badge
Field types shown (string, integer, boolean, object, array)
Enum values listed for constrained fields
Default values displayed when defined
Nested objects expandable in a tree view
Description from the official Kubernetes API documentation

Example schema tree for Deployment:

Deployment (apps/v1)
├── apiVersion: string [required]
├── kind: string [required]
├── metadata: ObjectMeta [required]
│   ├── name: string
│   ├── namespace: string
│   ├── labels: map[string]string
│   └── annotations: map[string]string
└── spec: DeploymentSpec [required]
    ├── replicas: integer (default: 1)
    ├── selector: LabelSelector [required]
    ├── strategy: DeploymentStrategy
    │   ├── type: enum [RollingUpdate, Recreate]
    │   └── rollingUpdate: RollingUpdateDeployment
    └── template: PodTemplateSpec [required]
        └── ...

Manifest Validation

Submit any Kubernetes YAML for validation against a specific Kubernetes version.

Validation API

Endpoint: POST /api/v2/k8s/validate

Request:

{
  "yaml": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: my-app\nspec:\n  replicas: 3\n  selector:\n    matchLabels:\n      app: my-app\n  template:\n    metadata:\n      labels:\n        app: my-app\n    spec:\n      containers:\n      - name: app\n        image: my-app:latest",
  "version": "1.30"
}

Response:

{
  "valid": true,
  "results": [
    {
      "severity": "warning",
      "message": "Using 'latest' tag is not recommended for production",
      "path": "spec.template.spec.containers[0].image",
      "resource": "Deployment/my-app"
    }
  ],
  "summary": {
    "errors": 0,
    "warnings": 1,
    "info": 0
  }
}

What Gets Validated

Check	Severity	Description
Required Fields	Error	Fields marked as required in the schema are present
Field Types	Error	Values match the expected type (string, integer, etc.)
Enum Values	Error	Constrained fields use valid enum values
API Version	Error	The `apiVersion` is valid for the target K8s version
Resource Kind	Error	The `kind` is recognized in the target K8s version
Deprecated API	Warning	The resource uses a deprecated `apiVersion`
Unknown Fields	Warning	Fields not in the schema (potential typos)
Resource Constraints	Info	Best practice recommendations

Validation Workflow

Select Kubernetes Version

Choose the target Kubernetes version that matches your cluster. This ensures validation uses the correct schema.

Input Manifests

Paste or upload YAML into the validation editor. Multi-document YAML (separated by ---) is supported — each document is validated independently.

Run Validation

Click Validate to check all manifests. Results appear in the panel below, grouped by resource.

Review Results

Examine errors, warnings, and info messages. Each result includes:

The affected resource (Kind/Name)
The field path (e.g., spec.containers[0].image)
A description of the issue
Suggested fix when available

Fix and Re-validate

Address errors directly in the editor and re-run validation. Repeat until the result is clean.

Deprecation Detection

Kubernetes regularly deprecates API versions as resources move from beta to stable or are replaced by newer alternatives. GitOpsHQ automatically detects deprecated API versions in your manifests.

Deprecation API

Endpoint: GET /api/v2/k8s/deprecations?version=1.29

Response:

{
  "version": "1.29",
  "deprecations": [
    {
      "kind": "HorizontalPodAutoscaler",
      "deprecatedApiVersion": "autoscaling/v2beta2",
      "replacementApiVersion": "autoscaling/v2",
      "removedInVersion": "1.32",
      "message": "autoscaling/v2beta2 is deprecated; use autoscaling/v2"
    },
    {
      "kind": "FlowSchema",
      "deprecatedApiVersion": "flowcontrol.apiserver.k8s.io/v1beta3",
      "replacementApiVersion": "flowcontrol.apiserver.k8s.io/v1",
      "removedInVersion": "1.32",
      "message": "flowcontrol.apiserver.k8s.io/v1beta3 is deprecated"
    }
  ]
}

Deprecation Table

The deprecation view presents a table of all deprecated resources for the selected Kubernetes version:

Column	Description
Resource Kind	The Kubernetes resource type
Deprecated API Version	The `apiVersion` that is deprecated
Replacement	The recommended replacement `apiVersion`
Removed In	The Kubernetes version where this API will be completely removed
Impact	Whether you have manifests using this deprecated version

Upgrade Planning

Before upgrading your Kubernetes cluster, always check the deprecation table for the target version. Manifests using removed APIs will fail to apply after the upgrade.

CRD Support (Enterprise)

Custom Resource Definitions (CRDs) extend the Kubernetes API with organization-specific resource types. GitOpsHQ Enterprise supports uploading CRDs to extend the validation engine.

Uploading CRDs

Endpoint: POST /api/v2/k8s/crd

{
  "yaml": "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n  name: certificates.cert-manager.io\nspec:\n  group: cert-manager.io\n  names:\n    kind: Certificate\n    plural: certificates\n  scope: Namespaced\n  versions:\n    - name: v1\n      served: true\n      storage: true\n      schema:\n        openAPIV3Schema:\n          type: object\n          properties:\n            spec:\n              type: object\n              ..."
}

CRD Validation Flow

Upload CRD

Submit the CRD YAML via the API or the schema browser UI. The CRD itself is validated for structural correctness.

CRD Registration

Once validated, the CRD's schema is registered in the validation engine alongside built-in Kubernetes resources.

Custom Resource Validation

Manifests using the custom resource kind are now validated against the CRD's OpenAPI v3 schema — catching field errors, type mismatches, and missing required fields.

Schema Browser Integration

Uploaded CRDs appear in the schema browser alongside built-in resources, with the same field tree, type badges, and required field markers.

Enterprise Feature

CRD upload and custom resource validation is available on the Enterprise plan. Common CRDs (cert-manager, Istio, ArgoCD, Prometheus Operator) are frequently used candidates for upload.

Integration with Release Workflow

Kubernetes validation is integrated into the release creation pipeline:

Loading diagram…

Scenario	Behavior
Validation errors present	Release creation is blocked. Errors must be fixed first.
Deprecation warnings only	Release is created with warnings surfaced in the release details.
Clean validation	Release is created normally.

Policy-Driven Validation Behavior

You can configure whether validation outcomes are hard stops or advisory:

Policy Setting	Effect
`validation.errors = block`	Errors prevent release creation (default)
`validation.errors = warn`	Errors are surfaced but don't block
`validation.deprecations = block`	Deprecation warnings also block release creation
`validation.deprecations = warn`	Deprecation warnings are advisory (default)

Validation in Delivery Generator

When the delivery generator renders manifests, it can optionally validate the output against the target Kubernetes version:

Setting	Description
Validate on Preview	Run validation during delivery preview (recommended)
Validate on Generate	Run validation during delivery generation
Target Version	The Kubernetes version to validate against (auto-detected from cluster agent or manually set)

When validation is enabled during generation:

The delivery generator renders all manifests
Each manifest is validated against the target K8s version
Validation errors are reported in the generation output
Depending on policy, errors may block the generation commit

Validation via CI/CD

Use the validation API in your CI/CD pipelines to catch issues before they enter the GitOps workflow:

# Validate a manifest file against K8s 1.30
curl -X POST https://gitopshq.example.com/api/v2/k8s/validate \
  -H "Authorization: Bearer <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "yaml": "'"$(cat deployment.yaml)"'",
    "version": "1.30"
  }'

# Check deprecations for K8s 1.30
curl "https://gitopshq.example.com/api/v2/k8s/deprecations?version=1.30" \
  -H "Authorization: Bearer <api-key>"

Troubleshooting

Error	Meaning	Resolution
`503 K8s schema registry not initialized`	The schema registry is starting up	Wait a moment and retry
`400 yaml field is required`	Empty manifest input	Provide valid YAML content
`404 resource schema not found`	Unknown GVK for the selected version	Check the `apiVersion` and `kind` are valid
`400 invalid request body`	Malformed validation request	Verify the JSON payload structure
`400 invalid CRD`	Uploaded CRD has structural issues	Fix the CRD schema and re-upload

Best Practices

Always validate before deploying — Use validation as a mandatory gate in your release workflow
Upload CRDs for custom resources — Extend validation coverage to catch errors in custom resource manifests
Check deprecations before K8s upgrades — Run the deprecation check against the target version before upgrading clusters
Use validation in CI pipelines — Catch manifest errors as early as possible via the validation API
Match the target version to your cluster — Validate against the exact Kubernetes version your cluster runs
Address warnings proactively — Deprecation warnings become errors when the Kubernetes version removes the API
Enable validation in the delivery generator — Validate generated manifests automatically during preview and generation
Review unknown field warnings — These often indicate typos in field names that silently do nothing

On this page