π― Pluto & Helm Chart Testing: Full Guide (Summary Document)

Table of contents
- 1. π Install Pluto CLI & Helm
- 2. β οΈ Create a Helm Chart with Deprecated APIs
- 3. π§ͺ Test Deprecated APIs Without a Cluster
- 4. β (Optional) Deploy to a Cluster with Deprecated APIs
- 5. Checking from Individual Files :-
- π Alternatives to Pluto (and Overview)
- π Summary: Tool Comparison
- π Final Thoughts
- 6. ποΈ Summary Table
- β Final Note

This document consolidates everything I've doneβfrom setting up Pluto, creating a deprecated-API test Helm chart, to validating without needing an actual clusterβinto a clear, step-by-step guide with code snippets and visuals.
1. π Install Pluto CLI & Helm
Use the latest Pluto v5.19.2 binary (stable as of midβ2025):
In Linux :-
curl -sL "https://github.com/FairwindsOps/pluto/releases/download/v5.19.2/pluto_5.19.2_linux_amd64.tar.gz" \
| tar -xz pluto && sudo mv pluto /usr/local/bin/ && sudo chmod +x /usr/local/bin/pluto
Verify installation:
pluto version
# Expected: Pluto Version: v5.19.2
2. β οΈ Create a Helm Chart with Deprecated APIs
Use helm create
and customize templates to include deprecated API resources.
Scaffold:
helm create deprecated-test
cd deprecated-test
Update templates/deployment.yaml:
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: {{ .Release.Name }}-dep
spec:
replicas: 1
template:
metadata:
labels: { app: deprecated }
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
Create templates/ingress.yaml:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ .Release.Name }}-ing
spec:
rules:
- host: deprecated.local
http:
paths:
- path: /
backend:
serviceName: dummy-service
servicePort: 80
Create templates/psp.yaml:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata: { name: {{ .Release.Name }}-psp }
spec:
privileged: false
allowPrivilegeEscalation: false
runAsUser: { rule: 'RunAsAny' }
seLinux: { rule: 'RunAsAny' }
fsGroup: { rule: 'RunAsAny' }
supplementalGroups: { rule: 'RunAsAny' }
Create templates/cronjob.yaml:
apiVersion: batch/v1beta1
kind: CronJob
metadata: { name: {{ .Release.Name }}-cron }
spec:
schedule: "*/5 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: hello
image: busybox
args: ["/bin/sh", "-c", "date; echo Hello"]
restartPolicy: OnFailure
Add dummy service (e.g. templates/service.yaml
):
apiVersion: v1
kind: Service
metadata: { name: dummy-service }
spec:
selector: { app: deprecated }
ports: [ { protocol: TCP, port: 80, targetPort: 80 } ]
3. π§ͺ Test Deprecated APIs Without a Cluster
Render chart locally:
helm template deprecated-test ./deprecated-test > rendered.yaml
Scan with Pluto:
pluto detect-files -f rendered.yaml -o wide
Expected output highlighting deprecated APIs:
NAME VERSION KIND REPLACEMENT REMOVED IN VERSION
deprecated-test-dep apps/v1beta1 Deployment apps/v1 1.16.0
deprecated-test-ing extensions/v1beta1 Ingress networking.k8s.io/v1 1.22.0
deprecated-test-psp policy/v1beta1 PodSecurityPolicy policy/v1 1.25.0
deprecated-test-cron batch/v1beta1 CronJob batch/v1 1.21.0
4. β (Optional) Deploy to a Cluster with Deprecated APIs
If you absolutely want to deploy and scan live:
Use kind
or minikube
with an older Kubernetes version (< v1.16βv1.21):
kind create cluster --name test-legacy --image kindest/node:v1.15.11
helm install deprecated-test ./deprecated-test
pluto detect-helm -o wide
This ensures the cluster supports deprecated APIs so the chart installs successfully.
5. Checking from Individual Files :-
pluto detect-files -d .
# -d to check in directory & . means pwd
Great addition! Let's enhance the blog by including a section about Pluto alternatives for detecting deprecated Kubernetes APIs and a basic overview of each.
π Alternatives to Pluto (and Overview)
While Pluto is a fantastic tool focused on detecting deprecated APIs in Helm releases, raw Kubernetes manifests, and live clusters, itβs not the only option. Here are some popular alternatives:
π 1. kubent (Kubernetes Event Exporter - deprecated)
Maintainer: Fairwinds (same as Pluto)
kubent
was an earlier tool developed by Fairwinds before Pluto took over the job.It parsed cluster objects for deprecated APIs.
It is now deprecated in favor of Pluto.
β Use Pluto instead β same team, more features.
π§° 2. kube-no-trouble (a.k.a. kubent
from Doitintl)
GitHub: doitintl/kube-no-trouble
Scans live clusters or local YAML files for deprecated API versions.
Supports multiple formats for input (kubectl live scan, kubeconfig, local files).
CLI-based and simple to integrate into pipelines.
β Strengths:
Does not require Helm
More general-purpose
kube-no-trouble --out json
β οΈ Lacks built-in Helm chart awareness like Pluto.
π 3. Checkov
GitHub: bridgecrewio/checkov
Security-focused IaC scanner (Terraform, K8s, Helm, etc.)
Can catch deprecated K8s API usage as part of static policy checks
β Great if you already use it for IaC security
checkov -d ./helm-chart/
β οΈ More focused on security than just API version tracking.
π 4. OPA + Gatekeeper
Project: Open Policy Agent
Write custom rules to block or audit deprecated API usage
Use with Gatekeeper as admission controller
β
Powerful, policy-as-code
β οΈ Requires setup, not plug-and-play
π 5. KubeLinter
GitHub: stackrox/kube-linter
A static analysis tool for Kubernetes YAML and Helm charts
Checks for deprecated APIs, misconfigurations, and best practices
kube-linter lint ./my-helm-chart/
β
Lightweight and fast
β οΈ No in-cluster scanning
π Summary: Tool Comparison
Tool | Local YAML Scan | Helm Chart Aware | In-Cluster Scan | Policy Engine | Recommended For |
Pluto | β | β | β | β | Helm charts, CI/CD pipelines |
kube-no-trouble | β | β | β | β | Non-Helm YAML audits |
Checkov | β | β | β | β | IaC security + deprecated APIs |
OPA/Gatekeeper | β | β | β | β | Admission control, policy-as-code |
KubeLinter | β | β | β | β | Static YAML/Helm validation |
π Final Thoughts
While Pluto is ideal for Helm-based and YAML-based workflows, depending on your environment you might also consider tools like:
Checkov (if you're doing security and IaC compliance)
kube-no-trouble (for live YAML API checks)
KubeLinter (for local static analysis)
Each tool has its sweet spot. You can even combine a few in CI pipelines to get broader coverage.
Let me know if you'd like to embed this section directly into the earlier blog or want a side-by-side PDF/Markdown version.
6. ποΈ Summary Table
Step | Command |
Install Pluto CLI | `curl β¦ pluto_5.19.2_linux_amd64.tar.gz |
Scaffold Helm chart | helm create deprecated-test |
Edit templates with deprecated APIs | See Deployment, Ingress, PSP, CronJob YAML above |
Render chart locally | helm template deprecated-test > rendered.yaml |
Scan for deprecated APIs | pluto detect-files -f rendered.yaml -o wide |
(Optional) Test in-cluster | Use kind at v1.15 then helm install + pluto detect-helm |
β Final Note
You donβt need an actual K8s cluster to test deprecated APIs.
helm template β pluto detect-files
It is a robust, cluster-free workflow.Deploying live is optional and ideal only for hands-on testing of older versions.
Subscribe to my newsletter
Read articles from Piyush Kabra directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
