Monokle blog

Developer Guardrails with Monokle VS Code Extension

Sep 13, 2023
Sonali Srivastava
Technology Evangelist

Save time by shifting YAML resource validation to the pre-deployment phase for more functional and secure deployments.


How to set standards and validate all resources in Kubernetes 

Platform engineers are often tasked with creating guardrails for developers. However, since Kubernetes has deprecated many policies, setting standards to validate all resources according to company compliance and organizational standards has become a daunting task. Hence, shifting resource validation to the pre-deployment phase to ensure everything is functional and secure can save teams and their leaders a lot of time and headaches. In our last blog post, we saw how Monokle Cloud can be leveraged to enable policies like Pod Security Standards, hardening guidance by NSA and CISA, etc., ultimately helping developers adhere to these standards even before submitting their code.

How can developers use VS Code to make resource validation quick and easy? Monokle is committed to empowering all team members, including developers, so it has released an extension for Visual Studio Code called the Monokle VS Code extension. In this blog post, we will learn how developers can use the extension to make resource validation and compliance with pre-defined policies simple. We will look in detail at the extension's features and the benefits it offers. We will also see how platform engineers can use it together with Monokle Cloud to define guardrails for their development team through policies, so that developers can apply best practices while tackling complex configuration tasks more efficiently.

What is the Monokle VS Code Extension?

The Monokle Visual Studio Code Extension is an open-source extension that makes management and validation of Kubernetes YAML configurations in VS Code simple. With the extension enabled in Visual Studio Code, developers can validate Kubernetes configurations from the comfort of their favorite editor. The key feature of the Monokle VS Code extension is that developers no longer have to manually configure and check that all the required policies are enabled; the extension provides them with real-time pre-deployment validation.

Platform engineers can use Monokle Cloud to configure policies and enforce them on repositories with Kubernetes resources. The extension will auto-sync policy configurations to the developers’ VS Code allowing uniform enforcement of policies across teams and environments. Companies can ensure compliance without compromising development agility. Let us understand in depth some of the benefits of using Monokle VS Code extension for validating Kubernetes configurations.

Benefits of using the Monokle VS Code extension

  • Validate During Development: The extension plugged into the Visual Studio Code IDE provides the developer with real-time detection of configuration errors and provides context for faster troubleshooting, resulting in better and faster validation of resources. It empowers developers to ensure code quality without waiting for the validation pipelines to tell them at a later stage that validation errors exist. Developers can fix errors in the pre-commit phase with the VS Code extension and perform multiple validations to ensure adherence to company policies and best practices through its integration with Monokle Cloud. Developers do not need to be migrated to any other external tool.

  • Playground With Guardrails For Developers: Compliance with organizational policies and adherence to Kubernetes standards is an essential part of the product development life-cycle. But it limits developers from exploring further possibilities because, without guardrails in place, they have constant thoughts of “What if I break something”. By leveraging the default policies already included in the Monokle VS Code extension or by adding additional policies through a Monokle Cloud workspace, Platform Engineers and other Team Leaders provide developers with clear boundaries and a safe playground to test new things.

  • Easy-to-setup and use extension: Monokle VS Code extension and its pre-configured policies can easily be enabled in Visual Studio Code. It also provides Platform Engineers and team leaders the capability to configure custom policies in Monokle Cloud that can be integrated with the extension. This way, developers do not have to worry about which standards to adhere to.

  • Standardized code base with NSA and CISA policies: Monokle can be leveraged to enforce standards like hardening guidance by NSA and CISA in addition to Pod Security Standards, ultimately strengthening governance across all Kubernetes configurations. It helps maintain a standardized code base and keeps teams in check to avoid violations, reducing maintenance effort and expense.

Hence, Monokle empowers both developers and platform engineers to streamline their work with an easy-to-use extension fully integrated with all of the advantages of Monokle Cloud at their disposal. Let us get started with installing the extension and explore some of the benefits that it offers.

Installing the Monokle VS Code extension

Prerequisites

Steps to install Monokle VS Code extension

  • Launch Visual Studio Code. Click on “Extensions” in the toolbar.
  • VS Code loads the Extensions: Marketplace. In the search bar, enter “Monokle”.

The Monokle VS Code extension is successfully installed and is enabled by default in Visual Studio Code. Now, let’s access our repository and see how we can make use of this extension to bring real-time validation to our fingertips.

Use cases

With the multiple benefits that Monokle VS Code extension offers, it gets easier to validate Kubernetes configurations and enable custom policies to help guide developers. Let us dig deeper into how to achieve this with the help of the monokle-demo Kubernetes manifest repository.

Validate Resources

Monokle VS Code extension allows developers to validate resources in real-time based on default policies. The default configuration includes the following validation plugins:

  • Pod Security Standards: Validation is based on the standardization of the Kubernetes project.
  • Kubernetes Schema: Validation is based on the version of Kubernetes used.
  • Resource Links: Validation is done to ensure that the reference across resources is valid.
  • YAML Syntax: Validation is done to ensure that the valid YAML syntax is followed.

We have forked the monokle-demo repository and opened it in Visual Studio Code (VS Code).

With the extension enabled, Monokle validates the resources in the repository and loads the validation results in VS Code based on the above policies. In the results, click on the file location dropdown and select the error to view details and access the file that has a validation error.

The Monokle VS Code Extension has three parts. Let us look at each in detail.

  • Validation Panel (SARIF Results): Monokle runs validation on resources and generates results in the Static Analysis Results Interchange Format (SARIF). This view is also known as the Validation Panel. The results are grouped by file. A single file can have multiple validation errors, and each can be viewed by selecting the error for the corresponding line number.

  • Editor: The Visual Studio Code editor loads the manifest that we selected from the SARIF results. The extension has highlighted the line that has the error. Hover over the line to view the details related to the error.

  • Info: This section provides the complete details related to the validation error like the plugin name that enforced the policy which is violated here, description, severity level, etc. These details help fix the error.

Thus, Monokle empowers the developers to easily identify the validation errors and fix them at the development stage.
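The per-file grouping that the Validation Panel presents can be reproduced outside the editor from any SARIF 2.1.0 log. The following is an added example, not code from the Monokle extension; the tool name, rule ids, paths and messages in the sample log are constructed, and `group_by_file` and `gate` are hypothetical helper names.

```python
import json
from collections import defaultdict

# Constructed SARIF 2.1.0 log: tool name, rule ids, paths and messages are sample values.
SAMPLE = json.loads("""
{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "sample-validator"}}, "results": [
 {"ruleId": "SAMPLE001", "level": "error", "message": {"text": "privileged container"},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "k8s/deploy.yaml"},
                                      "region": {"startLine": 31}}}]},
 {"ruleId": "SAMPLE002", "level": "warning", "message": {"text": "no resource limits"},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "k8s/deploy.yaml"},
                                      "region": {"startLine": 12}}}]},
 {"ruleId": "SAMPLE003", "level": "error", "message": {"text": "unresolved reference"},
  "locations": [{"physicalLocation": {"artifactLocation": {"uri": "k8s/service.yaml"}}}]},
 {"ruleId": "SAMPLE004", "message": {"text": "result without a location"}}
]}]}
""")

def group_by_file(sarif):
    """Return {uri: [(line, level, ruleId, message), ...]} with rows sorted by line."""
    grouped = defaultdict(list)
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when level is omitted
            text = res.get("message", {}).get("text", "")
            locations = res.get("locations") or [{}]  # keep results that carry no location
            for loc in locations:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<no file>")
                line = phys.get("region", {}).get("startLine", 0)  # 0 = line unknown
                grouped[uri].append((line, level, res.get("ruleId", "?"), text))
    return {uri: sorted(rows) for uri, rows in sorted(grouped.items())}

def gate(sarif, fail_on=("error",)):
    """Exit status for a pre-commit or CI step: 1 if any result has a blocking level."""
    rows = [r for rows in group_by_file(sarif).values() for r in rows]
    return 1 if any(level in fail_on for _, level, _, _ in rows) else 0

if __name__ == "__main__":
    for uri, rows in group_by_file(SAMPLE).items():
        print(f"{uri} ({len(rows)} result(s))")
        for line, level, rule, text in rows:
            print(f"  line {line or '?'}: [{level}] {rule} {text}")
    raise SystemExit(gate(SAMPLE))
```
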

Update Configuration

The policy configuration used to validate the manifests is set by default. In case we want to play around with this configuration, Monokle provides the capability to update the configuration locally in VS Code. Let us look at the steps to achieve it.

  • Open the Command Palette (`Ctrl+Shift+P`) and enter the `Monokle: Bootstrap configuration` command.

  • The bootstrap loads the `monokle.validation.yaml` that maintains the policy configurations. Adjust the configuration as per requirements. Let us go ahead and set `Pod Security Standards` to `true`.

  • Press `Ctrl+S` to save the configuration file so that the changes can be reflected. The extension runs the validation again based on the updated configuration and updates the SARIF Results.

  • In the above screenshot, we can see that the count of SARIF Results has updated from 2 to 88 after the changes to the policy configuration.

Thus the Monokle VS Code extension makes it easier to customize the playground as per the needs of the project and test with guardrails.

Enforce Policies with Monokle Cloud

In the above use cases, we have seen how to utilize the default policies provided by Monokle to enable validation. The resources can also be validated against custom policies that are specific to any organization by configuring policies in Monokle Cloud and synchronizing them in VS Code. This helps platform engineers bring all the developers to a common ground and have a uniform configuration for a specific project, team, or environment. 

This requires the combined efforts of the team and can be achieved in the following two steps:

Configure Policies using Monokle Cloud [For Platform Engineers]

Let us see the steps to configure uniform policies for a team with Kubernetes Hardening Guidance by NSA and CISA in Monokle Cloud.

  • Set up a policy using the Policy Wizard in Monokle Cloud. Select the policy from the dropdown and click on Next. Monokle also provides the capability to create custom policies that can be enabled and shared to enforce organization-specific policies.

  • Click on Finish.

With this, the task of the Platform Engineer is done. Now any developer who syncs this policy configuration will have guardrails already set up.

Synchronize Policies using the VS Code Extension [For Developers]

Let us see how developers can sync the above policy configuration in VS Code using the extension.

  • Open the Command Palette and select `Monokle: Login`. This command will initiate the login to Monokle Cloud. This is a one-time activity and we will remain logged in to Monokle Cloud until we run the `Monokle: Logout` command.

  • Select `Login with a web browser` to proceed with authorization.

  • Click on “Yes” to allow login.

  • Once the login is successful, close the window and head back to VS Code.

  • The VS Code Extension automatically syncs the updated configuration of policies. Use `Monokle: Synchronize` to sync with the latest configuration. For the repository that we were using, the Validation Panel is updated with a new count of SARIF Results. This means the configuration is already synced.

  • Let us view the new policy configuration using the Command Palette. Enter the command `Monokle: Show configuration`.

  • The above plugins, rules, and settings are per Kubernetes Hardening Guidance by NSA and CISA. Thus Monokle makes it easier for the Platform Engineers to provide guardrails to developers.

With this, we have seen how Monokle can help developers validate resources at the development stage, and have a playground to explore and avoid misconfigurations. Platform engineers can utilize Monokle Cloud to configure policies and the developers can auto-sync this configuration in their VS Code workspace easily.

Conclusion

In this blog post, we have talked about the open-source extension, Monokle Visual Studio Code Extension, added to the suite of tools offered by Monokle that brings validation to the fingertips of developers. They can validate resources using the default policies. It empowers platform engineers to build guardrails and have uniform policy enforcement across organizations, teams, or environments. Monokle aims to make guardrails the common language that brings dev and ops together.

We hope that you find this blog post helpful. You can also reach out to Monokle Product Leader Ole if you have feedback about how we can make Monokle work better for you or drop a mail to ole@kubeshop.io for information/assistance. Join in the conversation with other users via Discord as part of our growing community.
