datreeio/datreeArchived

Features

• Kubernetes Policy Enforcers - Enforces security and compliance rules on Kubernetes configurations before they reach production.
• Kubernetes Policy Engines - Operates as a Kubernetes policy engine that scans configurations against built-in and custom rules to block misconfigurations.
• Policy as Code - Creates and publishes YAML policies files that link custom rules to named policies for Kubernetes enforcement.
• Memory Request Validators - Validate that every container in a pod-based resource defines a minimum memory request to ensure predictable resource allocation.
• Kubernetes Configuration Scanners - Runs policy checks on Kubernetes configurations from the command line to catch misconfigurations before deployment.
• Kubernetes Manifest Scanners - Provides a CLI tool that scans Kubernetes manifests for rule violations before deployment.
• Custom Kubernetes Policy Enforcers - Blocks deployments that violate user-defined rules written in JSON Schema, Rego, or CEL.
• Admission Webhooks - Blocks non-compliant deployments at admission time using a webhook integrated with Kubernetes clusters.
• CI/CD Pipeline Integrations - Embeds policy checks into CI/CD pipelines to catch Kubernetes misconfigurations before production deployment.
• Kubernetes Policy Validators - Integrates with CI/CD pipelines to automatically enforce Kubernetes policies during deployment.
• Dual-Mode Policy Enforcers - Ships both a CLI scanner and an admission webhook for policy enforcement, covering pre-deployment and runtime phases.
• Probe Configuration Enforcers - Validate that container liveness, readiness, and startup probes include an explicit initial delay to prevent reliance on unknown default behaviors.
• Kubernetes Misconfiguration Blockers - Blocks Kubernetes resources from being deployed when they violate a centrally managed policy.
• Policy-As-Code Engines - Validates Kubernetes YAML manifests against rules written in JSON Schema, Rego, or CEL at runtime.
• Policy Behavior Configurations - Set a default action on failure, choose which policy to use, define resources or namespaces to ignore, and customize rule failure messages.
• Configuration Audits - Runs policy checks inside CI pipelines or from a terminal to find Kubernetes misconfigurations before they reach a cluster.
• Container Security Hardening - Scans cluster resources to ensure containers and pods have defined operating system security settings.
• Container Privilege Restrictions - Checks cluster resources to ensure containers do not use unsafe Linux kernel privileges.
• Custom Validation Rules - Allows creation of tailored validation logic using JSON Schema or Rego to check for specific configuration violations.
• Container Cgroup Resource Limits - Scans cluster resources to ensure every container has a defined memory limit, preventing pods from consuming excessive system memory.
• Rego Rule Authors - Defines policy rules using the Rego language to validate Kubernetes resource configurations against custom requirements.
• JSON Schema Rule Authors - Supports writing custom validation logic using either Rego policy language or JSON Schema constraints for flexible rule creation.
• Rule Evaluators - Applies a set of named policies that map to individual rules, each rule checking a specific Kubernetes resource property for compliance.
• Annotation-Based Rule Skipping - Provides annotation-based per-resource policy rule skipping for Kubernetes manifests.
• Namespace-Level - Allows entire namespaces to bypass admission webhook policy validation via labels.
• Pattern-Based - Skips policy validation for resources matching regex patterns on namespace, kind, or name.
• Label Validators - Checks cluster resources for required labels to ensure correct recognition by deployment controllers.
• CPU Request Validators - Validates that all containers in cluster resources have a minimum CPU request configured.
• Memory Request Equality Validators - Ensures container memory requests and limits are identical to maintain Guaranteed QoS class and prevent eviction.
• HPA Minimum Replica Validators - Validates that HorizontalPodAutoscaler resources define a minimum number of replicas to prevent unintended scaling down.
• Minimum Replica Count Validators - Validates that deployment configurations specify multiple replicas to ensure high availability.
• CronJob Deadline Validators - Validates that CronJob resources define a starting deadline to prevent excessive missed schedules.
• CronJob Schedule Validators - Checks the schedule expression of a CronJob resource to ensure it is a valid cron format before deployment.
• Resource Type Scoped Rules - Restricts custom Rego rules to apply only to resources matching a given kind, such as Deployments, using a JSON schema constraint.
• Image Digest Enforcers - Enforces that all container images specify a unique digest tag to prevent deploying inconsistent image versions.
• Configuration and Policy Enforcement - Sets the policy name, output format, and cluster context through Helm values or command-line arguments.
• Policy Skip Annotations - Allows individual resources or namespaces to bypass specific policy rules through Kubernetes annotations or regex patterns.
• Namespace Enforcers - Validates that specific cluster resources are deployed into a required namespace to ensure consistency and prevent configuration errors.
• Kubernetes Label Presence Validations - Validates that required Kubernetes resource label keys are present for environment filtering and bulk operations.
• Tag Pinning - Validates that container images use specific version tags or SHAs instead of generic tags for deployment stability.
• Policy Management Interfaces - Controls which rules apply to specific namespaces, defines failure actions, and manages authentication tokens through a visual interface.
• Resource Compliance Monitoring - Tracks policy check history and displays resource violations with fix instructions in a management dashboard.
• Kubernetes Compliance Monitoring - Tracks and reports policy violations across Kubernetes clusters with a management dashboard and health scoring.
• Policy-to-Namespace Mappers - Assigns distinct policies to different namespaces by configuring policy-to-namespace mappings.
• Policy Check Bypass Authorizers - Allows designated users, groups, or ServiceAccounts to bypass a failing policy check and deploy resources.
• Policy Bundle Publishers - Creates and publishes a YAML policies file that bundles custom rules into named policies for admission control.
• HostPath Write Access Blockers - Blocks the deployment of pods that mount host node filesystems with write access to prevent host modification.
• Default Service Account Blockers - Prevents the use of default service accounts by pods to ensure workloads use specific accounts with minimal permissions.
• Policy-to-Namespace Mappings - Allows different policies to apply to different namespaces, enabling per-namespace rule sets and bypass configurations.
• Kubernetes Label Value Validations - Validates that Kubernetes resource label values match allowed entries and blocks invalid deployments.
• Cluster Health Monitoring - Ranks cluster stability with a health score and displays a dashboard of failed checks and remediation steps.
• HPA Replica Limit Validators - Checks that HorizontalPodAutoscaler resources define a maximum replica count to prevent uncontrolled scaling.

Star history