GitHub Action

Monokle Validation

v0.3.2 Latest version

Monokle Action analyzes your Kubernetes resources to quickly find misconfigurations

Installation

Copy and paste the following snippet into your .yml file.

```yaml
- name: Monokle Validation
  uses: kubeshop/monokle-action@v0.3.2
```

Learn more about this action in kubeshop/monokle-action

Welcome to Monokle Action

Monokle Action is a GitHub Action for static analysis of Kubernetes resources.

Use it to prevent misconfigurations within Kustomize, Helm or default Kubernetes resources. The output is available as a SARIF file which you can upload to GitHub CodeScan.

Under the hood it uses @monokle/validation which allows you to configure validation rules extensively.

Explore a demo pull request

Usage

Understanding the Action's result

The action reports the problems it finds in your resources.

In the validator configuration you decide, per rule, whether a problem is reported as an error or as a warning.

The action fails when at least one error is found. Warnings alone do not cause a failure, so the pull request can still be merged. This allows for transition periods when you roll out new policies.
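The pass/fail policy above, applied to the SARIF file the action produces, as an added example (not Monokle's own code). The SARIF log is constructed for illustration; its rule ids mirror the example `monokle.validation.yaml` on this page, and the level resolution follows SARIF 2.1.0 (a result's own `level` wins, then the rule's `defaultConfiguration.level`, then `warning`).

```python
# Added example (not Monokle's code): gate a CI job on a SARIF report as the
# page describes: any error-level result fails, warnings alone still pass.
import json
from collections import Counter

# Constructed SARIF 2.1.0 log; rule ids mirror the page's monokle.validation.yaml.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "monokle-validation", "rules": [
            {"id": "open-policy-agent/no-last-image",
             "defaultConfiguration": {"level": "error"}},
            {"id": "yaml-syntax/no-bad-alias",
             "defaultConfiguration": {"level": "warning"}},
            {"id": "open-policy-agent/cpu-limit"},  # no default level
        ]}},
        "results": [
            # No explicit level: SARIF says inherit the rule's default ("error").
            {"ruleId": "open-policy-agent/no-last-image",
             "message": {"text": "Image uses the 'latest' tag"}},
            # An explicit level on the result always wins.
            {"ruleId": "yaml-syntax/no-bad-alias", "level": "warning",
             "message": {"text": "Alias is not defined"}},
            # No level and no rule default: SARIF defaults to "warning".
            {"ruleId": "open-policy-agent/cpu-limit",
             "message": {"text": "CPU limit is not set"}},
        ],
    }],
})

def effective_level(result, rules_by_id):
    """Resolve a result's level: result > rule defaultConfiguration > warning."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def count_levels(sarif_text):
    """Count results per effective level across every run in the log."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules}
        for result in run.get("results", []):
            counts[effective_level(result, by_id)] += 1
    return counts

def should_fail(sarif_text):
    """Mirror the action's policy: fail only when an error-level result exists."""
    return count_levels(sarif_text)["error"] > 0
```

Running `should_fail(SAMPLE_SARIF)` returns `True` because the `no-last-image` finding resolves to `error`; the two `warning` results alone would not fail the job.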

Validate the output of Kustomize

```yaml
on: push

jobs:
  validate:
    name: Validate Kustomize with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/k8s-bake@v2.2
        with:
          renderEngine: "kustomize"
          kustomizationPath: "./kustomize-happy-cms/overlays/local"
      - id: validate
        uses: kubeshop/monokle-action@v0.2.0
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}
```

Validate the output of Helm

```yaml
on: push

jobs:
  validate:
    name: Validate Helm with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/k8s-bake@v2.2
        with:
          renderEngine: "helm"
          helmChart: "./helm-yellow-wordpress"
      - id: validate
        uses: kubeshop/monokle-action@v0.2.0
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}
```

Validate default Kubernetes resources

```yaml
on: push

jobs:
  validate:
    name: Validate Kubernetes resources with Monokle
    runs-on: ubuntu-latest
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: validate
        uses: kubeshop/monokle-action@v0.2.0
        with:
          path: __path_to_file_or_directory_with_kubernetes_yaml_files__
```

Validate and upload to GitHub CodeScan

```yaml
on: push

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    name: Validate Kustomize with Monokle
    steps:
      - id: checkout
        uses: actions/checkout@master
      - id: bake
        uses: azure/k8s-bake@v2.2
        with:
          renderEngine: "kustomize"
          kustomizationPath: "./kustomize-happy-cms/overlays/local"
      - id: validate
        uses: kubeshop/monokle-action@v0.2.0
        with:
          path: ${{ steps.bake.outputs.manifestsBundle }}
      - id: upload-sarif
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.validate.outputs.sarif }}
```

Configuration

Action inputs

- `path`: Relative path to a directory or a YAML file with Kubernetes resources.
- `config`: Relative path to the Monokle validation configuration file.

@monokle/validation rules

The Monokle Action looks for a Monokle Validation configuration file. By default it reads ./monokle.validation.yaml; use the `config` input to point it elsewhere.

Learn more about Monokle Validation configuration

Example

```yaml
plugins:
  yaml-syntax: true
  kubernetes-schema: true
rules:
  yaml-syntax/no-bad-alias: "warn"
  yaml-syntax/no-bad-directive: false
  open-policy-agent/no-last-image: "err"
  open-policy-agent/cpu-limit: "err"
  open-policy-agent/memory-limit: "err"
  open-policy-agent/memory-request: "err"
settings:
  kubernetes-schema:
    schemaVersion: v1.24.2
```