How to Avoid Kubernetes Misconfiguration with Datree on Windows
Copying and pasting Kubernetes manifests is common among developers and Kubernetes administrators. However, this is risky if the code is not analyzed and modified to suit the specific needs of your cluster. Many misconfigurations stem from copied and unanalyzed code.
Kubernetes cluster misconfigurations arise whenever YAML key-value pairs contain incorrect values, or when critical mechanisms such as livenessProbe and resource limits are missing. Misconfigurations jeopardize the security and health of the cluster. Datree helps you prevent them: it is a Kubernetes CLI that inspects and analyzes YAML files, detects misconfigurations, reports the details of each one, and tells you what to change to eliminate it.
This guide explains how to install and use Datree on a Windows workstation.
Prerequisites
Make sure you have installed Kubectl on your Windows workstation.
How to Install Datree on Windows
The Datree CLI scans local YAML files for misconfigurations and gives details about each misconfiguration it detects.
Open PowerShell on your Windows workstation.
Install Datree in PowerShell:
PS> iwr -useb https://get.datree.io/windows_install.ps1 | iex
You will get the following output:
Installing Datree...
[V] Downloaded Datree
[V] Finished Installation

To run datree globally, please follow these steps:
1. Run the following command as administrator:
   `setx PATH "$env:path;C:\Users\example\AppData\Local\datree" -m`
2. Close and reopen your terminal.

For more information, please visit https://datree.io

Usage: datree test $home/.datree/k8s-demo.yaml
Run 'datree completion -h' to learn how to generate shell autocompletions
Add Datree to the system path. Substitute your home path for C:\Users\example in the command shown.
PS> setx PATH "$env:path;C:\Users\example\AppData\Local\datree" -m
You will get the following output if successful.
SUCCESS: Specified value was saved.
Close and restart PowerShell after installing Datree.
Run the following PowerShell command to verify Datree is installed properly.
PS> datree version
You will get the following output:
1.5.25
How to Analyze YAML Files with Datree
In this section, you will learn how to use Datree to scan a service file.
Create a YAML file called service.yaml that defines a service called my-service.
Add the following contents to the service.yaml file:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: earth
  labels:
    app: nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: NodePort
Do not apply this YAML file to your cluster until it has successfully passed the Datree scan.
Use the following command to scan the above file:
PS> datree test service.yaml
You will get the following Datree scan results:
>> File: service.yaml
[V] YAML validation
[V] Kubernetes schema validation
The above information states the name of the file being scanned and the components being validated.
The following section of the scan results contains the misconfiguration detected in the service.yaml file. The misconfiguration is the service type NodePort, which was supposed to be LoadBalancer. The problem with NodePort is that it opens the same port on every node in the cluster, reachable from outside the cluster, which bypasses the load balancer or ingress layer where network security controls are normally enforced.
[X] Policy check
❌  Prevent Service from exposing node port [1 occurrence]
    - metadata.name: my-service (kind: Service)
💡  Incorrect value for key `type` - `NodePort` will open a port on all nodes where it can be reached by the network external to the cluster
The following section of the scan results summarizes the policy check and YAML validation.
(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.20.0) schema validation: 1/1
- Passing policy check: 0/1
+-----------------------------------+-----------------------------------------+
| Enabled rules in policy "Default" | 21                                      |
| Configs tested against policy     | 1                                       |
| Total rules evaluated             | 21                                      |
| Total rules skipped               | 0                                       |
| Total rules failed                | 1                                       |
| Total rules passed                | 20                                      |
| See all rules in policy           | https://app.datree.io/login?t=example   |
+-----------------------------------+-----------------------------------------+
Eliminate the detected misconfiguration by modifying the service.yaml file and setting the service type as LoadBalancer:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: earth
  labels:
    app: nginx
spec:
  externalTrafficPolicy: Local
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
Scan the modified service.yaml file.
PS> datree test service.yaml
Now you should see the following output, which shows the modified service has no misconfigurations.
(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.20.0) schema validation: 1/1
- Passing policy check: 1/1
+-----------------------------------+-----------------------------------------+
| Enabled rules in policy "Default" | 21                                      |
| Configs tested against policy     | 1                                       |
| Total rules evaluated             | 21                                      |
| Total rules skipped               | 0                                       |
| Total rules failed                | 0                                       |
| Total rules passed                | 21                                      |
| See all rules in policy           | https://app.datree.io/login?t=example   |
+-----------------------------------+-----------------------------------------+
How to Scan a Pod Using Datree
This section explains how to scan a Pod using Datree.
Create a YAML file called pod-example.yaml and add the following contents.
apiVersion: v1
kind: Pod
metadata:
  name: pod-example
  namespace: mattermost
spec:
  containers:
  - name: app
    image: gcr.io/google-samples/gb-frontend:v4
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
Scan the file.
PS> datree test pod-example.yaml
You will get the following output:
>> File: pod-example.yaml
[V] YAML validation
[V] Kubernetes schema validation
The pod-example.yaml file has two misconfigurations because the readinessProbe and livenessProbe properties were not added. These properties are crucial in Kubernetes because they tell the kubelet when a container is not yet ready for traffic or when an application has stopped making progress or is failing.
[X] Policy check
❌  Ensure each container has a configured liveness probe [1 occurrence]
    - metadata.name: pod-example (kind: Pod)
💡  Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks

❌  Ensure each container has a configured readiness probe [1 occurrence]
    - metadata.name: pod-example (kind: Pod)
💡  Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic
(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.20.0) schema validation: 1/1
- Passing policy check: 0/1
+-----------------------------------+-----------------------------------------+
| Enabled rules in policy "Default" | 21                                      |
| Configs tested against policy     | 1                                       |
| Total rules evaluated             | 21                                      |
| Total rules skipped               | 0                                       |
| Total rules failed                | 2                                       |
| Total rules passed                | 19                                      |
| See all rules in policy           | https://app.datree.io/login?t=example   |
+-----------------------------------+-----------------------------------------+
To eliminate the detected misconfigurations, modify the Pod by adding the readinessProbe and livenessProbe properties:
apiVersion: v1
kind: Pod
metadata:
  name: pod-example
spec:
  containers:
  - name: app
    image: gcr.io/google-samples/gb-frontend:v4
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
    ports:
    - containerPort: 8080
    readinessProbe:
      tcpSocket:
        port: 8080
      initialDelaySeconds: 5
      periodSeconds: 10
    livenessProbe:
      tcpSocket:
        port: 8080
      initialDelaySeconds: 15
      periodSeconds: 20
Scan the modified pod-example.yaml file.
PS> datree test pod-example.yaml
You should see the following output, which shows that the misconfigurations detected in the previous Datree scan are gone.
(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.20.0) schema validation: 1/1
- Passing policy check: 1/1
+-----------------------------------+-----------------------------------------+
| Enabled rules in policy "Default" | 21                                      |
| Configs tested against policy     | 1                                       |
| Total rules evaluated             | 21                                      |
| Total rules skipped               | 0                                       |
| Total rules failed                | 0                                       |
| Total rules passed                | 21                                      |
| See all rules in policy           | https://app.datree.io/login?t=example   |
+-----------------------------------+-----------------------------------------+
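Both procedures above follow the same rule: a manifest is applied only after it passes the Datree scan. The following PowerShell script is an added example, not code from this guide or from the Datree project, that enforces that rule for a whole directory of manifests; it assumes datree and kubectl are on PATH and that datree test exits with a non-zero code when a file fails validation or the policy check.

```powershell
<#
  Added example (not from the original guide or the Datree project).
  Scans every manifest under a directory with "datree test" and applies only
  the manifests that pass, so a NodePort Service or a Pod without probes is
  never sent to the cluster by accident.
  Assumptions: datree and kubectl are on PATH, and datree test exits non-zero
  when a file fails YAML/schema validation or the policy check.
#>
param(
    [Parameter(Mandatory = $true)][string]$ManifestDir,
    [switch]$Apply   # without -Apply the script only reports; nothing is applied
)

$passed = New-Object System.Collections.Generic.List[string]
$failed = New-Object System.Collections.Generic.List[string]

Get-ChildItem -Path $ManifestDir -Include *.yaml, *.yml -Recurse -File |
    ForEach-Object {
        $file = $_.FullName
        Write-Host "==> Scanning $file"
        # datree prints its own report; the decision here is made on the exit code.
        & datree test $file
        if ($LASTEXITCODE -eq 0) { $passed.Add($file) } else { $failed.Add($file) }
    }

Write-Host ""
Write-Host ("Manifests passed: {0}, failed: {1}" -f $passed.Count, $failed.Count)

if ($failed.Count -gt 0) {
    Write-Host "Not applied (fix the reported misconfigurations first):"
    $failed | ForEach-Object { Write-Host "  $_" }
    exit 1   # non-zero so a pre-commit hook or CI step stops here
}

if ($Apply) {
    foreach ($file in $passed) {
        # Only files that passed every check reach the cluster.
        kubectl apply -f $file
        if ($LASTEXITCODE -ne 0) { Write-Host "kubectl apply failed for $file"; exit 1 }
    }
} else {
    Write-Host "All manifests passed. Re-run with -Apply to apply them with kubectl."
}
```

Save it under a name of your choice (for example scan-and-apply.ps1) and run `.\scan-and-apply.ps1 -ManifestDir .\manifests` to report, adding `-Apply` once every file passes.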
Learn More
To learn more about Datree, see the project documentation.