Davide 'CoderDave' Benvegnù
Kubernetes Best Practices Validation in Azure Pipelines with Datree

In this third article dedicated to Datree we will explore how to use the tool with Azure Pipelines to validate and secure our Kubernetes deployments.

Video

As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.

Link to the video: https://youtu.be/aM7EVflmEt4. The part about Azure Pipelines starts at minute 16:33.

If you'd rather read, well... let's just continue :)

The Basics

While I will not cover how to install and use the service in general (check the video and the first article of this series if you want to know more about it), there are a few things worth remembering that will be useful later on in this article:

  • Datree is a CLI tool, which works on Linux, macOS and Windows
  • The Centralized Policy Management uses a Token as the connection between the scans and the account

Datree in Azure Pipelines

Alright, let's do this. The first thing we have to do, as we would in a local environment, is to install the CLI:

- script: curl https://get.datree.io | /bin/bash
  displayName: 'Install Datree'

In this case the pipeline is running on Linux, so I can use the bash script for installing it.

This step will take only a few seconds to execute.

This is necessary if you are using the Microsoft Hosted Agents. If you are instead on Self-hosted Agents, you can install the CLI directly on the agent machine and skip this step. However, you'd need to manually take care of updating the CLI.

Next, we can invoke the validation command:

- script: datree test ~/.datree/k8s-demo.yaml
  env:
    DATREE_TOKEN: $(DATREE_TOKEN)
  displayName: 'Run the datree scan'

As you can see, nothing different from what we would normally do.

Since we don't have access to the config file in our CI environment, we need to pass the Token as an environment variable. Best practice is to save it as a protected variable in Pipelines, and retrieve it using $(YOUR_SECRET_NAME).

In the example above the Token is passed as an environment variable directly in the task to minimize exposure. If you have multiple scans in the same workflow, you can also add it as a job, stage, or pipeline environment variable.

And this is basically all you need.

So the full pipeline will look like this:

# Pipeline to show Datree scan

trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
- script: curl https://get.datree.io | /bin/bash
  displayName: 'Install Datree'

- script: datree test ~/.datree/k8s-demo.yaml
  env:
    DATREE_TOKEN: $(DATREE_TOKEN)
  displayName: 'Run the datree scan'


Of course, you can also integrate this into your own CI or PR validation pipelines rather than keeping it separate, if you wish.
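
The install step above pipes the response from get.datree.io straight into bash, so each run executes whatever that URL serves at that moment. The following is an added example, not code from the original post or from Datree: a shell helper that runs a downloaded installer only when its SHA-256 matches a digest you pinned after reviewing the script. The helper names `sha256_of` and `run_if_pinned`, the file name `install-datree.sh` and the digest placeholder are assumptions.

```shell
# Added example: run a downloaded installer only when it matches a reviewed, pinned SHA-256.
# sha256_of and run_if_pinned are hypothetical helper names, not part of Datree or Azure Pipelines.

sha256_of() {
  # Print the lowercase hex SHA-256 of a file, using whichever tool the agent has.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

run_if_pinned() {
  # $1 = path to the downloaded script, $2 = expected SHA-256 (hex).
  # Returns 2 on bad input, 1 on digest mismatch, else the installer's own exit code.
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  case "$expected" in
    *[!0-9a-f]*|"") echo "expected digest is not hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex chars" >&2; return 2; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    # Fail closed: the script changed since it was reviewed, so do not execute it.
    echo "digest mismatch: got $actual" >&2
    return 1
  fi
  /bin/bash "$file"
}

# Usage inside the pipeline's script step (the digest is a placeholder you fill in after review):
#   curl -fsSL https://get.datree.io -o install-datree.sh
#   run_if_pinned install-datree.sh "<PINNED_SHA256_OF_REVIEWED_SCRIPT>"
```

A mismatch fails the step, which is the signal to review the new installer and update the pinned digest.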

Execution and Results

The first thing to notice is that, as I've said before, the installation step is very quick.

Installation

This is why it is probably a good idea to leave it there even on Self-hosted agents so you don't have to worry about updating it.

Execution

And the validation scan is also very quick.

The second thing to notice is that, by design, if a validation fails it will break the build/run. This is to ensure the enforcement of the policies and best practices.

Finally, let's take a look at the results.

Results

As you can see, the output is exactly the same as when executing the CLI on any local environment, or anywhere else for that matter, keeping the experience very consistent.

Offer

Datree is free to use up to 1000 scans per month, and you can pay for more scans and enhanced support. However...

A Month for Free

You can get 1 month of the Premium plan for FREE if you use this link: https://app.datree.io/?utm_source=coder-dave&medium=youtube

Conclusions

So, what do you think about Datree? Is it something you will adopt as part of your workflow? Let me know in the comment section below; I'd really like to know.

You may also want to watch this video in which I show you how to deploy to Kubernetes in Azure Pipelines starting from scratch.
