What is Datree and why use it?
it's a CLI tool that helps developers to detect and prevent errors in their Kubernetes manifest files (which is a YAML file) so that the developers don't have to go through production failure after the deployment phase. it helps by providing a policy enforcement solution that automatically checks for rule violations. It can be used to run checks and validations against Kubernetes manifest files through the command line.
Installation and configuration
Before downloading the CLI, you need to create an account on Datree in order to connect your local machine to the Datree's dashboard. Since I'm using Windows, I'll be running this command on Windows PowerShell to download the CLI:
iwr -useb https://get.datree.io/windows_install.ps1 | iex
and for users on Linux or macOS, use this command to do the same:
curl https://get.datree.io | /bin/bash
Once you download the CLI, you will need to connect the CLI to your account with the help of a unique token that is provided to you by Datree on your dashboard. it will look something like this:
and what this will do is that any change made via you on the site will be reflected directly in your local machine. Let's demonstrate it in the next step
Testing the YAML file
As a beginner, you can download the demo file which Datree provides in case you don't have one to run some checks. The DEMO FILE looks like this
apiVersion: apps/v1
kind: Deployment
metadata:
name: rss-site
namespace: test
labels:
owner: --
environment: prod
app: web
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: test
labels:
app: web
spec:
containers:
- name: front-end
image: nginx:latest
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
memory: "64Mi"
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
To avoid writting some necessary rules for our yaml file
Datree provides us some in-built policies that are important for the YAML file.
running this command datree test k8s-demo.yaml(you have to mention the path of the file here) will run those in-built policies against our kubernetes manifest file.
You can also see the same results on your Datree account under the history tab
Now if you see the order in which those checks are validating, first it's checking whether the file we have provided is in the correct YAML format or not. then it's checking for any wrong Kubernetes object. if none is present then it will proceed for those in-built policies check.
you can see that we are having 4 policies check fails in our YAML file
First check tells that liveness probe is not configured. (Many applications running for long periods of time eventually transition to broken states and can only be fixed by restarting. Kubernetes provides Liveness probes to find and fix such problems.)
The second policy check is telling that labels do not follow Kubernetes label syntax requirements. (Labels are custom key-value pairs that are attached to objects which are used to manage Kubernetes resources)
The third policy check is failing because the memory limit was not configured for the container.(Memory limit allows you to use memory resources efficiently)
Another policy check is telling that the image tag is not descriptive. (every time that image is pulled, the version will be a different version and might break your code. So better to mention the version number)
Creating your own policy
Datree also provides policy management where you can create your own policy. Creating your own policy might be helpful for testing purposes in different deployment phases.
As you can see the image below I have created a new policy that contains those 4 check rules that failed in our previous test and even have created a custom message for the rule that ensures the presence of the image version.
Now if we want to run our YAML file againts the new policy that we have just created, we will use the same command as before but the only change would be adding a -p tag with the name of our policy
datree test .\k8s-demo.yaml -p Test_Policy
Sharing your policies
There's something called "Policy as code" where your policies are represented in a declarative way (It's similar to infrastructure as code) and while this mode is enabled, you can only make change to the policy by publishing the YAML configuration file containing all of your rules. Till now we are making change in our file via GUI but when this mode is enabled, the only way to do the same is via changing the YAML configuration file.
To enable the "Policy as Code" mode, head over to the settings page and enable the same. Then download the policies.yaml file displayed next to it
Once you download the file and when you open it, you'll find all your policies including your custom ones. The ones which are not active will be mentioned as comment.
Now you can use your YAML file to make changes instead of your graphical user interface. You can use this in your version control system, and even share your YAML file with anyone now. Let's say you don't want to use any specific rule, then just comment it out and when you decide to use it then simply undo the changes.
Once you're done and are ready to publish the changes, run the following command:
datree publish policies.yaml
This will update your previously setted-up policies to the one you've just published.
Setting Datree on a new device
Let's say you want to set up datree on someone else's machine then before running the test you need to update the account token of that device. Account token is what that helps you to connect your local machine to the datree dashboard. You can also check the account token from the configuration file where your datree is installed using the following comamnd:
cat .datree/config.yaml
To set your account token on a new device, simply use this command:
datree set config token 415ffd7e-5cfc-4dd1-9ad1-f65d03972e03