Real-time Kubernetes Policy Development with Monokle

Oct 27, 2023
4 min
read
Ole Lensmar
CTO
monokle

Writing “good” policies is a complex, time-consuming task. Learn to build and troubleshoot policies interactively – with immediate feedback with the power of Monokle Cloud.

Share on Twitter
Share on LinkedIn
Share on Reddit
Share on HackerNews
Copy URL

Table of Contents

No items found.

Try Monokle Desktop Today

Using policies to enforce security, manage resource usage, and apply domain-specific rules for your Kubernetes applications is a well-adopted practice, thanks to both common sense and widely used open-source policy engines like Kyverno and Open Policy Agent (OPA). Recently, Kubernetes itself introduced native approaches to defining configuration policies, via Pod Security Standards in Kubernetes 1.25, and ValidatingAdmissionPolicy and related resources in Kubernetes 1.28. Although it will probably take some time for these native approaches to gain broad acceptance, it doesn’t seem unreasonable to assume that they will be the preferred approach for many teams getting started with security and resource policies for their deployments.

Unfortunately, the process of developing custom policies with any of these engines is a somewhat cumbersome task:

-   First, you’ll need to define your policy and related resources using the language/syntax used by your corresponding policy engine.

-   Second, you’ll need to run some kind of tool (usually a CLI) to compile/apply/deploy these policies to a set of resources.

-   Lastly, it’s time to look at the output of the tool used to determine if the validation worked as expected. If it did, great! But if not, adjustments must be made taking you right back step 1 all over again.

This might not seem so harrowing – at first. But writing “good” policies is a complex task that takes time, and this workflow is far from the interactivity many developers have grown to expect from real-time tooling in other areas of development, resulting in a less than desirable Developer Experience and unnecessary long development times for your policy needs.

So, wouldn’t it be nice if there was a way to learn, build and troubleshoot policies interactively – with immediate feedback on how they apply, what messages they produce, etc.?

ValidatingAdmissionPolicy Support in Monokle

Given the (dramatic) build-up in this blog-post – it shouldn’t come as a surprise that this is now possible thanks to recently introduced alpha-support for ValidatingAdmissionPolicy support in the Monokle tooling ecosystem.

If you don’t recall all details of Monokle, Monokle is set of tools for Kubernetes Policy Management and enforcement:

-   Monokle Cloud provides a dashboard for centralized policy management. 

-   Monokle Vs-Code Extension / CLI / Desktop / GitHub App are open-source tools used to enforce policies at different points in the application lifecycle. You can use these either standalone or connected to Monokle Cloud.

So, what features in this regard are we so excited to tell you about?

1. Monokle now identifies and parses the above-mentioned `ValidatingAdmissionPolicy`, `ValidatingAdmissionPolicyBinding` resources in any set of Kubernetes YAMLs that it is validating or working with.

2. Thanks to the admission-policy plugin to Monokle’s validation engine, the policies expressed in these resources are immediately applied to any other resources found, with corresponding warnings/errors being highlighted in the Monokle Cloud and Desktop IDEs or via our VS-Code extension.

3. When working in either of the Monokle IDEs or with the VS-Code extension, any changes made to these policies or target resources will be picked up by Monokle’s validation engine and result in immediate revalidation of your resources – giving you real-time feedback as your policies and target resources evolve.

As an added bonus, the Monokle IDEs also visualizes dependencies / references between ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding resources, together with any ConfigMap references they might have for parameters, making it easy to navigate and understand your policies and their dependencies on other resources. 

Altogether, this will do wonders for your Kubernetes Policy development workflows: 

-   Add / modify / remove any ValidatingAdmissionPolicy-related resources with Monokle and immediately see updated error/warning messages for your target resources.

-   Eliminate dependence upon CLIs and other auxiliary tools while discovering / learning / developing policies for your Kubernetes applications.

-   Troubleshooting/debugging custom policies is a breeze – simply point Monokle at any set of resources that aren’t being validated as expected, determine what changes are needed, and adjust the policies with real-time feedback.

Needless to say, by using Monokle to shorten the development loop described above and implementing native Kubernetes policies based on ValidatingAdmissionPolicy resources, the use of custom policy enforcement becomes a much more approachable and attainable goal for all teams regardless of expertise levels or size.  

Seeing is believing.

Instead of me trying to textually convince you of the goodness herein – let’s have a look at how this all works!

 

You can try all the above by going to https://app.monokle.com/explore/github/kubeshop/monokle-demo/branch/olelensmar/vap-demo-resources (you’ll be asked to sign in with GitHub - no YAML strings attached!).

It doesn’t stop here though...

Custom Resource Validation Rules 

Kubernetes 1.25 introduced the concept of Validation Rules - making it possible to specify CEL-based expressions for validating individual properties in your custom resources. Validation rules are added as properties in the JSON Schema of the corresponding CRD for a resource and are enforced by Kubernetes itself during resource admission, removing the need for managing a separate AdmissionController. Some examples (from the documentation):

<table><tr>
  <td><b>Rule</b>

  </td>
  <td><b>Purpose</b>

  </td>
 </tr>
 <tr>
  <td><pre>self.minReplicas <= self.replicas &&
self.replicas <= self.maxReplicas</pre>
  </td>
  <td>Validate that the three fields defining replicas are ordered appropriately

  </td>
 </tr>
 <tr>
  <td><pre>'Available' in self.stateCounts</pre>
  </td>
  <td>Validate that an entry with the 'Available' key exists in a map

  </td>
 </tr>
 <tr>
  <td><pre>self.health.startsWith('ok')</pre>
  </td>
  <td>Validate a 'health' string field has the prefix 'ok'

  </td>
 </tr></table>

While Validation Rules are great for providing basic constraints in your CRDs, developing them is a hassle: 

  • First you have to add the expressions to the JSON Schema in your CRD
  • Next you have to deploy the updated CRD to Kubernetes
  • Now you have to deploy a corresponding resource to see if your rule(s) work as expected.

Very tedious - Monokle to the rescue! Monokle effectively removes the roundtrip currently required to add Validation Rules to your CRDs.:

  • Resource properties that violate a Validation Rule will be highlighted correspondingly in the resource editors and validation panel
  • Adding/updating Validation Rules to a CRD will immediately apply these rules to corresponding resources, allowing for real-time development and troubleshooting of rules - versus having to deploy the CRD to Kubernetes and then deploying a corresponding resource to see if the validation works as expected.

And of course there’s a video to show you this in action:

 

What about Pod Security Standards?

Many of you probably noticed the earlier mention of the Pod Security Standards introduced in Kubernetes 1.25. You might be asking yourself, does Monokle have any built-in support for those? I’m so glad you asked! Not only does Monokle support Pod Security Standards, but the Monokle validation engine offers a dedicated “Pod Security Standards” plugin that allows you to interactively apply – and hotfix (!) many of the rules included in basic and restricted profiles. Obviously, this feature is worthy of its own fanfare, so we wrote a dedicated blog-post to show you how that works - Adopting Pod Security Standards with Monokle.

Alpha Disclaimer

While the above goes a long way in helping you learn and work with ValidatingAdmissionPolicy resources, Monokle doesn’t yet support all related functionality - namely the following advanced features are still being implemented:

  • matchConditions 
  • variable composition 
  • wildcards in resourceRules

(If you find anything else that isn’t working as expected in this context - please let us know!)

That’s it!

Learning a policy framework and creating policies to keep your deployments safe, sound and compliant doesn’t have to be hard and tedious work.We hope that the above addition to our Monokle tooling ecosystem serves to make this task a bit easier and helps you along your journey to better Kubernetes deployments with policies based on the ValidatingAdmissionPolicy standard. 

Please don’t hesitate to reach out and let us know how things are going – ask for help – or suggest improvements, we’d love to hear from you.

Thank you!

Related Content