It is recommended to incorporate Datree's policy check in your CI process. This way, every time the CI is triggered, it will also run 

 to verify the Kubernetes files are always configured according to your standards. Before adding Datree to your CI, please make sure you have completed these two tasks:

Set the account token as an environment variable (DATREE_TOKEN) in the CI itself

Best practice for setting account token in the CI

Datree CLI should be able to integrate with every CI, but we have already tested it on several common CI provides:

Working examples of each one of those CI's can be found on 

☑️ Prevent deploying naked pods

 INTEGRATIONS

Helm plugin

INTEGRATIONS

Datree

Networking

☑️ Prevent containers from mounting Docker socket

Centralized policy

☑️ Prevent CronJob from executing jobs concurrency

Getting started

☑️ Ensure HPA has maximum replicas configured

☑️ Ensure each container has a configured CPU limit

Get Started

Deprecation

☑️ Ensure Deployment has more than one replica configured

☑️ Ensure each container has a configured CPU request

CLI output

☑️ Ensure deployment-like resource is using a valid restart policy

Overview

Account token

☑️ Prevent Ingress from forwarding all traffic to a single container

☑️ Ensure CronJob has a configured deadline

☑️ Prevent deprecated APIs in Kubernetes v1.16

GitHub Actions

☑️ Prevent containers from having root access capabilities

☑️ Ensure each container image has a digest tag

Invocations history

☑️ Ensure CronJob scheduler is valid

 SETUP

☑️ Prevent containers from sharing the host’s IPC namespace

GitLab CI/CD

☑️ Ensure each container has a configured readiness probe

CircleCi

CLI options

Travis CI

☑️ Prevent containers from sharing the host’s PID namespace

☑️ Ensure HPA has minimum replicas configured

☑️ Ensure workload has a configured `owner` label

☑️ Prevent workload from using the default namespace

 GLOSSARY

Workload

 BUILT-IN RULES

Other

☑️ Ensure each container has a configured memory limit

☑️ Ensure Deployment has a configured `env` label

☑️ Prevent deprecated APIs in Kubernetes v1.17

☑️ Ensure each container has a configured liveness probe

☑️ Ensure each container has a configured memory request

☑️ Ensure each container image has a pinned (tag) version

 FAQ

☑️ Ensure workload has valid label values

CronJob

☑️ Prevent Service from exposing node port

What is Datree?

☑️ Prevent containers from accessing host files by using high UIDs

Schema validation

Containers

☑️ Prevent containers from sharing the host’s network namespace

Kubernetes Policy