kubeconform vs kubeval (2026): Validate K8s Manifests
kubeconform vs kubeval compared - schema validation speed, CRD support, and why kubeval is deprecated and kubeconform is the successor to use in 2026.
If you are choosing a Kubernetes manifest schema validator in 2026, the decision is already made for you: kubeconform vs kubeval is really “the maintained successor vs the deprecated original.” Both answer the same question - does this YAML conform to the Kubernetes API spec for the version you target? - but only one of them is still being maintained.
This page draws the line clearly so you can migrate with confidence. For the broader picture of how schema validation fits alongside security and best-practice scanners, see our kube-score vs kubeaudit vs Checkov vs Trivy comparison.
The short answer
- Pick kubeconform if you are starting fresh, want faster CI, need newer Kubernetes API versions, or have to validate custom resource definitions (CRDs). This is almost everyone.
- Pick kubeval only if you are maintaining a legacy pipeline that already depends on it and you have no time to migrate yet. It still runs, but it is deprecated and unmaintained.
- Both do the same fundamental thing - schema validation against the Kubernetes OpenAPI spec - so migrating between them is low-risk and usually quick.
Deciding factor to pick
| Your deciding factor | Pick |
|---|---|
| Starting a new project today | kubeconform |
| Need newer Kubernetes API versions | kubeconform |
| Must validate CRDs (cert-manager, Argo, Istio) | kubeconform |
| Want the fastest CI validation | kubeconform |
| Want active maintenance and bug fixes | kubeconform |
| Locked into an old pipeline, no migration time | kubeval (for now) |
| Validating against very old clusters only | kubeval (for now) |
| Want the safest long-term choice | kubeconform |
The rule: unless you are temporarily stuck on a legacy kubeval setup, use kubeconform.
What each tool is
- kubeval is the original Kubernetes manifest schema validator. It checks whether your YAML conforms to the Kubernetes OpenAPI / JSON schemas - the right fields, the right types, valid for a given API version. It was widely adopted for years, but it is now deprecated and no longer actively maintained, and the project itself points users toward kubeconform.
- kubeconform is the faster, actively maintained drop-in successor to kubeval. It does the same schema validation, but it validates manifests in parallel for speed, tracks newer Kubernetes API versions, and supports CRD validation through custom schema locations. It is built to be CI-friendly and is the tool to reach for today.
kubeconform vs kubeval: head-to-head
| Dimension | kubeconform | kubeval |
|---|---|---|
| Core job | Schema validation vs K8s API spec | Schema validation vs K8s API spec |
| Maintenance status | Active | Deprecated / unmaintained |
| Recommended in 2026 | Yes | No (migrate off) |
| Speed | Fast (parallel validation) | Slower (sequential) |
| Newer K8s API versions | Tracked and updated | Lags, often stale |
| CRD validation | Yes (custom schema locations) | No maintained path |
| Drop-in migration | Successor to kubeval | n/a |
| Custom schema sources | Local or remote, configurable | Limited |
| Output formats | JSON, TAP, JUnit, text | JSON, TAP, text |
| CI-friendliness | Strong (fast, scriptable) | Workable but slow |
| License | Apache 2.0 | Apache 2.0 |
| Cost | Free / open source | Free / open source |
The cells that decide it: kubeconform wins on maintenance, speed, newer API support, and CRD validation. kubeval matches it only on the basics, and trails everywhere that matters going forward.
When to choose kubeconform
- You are starting any new validation pipeline in 2026 and want a tool that will still be maintained next year.
- You target recent Kubernetes API versions and need the schemas to keep up.
- You need to validate custom resource definitions for tools like cert-manager, Argo, or Istio via custom schema locations.
- You run validation on every pull request and want the parallel speed to keep CI fast on large manifest sets.
- You want clean machine-readable output (JUnit, JSON) to wire into CI gates.
- You are migrating off kubeval and want a near drop-in replacement.
When to choose kubeval
- You have an existing pipeline that already depends on kubeval and you have not scheduled the migration yet.
- You are only validating against older clusters whose API versions kubeval still covers.
- You need a stopgap while you plan the switch - but treat this as temporary, because the project is deprecated and will only fall further behind.
In every one of these cases, the honest recommendation is still to plan a migration to kubeconform. There is no scenario in 2026 where kubeval is the better long-term choice.
Can you use them together?
There is little reason to run both - they do the same job, and kubeconform supersedes kubeval. The realistic pattern is a migration, not a coexistence: swap the binary, port your flags (kubeconform keeps the spirit of kubeval’s interface), and add -schema-location entries for any CRDs you need. Run kubeconform once in CI and retire kubeval.
Where tools genuinely combine is across layers, not against each other. Schema validation is the first gate; best-practice and security scanning come next. See Polaris vs kube-score for the best-practice layer that runs after schema validation passes.
Cost comparison
There is nothing to compare on price - both kubeconform and kubeval are free and open source, kubeval under Apache 2.0 and kubeconform under Apache 2.0. The real cost is operational. kubeval’s deprecation means you eventually pay in maintenance debt: stale schemas, missing API versions, and no upstream fixes. kubeconform’s active maintenance and parallel validation keep both CI minutes and engineering time down. The cheaper tool over any real time horizon is kubeconform.
Common pitfalls
- Treating schema validation as security validation. kubeconform tells you a manifest is valid, not that it is safe or well-configured. You still need best-practice and security scanners on top.
- Expecting CRDs to validate out of the box. kubeconform supports CRDs, but you have to supply their schemas via custom schema locations - it does not ship them.
- Staying on kubeval “because it still works.” It works until a Kubernetes upgrade introduces API versions kubeval never learned, and then it silently passes or wrongly fails manifests.
- Skipping schema validation entirely and letting
kubectl applybe your first check - that pushes errors all the way to the cluster instead of catching them in CI. - Not pinning the target Kubernetes version. Validate against the API version your cluster actually runs, or you will validate against the wrong schema and trust a green check that means nothing.
Related
- Deployment gates in kubeqa
- Polaris vs kube-score
- kube-score vs kubeaudit vs Checkov vs Trivy
- Kubernetes QA tools comparison
Schema validation is exactly the kind of check that belongs at the front of a deployment gate, and kubeqa validates manifests as part of its gates so a structurally invalid or stale-API manifest never makes it to the cluster. It runs schema validation alongside best-practice and security checks behind a single score, so you get correctness, hardening, and policy in one pass instead of stitching tools together by hand.
Install it and try it on your own manifests:
brew install nomadx-ae/tap/kubeqa
Frequently Asked Questions
kubeconform vs kubeval: which should I use?
Use kubeconform. kubeval is deprecated and no longer actively maintained, and its own maintainers point people to kubeconform as the successor. kubeconform is a faster, drop-in schema validator that supports newer Kubernetes API versions and custom resource definitions. There is no real reason to start a new project on kubeval in 2026.
Is kubeval deprecated?
Yes. kubeval is deprecated and the project is no longer actively maintained. It still works for older clusters, but it does not track newer Kubernetes API versions well and has no momentum behind bug fixes or schema updates. The community has largely moved to kubeconform, which is a near drop-in replacement with the same core job of validating manifests against the Kubernetes schema.
Is kubeconform a good kubeval alternative?
kubeconform is the direct successor to kubeval, not just an alternative. It does the same schema validation - checking whether your YAML conforms to the Kubernetes OpenAPI spec for a given API version - but it is significantly faster because it validates in parallel, it tracks newer Kubernetes releases, and it can validate custom resource definitions through custom schema locations. Migrating is usually a matter of swapping the binary and adjusting a few flags.
Does kubeconform validate custom resource definitions (CRDs)?
Yes, with setup. kubeconform does not ship CRD schemas, but it lets you point it at custom schema locations using the schema-location flag so it can validate manifests for CRDs like cert-manager, Argo, or Istio. You convert each CRD's OpenAPI schema to the JSON schema format kubeconform expects and host it locally or remotely. kubeval had no comparable maintained path for CRD validation, which is one of the main reasons teams switched.
Does schema validation replace security and best-practice scanning?
No. Schema validation only answers whether a manifest is structurally valid for the Kubernetes API version you target - correct fields, correct types, no typos. It does not tell you whether the config is secure or follows best practices. For that you still need tools like kube-score, kubeaudit, Checkov, or Trivy. A complete pipeline runs kubeconform first for schema correctness, then layers best-practice and security scanners on top.
How much does kubeconform or kubeval cost?
Both are free and open source, so there is no license cost for either. kubeval is published under the Apache 2.0 license and kubeconform under Apache 2.0 as well. Your only real cost is operational - CI minutes and maintenance - and that is exactly where kubeconform wins, because its parallel validation is faster and its active maintenance means you are not stuck patching an abandoned tool.
Related Comparisons
Ship Kubernetes with Confidence
Free for open-source use. No credit card required. Install kubeqa and run your first cluster scan in under 5 minutes.
Get Started Free