CLI arguments
Running a policy check
The minimum input that's required to trigger a policy check is to use the command datree test and to provide a Kubernetes configuration file path or a glob pattern:
$ datree test kube-prod/deployment.yaml
$ datree test kube-*/*.yaml
Testing all files recursively (also within subdirectories) is not supported automatically by all shells.
To enable this feature in bash, make sure your bash version is 4 or higher, and run the following command in your terminal:
shopt -s globstar
or use the following workaround for bash version 3 or lower:
find . -name '*.yaml' -print0 | xargs -0 datree test
For more information, see the bash documentation
Flags
The following flags for the datree test command allow you to change the behavior of each part of the policy check:
YAML validation flags:
| Flag | Alias | Values | Description |
|---|---|---|---|
| --only-k8s-files | N/A | N/A | Skip all non-K8s files. Especially useful when scanning a dir with K8s and other config files: datree test *.yaml --only-k8s-files |
Kubernetes schema validation flags:
| Flag | Alias | Values | Description |
|---|---|---|---|
| --schema-version | -s | e.g. "1.20.0" | Set Kubernetes version to validate against. Default can also be changed from the dashboard |
| --schema-location | N/A | e.g. "http://example.com/schema.json" | Override Kubernetes schema location. See relevant page for more information. |
| --ignore-missing-schemas | N/A | N/A | Skip files with missing schemas instead of failing the schema validation check |
| --permissive-schema | N/A | N/A | Allow duplicated keys and/or additional properties that are not part of the schema |
Policy check flags:
| Flag | Alias | Values | Description |
|---|---|---|---|
| --policy | -p | e.g. staging | Specify which policy to execute (by policy name) |
| --no-record | N/A | N/A | Don’t send policy checks metadata to the backend |
| --policy-config | N/A | e.g. "myPolicyConfig.yaml" | Specify a path to a local policies-configuration file |
Output flags:
| Flag | Alias | Values | Description |
|---|---|---|---|
| --output | -o | json, yaml, xml, JUnit, sarif | Output the policy check results in the requested format |
| --output | -o | simple | Output the policy check results in simple text (without emoji or colors) |
| --verbose | N/A | N/A | Display 'How to Fix' link for failed rules in output |
| --save-rendered | N/A | N/A | Don't delete rendered files after the policy check (e.g helm, kustomize) |
Additional options
Built-in Kustomize support
Run datree kustomize test [path] to render resources defined in a kustomization.yaml file located in [path] and run a policy check against them.
For more information, options and examples, see the Kustomize support page.
Publish policy-as-code configuration
When using Policy as code mode, the command datree publish fileName.yaml will publish policies configuration for given fileName. Input should be the path to the Policy-as-Code yaml configuration file.
Configure the CLI via the config.yaml file
After running your first policy check, a default config file will be created (defaults to $HOME/.datree/config.yaml) with the following contents:
client_id: [your client ID]
offline: fail
token: [your token]
The command datree config allows you to manage the config file.
Use datree config set to change the value of the following keys in the file:
token- the token used to link the CLI to your dashboard.
$ datree config set token NEW_TOKEN
offline- determines how your CLI will behave when there is no active internet connection.
By default, when executing a policy check, the CLI attempts to pull your policy from your dashboard. If there is no internet connection, the default behavior (fail) will cause the CLI to exit with an error without performing the policy check.
When in offline-mode, you will need to instruct the CLI to use a local policy file instead. Set the value tolocalby running the following command:
$ datree config set offline local
Upgrade the CLI to the latest version
To upgrade your CLI, simply run datree upgrade.
Print the current CLI version
To print your CLI version, run datree version.
Open the documentation website
Run datree docs to open the Datree documentation website in your browser.
Shell autocompletion
The CLI supports autocompletion for commands when using various shells.
Run datree completion -h to see which shells are supported and how to enable autocompletion for each of them.
For your convenience, the instructions are laid out here as well. Simply choose the shell of your choice:
- Bash
- Zsh
- fish
- PowerShell
Run the following command:
source <(datree completion bash)
To load completions for each session, run the following command once:
Linux:
datree completion bash > /etc/bash_completion.d/datree
MacOS:
datree completion bash > /usr/local/etc/bash_completion.d/datree
If shell completion is not already enabled in your environment, you will need to enable it.
To do that, run the following command once:
echo "autoload -U compinit; compinit" >> ~/.zshrc
To load completions for each session, run the following command once:
datree completion zsh > "${fpath[1]}/_datree"
You will need to start a new shell for this setup to take effect.
Run the following command:
datree completion fish | source
To load completions for each session, run the following command once:
datree completion fish > ~/.config/fish/completions/datree.fish
Run the following command:
PS> datree completion powershell | Out-String | Invoke-Expression
To load completions for every new session, run the following command:
PS> datree completion powershell > datree.ps1
Then, source this file from your PowerShell profile.
Alternatively, autocompletion for the Datree CLI is also available automatically as a part of Fig.
To install Fig, visit the autocomplete github repository.