
Validating Resources

Monokle automatically validates all resources against the corresponding Kubernetes 1.22.1 schemas. In the Navigator, a resource that fails validation is shown with a red error icon. A resource with a broken link is shown with a yellow triangle.

Resource Validation

You will see the number of both link and syntax validation errors in resources at the top of the Navigator:

Link and Syntax Errors

Click on the yellow triangle to see a list of the broken links in the current resources:

Link Errors

Click on the red circle to see a list of syntax errors in the current resources:

Syntax Errors

Clicking on any item in the broken link or syntax error list will locate the file where the error exists in the Navigator and open the source in the Editor.

The same functionality is available from the error icons shown next to the file names in the Navigator:

Link and Syntax Icons

Hover on the error icon to check the error details and see the corresponding line in the Editor:

Resource Error Popup
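The following is an added example, not Monokle's own code: a simplified cross-resource link check of the kind that produces the yellow "broken link" warnings described above. It resolves ConfigMap and Secret references from a workload's pod template and Service selectors against pod-template labels, and honours `optional: true` on a reference so that an intentionally absent object is not reported. The sample resources are constructed for the example; how Monokle itself resolves links is not shown on this page.

```python
"""Link validation between Kubernetes resources (added example, not Monokle code).

References checked:
  - envFrom.configMapRef / envFrom.secretRef in containers and initContainers
  - configMap / secret volumes
  - Service spec.selector against workload pod-template labels
"""

WORKLOAD_KINDS = ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job")


def _pod_spec(resource):
    spec = resource.get("spec", {})
    return spec if resource["kind"] == "Pod" else spec.get("template", {}).get("spec", {})


def _pod_labels(resource):
    if resource["kind"] == "Pod":
        return resource.get("metadata", {}).get("labels", {})
    return resource["spec"].get("template", {}).get("metadata", {}).get("labels", {})


def find_broken_links(resources):
    """Return (source, target kind, target name) for every reference that resolves to nothing."""
    names = {}
    for r in resources:
        names.setdefault(r["kind"], set()).add(r["metadata"]["name"])

    broken = []

    def expect(source, kind, name, optional=False):
        # `optional: true` on a configMapRef/secretRef/volume means a missing
        # object is legitimate, so it is not a broken link.
        if not optional and name not in names.get(kind, set()):
            broken.append((source, kind, name))

    for r in resources:
        source = f'{r["kind"]}/{r["metadata"]["name"]}'
        if r["kind"] in WORKLOAD_KINDS:
            pod = _pod_spec(r)
            for c in pod.get("containers", []) + pod.get("initContainers", []):
                for ref in c.get("envFrom", []):
                    if "configMapRef" in ref:
                        cm = ref["configMapRef"]
                        expect(source, "ConfigMap", cm["name"], cm.get("optional", False))
                    if "secretRef" in ref:
                        sr = ref["secretRef"]
                        expect(source, "Secret", sr["name"], sr.get("optional", False))
            for v in pod.get("volumes", []):
                if "configMap" in v:
                    expect(source, "ConfigMap", v["configMap"]["name"],
                           v["configMap"].get("optional", False))
                if "secret" in v:
                    expect(source, "Secret", v["secret"]["secretName"],
                           v["secret"].get("optional", False))
        elif r["kind"] == "Service":
            selector = r["spec"].get("selector", {})
            # A Service is "linked" if some workload's pod-template labels contain the selector.
            matched = any(
                selector.items() <= _pod_labels(w).items()
                for w in resources if w["kind"] in WORKLOAD_KINDS
            )
            if selector and not matched:
                pretty = ",".join(f"{k}={v}" for k, v in sorted(selector.items()))
                broken.append((source, "selector", pretty))
    return broken


# Constructed sample: the ConfigMap exists, the Secret "db-creds" does not,
# the TLS Secret is optional, and Service "api" selects labels nothing carries.
RESOURCES = [
    {"kind": "ConfigMap", "metadata": {"name": "app-config"}, "data": {}},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {
         "metadata": {"labels": {"app": "web"}},
         "spec": {"containers": [{"name": "web", "image": "nginx:1.21.6",
                                  "envFrom": [{"configMapRef": {"name": "app-config"}},
                                              {"secretRef": {"name": "db-creds"}}]}],
                  "volumes": [{"name": "tls",
                               "secret": {"secretName": "tls-cert", "optional": True}}]}}}},
    {"kind": "Service", "metadata": {"name": "web"}, "spec": {"selector": {"app": "web"}}},
    {"kind": "Service", "metadata": {"name": "api"}, "spec": {"selector": {"app": "api"}}},
]

if __name__ == "__main__":
    for source, kind, name in find_broken_links(RESOURCES):
        print(f"{source}: broken link to {kind} {name}")
```

Running the block reports the missing Secret referenced by the Deployment and the Service whose selector matches no pod template; the optional TLS Secret is silently accepted.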

Inspecting Policy Errors

Monokle now integrates with the Open Policy Agent and is able to use Rego policies to validate your resources. This means that validation now goes beyond syntax validation and also ensures that semantics are correct. For example, you can enable a policy that ensures that images no longer use the ':latest' tag.

Let's have a look at how you would configure and remediate violations.

When you look at the left sidebar, you will notice that a new icon is available for resource validation. Clicking on the icon will open a drawer:

Open validation drawer

This is the new home for all modules related to validation. Continue by clicking on the Open Policy Agent integration and you will see a set of rules:

Open OPA drawer

Here you can familiarize yourself with the rules that are available. We recommend enabling all of them and afterwards disabling those that generate too much noise for your use cases.

Great! Policy validation is now enabled. Policy errors have the same behavior as syntax errors. This means that you will see a red error icon appear whenever a violation is detected.

Policy error navigator

After opening the resource in your editor, you will notice that the error is also marked in the gutter and highlighted. Hovering over the error will show you help on how to remediate the violation. Use this information to directly edit your resource and the errors will disappear in real time.

Policy error editor

Policy rules

A big shout out to the DefSec team at Aqua Security as full credit for these rules goes to them. You can find the source of the Rego policies here.

An overview of available rules:

| Rule   | Description                                | Severity |
|--------|--------------------------------------------|----------|
| KSV001 | Process can elevate its own privileges     | medium   |
| KSV002 | Default AppArmor profile not set           | medium   |
| KSV003 | Default capabilities not dropped           | low      |
| KSV005 | SYS_ADMIN capability added                 | high     |
| KSV006 | hostPath volume mounted with docker.sock   | high     |
| KSV008 | Access to host IPC namespace               | high     |
| KSV009 | Access to host network                     | high     |
| KSV010 | Access to host PID                         | high     |
| KSV011 | CPU not limited                            | low      |
| KSV012 | Runs as root user                          | medium   |
| KSV013 | Image tag ':latest' used                   | low      |
| KSV014 | Root file system is not read-only          | low      |
| KSV015 | CPU requests not specified                 | low      |
| KSV016 | Memory requests not specified              | low      |
| KSV017 | Privileged container                       | high     |
| KSV018 | Memory not limited                         | low      |
| KSV020 | Runs with low user ID                      | low      |
| KSV021 | Runs with low group ID                     | medium   |
| KSV023 | hostPath volumes mounted                   | medium   |
| KSV024 | Access to host ports                       | high     |
| KSV025 | SELinux custom options set                 | medium   |
| KSV027 | Non-default /proc masks set                | medium   |
| KSV028 | Non-ephemeral volume types used            | low      |
| KSV029 | A root primary or supplementary GID set    | low      |
| KSV030 | Default Seccomp profile not set            | low      |
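To make concrete what "semantic" validation adds over schema validation (including the ':latest' tag example mentioned earlier), here is an added Python example that re-implements the intent of six of the rules above (KSV011, KSV012, KSV013, KSV014, KSV017, KSV018) over a plain manifest. It is not the DefSec Rego source and not Monokle's evaluator; the rule ids, descriptions and severities are taken from the table, while the matching logic is my own simplified reading of each description. The two Deployments are constructed samples, one unhardened and one that passes every check.

```python
"""Policy checks in the spirit of the KSV rules (added example, not DefSec's Rego
and not Monokle's evaluator). Each check below is a simplified reading of the
rule description in the table; the real Rego rules may differ in detail.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    container: str
    message: str


def _pod_spec(resource):
    spec = resource.get("spec", {})
    if resource.get("kind") == "Pod":
        return spec
    # Deployment, StatefulSet, DaemonSet, Job: pod template lives under spec.template
    return spec.get("template", {}).get("spec", {})


def _uses_latest(image):
    # Only the last path segment of an image reference can carry a tag or digest;
    # a colon earlier on (registry port) is not a tag.
    last = image.rsplit("/", 1)[-1]
    if "@" in last:          # pinned by digest: immutable, never "latest"
        return False
    if ":" not in last:      # no tag at all: the registry resolves this to :latest
        return True
    return last.rsplit(":", 1)[1] == "latest"


def _runs_as_root(pod_sc, container_sc):
    # Container-level securityContext overrides the pod-level one.
    for sc in (container_sc, pod_sc):
        if sc.get("runAsNonRoot") is True:
            return False
        if "runAsUser" in sc:
            return int(sc["runAsUser"]) == 0
    return True  # nothing declared: the image's default user applies, commonly root


def evaluate(resource):
    """Return all findings for one workload resource, in rule-id order per container."""
    pod = _pod_spec(resource)
    pod_sc = pod.get("securityContext", {})
    findings = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})

        def add(rule, severity, message):
            findings.append(Finding(rule, severity, name, message))

        if "cpu" not in limits:
            add("KSV011", "low", "CPU not limited")
        if _runs_as_root(pod_sc, sc):
            add("KSV012", "medium", "Runs as root user")
        if _uses_latest(c.get("image", "")):
            add("KSV013", "low", "Image tag ':latest' used")
        if sc.get("readOnlyRootFilesystem") is not True:
            add("KSV014", "low", "Root file system is not read-only")
        if sc.get("privileged") is True:
            add("KSV017", "high", "Privileged container")
        if "memory" not in limits:
            add("KSV018", "low", "Memory not limited")
    return findings


# Constructed samples: an unhardened Deployment and a remediated copy of it.
INSECURE = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:latest",
         "securityContext": {"privileged": True}},
    ]}}},
}

HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:1.21.6",
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
         "securityContext": {"privileged": False, "runAsNonRoot": True,
                             "runAsUser": 10001, "readOnlyRootFilesystem": True}},
    ]}}},
}

if __name__ == "__main__":
    for f in evaluate(INSECURE):
        print(f"{f.rule} [{f.severity}] {f.container}: {f.message}")
```

Both manifests are valid against the Kubernetes schema, which is exactly why a schema-only check passes the first one; the policy layer is what separates them.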

Policy validation FAQ

How does it work?

Under the hood, Rego policies are compiled to WebAssembly. Monokle uses the opa-wasm NPM module to load the policy and evaluate your resources in real time.

Can I use this with Helm and Kustomize?

No, in this first release only vanilla Kubernetes resources are validated. Let us know if this is something you need by liking our related Helm and Kustomize GitHub issue.

Can I use my own Rego policies?

No, currently only a set of preconfigured rules is available. We are considering policy plugins or an OPA Gatekeeper integration, feel free to let us know if this is something you'd like!