Skip to main content

Cluster scan

By default, Datree will scan your cluster(s) every hour, and update your dashboard accordingly.

Scan interval

You can set the scan interval to be longer than 1 hour (but not shorter). To do this, run the following command:

helm upgrade -n datree datree-webhook datree-webhook/datree-admission-webhook --reuse-values --set datree.scanIntervalHours=<interval>

Replace <interval> with the number of hours you'd like to have between scans.

Policy

The policy(set of rules) used for the scan is the same one that is used when deploying new resources into the cluster. This policy is displayed in your dashboard, and can be changed using the command shown here.

Supported resources

The scan will check the following resource kinds:

TypeKind
Native k8sdeployment, pod, daemonset, statefulset, replicaset, cronjob, job, ingress, service, replicationcontroller, horizontalpodautoscaler, configmap, endpointslice, serviceaccount, role, clusterrole, rolebindings, clusterrolebinding
Argo CRDsworkflow, workflowtemplate, rollout, application, appproject

Excluded resources

The scan will ignore resources with the following labels:

  • kubernetes.io/bootstrapping: rbac-defaults - used by Kubernetes to label default RBAC resources
  • app.kubernetes.io/part-of: datree - used by Datree to label its own resources

Manual scan

To initiate a scan manually, run the following command:

kubectl delete jobs/scan-job -n datree; kubectl create job --from=cronjob/scan-cronjob scan-job -n datree