Skip to main content

Kustomize support


Datree comes with out-of-the-box support for Kustomize, allowing you to easily scan your Kustomization file and the resources it will generate for misconfigurations.

When testing a kustomization directory, Datree will build temporary copies of the resources defined in kustomization.yaml and run a policy check against them.

Linux, MacOS, and Windows are supported.


Using the Datree CLI to scan kustomize files requires Kustomize and/or kubectl to be installed.


Simply add the 'kustomize' argument to the CLI command, like so:

datree kustomize test [path] [cliArgs] -- [kustomizeArgs]

path - the path to your desired kustomize directory (that contains a kustomization.yaml file).
cliArgs (optional) - your desired Datree CLI arguments, as described here: CLI arguments.
kustomizeArgs (optional) - your desired arguments for the 'kustomize build' command. To see a list of supported arguments, run kustomize build -h or kubectl kustomize -h


Assuming "/path/to/dir/" is a directory containing a 'kustomization.yaml' file, the following command will perform a policy check against all generated resources:

datree kustomize test /path/to/dir/

The following command will also perform a policy check against all generated resources, this time using k8s schema version 1.23.0 and a Datree policy named "staging":

datree kustomize test /path/to/dir/ -s 1.23.0 -p staging

Testing multiple kustomizations

If you have multiple kustomization directories inside a single directory, you can test all of them sequentially using the following script:



while read -r kustomization; do
dir="$(dirname "$kustomization")"
echo "Datree Kustomization Test: $kustomization"
set +e
datree kustomize test "$dir"
set -e
if [ "$exitcode" -gt "$final_exit_code" ]; then
done < <(find "$path" -type f -name 'kustomization.y*ml')

if [ "$final_exit_code" = 0 ]; then
echo "Success"
echo "Violations found, returning exit code $final_exit_code"
exit "$final_exit_code"

The script will run a policy check against all kustomizations before exiting, and return 0 only if no violations were found in any of them.
This is useful for CI, to avoid the need to call datree test multiple times.
Thanks to Hari Sekhon for contributing the script 😎