1
0
mirror of https://github.com/tektoncd/catalog.git synced 2024-11-25 06:17:50 +00:00
catalog/task/datree/0.1
2022-05-04 08:20:26 +01:00
..
samples feat: add datree task to catalog 2022-04-05 13:32:25 +01:00
datree.yaml feat: add datree task to catalog 2022-04-05 13:32:25 +01:00
README.md docs: remove unused parameter from datree docs 2022-05-04 08:20:26 +01:00

Datree Test

Datree is an open source tool for identifying Kubernetes misconfigurations. It provides a policy enforcement solution to run automatic checks for rule violations. This task can be used to run datree tests.

Task can also be customised with the various parameters that are passed as flags for the datree command.

Install the Task

kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/datree/0.1/datree.yaml

Parameters

  • yamlSrc: Complete path for the yaml files relative to the workspace path. Should include the yaml file name with extension. (default: ./*.yaml).
  • output: Output the policy check results in the requested format (simple, json, yaml, xml) (Optional).
  • schemaVersion: Set Kubernetes version to validate against. Defaults to 1.18.0 in Datree (Optional).
  • ignoreMissingSchemas: Skip files with missing schemas instead of failing the schema validation check Should be a string of either true or false (Optional).
  • policy: Specify which policy to execute (by policy name). Example-staging (Optional).
  • onlyK8sFiles: Skip all non-K8s files.Especially useful when scanning a dir with K8s and other config files. Should be a string of either true or false (Optional).
  • DATREE_TOKEN_SECRET: The name of the secret holding the datree token (default:datree-token).
  • DATREE_TOKEN_SECRET_KEY: The name of the secret key holding the datree token (default:DATREE_TOKEN).
  • datreeImage - Datree image to run datree. Ensure the image has the datree binary in / (default:docker.io/datree/datree:0.15.22@sha256:85cf78f16e67e08ea9df18ab6d3d823a576bfbcc5937f30629eb4859fdeb3fd1) Use docker.io/datree/datree:latest to use the latest image.

Workspace

  • source: Contains Kubernetes manifests on which the test has to be performed.

Secrets

  • Secret to provide Datree access token to authenticate with Datree.

Check this to get personal access token for Datree.

Platforms

The Task can be run on linux/amd64 platform.

Usage

This task expects a secret named datree-token to exists, with a Datree token in DATREE_TOKEN.

This task runs the datree tests and outputs the results to the standard output by default. You can also view the results in the Datree UI.

The params output, schemaVersion, ignoreMissingSchemas, policy and onlyK8sFiles are used to specify the Datree CLI flags --output, --schema-version, --ignore-missing-schemas, --policy and --only-k8s-files respectively. These params are optional and the respective flag will not be used if the param is not provided.

The files on which the scan has to be performed must be available in the workspace named source. This can be done using git-clone task as shown here.

To run the datree test, the following steps can be followed to get started -

  1. Create a secret that contains the Datree token

Secrets can be created as follows:

apiVersion: v1
kind: Secret
metadata:
  name: datree-token
type: Opaque
stringData:
  TAKEN_TOKEN: $(datree_token)
  1. Create a workspace for the YAML files.

This example uses PVC for sharing the files in the workspace, PVC can be created using the following configuration:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tekton-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi 
  1. Install the datree task

  2. Create a TaskRun or a Pipeline with the datree task. An example of the Pipeline and PipelineRun -

---
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: datree-pipeline
spec:
  params:
  - name: git_url
    default: https://github.com/kubernetes/examples
    type: string
  workspaces:
    - name: source-code-ws
  tasks:
  - name: git-clone
    taskRef:
      name: git-clone
    workspaces:
    - name: output
      workspace: source-code-ws
    params:
    - name: url
      value: $(params.git_url)
  - name: datree-test
    taskRef:
      name: datree
    workspaces:
    - name: source
      workspace: source-code-ws
    params:
    - name: yamlSrc
      value: "guestbook/*.yaml"
    - name: output
      value: json
    - name: schemaVersion
      value: "1.22.0"
    - name: ignoreMissingSchemas
      value: "false"
    - name: policy
      value: Default
    - name: onlyK8sFiles
      value: "true"
    - name: DATREE_TOKEN_SECRET
      value: datree-token
    - name: DATREE_TOKEN_SECRET_KEY
      value: DATREE_TOKEN
    - name: datreeImage
      value: docker.io/datree/datree:latest
    runAfter:
    - git-clone
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  creationTimestamp: null
  generateName: datree-pipeline-run-
  namespace: default
spec:
  params:
  - name: git_url
    value: https://github.com/kubernetes/examples
  pipelineRef:
    name: datree-pipeline
  workspaces:
  - name: source-code-ws
    persistentVolumeClaim:
      claimName: tekton-pvc
    subPath: ~/
status: {}

Note

  • Task uses image from docker.io/datree/datree which is based on this Dockerfile.