Welcome to Monokle Action

Monokle Action is a GitHub Action for static analysis of Kubernetes resources.

Use it to prevent misconfigurations within Kustomize, Helm or default Kubernetes resources. The output is available as a SARIF file which you can upload to GitHub CodeScan.

Under the hood it uses @monokle/validation which allows you to configure validation rules extensively.

Explore a demo pull request

Table of content

• Usage
  • Understanding the Action's result
  • Validate the output of Kustomize
  • Validate the output of Helm
  • Validate default Kubernetes resources
  • Validate and upload to GitHub CodeScan
• Configuration
  • Action inputs
  • @monokle/validation rules

Usage

Understanding the Action's result

The action will find problems for you.

You can configure the validator whether a problem is an error or a warning.

The action fails when at least one error is found. Only warnings will not result in a failure and allow you to still merge. This allows for transition periods in your policies.

Validate the output of Kustomize

on: push

jobs:
  validate:
    name: Validate Kustomize with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/[email protected]
        with:
          renderEngine: "kustomize"
          kustomizationPath: "./kustomize-happy-cms/overlays/local"
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}

Validate the output of Helm

on: push

jobs:
  validate:
    name: Validate Helm with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/[email protected]
        with:
          renderEngine: "helm"
          helmChart: "./helm-yellow-wordpress"
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}

Validate default Kubernetes resources

on: push

jobs:
  validate:
    name: Validate Kubernetes resources with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: __path_to_file_or_directory_with_kubernetes_yaml_files__

Validate and upload to GitHub CodeScan

on: push

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    name: Validate Kustomize with Monokle
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/[email protected]
        with:
          renderEngine: "kustomize"
          kustomizationPath: "./kustomize-happy-cms/overlays/local"
      - id: validate
        uses: kubeshop/[email protected]
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}
      - id: upload-sarif
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.validate.outputs.sarif }}

Configuration

Action inputs

[path] Relative path to a directory or a YAML file with Kubernetes resources.

[config] Relative path to the Monokle validation configuration file.

@monokle/validation rules

The Monokle Action looks for a Monokle Validation configuration.

The default path is found at ./monokle.validation.yaml.

Learn more about Monokle Validation configuration

Example

plugins:
  yaml-syntax: true
  kubernetes-schema: true
rules:
  yaml-syntax/no-bad-alias: "warn"
  yaml-syntax/no-bad-directive: false
  open-policy-agent/no-last-image: "err"
  open-policy-agent/cpu-limit: "err"
  open-policy-agent/memory-limit: "err"
  open-policy-agent/memory-request: "err"
settings:
  kubernetes-schema:
    schemaVersion: v1.24.2