Working with Datree’s Helm Plugin
What is Datree?
Datree is a CLI tool that helps Kubernetes owners catch errors in Kubernetes configuration files before they reach production and cause failures. It does so by providing a policy enforcement solution that runs automatic checks for rule violations. It can be used on the command line to run policies against Kubernetes manifest files and Helm charts. You can include Datree's policy check as part of your CI/CD pipeline or run it locally before every commit.
If you are new to Datree, check out my introductory blog post to get started with the tool.
What is Helm?
Helm is a Kubernetes deployment tool that deploys packaged applications to Kubernetes and structures them into charts. The charts contain all pre-configured application resources and all the versions in one easily manageable package. As a result, Helm streamlines installing, upgrading, fetching dependencies, and configuring deployments on Kubernetes with simple CLI commands.
Helm helps you manage Kubernetes applications using Helm charts that are easy to make, version, share, and publish, and help you define, install, and upgrade your Kubernetes applications. In addition, Helm automates the maintenance of YAML manifests for Kubernetes objects by packaging information into charts and advertising them to a Kubernetes cluster.
Datree's Helm plugin
Datree's Helm plugin is an add-on that seamlessly integrates with Helm and, as a result, extends the features of Datree to Helm as well. You can access it via the Helm CLI and perform policy checks against your Helm charts.
Getting started
Installation
Run the following command to install the plugin:
$ helm plugin install https://github.com/datreeio/helm-datree
Installing helm-datree...
https://github.com/datreeio/datree/releases/download/1.0.6/datree-cli_1.0.6_Darwin_x86_64.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 673 100 673 0 0 1439 0 --:--:-- --:--:-- --:--:-- 1469
100 6901k 100 6901k 0 0 1852k 0 0:00:03 0:00:03 --:--:-- 2865k
helm-datree is installed.
See https://hub.datree.io for help getting started.
Installed plugin: datree
Update
Here's how you can update the Helm plugin to the latest version:
$ helm plugin update datree
Installing helm-datree...
https://github.com/datreeio/datree/releases/download/1.0.6/datree-cli_1.0.6_Darwin_x86_64.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 673 100 673 0 0 3383 0 --:--:-- --:--:-- --:--:-- 3542
100 6901k 100 6901k 0 0 9536k 0 --:--:-- --:--:-- --:--:-- 9536k
helm-datree is installed.
See https://hub.datree.io for help getting started.
Updated plugin: datree
Check version
You can also check the plugin version that you are running:
$ helm datree version
1.0.6
Help text
To get more information about the tool, use the following command:
$ helm datree help
Datree is a static code analysis tool for kubernetes files. Full code can be found at https://github.com/datreeio/datree
Usage:
datree [command]
Available Commands:
completion Generate completion script for bash,zsh,fish,powershell
config Configuration management
help Help about any command
kustomize
publish Publish policies configuration for given <fileName>.
test Execute static analysis for given <pattern>
version Print the version number
Flags:
-h, --help help for datree
Use "datree [command] --help" for more information about a command.
Prometheus Helm Chart
For this demo, we will get the Prometheus Helm chart and run our Datree policy checks against it to check for possible misconfigurations.
Download the Helm chart:
$ helm pull prometheus-community/prometheus
You can cd into the directory after unzipping the file:
$ cd prometheus
Here you can see the Helm chart files:
$ ls
Chart.lock Chart.yaml README.md charts templates values.yaml
Using the Helm CLI for policy checks
You can now use the Helm CLI to trigger the Datree policy checks.
Format: $ helm datree test [CHART DIRECTORY]
$ helm datree test .
>> File: ../../../tmp/helmtmp-prometheus_1648034635.yaml
[V] YAML validation
[V] Kubernetes schema validation
[X] Policy check
❌ Ensure each container has a configured CPU request [7 occurrences]
— metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization
❌ Prevent workload from using the default namespace [5 occurrences]
— metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)
❌ Ensure Deployment has more than one replica configured [4 occurrences]
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service
(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.18.0) schema validation: 1/1
- Passing policy check: 0/1
+---------------------------------+-----------------------+
| Enabled rules in policy “Kunal” | 8 |
| Configs tested against policy | 27 |
| Total rules evaluated | 8 |
| Total rules failed | 3 |
| Total rules passed | 5 |
| See all rules in policy | https://hub.datree.io |
+---------------------------------+-----------------------+
Error: plugin "datree" exited with error
The "." argument is the location of the Helm chart. In this case, it is the current directory.
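The report above can also drive a pipeline gate that blocks on selected rules and only warns on the rest. The script below is an added example, not code from the original post or from Datree. Assumptions: the function names `failed_rules` and `gate` are hypothetical, the report is written to standard output, and the layout matches the one printed above.

```shell
#!/usr/bin/env bash
# Added example (not Datree's code). Assumes the report layout shown above,
# which may differ between Datree versions.

# Constructed sample, abridged from the report printed earlier on this page.
sample_report() {
cat <<'EOF'
[V] YAML validation
[V] Kubernetes schema validation
[X] Policy check
❌ Ensure each container has a configured CPU request [7 occurrences]
❌ Prevent workload from using the default namespace [5 occurrences]
❌ Ensure Deployment has more than one replica configured [4 occurrences]
(Summary)
EOF
}

# failed_rules: report on stdin -> one "<occurrences><TAB><rule>" line per failed rule.
failed_rules() {
  awk '/^[ \t]*❌ / {
    rule = $0
    sub(/^[ \t]*❌ +/, "", rule)                  # drop the failure marker
    n = rule
    sub(/^.*\[/, "", n); sub(/ occurrence.*$/, "", n)   # keep only the count
    sub(/ +\[[0-9]+ occurrences?\]$/, "", rule)   # drop the "[N occurrences]" tail
    printf "%s\t%s\n", n, rule
  }'
}

# gate: report on stdin; $1 = blocking rule names, one per line (a hypothetical
# choice made by the pipeline owner). Returns 1 if any blocking rule failed.
gate() {
  blocking=$1
  status=0
  failed=$(failed_rules)
  if [ -z "$failed" ]; then return 0; fi
  while IFS="$(printf '\t')" read -r n rule; do
    if printf '%s\n' "$blocking" | grep -Fxq -- "$rule"; then
      echo "BLOCK: $rule ($n occurrences)" >&2
      status=1
    else
      echo "warn:  $rule ($n occurrences)" >&2
    fi
  done <<EOF
$failed
EOF
  return "$status"
}

# Demo on the constructed sample; in CI the input would be `helm datree test .`.
sample_report | gate "Prevent workload from using the default namespace" \
  || echo "gate: blocking rule failed"
```

When the real command is piped into `gate`, the exit status of `helm` itself is discarded unless `set -o pipefail` is in effect, so the return value of `gate` decides the job result.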
You can also see the results in your Datree dashboard.
Passing CLI arguments
Datree arguments
$ helm datree test --schema-version "1.21.0" .
>> File: ../../../tmp/helmtmp-prometheus_1648034727.yaml
[V] YAML validation
[V] Kubernetes schema validation
[X] Policy check
❌ Ensure Deployment has more than one replica configured [4 occurrences]
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service
❌ Ensure each container has a configured CPU request [7 occurrences]
— metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization
❌ Prevent workload from using the default namespace [5 occurrences]
— metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)
(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.21.0) schema validation: 1/1
- Passing policy check: 0/1
+---------------------------------+-----------------------+
| Enabled rules in policy “Kunal” | 8 |
| Configs tested against policy | 27 |
| Total rules evaluated | 8 |
| Total rules failed | 3 |
| Total rules passed | 5 |
| See all rules in policy | https://hub.datree.io |
+---------------------------------+-----------------------+
Error: plugin "datree" exited with error
Helm arguments
To pass Helm arguments, add -- after the chart directory, and then add the Helm arguments:
$ helm datree test . -- --values values.yaml --set name=test
>> File: ../../../tmp/helmtmp-prometheus_1648034771.yaml
[V] YAML validation
[V] Kubernetes schema validation
[X] Policy check
❌ Ensure each container has a configured CPU request [7 occurrences]
— metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization
❌ Prevent workload from using the default namespace [5 occurrences]
— metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)
❌ Ensure Deployment has more than one replica configured [4 occurrences]
— metadata.name: release-name-kube-state-metrics (kind: Deployment)
— metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
— metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
— metadata.name: release-name-prometheus-server (kind: Deployment)
💡 Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service
(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.18.0) schema validation: 1/1
- Passing policy check: 0/1
+---------------------------------+-----------------------+
| Enabled rules in policy “Kunal” | 8 |
| Configs tested against policy | 27 |
| Total rules evaluated | 8 |
| Total rules failed | 3 |
| Total rules passed | 5 |
| See all rules in policy | https://hub.datree.io |
+---------------------------------+-----------------------+
Error: plugin "datree" exited with error
Wrapping up
As you can see, in just a few steps we were able to extend the functionality of Datree to Helm. This is a powerful use case and now you can make sure that your Helm charts are free of misconfigurations that may cause problems in production.