🎯 Pluto & Helm Chart Testing: Full Guide (Summary Document)

Piyush Kabra

This document consolidates everything I've done, from setting up Pluto and creating a deprecated-API test Helm chart to validating without needing an actual cluster, into a clear, step-by-step guide with code snippets and visuals.


1. 🚀 Install Pluto CLI & Helm

Use the latest Pluto v5.19.2 binary (stable as of mid‑2025):

On Linux:

curl -sL "https://github.com/FairwindsOps/pluto/releases/download/v5.19.2/pluto_5.19.2_linux_amd64.tar.gz" \
  | tar -xz pluto && sudo mv pluto /usr/local/bin/ && sudo chmod +x /usr/local/bin/pluto

Verify installation:

pluto version
# Expected: Pluto Version: v5.19.2

2. ⚠️ Create a Helm Chart with Deprecated APIs

Use helm create and customize templates to include deprecated API resources.

Scaffold:

helm create deprecated-test
cd deprecated-test

Update templates/deployment.yaml:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-dep
spec:
  replicas: 1
  template:
    metadata:
      labels: { app: deprecated }
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

Create templates/ingress.yaml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ .Release.Name }}-ing
spec:
  rules:
    - host: deprecated.local
      http:
        paths:
          - path: /
            backend:
              serviceName: dummy-service
              servicePort: 80

Create templates/psp.yaml:

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata: { name: {{ .Release.Name }}-psp }
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser: { rule: 'RunAsAny' }
  seLinux: { rule: 'RunAsAny' }
  fsGroup: { rule: 'RunAsAny' }
  supplementalGroups: { rule: 'RunAsAny' }

Create templates/cronjob.yaml:

apiVersion: batch/v1beta1
kind: CronJob
metadata: { name: {{ .Release.Name }}-cron }
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args: ["/bin/sh", "-c", "date; echo Hello"]
          restartPolicy: OnFailure

Add dummy service (e.g. templates/service.yaml):

apiVersion: v1
kind: Service
metadata: { name: dummy-service }
spec:
  selector: { app: deprecated }
  ports: [ { protocol: TCP, port: 80, targetPort: 80 } ]

3. 🧪 Test Deprecated APIs Without a Cluster

Render the chart locally (run this from the parent directory, since step 2 ended inside deprecated-test/):

helm template deprecated-test ./deprecated-test > rendered.yaml

Scan with Pluto:

pluto detect rendered.yaml -o wide

Expected output highlighting deprecated APIs:

NAME                      VERSION             KIND               REPLACEMENT              REMOVED IN VERSION
deprecated-test-dep       apps/v1beta1        Deployment         apps/v1                  1.16.0
deprecated-test-ing       extensions/v1beta1  Ingress            networking.k8s.io/v1     1.22.0
deprecated-test-psp       policy/v1beta1      PodSecurityPolicy  policy/v1                1.25.0
deprecated-test-cron      batch/v1beta1       CronJob            batch/v1                 1.21.0
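
A CI gate for the render-then-scan workflow above, as an added example (not the author's or the Pluto project's code). It assumes helm and pluto are on PATH and relies on Pluto exiting 2 for deprecated and 3 for removed APIs; the function names and the warn/fail policy are illustrative assumptions.

```shell
#!/bin/sh
# Added example: CI gate for the render-then-scan workflow.
# Function names, the WARN/FAIL policy and the sample target version are
# assumptions for illustration.

# Render the chart and scan it with Pluto against a target Kubernetes
# version. Returns Pluto's exit code (0 clean, 2 deprecated, 3 removed),
# or 1 if rendering fails.
scan_chart() {
  release=$1 chart_dir=$2 target=$3
  rendered=$(mktemp) || return 1
  # Render to a file first so a template error is never read as a clean scan.
  if ! helm template "$release" "$chart_dir" > "$rendered"; then
    rm -f "$rendered"
    return 1
  fi
  scan_rc=0
  pluto detect -o wide --target-versions "k8s=$target" "$rendered" || scan_rc=$?
  rm -f "$rendered"
  return "$scan_rc"
}

# Policy: removed APIs block the build, deprecated APIs only warn, and any
# other non-zero status fails closed.
gate_chart() {
  gate_rc=0
  scan_chart "$@" || gate_rc=$?
  case $gate_rc in
    0) echo "PASS: no deprecated or removed APIs for target $3"; return 0 ;;
    2) echo "WARN: deprecated APIs found, still served by target $3"; return 0 ;;
    3) echo "FAIL: chart uses APIs removed in target $3"; return 1 ;;
    *) echo "ERROR: render failed or unexpected Pluto exit code $gate_rc"; return 1 ;;
  esac
}

# Usage: sh gate.sh <release> <chart-dir> <k8s-version, e.g. v1.25.0>
if [ "$#" -eq 3 ]; then
  gate_chart "$@"
fi
```

Run it with the Kubernetes version you plan to upgrade to as the third argument, so the build breaks before the cluster upgrade does.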

4. ✅ (Optional) Deploy to a Cluster with Deprecated APIs

If you absolutely want to deploy and scan live:

Use kind or minikube with an older Kubernetes version (< v1.16–v1.21):

kind create cluster --name test-legacy --image kindest/node:v1.15.11
helm install deprecated-test ./deprecated-test
pluto detect-helm -o wide

This ensures the cluster supports deprecated APIs so the chart installs successfully.


5. Checking from Individual Files:

pluto detect-files -d .
# -d scans a directory; . is the current working directory


🔄 Alternatives to Pluto (and Overview)

While Pluto is a fantastic tool focused on detecting deprecated APIs in Helm releases, raw Kubernetes manifests, and live clusters, it's not the only option. Here are some popular alternatives:


🛠 1. kubent (Kubernetes Event Exporter - deprecated)

Maintainer: Fairwinds (same as Pluto)

  • kubent was an earlier tool developed by Fairwinds before Pluto took over the job.

  • It parsed cluster objects for deprecated APIs.

  • It is now deprecated in favor of Pluto.

✅ Use Pluto instead: same team, more features.


🧰 2. kube-no-trouble (a.k.a. kubent from Doitintl)

GitHub: doitintl/kube-no-trouble

  • Scans live clusters or local YAML files for deprecated API versions.

  • Supports multiple formats for input (kubectl live scan, kubeconfig, local files).

  • CLI-based and simple to integrate into pipelines.

✅ Strengths:

  • Does not require Helm

  • More general-purpose

kubent -o json

⚠️ Lacks built-in Helm chart awareness like Pluto.


🔎 3. Checkov

GitHub: bridgecrewio/checkov

  • Security-focused IaC scanner (Terraform, K8s, Helm, etc.)

  • Can catch deprecated K8s API usage as part of static policy checks

✅ Great if you already use it for IaC security

checkov -d ./helm-chart/

⚠️ More focused on security than just API version tracking.


🔐 4. OPA + Gatekeeper

Project: Open Policy Agent

  • Write custom rules to block or audit deprecated API usage

  • Use with Gatekeeper as admission controller

✅ Powerful, policy-as-code
⚠️ Requires setup, not plug-and-play


📊 5. KubeLinter

GitHub: stackrox/kube-linter

  • A static analysis tool for Kubernetes YAML and Helm charts

  • Checks for deprecated APIs, misconfigurations, and best practices

kube-linter lint ./my-helm-chart/

✅ Lightweight and fast
⚠️ No in-cluster scanning


🔍 Summary: Tool Comparison

Tool             Local YAML Scan  Helm Chart Aware  In-Cluster Scan  Policy Engine  Recommended For
Pluto            ✅               ✅                ✅               ❌             Helm charts, CI/CD pipelines
kube-no-trouble  ✅               ❌                ✅               ❌             Non-Helm YAML audits
Checkov          ✅               ✅                ❌               ✅             IaC security + deprecated APIs
OPA/Gatekeeper   ❌               ❌                ✅               ✅             Admission control, policy-as-code
KubeLinter       ✅               ✅                ❌               ❌             Static YAML/Helm validation

📌 Final Thoughts

While Pluto is ideal for Helm-based and YAML-based workflows, depending on your environment you might also consider tools like:

  • Checkov (if you're doing security and IaC compliance)

  • kube-no-trouble (for live YAML API checks)

  • KubeLinter (for local static analysis)

Each tool has its sweet spot. You can even combine a few in CI pipelines to get broader coverage.


6. 🗒️ Summary Table

Step                                 Command
Install Pluto CLI                    curl … pluto_5.19.2_linux_amd64.tar.gz
Scaffold Helm chart                  helm create deprecated-test
Edit templates with deprecated APIs  See Deployment, Ingress, PSP, CronJob YAML above
Render chart locally                 helm template deprecated-test ./deprecated-test > rendered.yaml
Scan for deprecated APIs             pluto detect rendered.yaml -o wide
(Optional) Test in-cluster           Use kind at v1.15 then helm install + pluto detect-helm

✅ Final Note

  • You don't need an actual K8s cluster to test deprecated APIs.

  • helm template ➝ pluto detect-files is a robust, cluster-free workflow.

  • Deploying live is optional and ideal only for hands-on testing of older versions.
