GitHub Action
Monokle Validation
Monokle Action is a GitHub Action for static analysis of Kubernetes resources.
Use it to prevent misconfigurations within Kustomize, Helm or default Kubernetes resources. The output is available as a SARIF file which you can upload to GitHub CodeScan.
Under the hood it uses @monokle/validation which allows you to configure validation rules extensively.
The action will find problems for you.
You can configure the validator whether a problem is an error or a warning.
The action fails when at least one error is found. Only warnings will not result in a failure and allow you to still merge. This allows for transition periods in your policies.
on: push
jobs:
validate:
name: Validate Kustomize with Monokle
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@master
- id: bake
uses: azure/k8s-bake@v2.2
with:
renderEngine: "kustomize"
kustomizationPath: "./kustomize-happy-cms/overlays/local"
- id: validate
uses: kubeshop/monokle-action@v0.2.0
with:
path: ${{ steps.bake.outputs.manifestsBundle }}
on: push
jobs:
validate:
name: Validate Helm with Monokle
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@master
- id: bake
uses: azure/k8s-bake@v2.2
with:
renderEngine: "helm"
helmChart: "./helm-yellow-wordpress"
- id: validate
uses: kubeshop/monokle-action@v0.2.0
with:
path: ${{ steps.bake.outputs.manifestsBundle }}
on: push
jobs:
validate:
name: Validate Kubernetes resources with Monokle
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@master
- id: validate
uses: kubeshop/monokle-action@v0.2.0
with:
path: __path_to_file_or_directory_with_kubernetes_yaml_files__
on: push
jobs:
validate:
runs-on: ubuntu-latest
permissions:
security-events: write
name: Validate Kustomize with Monokle
steps:
- id: checkout
uses: actions/checkout@master
- id: bake
uses: azure/k8s-bake@v2.2
with:
renderEngine: "kustomize"
kustomizationPath: "./kustomize-happy-cms/overlays/local"
- id: validate
uses: kubeshop/monokle-action@v0.2.0
with:
path: ${{ steps.bake.outputs.manifestsBundle }}
- id: upload-sarif
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.validate.outputs.sarif }}
[path] Relative path to a directory or a YAML file with Kubernetes resources.
[config] Relative path to the Monokle validation configuration file.
The Monokle Action looks for a Monokle Validation configuration.
The default path is found at ./monokle.validation.yaml
.
Learn more about Monokle Validation configuration
Example
plugins:
yaml-syntax: true
kubernetes-schema: true
rules:
yaml-syntax/no-bad-alias: "warn"
yaml-syntax/no-bad-directive: false
open-policy-agent/no-last-image: "err"
open-policy-agent/cpu-limit: "err"
open-policy-agent/memory-limit: "err"
open-policy-agent/memory-request: "err"
settings:
kubernetes-schema:
schemaVersion: v1.24.2