How to Avoid Kubernetes Misconfiguration with Datree on Windows

Updated on November 21, 2023
How to Avoid Kubernetes Misconfiguration with Datree on Windows header image

Copying and pasting Kubernetes manifests is common among developers and Kubernetes administrators. However, this is risky if the code is not analyzed and modified to suit the specific needs of your cluster. Many misconfigurations stem from copied and unanalyzed code.

Kubernetes cluster misconfigurations are created whenever YAML key-value pairs contain incorrect values or critical mechanisms such as livenessProbe and resource limits are not added. Misconfigurations jeopardize the security and health of the cluster. Therefore, it is important to prevent Kubernetes misconfigurations by using Datree, which is a Kubernetes CLI that inspects and analyzes YAML files to detect Kubernetes misconfigurations, provides the details of the detected misconfiguration, and what you should do to eliminate the misconfiguration.

This guide explains how to install and use Datree on a Windows workstation.

Prerequisites

Make sure you have installed Kubectl on your Windows workstation.

How to Install Datree on Windows

The Datree CLI scans local YAML files for any misconfigurations and gives details about the detected vulnerability.

  1. Open PowerShell on your Windows workstation.

  2. Install Datree in PowerShell:

     PS> iwr -useb https://get.datree.io/windows_install.ps1 | iex

    You will get the following output:

     Installing Datree...
    
     [V] Downloaded Datree
     [V] Finished Installation
    
     To run datree globally, please follow these steps:
    
         1. Run the following command as administrator: `setx PATH "$env:path;C:\Users\example\AppData\Local\datree" -m`
    
         2. Close and reopen your terminal.
    
     For more information, please visit https://datree.io

    Usage: datree test $home/.datree/k8s-demo.yaml

         Run 'datree completion -h' to learn how to generate shell autocompletions
  3. Add Datree to the system path. Substitute your home path for C:\users\example in the command shown.

     PS> setx PATH "$env:path;C:\Users\example\AppData\Local\datree" -m

    You will get the following output if successful.

     SUCCESS: Specified value was saved.
  4. Close and restart Powershell after installing Datree.

  5. Run the following PowerShell command to verify Datree is installed properly.

     PS> datree version

    You will get the following output:

     1.5.25

How to Analyze YAML Files with Datree

In this section, you will learn how to use Datree to scan a service file.

  1. Create a YAML file called service.yaml which will contain the contents of the service called my-service.

  2. Add the following contents to the service.yaml file:

     apiVersion: v1
     kind: Service
     metadata:
       name: my-service
       namespace: earth
       labels:
         app: nginx
     spec:
       externalTrafficPolicy: Local
       ports:
       - name: http
         port: 80
         protocol: TCP
         targetPort: 80
       selector:    
         app: nginx
       type: NodePort

    Do not apply this YAML file to your cluster until it has successfully passed the Datree scan.

  3. Use the following command to scan the above file:

     PS> datree test service.yaml

You will get the following Datree scan results:

    >>  File: service.yaml
    
    [V] YAML validation
    [V] Kubernetes schema validation

The above information states the name of the file being scanned and the components being validated.

The following section of the scan results contains the detected misconfiguration in the service.yaml file. The service.yaml file contains a misconfiguration caused by a service type called NodePort, which was supposed to be set as a LoadBalancer. The problem with NodePorts is that they bypass network security.

    [X] Policy check
    
    ❌  Prevent Service from exposing node port  [1 occurrence]
        - metadata.name: my-service (kind: Service)
    πŸ’‘  Incorrect value for key `type` - `NodePort` will open a port on all nodes where it can be reached by the network external to the cluster

The following section of the scan results summarizes the policy check and YAML validation.

    (Summary)
    
    - Passing YAML validation: 1/1
    
    - Passing Kubernetes (1.20.0) schema validation: 1/1
    
    - Passing policy check: 0/1
    
    +-----------------------------------+------------------------------------------------------+
    | Enabled rules in policy "Default" | 21                                                   |
    | Configs tested against policy     | 1                                                    |
    | Total rules evaluated             | 21                                                   |
    | Total rules skipped               | 0                                                    |
    | Total rules failed                | 1                                                    |
    | Total rules passed                | 20                                                   |
    | See all rules in policy           | https://app.datree.io/login?t=example                |
    +-----------------------------------+------------------------------------------------------+

Eliminate the detected misconfiguration by modifying the service.yaml file and setting the service type as LoadBalancer:

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
      namespace: earth
      labels:
        app: nginx
    spec:
      externalTrafficPolicy: Local
      ports:
      - name: http
        port: 80
        protocol: TCP
        targetPort: 80
      selector:    
        app: nginx
      type: LoadBalancer

Scan the modified service.yaml file.

    PS> datree test service.yaml

Now you should see the following output, which shows the modified service has no misconfigurations.

    (Summary)
    
    - Passing YAML validation: 1/1
    
    - Passing Kubernetes (1.20.0) schema validation: 1/1
    
    - Passing policy check: 1/1
    
    +-----------------------------------+------------------------------------------------------+
    | Enabled rules in policy "Default" | 21                                                   |
    | Configs tested against policy     | 1                                                    |
    | Total rules evaluated             | 21                                                   |
    | Total rules skipped               | 0                                                    |
    | Total rules failed                | 0                                                    |
    | Total rules passed                | 21                                                   |
    | See all rules in policy           | https://app.datree.io/login?t=example                |
    +-----------------------------------+------------------------------------------------------+

How to Scan a Pod Using Datree

This section explains how to scan a Pod using Datree.

  1. Create a YAML file called pod.yaml and add the following contents.

     apiVersion: v1
     kind: Pod
     metadata:
       name: pod-example
       namespace: mattermost
     spec:
       containers:
       - name: app
         image: gcr.io/google-samples/gb-frontend:v4
         resources:
           requests:
             memory: "64Mi"
             cpu: "250m"
           limits:
             memory: "128Mi"
             cpu: "500m"
  2. Scan the file.

      PS> datree test pod-example.yaml
  3. You will get the following output:

     >>  File: pod-example.yaml
    
     [V] YAML validation
     [V] Kubernetes schema validation

The pod.yaml file created has two misconfigurations because: the readinessProbe and livenessProbe properties were not added. These properties are crucial in Kubernetes because they alert the Kubelet when containers and applications are not progressing or failing.

    [X] Policy check
    
    ❌  Ensure each container has a configured liveness probe  [1 occurrence]
        - metadata.name: pod-example (kind: Pod)
    πŸ’‘  Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks
    
    ❌  Ensure each container has a configured readiness probe  [1 occurrence]
        - metadata.name: pod-example (kind: Pod)
    πŸ’‘  Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic
    
    (Summary)
    
    - Passing YAML validation: 1/1
    
    - Passing Kubernetes (1.20.0) schema validation: 1/1
    
    - Passing policy check: 0/1
    
    +-----------------------------------+------------------------------------------------------+
    | Enabled rules in policy "Default" | 21                                                   |
    | Configs tested against policy     | 1                                                    |
    | Total rules evaluated             | 21                                                   |
    | Total rules skipped               | 0                                                    |
    | Total rules failed                | 2                                                    |
    | Total rules passed                | 19                                                   |
    | See all rules in policy           | https://app.datree.io/login?t=example                |
    +-----------------------------------+------------------------------------------------------+

To eliminate the detected misconfigurations modify the Pod by adding the readinessProbe and livenessProbe properties:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-example
    spec:
      containers:
      - name: app
        image: gcr.io/google-samples/gb-frontend:v4
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 8080
        readinessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 8080
          initialDelaySeconds: 15
          periodSeconds: 20

Scan the modified service.yaml file.

    PS> datree test pod-example.yaml

You should see the following output, which shows the Pod no longer has misconfigurations detected in the previous Datree scan.

    (Summary)
    
    - Passing YAML validation: 1/1
    
    - Passing Kubernetes (1.20.0) schema validation: 1/1
    
    - Passing policy check: 1/1
    
    +-----------------------------------+------------------------------------------------------+
    | Enabled rules in policy "Default" | 21                                                   |
    | Configs tested against policy     | 1                                                    |
    | Total rules evaluated             | 21                                                   |
    | Total rules skipped               | 0                                                    |
    | Total rules failed                | 0                                                    |
    | Total rules passed                | 21                                                   |
    | See all rules in policy           | https://app.datree.io/login?t=example                |
    +-----------------------------------+------------------------------------------------------+

Learn More

To learn more about Datree, see the project documentation.