Let's be honest here: getting started with Kubernetes and following Kubernetes best practices is tough. Say your company has multiple project teams whose developers deploy their applications to Kubernetes. A DevOps engineer who manages the company's Kubernetes clusters wants every project team to follow certain rules and write Kubernetes configuration files that follow best practices. This way they want to prevent misconfigurations or security issues from ending up in the cluster when the applications are deployed.
What are examples of these good and bad practices, you may be asking? Well, they could be:

- Specifying a pinned version on each container image.

  ✔
  ```yaml
  spec:
    containers:
    - name: app
      image: nginx:1.19.8
  ```
  ❌
  ```yaml
  spec:
    containers:
    - name: app
      image: nginx
  ```
  ```yaml
  spec:
    containers:
    - name: app
      image: nginx:latest
  ```
- Copying and pasting the K8s files for a certain application from the internet without a proper check. ❌
- Root access capabilities ❌
  ```yaml
  spec:
    containers:
    - name: app
      image: nginx:1.19.8
      securityContext:
        privileged: true
  ```
- Deprecated K8s APIs ❌
  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1alpha1
  kind: ClusterRoleBinding
  ```
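As an added example (not Datree's own code or policies), the following Python linter applies the three rules above to manifests already parsed into dicts, as yaml.safe_load would produce, and goes slightly beyond the list: it accepts digest-pinned images and walks nested pod templates such as a Deployment's spec.template.spec. The deprecated-API table and the sample manifests are constructed for illustration.

```python
# Constructed, deliberately short table: deprecated apiVersion -> replacement.
DEPRECATED_APIS = {
    "rbac.authorization.k8s.io/v1alpha1": "rbac.authorization.k8s.io/v1",
    "extensions/v1beta1": "apps/v1",
}


def image_is_pinned(image):
    """True if the image is pinned by digest or by a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    # Look only at the last path segment so a registry host:port is not read as a tag.
    last = image.rsplit("/", 1)[-1]
    return ":" in last and last.rsplit(":", 1)[1] != "latest"


def iter_containers(obj):
    """Yield every container/initContainer anywhere in the tree (Pods, Deployments, CronJobs)."""
    if isinstance(obj, dict):
        for key in ("containers", "initContainers"):
            yield from (c for c in obj.get(key) or [] if isinstance(c, dict))
        for value in obj.values():
            yield from iter_containers(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_containers(value)


def lint(manifest):
    """Return (rule, detail) findings for one parsed manifest; empty list if clean."""
    findings = []
    api = manifest.get("apiVersion", "")
    if api in DEPRECATED_APIS:
        findings.append(("deprecated-api", f"{api} -> use {DEPRECATED_APIS[api]}"))
    for c in iter_containers(manifest.get("spec", {})):
        name, image = c.get("name", "?"), c.get("image", "")
        if not image_is_pinned(image):
            findings.append(("unpinned-image", f"{name}: {image or '<none>'}"))
        if (c.get("securityContext") or {}).get("privileged") is True:
            findings.append(("privileged-container", name))
    return findings


# Constructed sample manifests mirroring the ✔/❌ snippets above.
GOOD_POD = {"apiVersion": "v1", "kind": "Pod",
            "spec": {"containers": [{"name": "app", "image": "nginx:1.19.8"}]}}
BAD_DEPLOY = {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "nginx:latest",
                    "securityContext": {"privileged": True}}]}}}}
BAD_RBAC = {"apiVersion": "rbac.authorization.k8s.io/v1alpha1", "kind": "ClusterRoleBinding"}

if __name__ == "__main__":
    for m in (GOOD_POD, BAD_DEPLOY, BAD_RBAC): print(m["kind"], lint(m) or "OK")
```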
To avoid this, Kubernetes administrators screen the configuration regularly, check for misconfigurations or security issues, and after detecting issues notify the teams about what they need to fix.
So the question is: how can Kubernetes administrators delegate Kubernetes responsibilities to developers without losing control?
Basically, letting developers still create those manifests themselves, while making sure any configuration that ends up in the cluster is correct and follows the best-practice rules that administrators want. Well, that's exactly the problem Datree solves.
Introduction:
Datree is a CLI solution that supports Kubernetes owners in their roles by preventing developers from making errors in Kubernetes configurations that can cause clusters to fail in production.
Now, before you get started, you want to take a look at your workflow and where Datree fits in it.
Let's assume this is our development team. The development team is any team in the organization that has to write code and Kubernetes manifests, and both the code and the Kubernetes manifests are pushed to your git repository.
Usually, you are developing on a test branch, or any feature branch, where you push your initial code. Then you want to promote your code from your test branch to your main branch. While you promote it from your test branch to your main branch, you want to ensure that your code passes certain checks, and that's usually done with your CI/CD pipelines.
CI/CD pipelines allow you to automate your tests and ensure that your tests pass before your new code is promoted from the main branch and deployed to your development cluster and then to your production cluster.
Usually, the DevOps team or the SRE team is responsible for setting up these checks, and as part of those checks they can set up Datree. Verifying that your Kubernetes manifests follow best practices and do not introduce any vulnerabilities to your cluster or your deployments is usually quite a manual task. Datree runs checks on your Kubernetes manifests to ensure they follow best practices before they are promoted through the CI/CD pipeline into a new deployment on your development cluster.
If the checks don't pass, let's say Datree is not happy with some of the Kubernetes manifests, those checks will fail. This lets your development team implement better practices and improve what is currently wrong in your Kubernetes manifests. This way, before you deploy anything to your development, staging, or even production cluster, you can be sure that your Kubernetes manifests follow best practices and don't introduce any vulnerabilities.
How does Datree work?
Datree is a command line tool which you can install with a single command, which means:
- Install it on any machine.
  ```bash
  $ curl https://get.datree.io | /bin/bash
  ```
- Integrate it into any tool.
- Trigger it when you want:
  - On commit
  - On pull request
  - On merge
So basically, Kubernetes admins, who actually know Kubernetes and how to properly configure Kubernetes components, create policies with all the rules and best practices once, then integrate them into every team's development workflow, and this way establish company-wide, consistent policies that all projects use. To integrate it into multiple CI/CD pipelines you don't have to copy and paste the policies into every project: these policies are stored centrally in Datree, not in the project as an additional project file, so you can reference the central policy and use it in all the CI/CD pipelines.
In addition to letting you create your own policies, Datree already provides a list of built-in policies covering the Kubernetes configuration best practices, which means that once you set it up you can immediately start validating your Kubernetes YAML files against these built-in policies.
So, that's the basics of Datree, and if you want more information on how to get started, refer to the links below 👇
This article sums up this entire video.
Peace!!😉✌