# Datree — Policy Enforcement for Kubernetes Configurations

> Prevent Kubernetes misconfigurations from reaching production. Datree validates manifests against built-in and custom rules in CI or the CLI.

## Quick Use

```bash
# Install the CLI, then test a manifest against the default policy
curl https://get.datree.io | /bin/bash
datree test my-deployment.yaml

# Or use as a kubectl plugin:
kubectl krew install datree
kubectl datree test my-deployment.yaml
```

## Introduction

Datree scans Kubernetes YAML manifests and Helm charts against a library of rules that catch misconfigurations before they reach a cluster. It helps teams enforce best practices like resource limits, liveness probes, and security contexts without writing custom policies from scratch.

## What Datree Does

- Validates Kubernetes YAML files, Helm charts, and Kustomize output against policy rules
- Ships with 60+ built-in rules covering security, reliability, and resource management
- Supports custom rules written in JSON Schema for organization-specific standards
- Integrates as a CLI tool, a kubectl plugin, or a CI pipeline step
- Provides schema validation to catch structural YAML errors before policy checks

## Architecture Overview

Datree is a Go CLI that performs three validation phases on each manifest: YAML syntax checking, Kubernetes schema validation against the target API version, and policy rule evaluation. Rules are defined as JSON Schema assertions that run entirely client-side. Results are printed to the terminal or output as JSON and SARIF for CI integration.
## Self-Hosting & Configuration

- Install via curl script, Homebrew, or as a kubectl plugin through Krew
- Run `datree test` on YAML files to check against the default policy
- Create a `policy.yaml` to define custom rule sets and severity levels
- Add a `datree test` step to GitHub Actions, GitLab CI, or Jenkins pipelines
- Use `--schema-version` to validate against a specific Kubernetes API version

## Key Features

- 60+ built-in misconfiguration rules covering CIS benchmarks and best practices
- Three-phase validation: YAML syntax, K8s schema, and policy rules in one pass
- Custom rules via JSON Schema for organization-specific standards
- Helm and Kustomize support to validate rendered output
- SARIF output for integration with GitHub Advanced Security and VS Code

## Comparison with Similar Tools

- **OPA/Gatekeeper** — Enforces policies at admission time in the cluster; Datree shifts left to CI and local development
- **Checkov** — Broad IaC scanner for Terraform, CloudFormation, and more; Datree focuses specifically on Kubernetes manifests
- **Kubeconform** — Schema-only validation; Datree adds policy rules on top of schema checks
- **Polaris** — Similar rule engine for K8s; Datree offers more built-in rules and a kubectl plugin

## FAQ

**Q: Does Datree require network access to run?**

A: The open-source offline mode runs entirely locally. No data is sent to external services.

**Q: Can I use Datree with Helm charts?**

A: Yes. Datree can validate the rendered output of `helm template` or scan chart templates directly.

**Q: How do I add custom organization rules?**

A: Define rules as JSON Schema assertions in a `policy.yaml` file and pass it to `datree test --policy`.

**Q: Does Datree replace admission controllers?**

A: It complements them. Datree catches issues early in CI, while admission controllers enforce policies at deploy time as a final gate.
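To make the "JSON Schema assertions evaluated client-side" model concrete (Architecture Overview and the custom-rules FAQ above), here is an added example that is not Datree's own code: a tiny evaluator for the JSON Schema subset `properties`, `required`, `items` and `enum`, applied to two rules shaped like Datree custom rules. The rule identifiers and the Deployment manifest are constructed for illustration and are not Datree built-ins.

```python
# Added example, not Datree's own code: a minimal client-side evaluator for
# JSON Schema style rules (subset: properties, required, items, enum).
def violations(schema: dict, doc, path: str = "$") -> list:
    # Return the JSON paths at which `doc` fails `schema`.
    out = []
    if "enum" in schema and doc not in schema["enum"]:
        out.append(f"{path}: {doc!r} not in {schema['enum']}")
    if isinstance(doc, dict):
        for key in schema.get("required", []):
            if key not in doc:
                out.append(f"{path}.{key}: required field missing")
        for key, sub in schema.get("properties", {}).items():
            if key in doc:
                out.extend(violations(sub, doc[key], f"{path}.{key}"))
    elif isinstance(doc, list) and "items" in schema:
        for i, item in enumerate(doc):
            out.extend(violations(schema["items"], item, f"{path}[{i}]"))
    return out

def container_rule(per_container: dict) -> dict:
    # Apply a per-container schema to every container of a Deployment pod template.
    return {"properties": {"spec": {"properties": {"template": {"properties": {
        "spec": {"properties": {"containers": {"items": per_container}}}}}}}}}

# Rule identifiers are hypothetical; they mirror the shape of Datree custom rules.
RULES = {
    "CUSTOM_CONTAINERS_REQUIRE_LIMITS": container_rule(
        {"required": ["resources"],
         "properties": {"resources": {"required": ["limits"]}}}),
    "CUSTOM_CONTAINERS_RUN_AS_NON_ROOT": container_rule(
        {"required": ["securityContext"],
         "properties": {"securityContext": {"required": ["runAsNonRoot"],
                        "properties": {"runAsNonRoot": {"enum": [True]}}}}}),
}

def evaluate(manifest: dict) -> dict:
    # Map each failing rule identifier to the paths that violate it.
    return {rid: v for rid, s in RULES.items() if (v := violations(s, manifest))}

# Constructed sample: "web" lacks limits and runs as root; "sidecar" declares neither.
BAD_DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"}, "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:1.25",
         "resources": {"requests": {"cpu": "100m"}},
         "securityContext": {"runAsNonRoot": False}},
        {"name": "sidecar", "image": "busybox:1.36"}]}}}}

if __name__ == "__main__":
    for rule_id, paths in evaluate(BAD_DEPLOYMENT).items():
        print(rule_id, *paths, sep="\n  ")
```

Running it reports both rules with one violation per container, which is the same per-path feedback a policy step in CI would surface before the manifest reaches an admission controller.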
## Sources

- https://github.com/datreeio/datree
- https://hub.datree.io

---

Source: https://tokrepo.com/en/workflows/a1078df1-3974-11f1-9bc6-00163e2b0d79
Author: AI Open Source