Prevent Kubernetes Misconfigurations from Reaching Production with Datree

What is Datree?

Datree is a CLI tool that prevents Kubernetes (K8s) misconfigurations from reaching production. As we know, a K8s configuration file is used to create a cluster. Before the cluster is created (or updated), Datree can step in and tell developers about misconfigurations in those files. This prevents cluster failures in production. The CLI offered by Datree is open source and is predominantly supported by the Kubernetes community.

Why is Datree required?

In any tech-infrastructure organization, production stability has a very high priority. It is paramount that no changes are deployed directly to production. There need to be tests, and configurations must be managed. If production goes down, there is simply no product, and no product means no business. Datree makes sure that misconfigured changes don't reach the production environment, because we can test the manifest files without even running a cluster.

Getting Started with Datree

So, let's start by signing up with Datree. Visit the Datree website and click on the big red "QuickStart" button at the top. This leads to the "Getting Started" page, where we get the options to log in or sign up. For the scope of this article, we will sign up using GitHub. Once authorized, we land on the page below:

Screenshot from 2022-07-13 11-45-15.png

Downloading Datree CLI

Here we can see that Datree gives us three commands to run the Datree CLI. We will now open up our terminal and run the first command to download the CLI:

Screenshot from 2022-07-13 11-50-48.png

Configuring the token

We can also go ahead and run the second command mentioned there. This configures our dashboard with the local repository so that it reflects changes in real time. As we can see, there is a token assigned to us. This token is used to connect the dashboard to a local repository. It can be configured in the config.yaml file, and it can also be changed using the Datree CLI command:

datree config set token token-name

Working with the demo YAML file

We can now go into our root/home directory where we installed datree and find a few files:

Screenshot from 2022-07-13 12-01-35.png

As we can see, we have a demo YAML file (configuration file) to test out Datree! We can view the contents of the file as well:

Screenshot from 2022-07-13 12-04-13.png

Now let's test this file with datree. Run the following command:

datree test .datree/k8s-demo.yaml (depending on your directory)

We will get an output like this:

Screenshot from 2022-07-13 12-08-08.png

Datree Policies and Rules

The output shown above is showing the Datree Policy Check. As we can see, the policy check is taking place in three phases:

  1. YAML Validation - verifies that the file is a valid YAML. Syntax errors for YAML, indentation errors, etc. are covered here.

  2. Kubernetes schema validation - verifies that the file is a valid Kubernetes file. This is done via Kubeconform.

  3. Policy Check - checks the YAML against your configured policy.

In the above demo file, we can see that 4 policy rules fail. The details of each failure are also shown, so that it is easier for the developer to fix the misconfigurations. Consider the following policy rule which failed:

Screenshot from 2022-07-13 12-19-33.png

This is failing because we have a policy rule in place which checks if each container image has a pinned version. If we view the manifest file again, we see that the version is not mentioned for the image.

Screenshot from 2022-07-13 12-21-43.png
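
The pinned-version check described above, sketched as an added example (not code from this article or from Datree). It assumes that a missing tag or the `latest` tag counts as unpinned and that a digest counts as pinned; the function names and the sample manifest are constructed for illustration, and `image:` lines are read with a regex rather than a YAML parser.

```python
import re

# Matches "image: <ref>" lines; a line-based stand-in for a real YAML parser.
IMAGE_LINE = re.compile(r"^[ \t]*(?:-[ \t]*)?image:[ \t]*[\"']?([^\s\"'#]+)", re.MULTILINE)


def image_tag(ref):
    """Return (tag, digest) for an image reference; either may be None."""
    name, _, digest = ref.partition("@")
    # Only a colon after the last "/" starts a tag; an earlier colon is a
    # registry port, as in "registry.local:5000/redis".
    last = name.rsplit("/", 1)[-1]
    tag = last.partition(":")[2] or None
    return tag, (digest or None)


def is_pinned(ref):
    """Assumed rule: a digest, or any tag other than 'latest', is pinned."""
    tag, digest = image_tag(ref)
    return bool(digest) or (tag is not None and tag.lower() != "latest")


def unpinned_images(manifest_text):
    """List the image references in the manifest text that are not pinned."""
    return [ref for ref in IMAGE_LINE.findall(manifest_text) if not is_pinned(ref)]


# Constructed sample (not Datree's demo file); the digest is a short placeholder.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  containers:
    - name: web
      image: nginx
    - name: cache
      image: registry.local:5000/redis
    - name: api
      image: registry.local:5000/api:1.4.2
    - name: proxy
      image: "envoyproxy/envoy:latest"
    - name: worker
      image: busybox@sha256:0123abcd
"""

if __name__ == "__main__":
    print("unpinned images:", unpinned_images(SAMPLE_MANIFEST))
```

The registry-port case is the one a naive "contains a colon" check gets wrong: `registry.local:5000/redis` has a colon but no tag.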

This test was also updated on our dashboard. As we can see in the history tab:

Screenshot from 2022-07-13 12-24-20.png

And if we switch to the policies tab, we can see all the rules which can be used in our policy checks. Let's disable the pinned version image rule and run the test again:

Screenshot from 2022-07-13 12-26-41.png

Screenshot from 2022-07-13 12-27-11.png

As expected, we are now skipping that particular rule, and only three rules are failing. Thus, we can manage the rules as per our requirements and enable or disable them easily. Not only this, but we can also edit the error messages themselves:

Screenshot from 2022-07-13 12-29-35.png

Screenshot from 2022-07-13 12-31-04.png

Making custom policies

Datree gives us 60 rules out of the box to make our policy. We can also make custom policies with different rules for different phases of development. We can visit our dashboard and, in the policies window, click on the "Create Policy" button to create custom policies with the required rules. Here's a custom policy with 5 active rules:

Screenshot from 2022-07-13 12-42-12.png

We can run our test against this new policy by running the command:

datree test .datree/k8s-demo.yaml -p Policy_Name

Screenshot from 2022-07-13 12-44-02.png

Policy-as-code

Datree also offers a feature for collaborating with a team and other developers, known as Policy as Code. Policy-as-code, similar to Infrastructure-as-code, is the concept of using declarative code to replace actions that require using a user interface. By representing policies in code, proven software development best practices can be adopted, such as version control, collaboration, and automation. Let's try this out. Go to the settings and download the policy YAML file:

Screenshot from 2022-07-13 12-54-26.png

Screenshot from 2022-07-13 12-54-50.png

If we open this file, we can see that all the rules are present. The rules which we don't want can be commented out.

Screenshot from 2022-07-13 12-58-21.png

We can publish this policy via the following command:

datree publish policy.yaml

Make sure that the code in the YAML file is correct and that the Policy as Code feature is enabled in the settings; otherwise, we can get a few errors:

Screenshot from 2022-07-13 13-05-31.png

Closing Remarks, Future Scope, and References

The simple fact that we were able to manage so many K8s configurations without even running a cluster makes Datree an extremely powerful and useful tool. As a next step, users can explore how Datree is incorporated into a CI pipeline. Setting up custom rules is also an exciting area of study. Finally, we must remember that Datree is open source, and we can always head over to their repository to support this awesome software. Here are some important references and resources:
