Skip to main content

Validating Resources

Monokle Desktop automatically validates all resources of the corresponding Kubernetes 1.22.1 schemas. In the Navigator, a resource that is not validated is shown in red. A resource with a broken link is shown in yellow.

Resource Validation

You will see the number of both link and syntax validation errors in resources at the top of the Navigator:

Link and Syntax Errors

Clicking on any item in the broken link or syntax error list will locate the file where the error exits in the Navigator and open the source in the Editor.

Hover on the error icon to check the error details and see the corresponding line in the Editor:

Resource Error Popup

Inspecting Policy Errors

Monokle Desktop integrates with the Open Policy Agent and can use Rego policies to validate your resources. This means that validation now goes beyond syntax validation and also ensures that semantics are correct. For example, you can enable a policy that ensures that images no longer use the latest tag.

Let's have a look at how you would configure and remediate violations.

When you look at the left sidebar, you will notice that a new icon is available for resource validation. Clicking on the icon will open a drawer:

Open validation drawer

This is the new home for all modules related to validation. Continue by clicking on the Open Policy Agent integration and you will see a set of rules:

Open OPA drawer

Here you can familiarize yourself with the available rules. We recommend enabling all of them and afterwards disabling those that generate too much noise for your use cases.

Great! Policy validation is now enabled. Policy errors have the same behavior as syntax errors. This means that you will see a red error icon appear whenever a violation is detected.

Policy error navigator

After opening the resource in your editor, you will notice that the error is also marked in the gutter and highlighted. Hovering over the error will show you help on how to remediate the violation. Use this information to directly edit your resource and the errors will disappear in real-time.

Policy error editor

Policy Rules

A big shout out to the DefSec team at Aqua Security as full credit for these rules goes to them. You can find the source of the Rego policies here.

An overview of available rules:

KSV001Process can elevate its own privilegesmedium
KSV002Default AppArmor profile not setmedium
KSV003Default capabilities not droppedlow
KSV005SYS_ADMIN capability addedhigh
KSV006hostPath volume mounted with docker.sockhigh
KSV008Access to host IPC namespacehigh
KSV009Access to host networkhigh
KSV010Access to host PIDhigh
KSV011CPU not limitedlow
KSV012Runs as root usermedium
KSV013Image tag ':latest' usedlow
KSV014Root file system is not read-onlylow
KSV015CPU requests not specifiedlow
KSV016Memory requests not specifiedlow
KSV017Privileged containerhigh
KSV018Memory not limitedlow
KSV020Runs with low user IDlow
KSV021Runs with low group IDmedium
KSV023hostPath volumes mountedmedium
KSV024Access to host portshigh
KSV025SELinux custom options setmedium
KSV027Non-default /proc masks setmedium
KSV028Non-ephemeral volume types usedlow
KSV029A root primary or supplementary GID setlow
KSV030Default Seccomp profile not setlow

Policy Validation FAQ

How does it work?

Under the hood, Rego policies are compiled to web assembly. Monokle Desktop uses the opa-wasm NPM module to load the policy and evaluate your resources in real-time.

Can I use this with Helm and Kustomize?

No, in this first release only vanilla Kubernetes resources are validated. Let us know if this is something you need by liking our related Helm and Kustomize GitHub issues.

Can I use my own Rego policies?

No, currently only a set of preconfigured rules is available. We are considering policy plugins or an OPA Gatekeeper integration, feel free to let us know if this is something you'd like!