Cluster scan
By default, Datree will scan your cluster(s) every hour, and update your dashboard accordingly.
Scan interval
You can set the scan interval to be longer than 1 hour (but not shorter).
To do this, set the value of datree.scanIntervalHours in your values.yaml file to the desired number of hours, then apply it:
# values.yaml
datree:
scanIntervalHours: 3
helm upgrade -n datree -f values.yaml datree-webhook datree-webhook/datree-admission-webhook
Policy
The policy(set of rules) used for the scan is the same one that is used when deploying new resources into the cluster. This policy is displayed in your dashboard, and can be changed using the command shown here.
Supported resources
The scan will check the following resource kinds:
| Type | Kind |
|---|---|
| Native k8s | deployment, pod, daemonset, statefulset, replicaset, cronjob, job, ingress, service, replicationcontroller, horizontalpodautoscaler, configmap, endpointslice, serviceaccount, role, clusterrole, rolebindings, clusterrolebinding |
| Argo CRDs | workflow, workflowtemplate, rollout, application, appproject |
Excluded resources
The scan will ignore resources with the following labels:
kubernetes.io/bootstrapping: rbac-defaults- used by Kubernetes to label default RBAC resourcesapp.kubernetes.io/part-of: datree- used by Datree to label its own resources
Manual scan
To initiate a scan manually, press the "Rescan cluster" button in your dashboard:
If you chose to configure Datree via the Helm chart, run the following command to initiate a scan:
kubectl delete jobs/scan-job -n datree; kubectl create job --from=cronjob/scan-cronjob scan-job -n datree