What is Datree?
Datree is a CLI tool that prevents Kubernetes (K8S) misconfigurations from reaching production. As we know, a K8S configuration file is used to create a cluster. Before the cluster is created (or updated), Datree can step in and let the developers know about misconfigurations in that file. This prevents cluster failure in production. The CLI solution offered by Datree is open source and is predominantly supported by the Kubernetes community.
Why is Datree required?
In any tech-infrastructural organization, production stability has a very high priority. It is paramount that no changes are directly deployed to production. There need to be tests, and configurations must be managed. If production goes down, then there is simply no product, and no product means no business. Datree makes sure that misconfigured changes don't reach the production environment, as we can test the manifest files without even having to run clusters.
Getting Started with Datree
So, let's start by signing up with Datree. Visit the Datree website and click on the big red "QuickStart" button at the top. This will lead you to the "Getting Started" page, where we get the options to log in or sign up. For the scope of this article, we will be signing up using GitHub. Once authorized, we land on the page below:
Downloading Datree CLI
Here we can see that Datree gives us three commands to run the Datree CLI. We will now open up our terminal and run the first command to download the CLI:
Configuring the token
We can also go ahead and run the second command mentioned there. This will configure our dashboard with the local repository and reflect real-time changes. As we can see, there is a token assigned to us. This token is used to connect the dashboard to a local repository. It can be configured in the config.yaml file, or changed using the Datree CLI command:
datree config set token token-name
Working with the demo YAML file
We can now go into our root/home directory where we installed datree and find a few files:
As we can see, we have a demo YAML file (configuration file) to test out Datree! We can view the contents of the file as well:
Now let's test this file with datree. Run the following command:
datree test .datree/k8s-demo.yaml (depending on your directory)
We will get an output like this:
Datree Policies and Rules
The output above shows the Datree policy check. As we can see, the policy check takes place in three phases:
YAML Validation - verifies that the file is a valid YAML. Syntax errors for YAML, indentation errors, etc. are covered here.
Kubernetes schema validation - verifies that the file is a valid Kubernetes file. This is done via Kubeconform.
Policy Check - checks the YAML against your configured policy.
In the above demo file, we can see that 4 policy rules failed. The details of each failure are also listed so that it is easier for the developer to manage the misconfigurations. Consider the following policy rule which failed:
This is failing because we have a policy rule in place which checks if each container image has a pinned version. If we view the manifest file again, we see that the version is not mentioned for the image.
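To make the pinned-version rule concrete, here is an added example (not Datree's own rule implementation and not code from the original article) that applies the same idea to a constructed manifest. Treating the `latest` tag as unpinned and a digest as pinned are assumptions of this sketch, and the function names are hypothetical.

```python
import re

# Constructed sample manifest (not the demo file shipped with Datree).
MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
    - name: web
      image: nginx
    - name: api
      image: registry.local:5000/team/api
    - name: worker
      image: "example.com/team/worker:latest"
    - name: cache
      image: redis:7.2.4
    - name: proxy
      image: example.com/proxy@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Matches `image: <ref>` lines, with or without quotes or a leading list dash.
IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^"'\s#]+)""", re.M)

def image_tag(ref):
    """Return (tag, digest) for an image reference; either may be None."""
    name, _, digest = ref.partition("@")
    # A colon only introduces a tag when it comes after the last "/";
    # before that it is a registry port, e.g. registry.local:5000/team/api.
    last = name.rsplit("/", 1)[-1]
    tag = last.partition(":")[2] or None
    return tag, (digest or None)

def is_pinned(ref):
    """Assumption: pinned means a digest, or a tag other than 'latest'."""
    tag, digest = image_tag(ref)
    return bool(digest) or tag not in (None, "latest")

def unpinned_images(manifest_text):
    """List every image reference in the manifest that is not pinned."""
    return [r for r in IMAGE_LINE.findall(manifest_text) if not is_pinned(r)]

if __name__ == "__main__":
    for ref in unpinned_images(MANIFEST):
        print("unpinned image:", ref)
```

The `registry.local:5000/team/api` case is the one naive checks get wrong: the colon belongs to the registry port, so the image has no tag at all.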
This test was also updated on our dashboard. As we can see in the history tab:
And if we switch to the policies tab, we can see all the rules which can be used in our policy checks. Let's disable the pinned version image rule and run the test again:
As expected, we are now skipping that particular rule and only three are failing. Thus, we can manage the rules as per our requirements and enable/disable them easily. Not only this, but we can also edit the error messages themselves:
Making custom policies
Datree gives us 60 rules out of the box to make our policy. We can also make custom policies with different rules for different phases of development. We can visit our dashboard and on the policies window, click on the "Create Policy" Button to create custom policies with the required rules. Here's a custom policy with 5 active rules:
We can run our test against this new policy by running the command:
datree test .datree/k8s-demo.yaml -p Policy_Name
Datree also gives us a feature for collaborating with a team and other developers. This is known as Policy as Code. Policy-as-code, similar to Infrastructure-as-code, is the concept of using declarative code to replace actions that require using a user interface. By representing policies in code, proven software development best practices can be adopted, such as version control, collaboration, and automation. Let's try this out. Go to the settings and download the policy YAML file:
If we open this file, we can see that all the rules are present. The rules which we don't want can be commented out.
We can publish this policy via the following command:
datree publish policy.yaml
Make sure that the code in the YAML file is correct and that the Policy as Code feature is enabled in the settings; otherwise, we can get a few errors:
Closing Remarks, Future Scope, and References
The simple fact that we were able to manage so many K8S configurations without even running a cluster makes Datree an extremely powerful and useful tool. As a next step, users can explore how Datree is incorporated into a CI pipeline. Setting up custom rules is also an exciting area of study. Finally, we must remember that Datree is open source and we can always head over to their repository to support this awesome software. Here are some important references and resources: