Datree is an open-source CLI tool that helps Kubernetes admins define the policies they want their team to follow. This helps prevent errors in Kubernetes configurations which may lead to the failure of clusters in production.
Normally, Datree works by running automatic checks on code changes for rule violations and misconfigurations. Whenever violations or misconfigurations are found, it provides an alert that guides the developer on how to fix the issue.
Below is a diagram illustrating the Datree architecture.
Datree offers the following benefits to admins:
- Enable restrictions management: Manage restrictions in one dedicated place across the entire organization. The admins have full power to control the systems.
- Enforce policy restrictions on development: Restrictions are enforced before being applied to the cluster. Developers are alerted early when misconfigurations occur, so they can catch mistakes before the code moves to production.
- Educate about best practices: Best practices involve reviewing, fencing, and future-proofing all possible pitfalls in current and future use cases. Datree comes with Kubernetes best practices built in, so no human observation is required.
- DevOps culture: Datree provides mechanisms similar to other development tools, such as unit tests. This makes it easy to use, since developers are already familiar with them. These tools are used to cultivate the DevOps culture.
By following this guide, you should be able to perform security checks on Kubernetes manifests and Helm charts using Datree.
Getting Started.
This guide requires the following packages to be installed.
### CentOS / RHEL ###
sudo yum -y install vim curl wget unzip
### Debian / Ubuntu ###
sudo apt update
sudo apt install -y vim curl wget unzip
### Fedora ###
sudo dnf -y install vim curl wget unzip
#1. Install Datree on your System
Installing Datree on Linux/macOS systems is as easy as robbing a child’s bank. All you have to do is execute the below command:
curl https://get.datree.io | /bin/bash
Execution Output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1736 100 1736 0 0 36936 0 --:--:-- --:--:-- --:--:-- 36936
Installing Datree...
[V] Downloaded Datree
[V] Finished Installation
Usage: $ datree test ~/.datree/k8s-demo.yaml
Using Helm? => https://github.com/datreeio/helm-datree
Using Kustomize? => https://hub.datree.io/kustomize-support
Run 'datree completion -h' to learn how to generate shell autocompletions
On Windows, execute the command below in PowerShell to install Datree:
iwr -useb https://get.datree.io/windows_install.ps1 | iex
The above commands install the latest Datree release. There are other installation options such as:
- Using Homebrew:
brew tap datreeio/datree
brew install datreeio/datree/datree
- Using Docker:
docker pull datree/datree
Verify the installation.
$ datree version
1.4.3
#2. Use Datree to Scan Kubernetes manifest files
Once installed, you can easily use Datree to perform security checks on Kubernetes manifests.
The syntax used is:
datree test [k8s-manifest-file]
When the check is run, it passes through 3 main validations:
- YAML validation
- Kubernetes schema validation
- Kubernetes policy validation
For example, to run the checks on my demo manifest, the command is:
datree test ~/.datree/k8s-demo.yaml
Sample Output:
The output details the violations found in the manifest. This provides admins with the required guidance on how to fix them.
#3. Customize your policy
Each Datree policy check runs against the default policy, which includes 44 built-in rules. To configure the policy, go back to the terminal output and sign up by clicking the link provided at the end of the output.
+-----------------------------------+------------------------------------------------------+
| Enabled rules in policy “Default” | 21 |
| Configs tested against policy | 1 |
| Total rules evaluated | 21 |
| Total rules skipped | 0 |
| Total rules failed | 4 |
| Total rules passed | 17 |
| See all rules in policy | https://app.datree.io/login?t=bDNVK7Tg9ZSCN76pZPhmT7 |
+-----------------------------------+------------------------------------------------------+
Sign up by providing the required credentials.
You will then be redirected to the Centralized policy dashboard.
Here, you can enable or disable the built-in rules. Optionally, you can add your own custom rules to be run against your manifests.
From the dashboard, you can also see the scan history.
#4. Integrate Datree into your CI
To keep repositories clean and stable by catching misconfigurations early, you need to integrate Datree into your workflow.
The following integrations are supported.
- Kubectl plugin
- Helm plugin
- GitHub Action
- Git hooks
- Pre-commit hook
This guide demonstrates how to install and use the below plugins:
- Kubectl plugin
The Kubectl plugin can be installed using the command:
kubectl krew install datree
The syntax below is used to perform scans with the kubectl-datree plugin.
kubectl datree test [datree CLI args] -- [options]
For example, to fetch all resources in the namespace test and run a policy check against them:
kubectl datree test -- -n test
- Helm plugin
This plugin is used to validate charts against the Datree policy. The plugin can be installed with the command:
helm plugin install https://github.com/datreeio/helm-datree
Unfortunately, this plugin is not supported on Windows, so Windows users need to work around this by using Helm on WSL.
To update the plugin, simply run:
helm plugin update datree
Uninstall the plugin using the command:
helm plugin uninstall datree
To trigger a Datree policy check on Helm charts, use the syntax below.
helm datree test [CHART_DIRECTORY]
If you need to pass arguments to your template, add -- before them, as below:
helm datree test [CHART_DIRECTORY] -- --values values.yaml --set name=prod
To demonstrate how to use the plugin, I will create a sample Helm chart as below:
$ helm create buildachart
Creating buildachart
Now perform a test on the charts.
helm datree test buildachart
Sample Output:
To integrate Datree into your CI/CD pipeline, follow the steps below:
- Get your account token (can be found from the dashboard under Settings)
- Set DATREE_TOKEN as a secret/environment variable
- Add Datree to your CI script as shown in the example below:
version: 2.1
jobs:
  build:
    docker:
      - image: circleci/node
    steps:
      - checkout
      - run: npm run build
  test:
    docker:
      - image: circleci/node
    steps:
      - checkout
      - run: curl https://get.datree.io | /bin/bash
      - run: datree test ~/.datree/k8s-demo.yaml
workflows:
  main:
    jobs:
      - build
      - test
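The CI steps above as a gate script, added here as an example (it is not code from this guide's author or from the Datree project): it refuses to run without DATREE_TOKEN, scans every manifest under a directory rather than only the demo file, and fails when nothing was scanned. The names find_manifests, datree_gate and DATREE_BIN are assumptions, as is the reliance on `datree test` exiting non-zero for a failing manifest.

```shell
#!/usr/bin/env bash
# Added example, not Datree's own code. Function names and DATREE_BIN are
# assumptions; it relies on `datree test` exiting non-zero on a failed check.

# List YAML files under $1 that declare top-level apiVersion: and kind:,
# so CI configs and Helm values files are not handed to the scanner.
find_manifests() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
  while IFS= read -r f; do
    if grep -q '^apiVersion:' "$f" && grep -q '^kind:' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Returns 0 if every manifest passes, 1 if any fails, 2 if the gate itself
# is misconfigured (no token, no CLI, or nothing to scan).
datree_gate() {
  dir=${1:-.}
  bin=${DATREE_BIN:-datree}
  if [ -z "${DATREE_TOKEN:-}" ]; then
    echo "DATREE_TOKEN is not set; define it as a CI secret" >&2
    return 2
  fi
  if ! command -v "$bin" >/dev/null 2>&1; then
    echo "datree CLI not found: $bin" >&2
    return 2
  fi
  scanned=0
  failed=0
  while IFS= read -r manifest; do
    [ -n "$manifest" ] || continue
    scanned=$((scanned + 1))
    # </dev/null keeps the scanner from consuming the file list on stdin.
    if ! "$bin" test "$manifest" </dev/null; then
      echo "FAILED: $manifest" >&2
      failed=$((failed + 1))
    fi
  done <<EOF
$(find_manifests "$dir")
EOF
  if [ "$scanned" -eq 0 ]; then
    echo "no Kubernetes manifests under $dir; refusing to pass" >&2
    return 2
  fi
  echo "scanned=$scanned failed=$failed" >&2
  [ "$failed" -eq 0 ]
}
```

In a CI step, source the script and call `datree_gate` with the directory holding your manifests; any non-zero return fails the job.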
Voila!
That concludes the guide on how to perform security checks on Kubernetes manifests and Helm charts using Datree. We can agree that Datree can be used to prevent errors in Kubernetes configurations which may lead to the failure of clusters in production.