Kustomize support
Overview
Datree comes with out-of-the-box support for Kustomize, allowing you to easily scan your Kustomization file and the resources it will generate for misconfigurations.
When testing a kustomization directory, Datree will build temporary copies of the resources defined in kustomization.yaml and run a policy check against them.
Linux, MacOS, and Windows are supported.
Dependencies
Using the Datree CLI to scan kustomize files requires Kustomize and/or kubectl to be installed.
Usage
Simply add the 'kustomize' argument to the CLI command, like so:
datree kustomize test [path] [cliArgs] -- [kustomizeArgs]
path - the path to your desired kustomize directory (that contains a kustomization.yaml file).
cliArgs (optional) - your desired Datree CLI arguments, as described here: CLI arguments.
kustomizeArgs (optional) - your desired arguments for the 'kustomize build' command. To see a list of supported arguments, run kustomize build -h
or kubectl kustomize -h
Examples
Assuming "/path/to/dir/" is a directory containing a 'kustomization.yaml' file, the following command will perform a policy check against all generated resources:
datree kustomize test /path/to/dir/
The following command will also perform a policy check against all generated resources, this time using k8s schema version 1.23.0 and a Datree policy named "staging":
datree kustomize test /path/to/dir/ -s 1.23.0 -p staging
Testing multiple kustomizations
If you have multiple kustomization directories inside a single directory, you can test all of them sequentially using the following script:
#!/bin/bash
path="${1:-.}"
final_exit_code=0
while read -r kustomization; do
dir="$(dirname "$kustomization")"
echo "Datree Kustomization Test: $kustomization"
set +e
datree kustomize test "$dir"
exitcode=$?
set -e
if [ "$exitcode" -gt "$final_exit_code" ]; then
final_exit_code="$exitcode"
fi
done < <(find "$path" -type f -name 'kustomization.y*ml')
if [ "$final_exit_code" = 0 ]; then
echo "Success"
else
echo "Violations found, returning exit code $final_exit_code"
fi
exit "$final_exit_code"
The script will run a policy check against all kustomizations before exiting, and return 0 only if no violations were found in any of them.
This is useful for CI, to avoid the need to call datree test
multiple times.
Thanks to Hari Sekhon for contributing the script 😎