Cluster scan
By default, Datree will scan your cluster(s) every hour, and update your dashboard accordingly.
Scan interval
You can set the scan interval to be longer than 1 hour (but not shorter). To do this, run the following command:
helm upgrade -n datree datree-webhook datree-webhook/datree-admission-webhook --reuse-values --set datree.scanIntervalHours=<interval>
Replace <interval>
with the number of hours you'd like to have between scans.
Policy
The policy(set of rules) used for the scan is the same one that is used when deploying new resources into the cluster. This policy is displayed in your dashboard, and can be changed using the command shown here.
Supported resources
The scan will check the following resource kinds:
Type | Kind |
---|---|
Native k8s | deployment , pod , daemonset , statefulset , replicaset , cronjob , job , ingress , service , replicationcontroller , horizontalpodautoscaler , configmap , endpointslice , serviceaccount , role , clusterrole , rolebindings , clusterrolebinding |
Argo CRDs | workflow , workflowtemplate , rollout , application , appproject |
Excluded resources
The scan will ignore resources with the following labels
:
kubernetes.io/bootstrapping: rbac-defaults
- used by Kubernetes to label default RBAC resourcesapp.kubernetes.io/part-of: datree
- used by Datree to label its own resources
Manual scan
To initiate a scan manually, run the following command:
kubectl delete jobs/scan-job -n datree; kubectl create job --from=cronjob/scan-cronjob scan-job -n datree