Configs · Apr 16, 2026 · 3 min read

Datree — Policy Enforcement for Kubernetes Configurations

Prevent Kubernetes misconfigurations from reaching production. Datree validates manifests against built-in and custom rules in CI or the CLI.

Introduction

Datree scans Kubernetes YAML manifests and Helm charts against a library of rules that catch misconfigurations before they reach a cluster. It helps teams enforce best practices like resource limits, liveness probes, and security contexts without writing custom policies from scratch.

What Datree Does

  • Validates Kubernetes YAML files, Helm charts, and Kustomize output against policy rules
  • Ships with 60+ built-in rules covering security, reliability, and resource management
  • Supports custom rules written in JSON Schema for organization-specific standards
  • Integrates as a CLI tool, a kubectl plugin, or a CI pipeline step
  • Provides schema validation to catch structural YAML errors before policy checks

Architecture Overview

Datree is a Go CLI that performs three validation phases on each manifest: YAML syntax checking, Kubernetes schema validation against the target API version, and policy rule evaluation. Rules are defined as JSON Schema assertions that run entirely client-side. Results are printed to the terminal or output as JSON and SARIF for CI integration.

Self-Hosting & Configuration

  • Install via curl script, Homebrew, or as a kubectl plugin through Krew
  • Run datree test on YAML files to check against the default policy
  • Create a policy.yaml to define custom rule sets and severity levels
  • Add a datree test step to GitHub Actions, GitLab CI, or Jenkins pipelines
  • Use --schema-version to validate against a specific Kubernetes API version

Key Features

  • 60+ built-in misconfiguration rules covering CIS benchmarks and best practices
  • Three-phase validation: YAML syntax, K8s schema, and policy rules in one pass
  • Custom rules via JSON Schema for organization-specific standards
  • Helm and Kustomize support to validate rendered output
  • SARIF output for integration with GitHub Advanced Security and VS Code

Comparison with Similar Tools

  • OPA/Gatekeeper — Enforces policies at admission time in the cluster; Datree shifts left to CI and local development
  • Checkov — Broad IaC scanner for Terraform, CloudFormation, and more; Datree focuses specifically on Kubernetes manifests
  • Kubeconform — Schema-only validation; Datree adds policy rules on top of schema checks
  • Polaris — Similar rule engine for K8s; Datree offers more built-in rules and a kubectl plugin

FAQ

Q: Does Datree require network access to run? A: The open-source offline mode runs entirely locally. No data is sent to external services.

Q: Can I use Datree with Helm charts? A: Yes. Datree can validate the rendered output of helm template or scan chart templates directly.

Q: How do I add custom organization rules? A: Define rules as JSON Schema assertions in a policy.yaml file and pass it to datree test --policy.
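The architecture section above describes rules as JSON Schema assertions evaluated client-side, and this answer describes adding them as custom rules. The following is an added example, not Datree's code: a small evaluator for a subset of JSON Schema keywords, two constructed rules shaped like Datree custom rules (identifier, message, schema), and two constructed Deployment manifests, one that violates both rules and one that passes. The rule identifiers, the `container_rule` helper and the manifests are assumptions made for the example.

```python
"""Client-side JSON Schema rule evaluation over Kubernetes manifests, in the style of
Datree custom rules (added example, not Datree code). Supports only the keywords the
constructed rules below need: type, const, enum, not, required, properties, items."""

TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}

def matches(schema, doc):
    """Return True if doc satisfies the supported subset of JSON Schema keywords."""
    if "type" in schema and not isinstance(doc, TYPES[schema["type"]]):
        return False
    if "const" in schema and doc != schema["const"]:
        return False
    if "enum" in schema and doc not in schema["enum"]:
        return False
    if "not" in schema and matches(schema["not"], doc):
        return False
    if isinstance(doc, dict):
        if any(key not in doc for key in schema.get("required", [])):
            return False
        for key, sub in schema.get("properties", {}).items():
            if key in doc and not matches(sub, doc[key]):  # absent keys are not checked
                return False
    if isinstance(doc, list) and "items" in schema:
        return all(matches(schema["items"], item) for item in doc)
    return True

def container_rule(container_schema):
    """Assumed helper: apply a per-container schema to every container of a Pod template."""
    return {"properties": {"spec": {"properties": {"template": {"properties": {"spec": {
        "properties": {"containers": {"items": container_schema}}}}}}}}}

# Constructed policy: two rules in the shape of Datree custom rules (identifiers are invented).
POLICY = [
    {"identifier": "CUSTOM_CONTAINERS_MISSING_MEMORY_LIMIT",
     "messageOnFailure": "Every container must set resources.limits.memory",
     "schema": container_rule({"required": ["resources"], "properties": {"resources": {
         "required": ["limits"], "properties": {"limits": {"required": ["memory"]}}}}})},
    {"identifier": "CUSTOM_CONTAINERS_PRIVILEGED",
     "messageOnFailure": "Containers must not run privileged",
     "schema": container_rule({"properties": {"securityContext": {
         "properties": {"privileged": {"const": False}}}}})},
]

def evaluate(policy, manifest):
    """Return identifiers of the rules the manifest violates (empty list means pass)."""
    return [rule["identifier"] for rule in policy if not matches(rule["schema"], manifest)]

def deployment(container):
    """Constructed Deployment manifest wrapping one container spec."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"template": {"spec": {"containers": [container]}}}}

BAD = deployment({"name": "app", "image": "app:1.0", "securityContext": {"privileged": True}})
GOOD = deployment({"name": "app", "image": "app:1.0", "securityContext": {"privileged": False},
                   "resources": {"limits": {"memory": "128Mi"}}})
```

Running `evaluate(POLICY, BAD)` reports both rule identifiers, while `evaluate(POLICY, GOOD)` returns an empty list; a container with no securityContext at all passes the privileged rule, mirroring JSON Schema's rule that `properties` only constrains keys that are present.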

Q: Does Datree replace admission controllers? A: It complements them. Datree catches issues early in CI, while admission controllers enforce policies at deploy time as a final gate.
