{"id":501696,"date":"2022-10-18T03:48:35","date_gmt":"2022-10-18T00:48:35","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-use-datree-to-avoid-kubernetes-misconfigurations\/"},"modified":"2022-10-18T03:48:35","modified_gmt":"2022-10-18T00:48:35","slug":"how-to-use-datree-to-avoid-kubernetes-misconfigurations","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-use-datree-to-avoid-kubernetes-misconfigurations\/","title":{"rendered":"How to Use Datree to Avoid Kubernetes Misconfigurations"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CHow_to_Use_Datree_to_Avoid_Kubernetes_Misconfigurations%E2%80%9D\"><\/span>&#8220;How to Use Datree to Avoid Kubernetes Misconfigurations&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-822814\" data-pagespeed-no-defer=\"\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/08\/Datree.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Datree logo\" width=\"1202\" height=\"677\"\/><\/p>\n<p>Kubernetes is a complex system with many moving parts. Correct configuration rules are essential for your service to operate reliably. Errors can occur when you write Kubernetes manifests by hand without a comprehensive review process.<\/p>\n<p><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.datree.io\">Datree<\/a> is a rule-based tool that automatically finds problems in your manifests. 
You can use it to uncover policy violations without leaving your terminal, enabling a consistent approach to Kubernetes configuration.<\/p>\n<p>In this article, you\u2019ll learn how to use Datree\u2019s CLI to perform on-demand manifest scans. The tool is free and open-source but backed by an online dashboard that lets you centrally manage policies shared by your entire team. This is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.datree.io\/pricing\">free for individuals<\/a> interacting with up to two Nodes while team plans start at $95\/mo with a base allowance of five Nodes.<\/p>\n<h2 id=\"installing-the-datree-cli\"><span class=\"ez-toc-section\" id=\"Installing_the_Datree_CLI\"><\/span>Installing the Datree CLI<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>First, download and set up the Datree CLI using its installation script. This works on Linux and Mac:<\/p>\n<pre>$ curl https:\/\/get.datree.io | \/bin\/bash<\/pre>\n<p>Alternative installation instructions are available <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/hub.datree.io\">in the documentation<\/a> if you\u2019re using Windows or want to run Datree as a Docker container.<\/p>\n<p>Check that the CLI is installed correctly by running the <code>datree<\/code> command without any arguments:<\/p>\n<pre>$ datree&#13;\nDatree is a static code analysis tool for kubernetes files. 
Full code can be found at https:\/\/github.com\/datreeio\/datree&#13;\n...<\/pre>\n<p>Now you can begin scanning your manifests for errors.<\/p>\n<h2 id=\"performing-a-policy-check\"><span class=\"ez-toc-section\" id=\"Performing_a_Policy_Check\"><\/span>Performing a Policy Check<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Copy the following YAML and save it as <code>datree-demo.yaml<\/code> in your working directory:<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>apps\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>Deployment<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>demo-deployment<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>demo<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  replicas<\/strong><strong class=\"sy2\">: <\/strong>2<strong class=\"co4\">\n  selector<\/strong>:<strong class=\"co4\">\n    matchLabels<\/strong>:<strong class=\"co3\">\n      app<\/strong><strong class=\"sy2\">: <\/strong>demo-app<strong class=\"co4\">\n  template<\/strong>:<strong class=\"co4\">\n    metadata<\/strong>:<strong class=\"co3\">\n      namespace<\/strong><strong class=\"sy2\">: <\/strong>demo-deployment<strong class=\"co4\">\n      labels<\/strong>:<strong class=\"co3\">\n        app<\/strong><strong class=\"sy2\">: <\/strong>demo-app<strong class=\"co4\">\n    spec<\/strong>:<strong class=\"co4\">\n      containers<\/strong>:<strong class=\"co3\">\n        - name<\/strong><strong class=\"sy2\">: <\/strong>nginx<strong class=\"co3\">\n          image<\/strong><strong class=\"sy2\">: 
<\/strong>nginx:latest<strong class=\"co4\">\n          readinessProbe<\/strong>:<strong class=\"co4\">\n            tcpSocket<\/strong>:<strong class=\"co3\">\n              port<\/strong><strong class=\"sy2\">: <\/strong>8080<strong class=\"co4\">\n          resources<\/strong>:<strong class=\"co4\">\n            requests<\/strong>:<strong class=\"co3\">\n              memory<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"st0\">\"256Mi\"<\/strong><strong class=\"co3\">\n              cpu<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"st0\">\"100m\"<\/strong><strong class=\"co4\">\n            limits<\/strong>:<strong class=\"co3\">\n              cpu<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"st0\">\"500m\"<\/strong><strong class=\"co4\">\n          ports<\/strong>:<strong class=\"co3\">\n            - containerPort<\/strong><strong class=\"sy2\">: <\/strong>80<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>This YAML defines a valid Kubernetes Deployment object. Kubectl will apply it to your cluster without reporting any errors:<\/p>\n<pre>$ kubectl apply -f datree-demo.yaml&#13;\ndeployment\/demo-deployment created<\/pre>\n<p>There could be problems with this configuration though. Running the Datree CLI will expose them. 
Use the <code>datree test<\/code> command to complete an analysis of your manifest:<\/p>\n<pre>$ datree test datree-demo.yaml&#13;\n>&gt; File: datree-demo.yaml&#13;\n&#13;\n[V] YAML validation&#13;\n[V] Kubernetes schema validation&#13;\n&#13;\n[X] Policy check&#13;\n&#13;\n\u274c  Ensure each container image has a pinned (tag) version  [1 occurrence]&#13;\n    - metadata.name: demo-deployment (kind: Deployment)&#13;\n\ud83d\udca1  Incorrect value for key `image` - specify an image version to avoid unpleasant \"version surprises\" in the future&#13;\n&#13;\n\u274c  Ensure each container has a configured liveness probe  [1 occurrence]&#13;\n    - metadata.name: demo-deployment (kind: Deployment)&#13;\n\ud83d\udca1  Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks&#13;\n&#13;\n\u274c  Ensure each container has a configured memory limit  [1 occurrence]&#13;\n    - metadata.name: demo-deployment (kind: Deployment)&#13;\n\ud83d\udca1  Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization&#13;\n&#13;\n(Summary)&#13;\n&#13;\n- Passing YAML validation: 1\/1&#13;\n&#13;\n- Passing Kubernetes (1.20.0) schema validation: 1\/1&#13;\n&#13;\n- Passing policy check: 0\/1&#13;\n&#13;\n+-----------------------------------+-----+&#13;\n| Enabled rules in policy \"Default\" | 21  |&#13;\n| Configs tested against policy     | 1   |&#13;\n| Total rules evaluated             | 21  |&#13;\n| Total rules skipped               | 0   |&#13;\n| Total rules failed                | 3   |&#13;\n| Total rules passed                | 18  |&#13;\n+-----------------------------------+-----+<\/pre>\n<p>Datree has uncovered three policy violations that could affect your cluster.<\/p>\n<h3 id=\"interpreting-scan-results\"><span class=\"ez-toc-section\" id=\"Interpreting_Scan_Results\"><\/span>Interpreting Scan Results<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Datree scans look at three aspects of each manifest:<\/p>\n<ul>\n<li><strong>YAML validation<\/strong> \u2013 The first check validates your YAML for correctness. No further checks are run if your YAML file has syntax errors.<\/li>\n<li><strong>Kubernetes schema validation<\/strong> \u2013 Checks whether the manifest contains a legal Kubernetes object. Common causes of these errors include invalid field values and incorrect object nesting.<\/li>\n<li><strong>Policy checks<\/strong> \u2013 This is where Datree tests a valid Kubernetes object schema against common misconfigurations. Policies identify potential issues and missing optimizations so you can make your Kubernetes cluster more resilient.<\/li>\n<\/ul>\n<p>Each report ends with a table that summarizes the number of manifests scanned, rules used, and failures detected.<\/p>\n<h3 id=\"fixing-the-example-manifests-errors\"><span class=\"ez-toc-section\" id=\"Fixing_the_Example_Manifests_Errors\"><\/span>Fixing the Example Manifest\u2019s Errors<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Scanning the example manifest surfaces three errors: the container\u2019s <code>image<\/code> field isn\u2019t using a pinned tag, there\u2019s no <code>livenessProbe<\/code>, and no memory limit.<\/p>\n<p>The first problem can be resolved by using an explicit image version such as <code>nginx:1.23<\/code>. The latest tag is risky because you could unintentionally receive breaking changes, such as <code>1.23<\/code> to <code>2.1<\/code>.<\/p>\n<p>The next error can be eliminated by adding a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/configure-liveness-readiness-startup-probes\">liveness probe<\/a>. These allow Kubernetes to detect when your containers transition into a failed state. 
The control plane will automatically restart the container, reducing the probability of a service outage.<\/p>\n<p>Add a new <code>livenessProbe<\/code> field above the <code>readinessProbe<\/code>:<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co4\">livenessProbe<\/strong>:<strong class=\"co4\">\n  tcpSocket<\/strong>:<strong class=\"co3\">\n    port<\/strong><strong class=\"sy2\">: <\/strong>8080<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Finally set a memory limit to address the last warning. Although the example manifest includes CPU and memory requests, as well as a CPU limit, there\u2019s no hard cap on memory. The container could consume unlimited RAM, potentially creating an out of memory situation in your cluster.<\/p>\n<p>The revised YAML should look like this:<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><strong class=\"co3\">apiVersion<\/strong><strong class=\"sy2\">: <\/strong>apps\/v1<strong class=\"co3\">\nkind<\/strong><strong class=\"sy2\">: <\/strong>Deployment<strong class=\"co4\">\nmetadata<\/strong>:<strong class=\"co3\">\n  name<\/strong><strong class=\"sy2\">: <\/strong>demo-deployment<strong class=\"co3\">\n  namespace<\/strong><strong class=\"sy2\">: <\/strong>demo<strong class=\"co4\">\nspec<\/strong>:<strong class=\"co3\">\n  replicas<\/strong><strong class=\"sy2\">: <\/strong>2<strong class=\"co4\">\n  selector<\/strong>:<strong class=\"co4\">\n    matchLabels<\/strong>:<strong class=\"co3\">\n      
app<\/strong><strong class=\"sy2\">: <\/strong>demo-app<strong class=\"co4\">\n  template<\/strong>:<strong class=\"co4\">\n    metadata<\/strong>:<strong class=\"co3\">\n      namespace<\/strong><strong class=\"sy2\">: <\/strong>demo-deployment<strong class=\"co4\">\n      labels<\/strong>:<strong class=\"co3\">\n        app<\/strong><strong class=\"sy2\">: <\/strong>demo-app<strong class=\"co4\">\n    spec<\/strong>:<strong class=\"co4\">\n      containers<\/strong>:<strong class=\"co3\">\n        - name<\/strong><strong class=\"sy2\">: <\/strong>nginx<strong class=\"co3\">\n          image<\/strong><strong class=\"sy2\">: <\/strong>nginx:1.23  <strong class=\"co4\">\n          livenessProbe<\/strong>:<strong class=\"co4\">\n            tcpSocket<\/strong>:<strong class=\"co3\">\n              port<\/strong><strong class=\"sy2\">: <\/strong>8080<strong class=\"co4\">\n          readinessProbe<\/strong>:<strong class=\"co4\">\n            tcpSocket<\/strong>:<strong class=\"co3\">\n              port<\/strong><strong class=\"sy2\">: <\/strong>8080<strong class=\"co4\">\n          resources<\/strong>:<strong class=\"co4\">\n            requests<\/strong>:<strong class=\"co3\">\n              memory<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"st0\">\"256Mi\"<\/strong><strong class=\"co3\">\n              cpu<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"st0\">\"100m\"<\/strong><strong class=\"co4\">\n            limits<\/strong>:<strong class=\"co3\">\n              memory<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"st0\">\"512Mi\"<\/strong><strong class=\"co3\">\n              cpu<\/strong><strong class=\"sy2\">: <\/strong><strong class=\"st0\">\"500m\"<\/strong><strong class=\"co4\">\n          ports<\/strong>:<strong class=\"co3\">\n            - containerPort<\/strong><strong class=\"sy2\">: <\/strong>80<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Repeat the <code>datree test<\/code> 
command to verify that your deployment\u2019s now passing the policy checks:<\/p>\n<pre>$ datree test datree-demo.yaml&#13;\n(Summary)&#13;\n&#13;\n- Passing YAML validation: 1\/1&#13;\n&#13;\n- Passing Kubernetes (1.20.0) schema validation: 1\/1&#13;\n&#13;\n- Passing policy check: 1\/1<\/pre>\n<h2 id=\"customizing-rules\"><span class=\"ez-toc-section\" id=\"Customizing_Rules\"><\/span>Customizing Rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The example used so far relies on Datree\u2019s built-in set of default policies. These cover many Kubernetes best practices, such as setting up probes, using resource limits, and avoiding deprecated APIs.<\/p>\n<p>You can customize the policies by linking the Datree CLI to your online dashboard. Here you can disable policies that you don\u2019t need and activate new custom rules to implement your organization\u2019s routines.<\/p>\n<p>The easiest way to sign in to Datree is to follow the link shown at the end of the Datree CLI\u2019s output:<\/p>\n<pre>| See all rules in policy           | https:\/\/app.datree.io\/login?t=bbY... |<\/pre>\n<p>The CLI automatically generates a unique token for your account. Click the link and then sign in to Datree with GitHub or Google.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-822815\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/08\/Screenshot-2022-08-02-at-15-35-48-Datree.io-Code-Policy-Enforcement-Solution.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"image of Datree's policies screen\" width=\"1278\" height=\"646\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You\u2019ll be taken to the Policies dashboard that shows all the policies active on your account. 
Click the toggle buttons in the \u201cStatus\u201d column to enable or remove policies. Your changes will immediately apply to new scans. The CLI automatically downloads your policy list before starting each test.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-822816\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/08\/Screenshot-2022-08-02-at-15-38-04-Datree.io-Code-Policy-Enforcement-Solution.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"image of Datree's history screen\" width=\"1278\" height=\"646\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The dashboard also provides a history of the scans you\u2019ve completed. Click the \u201cHistory\u201d tab in the left sidebar to retrieve previous scan results.<\/p>\n<h2 id=\"scanning-with-a-specific-policy\"><span class=\"ez-toc-section\" id=\"Scanning_With_a_Specific_Policy\"><\/span>Scanning With a Specific Policy<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Datree currently has 60 built-in rules which provide individual tests. Rules are combined into groups called policies. The Default policy is used automatically. It enables 21 of the 60 rules. Datree also comes with pre-configured policies for Argo and NSA Kubernetes configurations.<\/p>\n<p>You can create your own policy with the blue \u201cCreate Policy\u201d button in the online dashboard. Give your policy a name and enable one or more rules.<\/p>\n<p>To start a scan with a specific policy, add the <code>--policy<\/code> CLI flag. 
Supply it with the name of the policy you want to use.<\/p>\n<pre>$ datree test --policy NSA datree-demo.yaml<\/pre>\n<p>Datree also lets you implement custom tests by adding entirely new rules. While <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/hub.datree.io\/custom-rules\/custom-rules-overview\">rule creation<\/a> is outside the scope of this getting started guide, you could enforce that Deployments have specific labels and a minimum replica count, and use images from an approved registry. Rules are defined as JSON or YAML using <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/json-schema.org\">JSON Schema<\/a> logic.<\/p>\n<h2 id=\"scanning-multiple-files\"><span class=\"ez-toc-section\" id=\"Scanning_Multiple_Files\"><\/span>Scanning Multiple Files<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The <code>datree test<\/code> command accepts a file path or a glob pattern. You can scan a directory of manifests using the following syntax:<\/p>\n<pre>$ datree test demo-dir\/*.yaml<\/pre>\n<p>Any invalid files matched by your glob will show as failing the Datree YAML validation check.<\/p>\n<h2 id=\"authenticating-other-cli-instances\"><span class=\"ez-toc-section\" id=\"Authenticating_Other_CLI_Instances\"><\/span>Authenticating Other CLI Instances<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Datree CLI connects to your account using an authentication token. A new token is generated automatically when you install the CLI. It sets up a fresh account the first time it\u2019s used.<\/p>\n<p>You\u2019ll need to manually provide your existing authentication token if you install Datree on another machine. You can retrieve the value from the <code>token<\/code> field in your <code>~\/.datree\/config.yaml<\/code> file. 
Alternatively, head to the online dashboard, click your profile picture in the top-right corner, choose Settings from the menu, and switch to the \u201cToken Management\u201d tab.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-822818\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/08\/Screenshot-2022-08-02-at-15-43-07-Datree.io-Code-Policy-Enforcement-Solution-1.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"image of Datree's token management screen\" width=\"1278\" height=\"646\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Back in your new CLI instance, use the following command to add your token:<\/p>\n<pre>$ datree config set token &lt;TOKEN_VALUE&gt;<\/pre>\n<p>The CLI will now use the policies configured in your account. Scans will start showing up on the History screen too.<\/p>\n<h2 id=\"using-datree-without-account-access\"><span class=\"ez-toc-section\" id=\"Using_Datree_Without_Account_Access\"><\/span>Using Datree Without Account Access<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can disable the Datree CLI\u2019s account connection features if you\u2019re satisfied with the default rule set and don\u2019t want scans to communicate with Datree\u2019s servers:<\/p>\n<pre>$ datree config set offline local<\/pre>\n<p>This also removes support for Kubernetes schema validation.<\/p>\n<p>You can stop individual scans from showing up in your account\u2019s History page by setting the <code>--no-record<\/code> flag in the CLI.<\/p>\n<pre>$ datree test datree-demo.yaml --no-record<\/pre>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Datree automates detection of Kubernetes config errors by offering a simple CLI 
that\u2019s centrally configured by an online dashboard. This ensures everyone in your team is testing their manifests against the same policies, reducing the risk that mistakes will reach your cluster. You can integrate Datree into your CI pipelines to prevent deployment of changes that contain a rule violation.<\/p>\n<p>Datree\u2019s also available as a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/datreeio\/admission-webhook-datree\">Kubernetes admission webhook<\/a> that will actively block non-compliant resources. Admission webhooks are responsible for deciding whether new objects can be added to a cluster; Datree will reject any objects that fail your policy tests. Setting up the webhook provides absolute confidence that misconfigured resources can\u2019t be used, even if a user manually applies a manifest with Kubectl.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/devops\/how-to-use-datree-to-avoid-kubernetes-misconfigurations\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;How to Use Datree to Avoid Kubernetes Misconfigurations&#8221; Kubernetes is a complex system with many moving parts. Correct configuration rules are essential for your service to operate reliably. Errors can occur when you write Kubernetes manifests by hand without a comprehensive review process. 
Datree is a rule-based tool that automatically finds problems in your manifests&#8230;.<\/p>\n","protected":false},"author":1,"featured_media":501697,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/08\/Datree.jpg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-501696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/501696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=501696"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/501696\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/501697"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=501696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=501696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=501696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}