/datree

Prevent Kubernetes misconfigurations from reaching production (again 😤 )! From code to cloud, Datree provides an E2E policy enforcement solution to run automatic checks for rule violations. See our docs: https://hub.datree.io

Primary LanguageGoApache License 2.0Apache-2.0

datree=github

Prevent Kubernetes Misconfigurations

Explore the docs »

🤔 What is Datree?

Datree automatically validates Kubernetes objects for rule violations, ensuring no misconfigurations reach production. It’s an E2E policy enforcement solution that can be used on the command line, admission webhook, or even as a kubectl plugin.

It’s far more effective than manual processes, such as sending an email to a slew of developers, begging them to set various limits, which likely falls on deaf ears because developers are already overwhelmed.

✌️ Quick-start in two steps

1. Install the latest release on your CLI

Linux & MacOS: curl https://get.datree.io | /bin/bash
Windows: iwr -useb https://get.datree.io/windows_install.ps1 | iex

Other installation options (Homebrew, Docker, etc.) can be found here

2. Pass Datree a Kubernetes manifest file to scan

datree test [k8s-manifest-file]

...and voilà, you just ran your first policy check! 🥳

Datree-cli

⚙️ How it works

Datree scans Kubernetes configurations and validates them against a centrally managed policy for rule violations and misconfigurations.

Architecture
Architecture

The CLI interface can be run locally, as a pre-commit hook, or in your CI, to shift left misconfiguration detection. With the admission webhook interface, you can enforce the same policy on the cluster.

Each Datree scan runs three validation on your Kubernetes objects:

  • YAML validation
  • Schema validation (Including CRD support)
  • Policy check

Datree comes with dozens of battle-tested rules for you to select to create your policy. The policy rules cover a variety of Kubernetes resources such as workload security, networking availability, Argo best practices, NSA hardening guide, and many more.

In addition to our built-in rules, you can write any custom rule you wish and then run it against your Kubernetes configurations to check for rule violations. The custom rule engine is based on JSON Schema.

🔌 Helm plugin

Datree's Helm plugin can be accessed through the helm CLI to provide a seamless experience to Helm users:

helm plugin install https://github.com/datreeio/helm-datree

🗂 Kustomize support

Datree comes with out-of-the-box support for Kustomize:

datree kustomize test [kustomization.yaml dir path/]

Management dashboard (web application)

Datree can be customized via code (policy as code) or via a management dashboard. The dashboard offers the following capabilities in an intuitive visual interface:

  • Customize policies
  • Edit rules failure message
  • Issue tokens
  • View policy check history
  • Configure Kubernetes schema version

Datree-saas

✔️ Next step: Integrate into your workflow

From develop to runtime, you can use Datree in every step of your Kuberenetes pipeline to help you prevent misconfigurations:

  • Develop (code) - run the CLI locally (or as a pre-commit hook) to get instant validation
  • Distribute (CI) - integrate with your CI platform to shift-left policy checks
  • Deploy (CD) - gate your cluster with the admission webhook
  • Runtime (production) - query deployed resources with the kubectl plugin to your know your status

Offerings

Contributing

Contributions are welcome!

Contributors

Thank you to all the people who already contributed to Datree ❤️