Monokle CLI adds validation for Pod Security Standards, K8s Deprecations + more

Jul 6, 2023
2 min read
Ole Lensmar
CTO
monokle

Leverage the power of Monokle to enable consistent misconfiguration detection in both pre-commit and pre-deployment workflows.


In an ongoing effort to combat poor Kubernetes configurations and failing deployments, our Monokle team has made major updates to our validation engine which is used across the entire Monokle tool suite including Monokle Cloud, Monokle Desktop, and now, in the latest version of Monokle CLI.

Major improvements since the initial release of our CLI validation engine include:

  • Pod Security Standards Validation
  • Deprecation/removal warnings related to resources targeting a specific Kubernetes version
  • Metadata validations (ex: labels, annotations) including both standard and custom keys and values
  • Common Practices to help improve deployments
  • A docker image for running the CLI as part of any workflow
  • An updated GitHub Action 

As before, it’s super-easy to get started with the Monokle CLI.

For Mac, you can install it with brew:
```
brew install kubeshop/monokle/monokle-cli
```

On other platforms, you can install it with npm, or you can use our Docker image available on DockerHub:

```
docker run -v /my-manifests:/input -e CONFIG_FILE=my-validation-config.yaml monokle-cli:latest validate /input
```

Configuration for the CLI is, as before, done via a corresponding monokle.validation.yaml file (read more on GitHub). Here’s a quick example:

```
plugins:
  pod-security-standards: true
  kubernetes-schema: true
rules:
  pod-security-standard/host-process: "warn"
  pod-security-standard/selinux: "err"
  pod-security-standard/sysctls: false
  kubernetes-schema/deprecation-violated: "warn"
  kubernetes-schema/removal-violated: "err"
settings:
  kubernetes-schema:
    schemaVersion: "v1.26.1"
```

Let’s have a quick look at each of the new validators.

Pod Security Standards

The Pod Security Standards validator validates your manifests against the Kubernetes Pod Security Standards. Read more about available configurations and rules on GitHub.

A sample monokle.validation.yaml file using this validator would be:

```
plugins:
  pod-security-standards: true
rules:
  pod-security-standard/host-process: "warn"
  pod-security-standard/selinux: "err"
  pod-security-standard/sysctls: false
```

Kubernetes Deprecation / Removal validation

The existing Kubernetes Schema validator has been improved to also check for invalid or deprecated resource kinds/versions, verifying that your resources are compatible with the Kubernetes version you are targeting. Read more on GitHub.

Use as follows:

```
plugins:
  kubernetes-schema: true
settings:
  kubernetes-schema:
    schemaVersion: "v1.26.1"
rules:
  kubernetes-schema/deprecation-violated: "warn"
  kubernetes-schema/removal-violated: "err"
```

Metadata validation

The metadata validator allows you to check for resource metadata properties and values, both custom and predefined. Read more on GitHub.

For the custom label and annotation-related rules, the format is as follows:

```
rules:
  metadata/custom-labels: [<level>, <array of keys>]
  metadata/custom-annotations: [<level>, <array of keys>]
  metadata/foo-label: [<level>, <array of values>]
  metadata/foo-annotation: [<level>, <array of values>]
```

For example:

```
plugins:
  metadata: true
rules:
  metadata/recommended-labels: "warn"
  metadata/custom-labels: ["warn", ["my-label"]]
  metadata/foo-annotation: ["warn", ["ben", "joe"]]
```

Common practices

The Common Practices validator checks for just that - common practices that might be applicable to your Kubernetes configurations, for example disallowing the latest image tags or requiring a read-only root file system. Find more information about individual rules on GitHub.

An example:

```
plugins:
  practices: true
rules:
  practices/no-latest-image: "warn"
  practices/no-writable-fs: "err"
```
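To make the Pod Security Standards and Common Practices rule levels above concrete, here is an added illustration (not Monokle's code) of what the pod-security-standard/host-process, pod-security-standard/sysctls, practices/no-latest-image and practices/no-writable-fs rules check, and how a level of false disables a rule. The checks follow the Kubernetes Pod Security Standards baseline profile and the rule names from the post; the pod spec and rule map are constructed for the example.

```python
# Illustrative re-implementation of four rules named in the post (not Monokle's
# code); rule levels ("warn", "err", False) follow monokle.validation.yaml's rules map.

# Sysctls the Pod Security Standards baseline profile allows (the "safe" set).
SAFE_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
                "net.ipv4.ip_unprivileged_port_start", "net.ipv4.tcp_syncookies",
                "net.ipv4.ping_group_range"}

def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])

def _host_process(spec):  # Windows hostProcess pods get full host access
    return [f"{c.get('name', 'pod')}: hostProcess enabled" for c in [spec] + _containers(spec)
            if c.get("securityContext", {}).get("windowsOptions", {}).get("hostProcess")]

def _sysctls(spec):
    names = [s["name"] for s in spec.get("securityContext", {}).get("sysctls", [])]
    return [f"unsafe sysctl {n}" for n in names if n not in SAFE_SYSCTLS]

def _image_tag(image):  # no tag at all also means 'latest'
    last = image.split("/")[-1]
    return last.rsplit(":", 1)[1] if ":" in last else "latest"

def _no_latest_image(spec):
    return [f"{c['name']}: image {c['image']} uses the latest tag"
            for c in _containers(spec) if _image_tag(c["image"]) == "latest"]

def _no_writable_fs(spec):
    return [f"{c['name']}: readOnlyRootFilesystem is not true" for c in _containers(spec)
            if not c.get("securityContext", {}).get("readOnlyRootFilesystem")]

CHECKS = {"pod-security-standard/host-process": _host_process, "pod-security-standard/sysctls": _sysctls,
          "practices/no-latest-image": _no_latest_image, "practices/no-writable-fs": _no_writable_fs}

def validate(spec, rules):
    """Return {rule: (level, messages)}; a level of False disables the rule."""
    findings = {}
    for rule, level in rules.items():
        if level is not False and rule in CHECKS and (msgs := CHECKS[rule](spec)):
            findings[rule] = (level, msgs)
    return findings

# Constructed sample: levels mirror the post's examples; the pod trips three rules
# and carries an unsafe sysctl that the disabled sysctls rule will not report.
RULES = {"pod-security-standard/host-process": "warn", "pod-security-standard/sysctls": False,
         "practices/no-latest-image": "warn", "practices/no-writable-fs": "err"}
POD_SPEC = {"securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"}]},
            "containers": [{"name": "web", "image": "nginx:latest"},
                           {"name": "sidecar", "image": "registry.example/agent:1.4.2", "securityContext": {
                               "readOnlyRootFilesystem": True, "windowsOptions": {"hostProcess": True}}}]}
```

Running `validate(POD_SPEC, RULES)` reports the hostProcess sidecar and the web container's latest tag and writable root filesystem, while the unsafe sysctl stays silent because its rule is set to false.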

Custom Validators

As before, extending the Monokle CLI with custom validators written in TypeScript is easy. Validation plugins can be shared with the community and used in Monokle Desktop and Monokle Cloud. Check out the docs/tutorials to get started, and don’t hesitate to reach out to us on Discord if you need any help or guidance.

What’s next?

Do you have specific validation needs? We’d love to create more validators available to the community so please, reach out! We’re keen to include validators to save you time and improve your workflows. For example, maybe you're struggling to validate your Kustomize overlays or Helm Charts? If this is the case, let us know so we can get to work on solving this issue for you and your team.

Get started with Monokle CLI today and join our Monokle Community via Discord, follow us on Twitter and LinkedIn, learn more about our complete suite of tools, and contribute to our open source project.

Thank you!
