Monokle: Kubernetes Policies Made Easy
Getting started with Kubernetes is a handful. From (re)learning how to architect an application for cloud native infrastructures to coming to grips with a declarative and mostly YAML-driven approach to application configuration, the Kubernetes adoption process is full of challenges that are difficult to overcome.
Maybe the most challenging, if not to say urgent, obstacle occurs when you discover that not all YAML is created equal, secure or compliant. Introducing a tool to help you and your team(s) by providing guardrails for correctly crafting YAML configurations from the get-go becomes essential to adoption success.
Initially, you might opt for linting tools, or IDE plugins to help you with your YAML crafting, but you’ll realize that enforcing configuration rules (or “policies”) locally isn’t enough as configurations can easily “slip between the cracks” and end up in your git repo or cluster without being locally validated, resulting in another tedious debugging session.
Or you might start by installing a dedicated policy tool in your cluster, like Kyverno or OPA Gatekeeper. But quickly you’ll find out that although these tools are powerful, they aren’t made for someone new to Kubernetes who just wants to get basic security policies into place. You’ll end up having to learn more YAML and their respective “policy languages” before you get some basic policies into place.
What you really need is a policy solution that gets you and your team started with common-sense security policies and best practices across the entire development life cycle in a quick and straightforward way without having to learn a new policy language, but with advanced features that you can grow into as you continue to mature on your Kubernetes journey.
What Is Monokle?
Monokle is a comprehensive open source platform for Kubernetes policy enforcement. Monokle greatly simplifies the tasks of:
- Defining and managing configuration policies.
- Enforcing policies across the entire development life cycle.
- Identifying and fixing misconfigurations in your code and clusters.
To achieve this, the Monokle platform provides three sets of tools:
1. Policy enforcement tools that you can use across the development life cycle to check your YAML configurations against your defined policies. They include:
- Monokle VS-Code Extension
- Monokle CLI
- Monokle GitHub Bot and Action
- Monokle Admission Controller
- Monokle Desktop
2. Policy management console
- A browser-based console used to manage and track the policies that will be used in the enforcement points listed above.
- Monokle Cloud runs the console in the cloud.
- Monokle Enterprise is an on-premises deployment of Monokle Cloud, with single sign-on integration capabilities.
3. Configuration IDEs
- Visual developer tools dedicated to identifying and fixing misconfigurations in your configurations and clusters.
- Monokle Desktop
- Monokle Web IDE (part of Monokle Cloud)
80+ Configuration Policy Rules — No Coding Required
Monokle comes with more than 80 policy rules out of the box, with no need to learn any policy languages to get started. The included rules are all you would expect of a modern policy platform:
- Security rules to ensure that your deployments don’t expose an exploitable attack surface, including compliance with NSA/CIS frameworks.
- Resource usage to ensure that your applications make use of resources correctly.
- Resource metadata to ensure that your resources have the correct metadata.
- Kubernetes version compliance to validate compliance with target Kubernetes versions.
- Resource links to ensure that resources don’t refer to invalid/unknown peer resources.
If these don’t cover your validation needs, creating custom policies is of course possible (more on that below).
Policy Enforcement Everywhere
Monokle makes it easy to enforce your policies across the entire development life cycle:
- The VS-Code extension integrates real-time misconfiguration detection in your local development workflows.
- The Monokle CLI allows you to validate your YAML configurations locally or as part of your CI/CD/GitOps workflows.
- The Monokle GitHub App/Bot integrates policy enforcement into your GitHub pull request and build workflows.
- The Admission Controller enforces Monokle policies in your clusters, ensuring that no misconfigurations slip through the cracks on their way to deployment.
All these tools can be run either standalone or integrated with Monokle Cloud to ensure that the same policies are enforced across all your teams and workflows.
Centralized Policy Management
While all the above-mentioned tools can be used standalone, tying them together into a coherent policy platform with Monokle Cloud is where you can make big gains in the consistent use of policies across your development workflows. Not only does Monokle Cloud allow you to quickly define, manage and distribute policies across your projects, repositories and clusters, but it also provides a browser-based IDE and a wealth of advanced features to help you make the most of your policies going forward.
Configuration IDEs to Save You Time
Monokle includes both browser and desktop versions of a configuration-focused IDE, with a wealth of features geared toward misconfiguration detection and remediation, including:
- Hot fixes – one-click action to fix common misconfiguration errors (Monokle Cloud).
- Real-time policy development – develop ValidatingAdmissionPolicies and see their impact in real time.
- Dry-runs – perform dry-runs of Kustomize overlays and Helm charts to validate their output and compare them to deployed applications.
- Cluster inspection – inspect your clusters for misconfigurations and fix them in real time if needed (Monokle Desktop).
- And much more.
Policy Powers at Your Fingertips
Although Monokle strives to make basic policy-related tasks easy, it also understands and embraces more advanced needs and workflows related to policy management in a complex and evolving application infrastructure.
It is a common need to be able to suppress individual rules for specific resources, for example, certain pods might need to be able to act as root or access the file system of their container to do their work. Monokle Cloud provides a point-and-click approach to suppressing desired misconfigurations, including an approval-based workflow where administrators can ensure that only authorized suppressions are allowed.
If the built-in rule library isn’t enough you can, of course, craft your own validator plugins using Monokle’s plugin-development tooling. For example, you might want to enforce conventions for custom resource definitions (CRDs) being used in your application infrastructure. When installed in Monokle Cloud, custom validation plugins are automatically distributed to all aforementioned enforcement points (VS Code, CLI, cluster), making it easy to ensure that everyone is using the right version of custom validation plugins and their corresponding rules.
Tracking misconfigurations over time in your git repositories helps you both detect unexpected diversions from a steady path to zero misconfigurations and keep track of your team’s progress in improving the quality of your YAML configurations.
When applying policies to different runtime namespaces/clusters it’s common to need to enforce a “base policy” across all of them and then overlay namespace/cluster-specific policies. Monokle allows you to achieve this, either manually or through the point-and-click interface available in Monokle Cloud, making advanced policy enforcement scenarios both possible and easy to put in place.
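To make the two mechanisms above concrete (approval-gated rule suppression for pods that legitimately need root or host filesystem access, and a base policy overlaid with namespace-specific rules), here is an added, hypothetical illustration; it is not Monokle’s engine or policy format, and the rule names, the `policy.example/suppress` annotation and the sample pods are all constructed for the example.

```python
"""Policy evaluation with approved suppressions and per-namespace overlays.
Hypothetical illustration of the workflow described above, not Monokle's engine."""
from typing import Callable

# Each rule returns True when the pod violates it.
def runs_as_root(pod: dict) -> bool:
    return not pod["spec"].get("securityContext", {}).get("runAsNonRoot", False)

def mounts_host_path(pod: dict) -> bool:
    return any("hostPath" in v for v in pod["spec"].get("volumes", []))

RULES: dict[str, Callable[[dict], bool]] = {"no-root": runs_as_root,
                                            "no-host-path": mounts_host_path}

BASE_POLICY = {"no-root"}  # enforced in every namespace
NAMESPACE_OVERLAYS = {"monitoring": {"add": {"no-host-path"}},  # stricter
                      "sandbox": {"remove": {"no-root"}}}       # relaxed
# Suppressions an administrator has approved: (namespace, pod name) -> rules.
APPROVED_SUPPRESSIONS = {("monitoring", "node-exporter"): {"no-root", "no-host-path"}}
SUPPRESS_ANNOTATION = "policy.example/suppress"  # hypothetical annotation key

def effective_rules(namespace: str) -> set[str]:
    overlay = NAMESPACE_OVERLAYS.get(namespace, {})
    return (BASE_POLICY | overlay.get("add", set())) - overlay.get("remove", set())

def evaluate(pod: dict) -> dict:
    meta = pod["metadata"]
    ns, name = meta.get("namespace", "default"), meta["name"]
    requested = {r for r in meta.get("annotations", {}).get(SUPPRESS_ANNOTATION, "").split(",") if r}
    approved = APPROVED_SUPPRESSIONS.get((ns, name), set())
    result = {"violations": [], "suppressed": [], "unapproved": sorted(requested - approved)}
    for rule in sorted(effective_rules(ns)):
        if RULES[rule](pod):  # only an approved suppression silences a real violation
            result["suppressed" if rule in requested & approved else "violations"].append(rule)
    return result

# Constructed sample manifests as parsed dicts (no YAML library needed).
NODE_EXPORTER = {"metadata": {"name": "node-exporter", "namespace": "monitoring",
                              "annotations": {SUPPRESS_ANNOTATION: "no-root,no-host-path"}},
                 "spec": {"volumes": [{"name": "sys", "hostPath": {"path": "/sys"}}]}}
WEB = {"metadata": {"name": "web", "namespace": "prod",
                    "annotations": {SUPPRESS_ANNOTATION: "no-root"}},  # asked, never approved
       "spec": {"securityContext": {"runAsNonRoot": False}}}

if __name__ == "__main__":
    for pod in (NODE_EXPORTER, WEB):
        print(pod["metadata"]["name"], evaluate(pod))
```

The unapproved request on the `web` pod is reported rather than honored, which is the point of routing suppressions through an approval step.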
Helm/Kustomize Dry-Run Validations
Using a tool like Helm or Kustomize to template and generate large sets of Kubernetes resources is a common approach to scaling application configurations to different environments with different requirements. Just as with vanilla YAML configurations, Monokle allows you to validate the output of these tools as part of your local or CI/CD workflows, ensuring that the generated manifests comply with your policies before they get committed to source control or deployed to your clusters.
Embracing Open Source
All Monokle enforcement-point tooling and the core validation plugin framework are open source, MIT licensed and available on GitHub. Using these tools separately without the centralized policy management and extra features provided by Monokle Cloud is a great way to “kick the tires” of the Monokle validation engine and ecosystem before tying them into a coherent solution with Monokle Cloud to roll out across your organization.
Is Monokle for You?
There is one way to find out: Give it a try!
- Sign in to Monokle Cloud to try the Policy Management functionality and Cloud IDE.
- Get the VS Code extension on the Marketplace.
- Download Monokle Desktop from GitHub.
- Install the Admission Controller from within Monokle Cloud or standalone via GitHub.
- Try the Monokle CLI from GitHub.
Confused? Intrigued? Reach out to us for a discussion or demo on how Monokle can help you tackle the complexities of Kubernetes Policies.