Perform security checks on Kubernetes manifests and Helm charts using Datree


Datree is an open-source CLI tool that helps Kubernetes admins define the policies they want their teams to follow. This helps prevent errors in Kubernetes configurations that may lead to cluster failures in production.

Normally, Datree works by running automatic checks on code changes for rule violations and misconfigurations. Whenever a violation or misconfiguration is found, an alert is raised that guides the developer on how to fix the issue.

Below is a diagram illustrating the Datree architecture.

[Diagram: Datree architecture]

Datree offers the following benefits to admins:

  • Centralize restriction management: manage restrictions in one dedicated place across the entire organization. Admins have full control over the rules that are enforced.
  • Enforce policy restrictions on development: restrictions are enforced before being applied to the cluster. Developers are alerted early when misconfigurations occur. They are able to catch the mistakes before the code moves to production.
  • Educate about best practices: best practices involve reviewing, fencing off, and future-proofing all possible pitfalls in current and future use cases. Datree comes with Kubernetes best practices built in, so no manual review is required.
  • DevOps culture: It provides mechanisms similar to other development tools like unit tests. This makes it easy to use since developers are familiar with them. These tools are used to cultivate the DevOps culture.

By following this guide, you should be able to perform security checks on Kubernetes manifests and Helm charts using Datree.

Getting Started

This guide requires the following packages installed.

### CentOS / RHEL ###
sudo yum -y install vim curl wget unzip

### Debian / Ubuntu ###
sudo apt update
sudo apt install -y vim curl wget unzip

### Fedora ###
sudo dnf -y install vim curl wget unzip

#1. Install Datree on your System

Installing Datree on Linux/macOS systems is as easy as robbing a child’s bank. All you have to do is execute the below command:

curl https://get.datree.io | /bin/bash

Execution Output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1736  100  1736    0     0  36936      0 --:--:-- --:--:-- --:--:-- 36936
Installing Datree...

[V] Downloaded Datree
[V] Finished Installation

 Usage: $ datree test ~/.datree/k8s-demo.yaml 
 Using Helm? => https://github.com/datreeio/helm-datree 
 Using Kustomize? => https://hub.datree.io/kustomize-support 
 Run 'datree completion -h' to learn how to generate shell autocompletions 

On Windows, execute the below command in PowerShell to install Datree:

iwr -useb https://get.datree.io/windows_install.ps1 | iex

The above commands install the latest Datree release. There are other installation options such as:

  • Using Homebrew:
brew tap datreeio/datree
brew install datreeio/datree/datree
  • Using Docker:
docker pull datree/datree

Verify the installation.

$ datree version
1.4.3

#2. Use Datree to Scan Kubernetes manifest files

Once installed, you can easily use Datree to perform security checks on Kubernetes manifests.

The syntax used is:

datree test [k8s-manifest-file]

When the check is run, it passes through 3 main validations:

  • YAML validation
  • Kubernetes schema validation
  • Kubernetes policies validations

For example, performing checks on my demo manifest, the command will be:

datree test ~/.datree/k8s-demo.yaml

Sample Output:

[Screenshot: datree test output for k8s-demo.yaml]

The output lists each violation found in the manifest, which gives admins and developers the guidance they need to fix it.
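To make the three validation stages concrete, here is an added example (not code from the post or from the Datree project) of a small policy checker in the same spirit: it runs a schema stage for required top-level fields, then policy rules per container, and returns a remediation hint per violation plus counts shaped like the summary table Datree prints. The rule identifiers are hypothetical, modelled on the kinds of rules in Datree's default policy, and the manifest is a constructed sample that deliberately violates all of them.

```python
import json

# Constructed sample (not from the post): a Deployment carrying misconfigurations of
# the kind Datree's default policy flags: unpinned image, no limits, privileged, no probe.
RISKY_DEPLOYMENT = json.loads("""{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "web"}, "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "web"}},
  "template": {"metadata": {"labels": {"app": "web"}}, "spec": {"containers": [
   {"name": "web", "image": "nginx:latest", "securityContext": {"privileged": true}}]}}}}""")

def containers(manifest):
    """Every container of a bare Pod or of a workload that wraps a Pod template."""
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)
    return pod.get("containers", []) + pod.get("initContainers", [])

def image_is_pinned(c):
    """True when the image has an explicit tag other than 'latest' (a digest also counts)."""
    name = c.get("image", "").split("/")[-1]      # drop the registry/repository prefix
    tag = name.split(":", 1)[1] if ":" in name else ""
    return bool(tag) and tag != "latest"

# (hypothetical identifier, check, remediation hint) modelled on Datree's built-in rules
RULES = [
    ("CONTAINERS_MISSING_IMAGE_TAG", image_is_pinned,
     "pin the image to a specific tag or digest instead of 'latest'"),
    ("CONTAINERS_MISSING_RESOURCE_LIMITS",
     lambda c: {"cpu", "memory"} <= set(c.get("resources", {}).get("limits", {})),
     "set resources.limits.cpu and .memory so one pod cannot exhaust the node"),
    ("CONTAINERS_PRIVILEGED",
     lambda c: not c.get("securityContext", {}).get("privileged", False),
     "drop securityContext.privileged and grant only the capabilities needed"),
    ("CONTAINERS_MISSING_LIVENESS_PROBE", lambda c: "livenessProbe" in c,
     "add a livenessProbe so the kubelet restarts a hung container"),
]

def validate(manifest):
    """Schema stage (required top-level fields), then the policy stage per container."""
    found = [{"rule": "SCHEMA_MISSING_FIELD", "container": None, "fix": f"add top-level '{f}'"}
             for f in ("apiVersion", "kind", "metadata", "spec") if f not in manifest]
    for c in containers(manifest):
        found += [{"rule": rid, "container": c.get("name"), "fix": fix}
                  for rid, check, fix in RULES if not check(c)]
    return found

def summary(violations):
    """Counts shaped like the table Datree prints at the end of a run."""
    failed = {v["rule"] for v in violations if v["rule"] != "SCHEMA_MISSING_FIELD"}
    return {"evaluated": len(RULES), "failed": len(failed), "passed": len(RULES) - len(failed)}
```

Running `validate(RISKY_DEPLOYMENT)` returns four violations, one per rule, each with its fix hint; a manifest that pins its image, sets both limits, drops `privileged` and adds a probe returns an empty list.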

#3. Customize your policy

Each Datree policy check runs against the default policy, which includes 44 built-in rules. To configure the policy, go back to the terminal output and sign up by clicking the link provided at the end of it.

+-----------------------------------+------------------------------------------------------+
| Enabled rules in policy “Default” | 21                                                   |
| Configs tested against policy     | 1                                                    |
| Total rules evaluated             | 21                                                   |
| Total rules skipped               | 0                                                    |
| Total rules failed                | 4                                                    |
| Total rules passed                | 17                                                   |
| See all rules in policy           | https://app.datree.io/login?t=bDNVK7Tg9ZSCN76pZPhmT7 |
+-----------------------------------+------------------------------------------------------+

Sign up by providing the required credentials.

[Screenshot: Datree sign-up page]

You will then be redirected to the Centralized policy dashboard.

[Screenshot: Datree centralized policy dashboard]

Here, you can enable or disable the built-in rules and, optionally, add your own custom rules to be run against your manifests.

From the dashboard, you can also see the scan history.

[Screenshot: Datree scan history]

#4. Integrate Datree into your CI

To keep repositories clean and stable by catching misconfigurations early, you need to integrate Datree into your workflow.

The following integrations are supported.

  • Kubectl plugin
  • Helm plugin
  • GitHub Action
  • Git hooks
  • Pre-commit hook

This guide demonstrates how to install and use the below plugins:

  • Kubectl plugin

The Kubectl plugin can be installed using the command:

kubectl krew install datree

The syntax below is used to perform scans with the kubectl-datree plugin.

kubectl datree test [datree CLI args] -- [options]

For example, performing a scan by fetching all resources in the namespace test and executing a policy check:

kubectl datree test -- -n test

  • Helm plugin

This plugin is used to validate charts against the Datree policy. The plugin can be installed with the command:

helm plugin install https://github.com/datreeio/helm-datree

Learn how to install and use Helm with the aid of the guide below:

Unfortunately, this plugin is not supported on Windows, so Windows users need to work around this by running Helm under WSL.

To update the plugin, simply run:

helm plugin update datree

Uninstall the plugin using the command:

helm plugin uninstall datree

To trigger a Datree policy check on Helm charts, issue the command bearing the syntax below.

helm datree test [CHART_DIRECTORY]

If you need to pass arguments to your template, add -- before them as below:

helm datree test [CHART_DIRECTORY] -- --values values.yaml --set name=prod

To demonstrate how to use the plugin, I will create a sample Helm chart as below:

$ helm create buildachart
Creating buildachart

Now perform a test on the charts.

helm datree test buildachart/templates/deployment.yaml

Sample Output:

[Screenshot: helm datree test output for the buildachart chart]

To integrate Datree into your CI/CD pipeline, follow the steps below:

  • Get your account token (can be found from the dashboard under Settings)
  • Set DATREE_TOKEN as a secret/environment variable
  • Add Datree to your CI script as shown in the example below:

version: 2.1
jobs:
  build:
    docker:
      - image: circleci/node
    steps:
      - checkout
      - run: npm run build
  test:
    docker:
      - image: circleci/node
    steps:
      - checkout
      - run: curl https://get.datree.io | /bin/bash
      - run: datree test ~/.datree/k8s-demo.yaml

workflows:
  main:
    jobs:
      - build
      - test

Voila!

That concludes the guide on how to perform security checks on Kubernetes manifests and Helm charts using Datree. We can agree that Datree can be used to prevent errors in Kubernetes configurations which may lead to the failure of clusters in production.


A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.