Skip to content

kubeshop/monokle-cli

Repository files navigation

Monokle Logo

Welcome to Monokle CLI

Monokle CLI is a command-line interface for static analysis of Kubernetes resources.

Use it to prevent misconfigurations within Kustomize, Helm or default Kubernetes resources. The output is available as a SARIF file which you can upload to GitHub CodeScan.

Monokle CLI allows for integration with Monokle Cloud and Monokle Enterprise to manage and enforce validation policies centrally for all your repos and pipelines.

You can read more about Monokle CLI features and entire Monokle Ecosystem in announcement blog-post.

Table of contents

Installation

You can install Monokle CLI via npm:

npm install --global @monokle/cli

Or using brew if you're on MacOS:

brew install kubeshop/monokle/monokle-cli

Usage

Monokle CLI exposes following commands:

  • monokle validate [path] - validate Kubernetes resources in a given path.
  • monokle init - generate local configuration file.
  • monokle login - login to Monokle Cloud or Enterprise to use remote policy.
  • monokle logout- logout from Monokle Cloud or Enterprise.
  • monokle whoami - get information about currently authenticated user.
  • monokle config show [path] - show policy configuration file which will be used to validated given path.

You can always use --help argument to get list of all available commands or detailed information about each command.

Validation

Monokle CLI includes built-in validators to provide you with comprehensive validation possibilities for K8s configurations out of the box:

  • Pod Security Standards validation for secure deployments
  • Kubernetes Schema validation to ensure your resource are compliant with their schemas and a target K8s version
  • Resource links validates that reference to other Kubernetes resources are valid.
  • Metadata validation for standard and custom labels/annotations
  • Common practices validation for basic configuration sanity
  • Security policies based on OPA (Open Policy Agent) to reduce your attack surface.
  • YAML Syntax validates that your manifests have correct YAML syntax.

Under the hood it uses [@monokle/validation][https://github.com/kubeshop/monokle-core/tree/main/packages/validation] which allows you to configure validation rules extensively.

Once installed, using the CLI is straight-forward.

Validate a YAML file

monokle validate bundle.yaml

Validate a directory

This will recursively scan all YAML files and parse them as plain Kubernetes resources.

monokle validate k8s-dir

Validate a templated Helm chart

helm template helm-dir | monokle validate -

Validate a Kustomize build

kustomize build kustomize-dir/overlays/local | monokle validate -

Validate using local configuration file

monokle validate path/to/validate -c path/to/config/monokle.validation.yaml

Validate using centralized policy from Monokle Cloud

To use remote policy, you need to login to Monokle CLoud first. This can be done via monokle login command:

monokle login

After that, simply run validate command. Monokle CLI will fetch remote policy based on your user data:

monokle validate path/to/validate

IMPORTANT: Please keep in mind that remote policies needs to be configured first. Please refer to Using with Monokle Cloud section below.

Frameworks

Monokle CLI supports predefined sets of rules called frameworks, which allow you to quickly run Monokle validation without the need for additional configuration. By using a framework, you can easily perform comprehensive validations based on established best practices and industry standards.

When using a framework, you don't have to configure the monokle.validation.yaml file manually. Simply specify the desired framework using the --framework or -f CLI arguments, and Monokle CLI will automatically apply the corresponding set of rules.

Available frameworks:

  • pss-restricted
  • pss-baseline
  • nsa

Using frameworks is an excellent way to get started quickly with Monokle CLI and perform comprehensive validations without the need for extensive configuration.

Here's an example of how to use the --framework argument:

monokle validate k8s-dir --framework pss-restricted

If you prefer a more customized validation, you can still configure the monokle.validation.yaml file with your own rules. The easiest way is to use monokle init command which will guide you through creating custom configuration based on available frameworks.

Generate SARIF analysis

The Monokle CLI can output its results in SARIF format.

monokle validate --output sarif k8s-dir > results.sarif

Afterward you could use VSC's SARIF Viewer or other tools to inspect the results.

Using with Monokle Cloud

To use remote policy with Monokle CLI you will need to create a project and configure policy for it in Monokle Cloud. Start by signing in to Monokle Cloud.

In case of doubts, refer to Getting Started Guide or hit us directly on Discord.

Project setup

After signing up, start by creating a project on Projects page:

Add your repository to your project

After project is created, add a repository (the one you will be working locally with) to a project. This can be done by going to Repositories tab in project view and using Add repository button:

Policy setup

The last step is policy setup. You can use policy wizard by going to Policy tab in project view:

After the setup is done, you can run monokle validate command and it will use remote policy as long as you are logged in.

Using with Monokle Enterprise

Using with Monokle Enterprise (self-hosted) is very similar to usage with Monokle Cloud. The main difference is the origin (URLs) with which Monokle CLI will communicate. This can be set on login or for each command separately (useful for automated scenarios).

monokle login --origin https://monokle.mydomain.com

IMPORTANT: Env variable MONOKLE_ORIGIN can be also used to set origin for logging command. If neither is used, CLI will prompt whenever to use custom origin.

For using --origin flag without logging in, please refer to Using on CI/CD pipelines section below.

Using on CI/CD pipelines

We have dedicated Monokle GitHub Bot to integrate centralized policy management into GitHub CI/CD pipelines which gives tighter integration with Monokle Cloud than using CLI directly.

To use Monokle CLI as part of CI/CD pipeline, it needs to be installed first and then simply run with monokle validate path/to/resources.

The other case is using centrally managed policy from Monokle Cloud in such scenarios. In such, one should use Automation Token (which can be generated via Automation token tab in Workspace view) together with project id from which policy should be used:

monokle validate project/path -t YOUR_AUTOMATION_TOKEN -p PROJECT_ID

Project id can be obtain on Project details page from URL https://app.monokle.com/dashboard/projects/<projectId>.

You can also change origin which will be used to fetch policies from (e.g. when running your own instance of Monokle Enterprise):

monokle validate project/path -t YOUR_AUTOMATION_TOKEN -p PROJECT_ID -r https://monokle.mydomain.com

IMPORTANT: Always remember to keep your API token as secret and pass it to CI/CD jobs the same way as other secrets.

Monokle GitHub Bot

The Monokle GitHub Bot can be used to validate your resources as part of your GitHub CI/CD pipelines. It is integrated with Monokle Cloud out-of-the-box to allow easy centralized policy management.

Monokle GitHub Action

The Monokle GitHub Action can be used to validate your resources as part of your CI/CD pipelines on GitHub. It gives more customizability when it comes to validating Dry Runs results.

If you need something tightly integrated with Monokle Cloud, we recommend using Monokle GitHub Bot.

Configuration

Command-line arguments

You can use --help to access help information directly from the CLI.

@monokle/validation rules

The Monokle CLI looks for a Monokle Validation configuration file at ./monokle.validation.yaml. You can change this by using the --config flag.

All rules are enabled by default and are described in the Monokle Validation configuration documentation.

Example

plugins:
  yaml-syntax: true
  kubernetes-schema: true
rules:
  yaml-syntax/no-bad-alias: "warn"
  yaml-syntax/no-bad-directive: false
  open-policy-agent/no-last-image: "err"
  open-policy-agent/cpu-limit: "err"
  open-policy-agent/memory-limit: "err"
  open-policy-agent/memory-request: "err"
settings:
  kubernetes-schema:
    schemaVersion: v1.24.2

Custom validators

It is easy to extend the Monokle CLI with custom validators that can be shared with others using our Monokle Community Plugins repository.

Docker

You can use the Docker image monokle-cli:latest to run the Monokle CLI in a containerized environment. This can be particularly useful for integrating Monokle into CI/CD pipelines or other automated systems.

To run the Docker image, you can use the docker run command. The Monokle CLI arguments can be passed directly to the Docker run command. For example:

docker run -v /path/to/input:/input -e CONFIG_FILE=my-validation-config.yaml monokle-cli:latest validate /input

In this command:

  • -v /path/to/input:/input mounts a directory from your host system to the /input directory inside the Docker container.
  • -e CONFIG_FILE=my-validation-config.yaml sets an environment variable inside the Docker container. If this environment variable is set, the Docker container will use the specified file as the Monokle validation configuration.
  • validate /input is the command that will be passed to the Monokle CLI. You can replace this with any command you want to run with the Monokle CLI.