Getting Started With Datree

A Beginner's Guide


What is Datree and why use it?

Datree is a CLI tool that helps developers detect and prevent errors in their Kubernetes manifest files (which are YAML files), so that they don't have to go through production failures after the deployment phase. It provides a policy enforcement solution that automatically checks for rule violations, and it can be used to run checks and validations against Kubernetes manifest files from the command line.

Installation and configuration

Before downloading the CLI, you need to create an account on Datree in order to connect your local machine to the Datree dashboard. Since I'm using Windows, I'll be running this command in Windows PowerShell to download the CLI:

iwr -useb https://get.datree.io/windows_install.ps1 | iex

For users on Linux or macOS, use this command to do the same:

curl https://get.datree.io | /bin/bash

Once you have downloaded the CLI, you need to connect it to your account using the unique token that Datree provides on your dashboard.

Once the CLI is connected, any change you make on the site is reflected directly on your local machine. Let's demonstrate it in the next step.

Testing the YAML file

As a beginner, you can download the demo file that Datree provides, in case you don't have a manifest of your own to run checks against. The demo file looks like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rss-site
  namespace: test
  labels:
    owner: --
    environment: prod
    app: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      namespace: test
      labels:
        app: web
    spec:
      containers:
        - name: front-end
          image: nginx:latest
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:
              memory: "64Mi"
              cpu: "64m"
            limits:
              cpu: "500m"
          ports:
            - containerPort: 80
        - name: rss-reader
          image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
              httpHeaders:
                - name: Custom-Header
                  value: Awesome
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests:
              cpu: "64m"
              memory: "128Mi"
            limits:
              memory: "128Mi"
              cpu: "500m"
          ports:
            - containerPort: 88

To save you from writing the necessary rules yourself, Datree provides some built-in policies that are important for Kubernetes YAML files. Running the following command (you have to give the path of your file here) runs those built-in policies against our Kubernetes manifest file:

datree test k8s-demo.yaml

You can also see the same results in your Datree account under the history tab.

If you look at the order in which the checks run, Datree first checks whether the file we provided is in the correct YAML format, then checks for any wrong Kubernetes object. If neither problem is present, it proceeds to the built-in policy checks.

You can see that 4 policy checks fail for our YAML file:

  • The first check reports that a liveness probe is not configured. (Many applications running for long periods of time eventually transition to broken states and can only be fixed by restarting. Kubernetes provides liveness probes to find and fix such problems.)

  • The second policy check reports that the labels do not follow Kubernetes label syntax requirements. (Labels are custom key-value pairs attached to objects and used to manage Kubernetes resources.)

  • The third policy check fails because the memory limit was not configured for the container. (A memory limit allows you to use memory resources efficiently.)

  • Another policy check reports that the image tag is not descriptive. (Every time that image is pulled, the version you get can be a different one and might break your code, so it is better to specify the version number.)

Creating your own policy


Datree also provides policy management where you can create your own policy. Creating your own policy might be helpful for testing purposes in different deployment phases.

I have created a new policy that contains the 4 rules that failed in our previous test, and I have also created a custom message for the rule that ensures the presence of the image version.

Now, if we want to run our YAML file against the new policy that we have just created, we use the same command as before; the only change is adding the -p flag with the name of our policy:

datree test .\k8s-demo.yaml -p Test_Policy


Sharing your policies

There's something called "Policy as Code", where your policies are represented in a declarative way (similar to infrastructure as code). While this mode is enabled, you can only change a policy by publishing the YAML configuration file containing all of your rules. Until now we have been making changes via the GUI, but when this mode is enabled, the only way to do the same is by changing the YAML configuration file.

To enable "Policy as Code" mode, head over to the settings page and turn it on. Then download the policies.yaml file displayed next to it.

When you open the downloaded file, you'll find all your policies, including your custom ones. The ones that are not active appear as comments.

Now you can use your YAML file to make changes instead of the graphical user interface. You can keep it in your version control system, and even share it with anyone. If you don't want to use a specific rule, just comment it out; when you decide to use it again, simply undo the change.

Once you're done and are ready to publish the changes, run the following command:

datree publish policies.yaml

This will update your previously set-up policies to the ones you've just published.

Setting Datree on a new device

Let's say you want to set up Datree on someone else's machine. Before running the test, you need to update the account token on that device. The account token is what connects your local machine to the Datree dashboard. You can also check the account token in the configuration file where Datree is installed, using the following command:

cat .datree/config.yaml

To set your account token on a new device, simply use this command, substituting your own account token for the example value:

datree config set token 415ffd7e-5cfc-4dd1-9ad1-f65d03972e03

Resources