🎯 Pluto & Helm Chart Testing: Full Guide (Summary Document)

This document consolidates everything I've done—from setting up Pluto, creating a deprecated-API test Helm chart, to validating without needing an actual cluster—into a clear, step-by-step guide with code snippets and visuals.

---

1. 🚀 Install Pluto CLI & Helm

Use the latest Pluto v5.19.2 binary (stable as of mid‑2025):

In Linux :-

curl -sL "https://github.com/FairwindsOps/pluto/releases/download/v5.19.2/pluto_5.19.2_linux_amd64.tar.gz" \
  | tar -xz pluto && sudo mv pluto /usr/local/bin/ && sudo chmod +x /usr/local/bin/pluto

Verify installation:

pluto version
# Expected: Pluto Version: v5.19.2

---

2. ⚠️ Create a Helm Chart with Deprecated APIs

Use helm create and customize templates to include deprecated API resources.

Scaffold:

helm create deprecated-test
cd deprecated-test

Update templates/deployment.yaml:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-dep
spec:
  replicas: 1
  template:
    metadata:
      labels: { app: deprecated }
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

Create templates/ingress.yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ .Release.Name }}-ing
spec:
  rules:
    - host: deprecated.local
      http:
        paths:
          - path: /
            backend:
              serviceName: dummy-service
              servicePort: 80

Create templates/psp.yaml:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata: { name: {{ .Release.Name }}-psp }
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser: { rule: 'RunAsAny' }
  seLinux: { rule: 'RunAsAny' }
  fsGroup: { rule: 'RunAsAny' }
  supplementalGroups: { rule: 'RunAsAny' }

Create templates/cronjob.yaml:

apiVersion: batch/v1beta1
kind: CronJob
metadata: { name: {{ .Release.Name }}-cron }
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args: ["/bin/sh", "-c", "date; echo Hello"]
          restartPolicy: OnFailure

Add dummy service (e.g. templates/service.yaml):

apiVersion: v1
kind: Service
metadata: { name: dummy-service }
spec:
  selector: { app: deprecated }
  ports: [ { protocol: TCP, port: 80, targetPort: 80 } ]

---

3. 🧪 Test Deprecated APIs Without a Cluster

Render chart locally:

helm template deprecated-test ./deprecated-test > rendered.yaml

Scan with Pluto:

pluto detect-files -f rendered.yaml -o wide

Expected output highlighting deprecated APIs:

NAME                      VERSION             KIND               REPLACEMENT              REMOVED IN VERSION
deprecated-test-dep       apps/v1beta1        Deployment         apps/v1                  1.16.0
deprecated-test-ing       extensions/v1beta1  Ingress            networking.k8s.io/v1     1.22.0
deprecated-test-psp       policy/v1beta1      PodSecurityPolicy  policy/v1                1.25.0
deprecated-test-cron      batch/v1beta1       CronJob            batch/v1                 1.21.0

---

4. ✅ (Optional) Deploy to a Cluster with Deprecated APIs

If you absolutely want to deploy and scan live:

Use kind or minikube with an older Kubernetes version (< v1.16–v1.21):

kind create cluster --name test-legacy --image kindest/node:v1.15.11
helm install deprecated-test ./deprecated-test
pluto detect-helm -o wide

This ensures the cluster supports deprecated APIs so the chart installs successfully.

---

5. Checking from Individual Files :-

pluto detect-files -d .
# -d to check in directory & . means pwd

---

Great addition! Let's enhance the blog by including a section about Pluto alternatives for detecting deprecated Kubernetes APIs and a basic overview of each.

---

🔄 Alternatives to Pluto (and Overview)

While Pluto is a fantastic tool focused on detecting deprecated APIs in Helm releases, raw Kubernetes manifests, and live clusters, it’s not the only option. Here are some popular alternatives:

---

🛠 1. kubent (Kubernetes Event Exporter - deprecated)

Maintainer: Fairwinds (same as Pluto)

• kubent was an earlier tool developed by Fairwinds before Pluto took over the job.

• It parsed cluster objects for deprecated APIs.

• It is now deprecated in favor of Pluto.

✅ Use Pluto instead — same team, more features.

---

🧰 2. kube-no-trouble (a.k.a. kubent from Doitintl)

GitHub: doitintl/kube-no-trouble

• Scans live clusters or local YAML files for deprecated API versions.

• Supports multiple formats for input (kubectl live scan, kubeconfig, local files).

• CLI-based and simple to integrate into pipelines.

✅ Strengths:

• Does not require Helm

• More general-purpose

kube-no-trouble --out json

⚠️ Lacks built-in Helm chart awareness like Pluto.

---

🔎 3. Checkov

GitHub: bridgecrewio/checkov

• Security-focused IaC scanner (Terraform, K8s, Helm, etc.)

• Can catch deprecated K8s API usage as part of static policy checks

✅ Great if you already use it for IaC security

checkov -d ./helm-chart/

⚠️ More focused on security than just API version tracking.

---

🔍 4. OPA + Gatekeeper

Project: Open Policy Agent

• Write custom rules to block or audit deprecated API usage

• Use with Gatekeeper as admission controller

✅ Powerful, policy-as-code
⚠️ Requires setup, not plug-and-play

---

📊 5. KubeLinter

GitHub: stackrox/kube-linter

• A static analysis tool for Kubernetes YAML and Helm charts

• Checks for deprecated APIs, misconfigurations, and best practices

kube-linter lint ./my-helm-chart/

✅ Lightweight and fast
⚠️ No in-cluster scanning

---

🔁 Summary: Tool Comparison

---

📌 Final Thoughts

While Pluto is ideal for Helm-based and YAML-based workflows, depending on your environment you might also consider tools like:

• Checkov (if you're doing security and IaC compliance)

• kube-no-trouble (for live YAML API checks)

• KubeLinter (for local static analysis)

Each tool has its sweet spot. You can even combine a few in CI pipelines to get broader coverage.

---

Let me know if you'd like to embed this section directly into the earlier blog or want a side-by-side PDF/Markdown version.

6. 🗒️ Summary Table

---

✅ Final Note

• You don’t need an actual K8s cluster to test deprecated APIs.

• helm template ➝ pluto detect-files It is a robust, cluster-free workflow.

• Deploying live is optional and ideal only for hands-on testing of older versions.