Kubernetes Manifest Analysis

Terracotta AI automatically detects and analyzes Kubernetes manifests in pull requests, with no extra setup required. The same AI-powered review pipeline that applies to Terraform also applies to your K8s YAML, Helm charts, and Kustomize configurations.


πŸ” Automatic File Detection

Terracotta detects Kubernetes content based on file content, not directory structure. A file is treated as a Kubernetes manifest when it is a .yaml or .yml file that contains:

  • An apiVersion: key, and
  • A recognized Kubernetes kind:, such as:
    • Workloads: Deployment, StatefulSet, DaemonSet, CronJob, Job, ReplicaSet, Pod
    • Networking: Service, Ingress, NetworkPolicy
    • Configuration: ConfigMap, Secret, Namespace
    • RBAC: ServiceAccount, Role, RoleBinding, ClusterRole, ClusterRoleBinding
    • Scaling: HorizontalPodAutoscaler
    • Storage: PersistentVolumeClaim
    • GitOps: HelmRelease, Application

Helm charts are detected by the presence of Chart.yaml or Chart.yml. Kustomize configurations are detected by kustomization.yaml or kustomization.yml.
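
As an added illustration of the detection rule (example code written for this page, not Terracotta's implementation), the following Python applies the rule to a constructed set of changed files: a .yaml/.yml file counts as a manifest only when an apiVersion: key and a recognized kind: appear in the same YAML document, Chart.yaml and kustomization.yaml are matched by file name, and everything else is left to the other checks. The kind set, paths and file bodies are assumptions; because the page says "such as", the product's real matcher may recognize more kinds than this list, so a custom resource such as the Tekton Pipeline below is classified as "other" only under the list as written here.

```python
import re
from pathlib import PurePosixPath
from typing import Dict

# Kinds named in the detection rules above. Assumption: this is only what the
# page lists; the product's matcher may recognize additional kinds.
KUBERNETES_KINDS = {
    "Deployment", "StatefulSet", "DaemonSet", "CronJob", "Job", "ReplicaSet", "Pod",
    "Service", "Ingress", "NetworkPolicy",
    "ConfigMap", "Secret", "Namespace",
    "ServiceAccount", "Role", "RoleBinding", "ClusterRole", "ClusterRoleBinding",
    "HorizontalPodAutoscaler", "PersistentVolumeClaim",
    "HelmRelease", "Application",
}

# Only keys at column 0 count, so a "kind:" nested inside a ConfigMap's data
# block does not turn an unrelated file into a manifest.
API_VERSION_RE = re.compile(r"^apiVersion:\s*\S", re.MULTILINE)
KIND_RE = re.compile(r"^kind:\s*([A-Za-z0-9]+)\s*$", re.MULTILINE)
DOC_SEPARATOR_RE = re.compile(r"^---\s*$", re.MULTILINE)


def is_kubernetes_manifest(path: str, text: str) -> bool:
    """True when a .yaml/.yml file has apiVersion: and a recognized kind: in the
    same document. A multi-document file qualifies if any one document does."""
    if PurePosixPath(path).suffix.lower() not in (".yaml", ".yml"):
        return False
    for doc in DOC_SEPARATOR_RE.split(text):
        if API_VERSION_RE.search(doc) and any(
            m.group(1) in KUBERNETES_KINDS for m in KIND_RE.finditer(doc)
        ):
            return True
    return False


def classify(path: str, text: str) -> str:
    """Map a changed file to the analysis it would get: helm-chart, kustomize,
    kubernetes-manifest, or other (not touched by the K8s checks)."""
    name = PurePosixPath(path).name.lower()
    if name in ("chart.yaml", "chart.yml"):
        return "helm-chart"
    if name in ("kustomization.yaml", "kustomization.yml"):
        return "kustomize"
    if is_kubernetes_manifest(path, text):
        return "kubernetes-manifest"
    return "other"


# Constructed sample PR contents: every path and file body here is made up.
SAMPLE_FILES = {
    "deploy/web.yaml": (
        "apiVersion: v1\nkind: Service\nmetadata:\n  name: web\n"
        "---\n"
        "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: web\n"
    ),
    "docker-compose.yaml": "services:\n  web:\n    image: nginx\n",       # no apiVersion
    ".github/workflows/ci.yml": "on: push\njobs:\n  build:\n    runs-on: x\n",
    "charts/app/Chart.yaml": "apiVersion: v2\nname: app\nversion: 1.0.0\n",  # chart, no kind
    "overlays/prod/kustomization.yml": "resources:\n  - ../../base\n",
    "tekton/pipeline.yaml": "apiVersion: tekton.dev/v1\nkind: Pipeline\n",   # kind not listed
    "k8s/config.json": '{"apiVersion": "v1", "kind": "ConfigMap"}',        # wrong extension
}


def detect_all(files: Dict[str, str]) -> Dict[str, str]:
    """Classify every file in a PR; this is what a check would iterate over."""
    return {path: classify(path, text) for path, text in files.items()}


if __name__ == "__main__":
    for path, category in detect_all(SAMPLE_FILES).items():
        print(f"{category:20} {path}")
```

The multi-document handling matters in practice: a single file that holds a Service and a Deployment separated by `---` is common in hand-written manifests, and either document alone is enough for the file to be analyzed.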


⚙️ Enabling Kubernetes Checks

Enable K8s checks from the repository Overview tab, the same way you enable Terraform checks. Each check type has its own toggle:

  • K8s Summary: runs automatically on PR open to summarize manifest changes
  • K8s Code Review: full review with structured findings
  • K8s Validation: syntax and schema validation
  • K8s Resource Impact: resource request/limit analysis
  • K8s Security: RBAC, pod security, and privilege analysis
  • K8s Guardrails: policy enforcement via your org's Guardrail rules
  • K8s Conflict: detects PRs modifying the same manifest files

When enabled, these checks run automatically and post results as GitHub Check Runs or GitLab commit statuses, just like Terraform checks.


🤖 Commands

All K8s checks can also be triggered manually by commenting in any pull request:

tc:k8s-summary

Summarize all Kubernetes manifest changes in the PR: what workloads, services, or configs are being added, modified, or removed, and their deployment impact.


tc:k8s-review

Detailed code review of Kubernetes manifests with structured findings, severity ratings, and remediation recommendations.

  • Flags anti-patterns, missing best practices, deprecated API versions, and resource misconfigurations.

tc:k8s-validate

Validate Kubernetes YAML syntax, schema compliance, and manifest correctness.

  • Catches invalid field names, missing required fields, incorrect API versions, and spec violations before they reach a cluster.

tc:k8s-resources

Analyze resource requests and limits, CPU/memory allocation, and container resource impact.

  • Flags containers missing requests/limits, overprovisioned allocations, and potential resource quota violations.

tc:k8s-security

Audit Kubernetes security posture across all manifests in the PR.

  • Checks RBAC roles and bindings for over-permissive access
  • Validates pod security standards (privileged containers, host networking, root users)
  • Detects missing securityContext settings
  • Flags containers without read-only root filesystems
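
To make the resource checks (tc:k8s-resources) and the security checks (tc:k8s-security) above concrete, here is an added Python example written for this page; it is neither Terracotta's code nor its rule set, only equivalent checks over constructed manifests. Per container it reports a missing securityContext, privileged mode, a root filesystem that is not read-only, a container that may run as root, and missing CPU/memory requests or limits; per pod it reports hostNetwork; for Role and ClusterRole it flags rules with wildcard verbs or resources. The manifests are given as Python dicts, the shape yaml.safe_load would return, so no YAML library is needed; the kind-to-pod-spec mapping and the finding texts are assumptions.

```python
WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet")


def pod_spec(manifest: dict):
    """Locate the pod spec in the workload kinds named in the detection list above;
    CronJob nests it one level deeper, under spec.jobTemplate."""
    kind, spec = manifest.get("kind"), manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    if kind in WORKLOAD_KINDS or kind == "CronJob":
        return (spec.get("template") or {}).get("spec")
    return None


def audit_pod_security(manifest: dict) -> list:
    """Pod-security and resource findings for one workload manifest."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    ref = f"{manifest['kind']}/{(manifest.get('metadata') or {}).get('name', '?')}"
    findings = []
    if spec.get("hostNetwork"):
        findings.append(f"{ref}: hostNetwork is enabled")
    pod_sc = spec.get("securityContext") or {}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cref = f"{ref} container '{c.get('name', '?')}'"
        sc = c.get("securityContext")
        if sc is None:
            findings.append(f"{cref}: no securityContext")
            sc = {}
        if sc.get("privileged"):
            findings.append(f"{cref}: privileged")
        # runAsNonRoot is inherited from the pod securityContext unless the
        # container sets its own value, so consult both levels.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{cref}: may run as root (runAsNonRoot not set)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cref}: root filesystem is writable")
        resources = c.get("resources") or {}
        for field in ("requests", "limits"):
            missing = [r for r in ("cpu", "memory") if r not in (resources.get(field) or {})]
            if missing:
                findings.append(f"{cref}: no {field} for {', '.join(missing)}")
    return findings


def audit_rbac(manifest: dict) -> list:
    """Flag Role/ClusterRole rules that grant wildcard verbs or resources."""
    if manifest.get("kind") not in ("Role", "ClusterRole"):
        return []
    ref = f"{manifest['kind']}/{(manifest.get('metadata') or {}).get('name', '?')}"
    findings = []
    for i, rule in enumerate(manifest.get("rules") or []):
        wild = [f for f in ("verbs", "resources") if "*" in (rule.get(f) or [])]
        if wild:
            findings.append(f"{ref} rule {i}: wildcard {', '.join(wild)}")
    return findings


def audit(manifests: list) -> list:
    """Run both audits over every manifest in a PR and collect the findings."""
    return [f for m in manifests for f in audit_pod_security(m) + audit_rbac(m)]


# Constructed sample manifests (not from the page), written as the dicts that
# yaml.safe_load would return so the example needs no YAML library.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
        # no securityContext, memory request missing, no limits at all
        {"name": "api", "image": "registry.example.com/api:1.2",
         "resources": {"requests": {"cpu": "100m"}}},
        # fully sized, but privileged and with a writable root filesystem
        {"name": "sidecar", "image": "registry.example.com/sidecar:1.0",
         "securityContext": {"privileged": True},
         "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                       "limits": {"cpu": "50m", "memory": "64Mi"}}},
    ]}}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"template": {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
        {"name": "api", "image": "registry.example.com/api:1.2",
         "securityContext": {"readOnlyRootFilesystem": True},
         "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                       "limits": {"cpu": "500m", "memory": "256Mi"}}},
    ]}}},
}
WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "ops"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
              {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for finding in audit([BAD_DEPLOYMENT, GOOD_DEPLOYMENT, WILDCARD_ROLE]):
        print(finding)
```

The "may run as root" check is the one most often done wrong by hand: runAsNonRoot can be set at the pod level and inherited, so a checker that looks only at the container's securityContext produces false positives on otherwise well-configured workloads.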

tc:k8s-guard

Validate Kubernetes manifests against your organization's Guardrail policies.

  • Uses the same Guardrail rules defined in the Terracotta UI, applied to K8s resources.
  • Detects violations like missing namespace labels, required annotations, or disallowed image registries.
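
The page does not show the format of Guardrail rules, so the following added Python example (written for this page, not Terracotta's code) stands in with a constructed policy dict covering the three violation types named above: required Namespace labels, required annotations per kind, and an allow-list of image registries. It walks any manifest for containers and initContainers, so CronJob and custom kinds need no special handling, and it resolves unqualified images such as busybox:1.36 to docker.io, the case a plain prefix match misses. The policy keys, sample manifests and registry names are assumptions.

```python
# Constructed policy standing in for the Guardrail rules an org would define in
# the Terracotta UI; the real rule format is not shown on the page, so these
# keys are an assumption for the example.
POLICY = {
    "required_namespace_labels": ["team", "environment"],
    "required_annotations": {"Deployment": ["owner"], "Ingress": ["owner"]},
    "allowed_registries": ["registry.example.com", "ghcr.io"],
}


def iter_images(node):
    """Yield every container image in a manifest by walking the whole tree for
    containers/initContainers lists, whatever kind nests the pod spec."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("containers", "initContainers") and isinstance(value, list):
                for container in value:
                    if isinstance(container, dict) and "image" in container:
                        yield container["image"]
            else:
                yield from iter_images(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_images(item)


def image_registry(image: str) -> str:
    """Registry host of an image reference. A first path segment with no dot and
    no port is a Docker Hub namespace, so 'busybox:1.36' and 'acme/app' both
    resolve to docker.io rather than slipping past a prefix match."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_guardrails(manifest: dict, policy: dict = POLICY) -> list:
    """Return the policy violations for one manifest."""
    kind = manifest.get("kind", "?")
    meta = manifest.get("metadata") or {}
    ref = f"{kind}/{meta.get('name', '?')}"
    findings = []
    if kind == "Namespace":
        labels = meta.get("labels") or {}
        findings += [f"{ref}: missing required label '{label}'"
                     for label in policy["required_namespace_labels"] if label not in labels]
    annotations = meta.get("annotations") or {}
    findings += [f"{ref}: missing required annotation '{ann}'"
                 for ann in policy["required_annotations"].get(kind, []) if ann not in annotations]
    for image in iter_images(manifest):
        registry = image_registry(image)
        if registry not in policy["allowed_registries"]:
            findings.append(f"{ref}: image '{image}' comes from disallowed registry {registry}")
    return findings


def check_all(manifests: list, policy: dict = POLICY) -> list:
    """Evaluate every manifest in a PR against the policy."""
    return [f for m in manifests for f in check_guardrails(m, policy)]


# Constructed sample manifests (not from the page).
SAMPLES = [
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "payments", "labels": {"team": "pay"}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "api", "annotations": {"owner": "pay@example.com"}},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "init", "image": "busybox:1.36"}],
         "containers": [{"name": "api", "image": "registry.example.com/pay/api:2.1"}]}}}},
    {"apiVersion": "batch/v1", "kind": "CronJob", "metadata": {"name": "report"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {
         "containers": [{"name": "job", "image": "ghcr.io/acme/report:0.3"}]}}}}}},
]

if __name__ == "__main__":
    for finding in check_all(SAMPLES):
        print(finding)
```

Init containers are included deliberately: an image allow-list that only inspects the main containers lets an unvetted init image through, and that image runs before anything else in the pod.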

tc:k8s-conflict

Detect conflicts in Kubernetes manifests across multiple open PRs modifying the same files.

  • Surfaces overlapping changes before they cause merge conflicts or duplicate applies.

πŸ” Mixed Repos (Terraform + Kubernetes)

If a PR changes both Terraform and Kubernetes files, Terracotta runs separate analyses for each and posts results independently. Terraform check runs and K8s check runs appear side by side in your PR.


💡 AI-Generated Fix Suggestions

For fixable K8s issues, Terracotta posts fixes as native GitHub/GitLab committable suggestions; click "Commit suggestion" to apply the fix in a single commit directly in the PR.

For fork PRs, Terracotta posts a manual comment with the full diff and instructions.


📋 TL;DR

  • No setup required: Terracotta auto-detects K8s files by content
  • Enable checks from the repo Overview tab to auto-run on every PR
  • Trigger any check manually with tc:k8s-<command> in a PR comment
  • 7 check types: summary, review, validate, resources, security, guard, conflict
  • Works alongside Terraform checks in mixed repos