Getting started
Datree secures your Kubernetes by blocking the deployment of misconfigured resources.
Policy evaluations occur locally on your machine, and the contents of your resources are never sent anywhere.
To read more about our security practices, see the data privacy page.
Quickstart
Install Datree to get insights on the status of your cluster and enforce your desired policies on new resources.
By default, Datree does not block misconfigured resources, it only monitors and alerts about them.
To enable enforcement mode, see the behavior page.
Install Datree using the tool of your choice
- Helm
- ArgoCD
- Flux
- Openshift
Add the Datree Helm repository
helm repo add datree-webhook https://datreeio.github.io/admission-webhook-datree
helm repo updateInstall Datree on your cluster
Replace<DATREE_TOKEN>
with the token from your dashboard, and run the following command:helm install -n datree datree-webhook datree-webhook/datree-admission-webhook --debug \
--create-namespace \
--set datree.token=<DATREE_TOKEN> \
--set datree.clusterName=$(kubectl config current-context)
Install Datree using one of the following methods:
Option 1 - Using the Argo CLI
Replace <DATREE_TOKEN>
with your desired values, then run the following command:
argocd app create datree --repo https://datreeio.github.io/admission-webhook-datree --helm-chart datree-admission-webhook --revision 0.3.83 --dest-namespace datree --dest-server https://kubernetes.default.svc --helm-set datree.token=<DATREE_TOKEN> --helm-set datree.clusterName=$(kubectl config current-context) --sync-option CreateNamespace=true
Option 2 - Using the Argo UI
Create a new application, edit its YAML, and copy-paste the following (replace <DATREE_TOKEN>
and <CLUSTER_NAME>
with your values):
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: datree
spec:
destination:
name: ''
namespace: datree
server: 'https://kubernetes.default.svc'
source:
path: ''
repoURL: 'https://datreeio.github.io/admission-webhook-datree'
targetRevision: 0.3.83
chart: datree-admission-webhook
helm:
parameters:
- name: datree.token
value: <DATREE_TOKEN>
- name: datree.clusterName
value: <CLUSTER_NAME>
sources: []
project: default
syncPolicy:
syncOptions:
- CreateNamespace=true
Create the
datree
namespace which will hold Datree's resourceskubectl create namespace datree
Create a
HelmRepository
resourceflux create source helm admission-webhook-datree --url https://datreeio.github.io/admission-webhook-datree --namespace datree
Create a
HelmRelease
resource
Replace<path-to-values-file.yaml>
with the path to your values file, and run the following command:flux create hr admission-webhook-datree --chart=datree-admission-webhook --source=HelmRepository/admission-webhook-datree --values=<path-to-values-file.yaml> --namespace=datree
Your values.yaml
file must contain your token and cluster name. A minimal example of a file:
#values.yaml
datree:
token: 1234-abcd-5678-efgh
clusterName: MyAwesomeCluster
Add the Datree Helm repository
helm repo add datree-webhook https://datreeio.github.io/admission-webhook-datree
helm repo updateInstall Datree on your cluster
Replace<DATREE_TOKEN>
with the token from your dashboard, and run the following command:helm install -n datree datree-webhook datree-webhook/datree-admission-webhook --debug \
--create-namespace \
--set datree.token=<DATREE_TOKEN> \
--set datree.clusterName=$(kubectl config current-context) \
--set securityContext.runAsUser=null \
--set datree.labelKubeSystem=false
kubectl label ns kube-system datree admission.datree/validate=skip --overwrite
- The installation will create a new namespace (datree), where Datree’s services and application resources will reside.
datree.token
is used to connect your cluster to your dashboard.- Note that the installation can take up to 5 minutes.
You're all set! 🎉
Datree will now run in the background, scanning your cluster for misconfigurations.
A detailed report will be available in your dashboard once the scan is complete.
What's next?
You can now proceed to configure Datree according to your needs.