Skip to main content

Overview

Datree monitors and validates your objects against your configured policy upon pushing them into a cluster, by using an admission webhook.

Datree will catch create, apply and edit operations and initiate a policy check against the configs associated with each operation.

Note

After installation, Datree runs with enforcement mode disabled by default. To enable enforcement mode, see the behavior page.

If any misconfigurations are found and enforcement mode is enabled, the webhook will reject the operation and display a detailed output with instructions on how to resolve each misconfiguration.

Validation triggers

K8s use different abstractions to simplify and automate complex processes. For example, when explicitly applying an object type “Deployment”, under the hood, Kubernetes will “translate” this object into implicit objects of types "ReplicaSet" and “Pod.”

When installed on your cluster, other policy enforcement tools will validate both explicit and implicit objects. This approach may create a lot of noise and false positive failures since it will cause the webhook to validate objects that the users don’t manage and, in some cases, are not even accessible.

To avoid such issues, we decided to support the following triggers:

  • Kubectl - validate objects that were created or updated using kubectl create, edit, and apply commands. Objects that were implicitly created (e.g., pods created via deployment) are ignored since the webhook validates the deployment that generated them and is accessible to the user.
  • Helm/Kustomize - validate objects that were created or updated using Helm or Kustomize.
  • Gitops CD tools - validate objects that were explicitly created and distinguish them from other objects (custom resources) that were implicitly created during the installation and are required for the ongoing operation of these tools (e.g., ArgoCD, FluxCD, etc.)

Background policy check

After installation, Datree will run a policy check against all resources in your cluster. The results will be displayed in your dashboard, detailing any found misconfigurations and how to fix them.

To manually trigger this scan again, run the following command:

kubectl get job "scan-job" -n datree -o json | jq 'del(.spec.selector)' | jq 'del(.spec.template.metadata.labels)' | kubectl replace --force -f -

Note that you need to have jq installed to run this command.