Skip to main content

Cluster scan

By default, Datree will scan your cluster(s) every hour, and update your dashboard accordingly.

Scan interval

You can set the scan interval to be longer than 1 hour (but not shorter).
To do this, set the value of datree.scanIntervalHours in your values.yaml file to the desired number of hours, then apply it:

# values.yaml
scanIntervalHours: 3
helm upgrade -n datree -f values.yaml datree-webhook datree-webhook/datree-admission-webhook


The policy(set of rules) used for the scan is the same one that is used when deploying new resources into the cluster. This policy is displayed in your dashboard, and can be changed using the command shown here.

Supported resources

The scan will check the following resource kinds:

Native k8sdeployment, pod, daemonset, statefulset, replicaset, cronjob, job, ingress, service, replicationcontroller, horizontalpodautoscaler, configmap, endpointslice, serviceaccount, role, clusterrole, rolebindings, clusterrolebinding
Argo CRDsworkflow, workflowtemplate, rollout, application, appproject

Excluded resources

The scan will ignore resources with the following labels:

  • rbac-defaults - used by Kubernetes to label default RBAC resources
  • datree - used by Datree to label its own resources

Manual scan

To initiate a scan manually, press the "Rescan cluster" button in your dashboard:


If you chose to configure Datree via the Helm chart, run the following command to initiate a scan:

kubectl delete jobs/scan-job -n datree; kubectl create job --from=cronjob/scan-cronjob scan-job -n datree