Kunal Kushwaha

Working with Datree’s Helm Plugin

Prevent Kubernetes Misconfigurations

Mar 23, 2022


What is Datree?

Datree is a CLI tool that supports Kubernetes owners in their roles by preventing developers from making errors in their Kubernetes configuration files before they reach production and cause failures. It does so by providing a policy enforcement solution to run automatic checks for rule violations. It can be used on the command line to run policies against Kubernetes manifest files and Helm charts. You can include Datree's policy check as part of your CI/CD pipeline or run it locally before every commit.

If you are new to Datree, check out my introductory blog post to get started with the tool.

What is Helm?

Helm is a Kubernetes deployment tool that deploys packaged applications to Kubernetes and structures them into charts. The charts contain all pre-configured application resources and all the versions in one easily manageable package. As a result, Helm streamlines installing, upgrading, fetching dependencies, and configuring deployments on Kubernetes with simple CLI commands.

Helm charts are easy to make, version, share, and publish, and they help you define, install, and upgrade your Kubernetes applications. In addition, Helm automates the maintenance of YAML manifests for Kubernetes objects by packaging information into charts and advertising them to a Kubernetes cluster.

Datree's Helm plugin

Datree's Helm plugin is an add-on that seamlessly integrates with Helm and, as a result, extends the features of Datree to Helm as well. You can access it via the Helm CLI and perform policy checks against your Helm charts.

Getting started

Installation

Run the following command to install the plugin. As the output shows, the installer downloads the Datree CLI release archive from GitHub:

$ helm plugin install https://github.com/datreeio/helm-datree
Installing helm-datree...
https://github.com/datreeio/datree/releases/download/1.0.6/datree-cli_1.0.6_Darwin_x86_64.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   673  100   673    0     0   1439      0 --:--:-- --:--:-- --:--:--  1469
100 6901k  100 6901k    0     0  1852k      0  0:00:03  0:00:03 --:--:-- 2865k
helm-datree is installed.

See https://hub.datree.io for help getting started.
Installed plugin: datree

Update

Here's how you can update the Helm plugin to the latest version:

$ helm plugin update datree
Installing helm-datree...
https://github.com/datreeio/datree/releases/download/1.0.6/datree-cli_1.0.6_Darwin_x86_64.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   673  100   673    0     0   3383      0 --:--:-- --:--:-- --:--:--  3542
100 6901k  100 6901k    0     0  9536k      0 --:--:-- --:--:-- --:--:-- 9536k
helm-datree is installed.

See https://hub.datree.io for help getting started.
Updated plugin: datree

Check version

You can also check the plugin version that you are running:

$ helm datree version
1.0.6

Help text

To get more information about the tool, use the following command:

$ helm datree help
Datree is a static code analysis tool for kubernetes files. Full code can be found at https://github.com/datreeio/datree

Usage:
  datree [command]

Available Commands:
  completion       Generate completion script for bash,zsh,fish,powershell
  config           Configuration management
  help             Help about any command
  kustomize
  publish          Publish policies configuration for given <fileName>.
  test             Execute static analysis for given <pattern>
  version          Print the version number

Flags:
  -h, --help   help for datree

Use "datree [command] --help" for more information about a command.

Prometheus Helm Chart

For this demo, we will get the Prometheus Helm chart and run our Datree policy checks against it to check for possible misconfigurations.

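Download the Helm chart (the prometheus-community repository has to be added to Helm first):

$ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
$ helm pull prometheus-community/prometheus

helm pull saves the chart as a compressed archive. You can cd into the directory after unzipping the file: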

$ cd prometheus

Here you can see the Helm chart files:

$ ls
Chart.lock  Chart.yaml  README.md   charts      templates   values.yaml

Using the Helm CLI for policy checks

You can now use the Helm CLI to trigger the Datree policy checks.

Format: $ helm datree test [CHART DIRECTORY]

$ helm datree test .
>>  File: ../../../tmp/helmtmp-prometheus_1648034635.yaml

[V] YAML validation
[V] Kubernetes schema validation

[X] Policy check

❌  Ensure each container has a configured CPU request  [7 occurrences]
    — metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Prevent workload from using the default namespace  [5 occurrences]
    — metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)

❌  Ensure Deployment has more than one replica configured  [4 occurrences]
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service


(Summary)

- Passing YAML validation: 1/1

- Passing Kubernetes (1.18.0) schema validation: 1/1

- Passing policy check: 0/1

+---------------------------------+-----------------------+
| Enabled rules in policy “Kunal” | 8                     |
| Configs tested against policy   | 27                    |
| Total rules evaluated           | 8                     |
| Total rules failed              | 3                     |
| Total rules passed              | 5                     |
| See all rules in policy         | https://hub.datree.io |
+---------------------------------+-----------------------+


Error: plugin "datree" exited with error

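Here, . is the path to the Helm chart. In this case, it is the current directory.

The final line, Error: plugin "datree" exited with error, is Helm reporting that the plugin returned a non-zero exit status because the policy check failed. This is what lets a CI/CD pipeline stop when a chart violates the policy.

You can also see the results in your Datree dashboard.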
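An added example (not part of the original post and not Datree's code): a small shell and awk filter that turns the report format shown above into tab-separated rows (rule, declared occurrence count, kind, resource name), which is easier to feed into CI annotations or tickets. The function names are illustrative, awk is assumed to be available, and the embedded sample is trimmed from the output above.

```shell
# Added example (not Datree's code): convert the text report printed by
# `helm datree test` into tab-separated rows: rule, count, kind, name.

# Sample report, trimmed from the output shown above.
sample_report() {
cat <<'EOF'
[X] Policy check

❌  Ensure each container has a configured CPU request  [7 occurrences]
    — metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
💡  Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Ensure Deployment has more than one replica configured  [4 occurrences]
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service
EOF
}

# Reads a report on stdin; prints one row per listed resource.
datree_failures() {
  awk '
    # A rule heading ends in "[N occurrences]"; strip the leading marker.
    /\[[0-9]+ occurrences?\]$/ {
      count = $0; sub(/^.*\[/, "", count); sub(/ .*$/, "", count)
      rule = $0
      sub(/[ \t]*\[[0-9]+ occurrences?\]$/, "", rule)
      sub(/^[^A-Za-z]+/, "", rule)
      next
    }
    # Resource lines carry "metadata.name: NAME (kind: KIND)".
    rule != "" && /metadata\.name: / {
      name = $0; sub(/^.*metadata\.name: /, "", name); sub(/ \(kind: .*$/, "", name)
      kind = $0; sub(/^.*\(kind: /, "", kind); sub(/\).*$/, "", kind)
      printf "%s\t%s\t%s\t%s\n", rule, count, kind, name
    }
  '
}

# Number of distinct failed rules in a report read from stdin.
failed_rule_count() {
  datree_failures | cut -f1 | sort -u | wc -l | tr -d ' '
}
```

When a report is piped straight into the filter, the pipeline's exit status is the filter's, so save the report to a file first if the build must still fail on Datree's non-zero exit.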

Passing CLI arguments

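Datree arguments

Datree's own flags are passed directly to helm datree test. Here, --schema-version sets the Kubernetes version used for schema validation to 1.21.0 instead of the 1.18.0 used in the previous run:

$ helm datree test --schema-version "1.21.0" .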
>>  File: ../../../tmp/helmtmp-prometheus_1648034727.yaml

[V] YAML validation
[V] Kubernetes schema validation

[X] Policy check

❌  Ensure Deployment has more than one replica configured  [4 occurrences]
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service

❌  Ensure each container has a configured CPU request  [7 occurrences]
    — metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Prevent workload from using the default namespace  [5 occurrences]
    — metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)


(Summary)

- Passing YAML validation: 1/1

- Passing Kubernetes (1.21.0) schema validation: 1/1

- Passing policy check: 0/1

+---------------------------------+-----------------------+
| Enabled rules in policy “Kunal” | 8                     |
| Configs tested against policy   | 27                    |
| Total rules evaluated           | 8                     |
| Total rules failed              | 3                     |
| Total rules passed              | 5                     |
| See all rules in policy         | https://hub.datree.io |
+---------------------------------+-----------------------+


Error: plugin "datree" exited with error

Helm arguments

To pass Helm arguments, add -- after the chart directory, followed by the Helm arguments:

$ helm datree test . -- --values values.yaml --set name=test
>>  File: ../../../tmp/helmtmp-prometheus_1648034771.yaml

[V] YAML validation
[V] Kubernetes schema validation

[X] Policy check

❌  Ensure each container has a configured CPU request  [7 occurrences]
    — metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization

❌  Prevent workload from using the default namespace  [5 occurrences]
    — metadata.name: release-name-prometheus-node-exporter (kind: DaemonSet)
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`)

❌  Ensure Deployment has more than one replica configured  [4 occurrences]
    — metadata.name: release-name-kube-state-metrics (kind: Deployment)
    — metadata.name: release-name-prometheus-alertmanager (kind: Deployment)
    — metadata.name: release-name-prometheus-pushgateway (kind: Deployment)
    — metadata.name: release-name-prometheus-server (kind: Deployment)
💡  Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service


(Summary)

- Passing YAML validation: 1/1

- Passing Kubernetes (1.18.0) schema validation: 1/1

- Passing policy check: 0/1

+---------------------------------+-----------------------+
| Enabled rules in policy “Kunal” | 8                     |
| Configs tested against policy   | 27                    |
| Total rules evaluated           | 8                     |
| Total rules failed              | 3                     |
| Total rules passed              | 5                     |
| See all rules in policy         | https://hub.datree.io |
+---------------------------------+-----------------------+


Error: plugin "datree" exited with error

Wrapping up

As you can see, in just a few steps we were able to extend the functionality of Datree to Helm. This is a powerful use case and now you can make sure that your Helm charts are free of misconfigurations that may cause problems in production.
