Validation is no longer optional but a necessity, and it needs to shift left. Empower developers and SREs with better vulnerability detection capabilities and build robust applications with Monokle's GitHub Bot.
Manually enabling validation as part of the development process is a tedious task. It not only keeps validation information confined to the developers but is also prone to policy violations. This problem grows exponentially when working with multiple teams. When you are reviewing PRs from different teams, it is hard to understand and validate the changes in those PRs, especially in the case of Helm and Kustomize. Any miss in policy validation can lead to security and performance issues.
There are measures in place, like having different environments; however, the process of validating a PR is still manual. Nowadays many developers are also working on configuring deployments, and any miss from their end means that the SRE teams are again required to revisit the deployments and ensure they follow the standards. For a smoother and more robust process, we need a smarter and more automated way to review manifest files against a set of policies earlier in the PR process.
Monokle bot is a tool that allows authorized members to add automated validation checks as part of Pull Requests (PRs). It gives both the developer and the SRE enough information right on the PR about the changes and their impact, based on the guidelines and policies laid down. In this blog post, we will see how this bot can be enabled to review a PR and make validation an early part of the pipeline.
Monokle GitHub Bot is programmed to perform automated validation. It integrates validation into the GitHub PR pipeline to enhance the GitOps workflow and automate policy checks. The validation includes standard OPA policies, Kubernetes schema validation, resource link checks, and custom organization policies. These can be configured and enabled along with a criticality level for each.
In Monokle Cloud IDE for Policy Enforcement, you can create a project and add multiple GitHub repositories in it for which you want to enable validation. Monokle supports collaboration by allowing the feature to onboard multiple team members as part of the project. Once the bot is enabled, all the PRs raised by anyone in the team for the repository configured in the project will be automatically validated first. The results can be viewed in the PR on GitHub. The details related to the policies can be viewed in the Monokle Cloud IDE.
Monokle Cloud IDE provides the ability to enable the Monokle GitHub Bot from a lightweight browser-based dashboard. Using the monokle-demo GitHub repository, we will show how to make use of Monokle's architecture to add a repository to Monokle Cloud and enable validation for new PRs.
Monokle organizes your work into workspaces, projects and repositories. Every workspace can have multiple projects and every project can have multiple repositories. Let us understand this with an example. Suppose your organization has multiple products. Monokle helps you control your GitOps workflow by segmenting your workspace, allowing you to create multiple workspaces based on products. You can have a dedicated workspace for each of your products.
A product can have multiple projects, such as a free version and a paid version. Each version can be an individual project that maintains the repositories dedicated to it. Continuing the example above, there can be separate repositories for the UI, backend, and core plugins of the product. An SRE can control access rights to the workspace as well as to each project, so Monokle gives a granular level of control over the repositories. Let us get started with the initial setup.
Each workspace can have multiple projects. Below the workspace name, you can find the text, “1 project available”.
Monokle creates a Default project in the Default workspace at the time of account setup for ease in getting started. Click on Default to view workspace details.
From here, you can create new projects to add repositories to, invite members to this workspace, control your billing, and edit workspace settings such as the workspace name and description.
Monokle adds the selected repository to the project and loads the IDE to show options with which you can configure policies and enable GitHub Bot. So let us go ahead and enable GitHub Bot for the repository to allow PR validation.
Monokle provides standard policies that can be configured to enable validation before deployment. You can also add custom policies tailored to your organization's requirements and enable them. We are going to enable the National Security Agency (NSA) policy, which follows the Kubernetes hardening guidance and meets our organization's standards.
With policies configured, you can now enable the GitHub bot for your repository that will validate any new PR based on the rules mentioned in the policy.
We have selected our product's repository as the one for which the Monokle bot will be enabled. This keeps resource usage efficient by enabling the bot only in the repositories that need it.
Now that the policies are in place and the GitHub bot is enabled, any new PR will be automatically validated by Monokle. This saves a lot of time and manual effort. It also makes better use of an SRE's time, since they can immediately see which policies the changes adhere to and which they violate. Let's go ahead, make some changes, and raise a PR to see how validation works.
Note: Make sure that pop-ups are not blocked in your browser for Monokle.
Monokle GitHub bot has run the validation, and we can see that it reports 7 warnings. Click on the validation check that shows the result to inspect the warnings. GitHub redirects you to Monokle Cloud, where only authorized members of the project can view the warnings and errors.
In the example above, we can see the 7 warnings listed as policy violations in Monokle Cloud. In the Validation Overview section, Monokle lists the file path, the line number that triggered the warning, and the warning message for that line. Click on a warning to open it in the Editor, which shows a Source pane and an Info pane. Monokle highlights the offending line in the Source pane. The Info pane shows the rule that was applied and its details, such as its description, severity level, a hint for fixing it, and more.
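To make concrete what a rule engine like the one described above produces, here is an added example that is not part of the original post and not Monokle's code. It is a small line-oriented checker for a handful of hardening rules in the spirit of the NSA/CISA Kubernetes hardening guidance (privileged containers, host networking, missing `runAsNonRoot`, missing resource limits, and so on); the rule ids, messages, and the two sample manifests are constructed for the example, and real engines such as Monokle or OPA evaluate the parsed object rather than raw lines. Each finding carries the same three things the Validation Overview shows: file path, line number, and message.

```python
import re
from dataclasses import dataclass

# Constructed rule set; ids and wording are this example's own, not Monokle's.
# Patterns that must NOT appear in a workload spec (each match is one finding).
FORBIDDEN = [
    (re.compile(r"^\s*privileged:\s*true\s*$"), "privileged-container", "error",
     "container runs as privileged"),
    (re.compile(r"^\s*hostNetwork:\s*true\s*$"), "host-network", "error",
     "pod shares the host network namespace"),
]
# Settings that MUST appear somewhere in a workload spec (absence is one finding).
REQUIRED = [
    ("runAsNonRoot: true", "run-as-non-root", "warning", "no 'runAsNonRoot: true' in securityContext"),
    ("readOnlyRootFilesystem: true", "read-only-root-fs", "warning", "root filesystem is writable"),
    ("allowPrivilegeEscalation: false", "no-privilege-escalation", "warning",
     "privilege escalation is not disabled"),
    ("limits:", "resource-limits", "warning", "no resource limits set"),
]
WORKLOAD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob", "ReplicaSet"}
KIND_RE = re.compile(r"^kind:\s*(\S+)")


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    message: str


def split_documents(text):
    """Split a multi-document YAML stream into (start_line, lines) pairs, 1-indexed."""
    docs, current, start = [], [], 1
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "---":
            if any(l.strip() for l in current):
                docs.append((start, current))
            current, start = [], n + 1
        else:
            current.append(line)
    if any(l.strip() for l in current):
        docs.append((start, current))
    return docs


def validate_manifest(path, text):
    """Return the list of findings for one manifest file; non-workload kinds are skipped."""
    findings = []
    for start, lines in split_documents(text):
        kind = next((m.group(1) for l in lines for m in [KIND_RE.match(l)] if m), None)
        if kind not in WORKLOAD_KINDS:
            continue
        # Anchor "missing setting" findings at the containers: line, or the document start.
        anchor = next((start + i for i, l in enumerate(lines) if l.strip() == "containers:"), start)
        for i, line in enumerate(lines):
            for pattern, rule, severity, message in FORBIDDEN:
                if pattern.match(line):
                    findings.append(Finding(path, start + i, rule, severity, message))
        for needle, rule, severity, message in REQUIRED:
            if not any(needle in l for l in lines):
                findings.append(Finding(path, anchor, rule, severity, message))
    return findings


def summarize(findings):
    """Count findings per severity, the figure a PR status line would report."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a Deployment that violates several rules, plus an unrelated ConfigMap.
WEAK = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-api
spec:
  template:
    spec:
      hostNetwork: true
      containers:
        - name: api
          image: example.com/demo-api:1.0
          securityContext:
            privileged: true
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-config
data:
  LOG_LEVEL: info
"""

# Constructed sample: the same Deployment with the hardening settings applied.
HARDENED = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-api
spec:
  template:
    spec:
      containers:
        - name: api
          image: example.com/demo-api:1.0
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
"""

if __name__ == "__main__":
    for f in validate_manifest("deploy/demo-api.yaml", WEAK):
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule}: {f.message}")
    print(summarize(validate_manifest("deploy/demo-api.yaml", WEAK)))
    print(validate_manifest("deploy/demo-api.yaml", HARDENED))
```

Running it on the weak manifest reports two errors (lines 8 and 13) and four warnings anchored at the `containers:` line; the hardened manifest produces no findings, which is the state a PR needs to reach before the SRE has nothing left to triage.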
This helps in collaborating with the developers, sharing insights with them, and working on fixes together. SREs can use this audit view to check which validations have failed. To understand the impact of the failures, they can compare the current changes in the PR with the last commit for any manifest. Let us see how to compare manifests.
Monokle provides a feature to compare resources. SREs can compare simple manifests as well as Kustomizations and Helm charts. Monokle can dry-run the resources in the PR and compare the target branch with the last commit using the Kustomization or Helm dry run. SREs can then understand the impact of the changes and suggest the next steps.
For the changes we made in our Kustomize local overlay, we can compare the resources easily using this feature. Click on Compare in Monokle Cloud to compare the target branch "local-overlay" with "main" using the Kustomization dry run. You can also get there directly from the PR by clicking the Compare with `main` in Monokle Cloud option.
Monokle loads all the resources that this kustomization will create and shows a Diff button for the resources that have changed since the last merge. Click on Diff to view the changes.
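The compare step above works on rendered output rather than on source files: both branches are dry-run, the resulting resources are matched up by identity, and only the ones that differ get a diff. The following is an added example that is not part of the original post and not Monokle's code. It takes two rendered multi-document streams (stand-ins for `kustomize build` output of "main" and "local-overlay", constructed inline here), keys each resource by kind and name, and reports added, removed, and changed resources with a unified diff for the changed ones. The branch names in the diff headers are the ones the post uses; the resource identity heuristic (first `name:` at two-space indent is `metadata.name`) is a simplification for the example.

```python
import difflib
import re

KIND_RE = re.compile(r"^kind:\s*(\S+)")
# Assumption for this example: the first name: at two-space indent is metadata.name.
NAME_RE = re.compile(r"^\s{2}name:\s*(\S+)")


def index_resources(rendered):
    """Map (kind, name) -> document text for a rendered multi-document YAML stream."""
    resources = {}
    for doc in rendered.split("\n---\n"):
        doc = doc.strip("\n")
        if not doc.strip():
            continue
        kind = name = None
        for line in doc.splitlines():
            m = KIND_RE.match(line)
            if m:
                kind = m.group(1)
            m = NAME_RE.match(line)
            if m and name is None:
                name = m.group(1)
        resources[(kind, name)] = doc
    return resources


def compare_renders(base, target, base_ref="main", target_ref="local-overlay"):
    """Semantic comparison of two renders: which resources appeared, vanished, or changed."""
    b, t = index_resources(base), index_resources(target)
    result = {"added": sorted(set(t) - set(b)), "removed": sorted(set(b) - set(t)), "changed": {}}
    for key in sorted(set(b) & set(t)):
        if b[key] != t[key]:
            kind, name = key
            diff = difflib.unified_diff(
                b[key].splitlines(), t[key].splitlines(),
                fromfile=f"{base_ref}/{kind}/{name}", tofile=f"{target_ref}/{kind}/{name}",
                lineterm="")
            result["changed"][key] = "\n".join(diff)
    return result


# Constructed sample: what the base branch renders to.
MAIN_RENDER = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-api
spec:
  replicas: 1
  template:
    spec:
      containers:
        - name: api
          image: example.com/demo-api:1.0
---
apiVersion: v1
kind: Service
metadata:
  name: demo-api
spec:
  ports:
    - port: 80
"""

# Constructed sample: the overlay bumps replicas and the image tag, and adds a ConfigMap.
OVERLAY_RENDER = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-api
spec:
  replicas: 2
  template:
    spec:
      containers:
        - name: api
          image: example.com/demo-api:1.1
---
apiVersion: v1
kind: Service
metadata:
  name: demo-api
spec:
  ports:
    - port: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-config
data:
  LOG_LEVEL: debug
"""

if __name__ == "__main__":
    report = compare_renders(MAIN_RENDER, OVERLAY_RENDER)
    print("added:", report["added"], "removed:", report["removed"])
    for key, diff in report["changed"].items():
        print(diff)
```

The Service is identical in both renders, so it gets no diff; only the Deployment shows changed lines, and the new ConfigMap is listed as added. That is the view an SRE wants: not every line the overlay touched, but every rendered resource whose cluster state would change.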
With this, you can easily view the changes line by line, giving you a granular level of control and better visibility of resources. It helps in identifying hidden semantic errors that could otherwise make their way to production, and that would require time-consuming manual debugging to catch. You can configure policies in Monokle Cloud and enable the GitHub Bot to automatically validate all the PRs. Together with the compare feature, Monokle takes a lot of load off the SRE's shoulders.
Monokle is a suite of tools that work together to improve your configuration management capabilities. Along with Monokle Cloud IDE for Policy Enforcement, you can also have similar capabilities that can be executed locally, like Monokle Desktop and the Monokle CLI.
Monokle Cloud IDE for Policy Enforcement allows enabling standard as well as custom policies to validate manifests before deployment. The new Monokle GitHub Bot automates enforcement of the standard policies, making validation an early step in the PR. It takes away most of the manual effort needed in PR review and provides better visibility to authorized teams.
In this blog post, we created a project in Monokle's default workspace and added a repository to it. We configured policies for this repository and automated validation by using the Monokle GitHub Bot. So, whether you're a developer, an SRE doing reviews, or just someone interested in keeping your organization on track, Monokle Cloud IDE for Policy Enforcement is an absolute must-have.
You can also reach out to Monokle Product Leader Ole if you have feedback about how we can make Monokle work better for you, or drop a mail to ole@kubeshop.io for information or assistance. You can also join the conversation with other users on Discord as part of our growing community.