# datreeio/datree

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/datreeio-datree).**

6,339 stars · 357 forks · Go · Apache-2.0 · archived

## Links

- GitHub: https://github.com/datreeio/datree
- Homepage: https://datree.io
- awesome-repositories: https://awesome-repositories.com/repository/datreeio-datree.md

## Topics

`admission-webhook` `best-practices` `cli` `datree` `devops` `guardrail` `kubernetes` `policy` `policy-management` `security` `static-code-analysis`

## Description

Datree is a policy enforcement framework for Kubernetes that validates configurations against rules written in Rego, JSON Schema, or CEL. It operates both as a command-line tool for pre-deployment scanning (locally or in CI) and as a cluster-side admission webhook that rejects non-compliant resources at admission time, and it integrates with CI/CD pipelines and continuous delivery tools such as ArgoCD and FluxCD.

The framework supports namespace-scoped policy mapping, so different policies can apply to different namespaces, and provides a skip mechanism for selectively bypassing rules: annotations on individual resources, labels on entire namespaces, and regex patterns on namespace, kind, or name. It includes a management dashboard for monitoring policy compliance, tracking check history, and displaying resource violations with remediation steps, along with a cluster health scoring system.

Datree enforces a wide range of Kubernetes best practices, including container resource limits and requests, liveness and readiness probes, pinned image versions, security contexts, and minimum replica counts. It also validates CronJob schedules and deadlines, HorizontalPodAutoscaler configurations, and resource labels, while supporting custom rule authoring through Rego, JSON Schema, or CEL.
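The following Python is an added illustration and not datree's own code. It models two of the mechanisms described above: a custom rule expressed as JSON Schema, in the shape of a `customRules` entry (`identifier`, `defaultMessageOnFailure`, `schema`) as documented on hub.datree.io, and the per-resource `datree.skip/<RULE_IDENTIFIER>` annotation from the behavior documentation linked below. The evaluator itself is a deliberately small JSON Schema subset written here for the example, not datree's engine, and the manifests are constructed. It also shows a pitfall a rule author should know: a schema that only descends through `properties` says nothing about a key that is absent, so a Deployment with no `labels` block at all passes the naive rule; requiring the parent key closes that gap.

```python
"""Illustrative evaluator for a datree-style JSON Schema custom rule.

Added example, not datree's own engine. The rule shape (identifier,
defaultMessageOnFailure, schema) follows the policies.yaml entries documented
on hub.datree.io; the evaluator implements only the JSON Schema subset such
rules typically use: if/then/else, type, enum, required, properties.
"""
from typing import Any, Optional

_TYPES = {"object": dict, "array": list, "string": str,
          "integer": int, "number": (int, float), "boolean": bool}


def matches(schema: dict, doc: Any) -> bool:
    """True if `doc` satisfies `schema` (subset of JSON Schema draft-07)."""
    if "if" in schema:
        branch = "then" if matches(schema["if"], doc) else "else"
        if branch in schema and not matches(schema[branch], doc):
            return False
    if "type" in schema and not isinstance(doc, _TYPES[schema["type"]]):
        return False
    if "enum" in schema and doc not in schema["enum"]:
        return False
    if "required" in schema:
        if not isinstance(doc, dict) or any(k not in doc for k in schema["required"]):
            return False
    if "properties" in schema and isinstance(doc, dict):
        # JSON Schema semantics: `properties` constrains only keys that are
        # present. An absent key is NOT a violation, which is the pitfall
        # demonstrated by NAIVE_RULE below.
        for key, sub in schema["properties"].items():
            if key in doc and not matches(sub, doc[key]):
                return False
    return True


# Rule scoped to Deployments that wants an `env` label. Because it only
# descends through `properties`, a Deployment with no labels at all passes.
NAIVE_RULE = {
    "identifier": "CUSTOM_DEPLOYMENT_MISSING_LABEL_ENV",
    "defaultMessageOnFailure": "Deployment must carry an env label",
    "schema": {
        "if": {"properties": {"kind": {"enum": ["Deployment"]}}},
        "then": {"properties": {"metadata": {
            "properties": {"labels": {"required": ["env"]}}}}},
    },
}

# Hardened variant: additionally require that metadata.labels exists.
STRICT_RULE = {
    **NAIVE_RULE,
    "schema": {
        "if": {"properties": {"kind": {"enum": ["Deployment"]}}},
        "then": {"properties": {"metadata": {
            "required": ["labels"],
            "properties": {"labels": {"required": ["env"]}}}}},
    },
}


def evaluate(rule: dict, manifest: dict) -> str:
    """Return 'pass', 'fail' or 'skipped' for one rule against one manifest."""
    annotations = manifest.get("metadata", {}).get("annotations", {})
    if f"datree.skip/{rule['identifier']}" in annotations:
        return "skipped"  # per-resource bypass; the annotation value is the reason
    return "pass" if matches(rule["schema"], manifest) else "fail"


def deployment(labels: Optional[dict] = None, annotations: Optional[dict] = None) -> dict:
    """Constructed sample manifest for the example (not taken from the page)."""
    meta: dict = {"name": "api", "namespace": "payments"}
    if labels is not None:
        meta["labels"] = labels
    if annotations:
        meta["annotations"] = annotations
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": meta, "spec": {"replicas": 2}}


WITH_ENV = deployment(labels={"env": "prod"})
WRONG_LABELS = deployment(labels={"app": "api"})
NO_LABELS = deployment()
SKIPPED = deployment(annotations={
    "datree.skip/CUSTOM_DEPLOYMENT_MISSING_LABEL_ENV": "legacy app, tracked in ticket"})
SERVICE = {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "api"}}

if __name__ == "__main__":
    for name, m in [("with env", WITH_ENV), ("wrong labels", WRONG_LABELS),
                    ("no labels", NO_LABELS), ("skipped", SKIPPED), ("service", SERVICE)]:
        print(f"{name:13} naive={evaluate(NAIVE_RULE, m):8} strict={evaluate(STRICT_RULE, m)}")
```

Running it shows `NO_LABELS` passing `NAIVE_RULE` and failing `STRICT_RULE`, the Service untouched by either (the rule is scoped by `kind`), and the annotated Deployment reported as skipped regardless of its labels. Note that a skip annotation is a deliberate bypass: in a real rollout the reason string should be reviewed and the exemption tracked, since it is visible to anyone who can read the manifest.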

## Tags

### Security & Cryptography

- [Kubernetes Policy Enforcers](https://awesome-repositories.com/f/security-cryptography/infrastructure-policy-enforcement/security-policy-enforcers/kubernetes-policy-enforcers.md) — Enforces security and compliance rules on Kubernetes configurations before they reach production.
- [Kubernetes Policy Engines](https://awesome-repositories.com/f/security-cryptography/infrastructure-policy-enforcement/security-policy-enforcers/kubernetes-policy-engines.md) — Operates as a Kubernetes policy engine that scans configurations against built-in and custom rules to block misconfigurations.
- [Probe Configuration Enforcers](https://awesome-repositories.com/f/security-cryptography/infrastructure-policy-enforcement/security-policy-enforcers/kubernetes-policy-enforcers/probe-configuration-enforcers.md) — Validates that container liveness, readiness, and startup probes set an explicit initial delay rather than relying on the kubelet default. ([source](https://hub.datree.io/built-in-rules/ensure-initial-probe-delay))
- [Kubernetes Misconfiguration Blockers](https://awesome-repositories.com/f/security-cryptography/misconfiguration-scanning/azure-misconfiguration-detectors/kubernetes-misconfiguration-blockers.md) — Blocks Kubernetes resources from being deployed when they violate a centrally managed policy. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [Policy-As-Code Engines](https://awesome-repositories.com/f/security-cryptography/policy-as-code-engines.md) — Validates Kubernetes YAML manifests against rules written in JSON Schema, Rego, or CEL, either before deployment from the CLI or at admission time in the cluster.
- [Policy Behavior Configurations](https://awesome-repositories.com/f/security-cryptography/policy-based-access-control/namespace-grouping/policy-to-namespace-mappers/policy-behavior-configurations.md) — Set a default action on failure, choose which policy to use, define resources or namespaces to ignore, and customize rule failure messages. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [Configuration Audits](https://awesome-repositories.com/f/security-cryptography/security-auditing/configuration-audits.md) — Runs policy checks inside CI pipelines or from a terminal to find Kubernetes misconfigurations before they reach a cluster. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [Container Security Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/deployment-security-hardening/container-security-hardening.md) — Scans cluster resources to ensure containers and pods define a securityContext rather than inheriting permissive defaults. ([source](https://hub.datree.io/built-in-rules/ensure-containers-pods-security-context))
- [Container Privilege Restrictions](https://awesome-repositories.com/f/security-cryptography/security/policies/capability-authorization/capability-based-security/container-privilege-restrictions.md) — Checks cluster resources to ensure containers do not add dangerous Linux kernel capabilities. ([source](https://hub.datree.io/built-in-rules/ensure-containers-limited-capabilities))
- [Policy Management Interfaces](https://awesome-repositories.com/f/security-cryptography/authorization-policies/policy-management-interfaces.md) — Controls which rules apply to specific namespaces, defines failure actions, and manages authentication tokens through a visual interface. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [Resource Compliance Monitoring](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/compliance-governance/security-and-compliance/resource-compliance-monitoring.md) — Tracks policy check history and displays resource violations with fix instructions in a management dashboard. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [Kubernetes Compliance Monitoring](https://awesome-repositories.com/f/security-cryptography/kubernetes-compliance-monitoring.md) — Tracks and reports policy violations across Kubernetes clusters with a management dashboard and health scoring.
- [Policy-to-Namespace Mappers](https://awesome-repositories.com/f/security-cryptography/policy-based-access-control/namespace-grouping/policy-to-namespace-mappers.md) — Assigns distinct policies to different namespaces by configuring policy-to-namespace mappings. ([source](https://hub.datree.io/setup/behavior))
- [Policy Check Bypass Authorizers](https://awesome-repositories.com/f/security-cryptography/security-configurations/security-check-bypasses/policy-check-bypass-authorizers.md) — Allows designated users, groups, or ServiceAccounts to bypass a failing policy check and deploy resources. ([source](https://hub.datree.io/setup/behavior))
- [Policy Bundle Publishers](https://awesome-repositories.com/f/security-cryptography/security-policy-controllers/security-policy-management/yaml-detection-policies/policy-bundle-publishers.md) — Creates and publishes a YAML policies file that bundles custom rules into named policies for admission control. ([source](https://hub.datree.io/custom-rules/custom-rules-overview))
- [HostPath Write Access Blockers](https://awesome-repositories.com/f/security-cryptography/security/policies/host-resource-access/file-system-access-controls/path-access-restrictions/read-only-filesystem-enforcement/hostpath-write-access-blockers.md) — Blocks the deployment of pods that mount host node filesystems with write access to prevent host modification. ([source](https://hub.datree.io/built-in-rules/ensure-hostpath-mounts-readonly))

### Part of an Awesome List

- [Policy as Code](https://awesome-repositories.com/f/awesome-lists/devops/policy-as-code.md) — Creates and publishes YAML policies files that link custom rules to named policies for Kubernetes enforcement. ([source](https://hub.datree.io/custom-rules-overview))

### Data & Databases

- [Memory Request Validators](https://awesome-repositories.com/f/data-databases/horizontal-database-scaling/resource-scaling-strategies/pod-resource-request-scaling/memory-request-equality-validators/memory-request-validators.md) — Validates that every container in a pod-based resource defines a minimum memory request to ensure predictable scheduling and resource allocation. ([source](https://hub.datree.io/built-in-rules/ensure-memory-request))
- [Annotation-Based Rule Skipping](https://awesome-repositories.com/f/data-databases/field-validation/conditional-validation-rules/validation-skipping/annotation-based-rule-skipping.md) — Provides annotation-based per-resource policy rule skipping for Kubernetes manifests. ([source](https://hub.datree.io/setup/behavior))
- [Namespace-Level](https://awesome-repositories.com/f/data-databases/field-validation/conditional-validation-rules/validation-skipping/namespace-level.md) — Allows entire namespaces to bypass admission webhook policy validation via labels. ([source](https://hub.datree.io/setup/behavior))
- [Pattern-Based](https://awesome-repositories.com/f/data-databases/field-validation/conditional-validation-rules/validation-skipping/pattern-based.md) — Skips policy validation for resources matching regex patterns on namespace, kind, or name. ([source](https://hub.datree.io/setup/behavior))
- [Label Validators](https://awesome-repositories.com/f/data-databases/field-validation/kubernetes-resource-validation/label-validators.md) — Checks cluster resources for required labels to ensure correct recognition by deployment controllers. ([source](https://hub.datree.io/built-in-rules/ensure-configmap-is-recognized-by-argocd))
- [CPU Request Validators](https://awesome-repositories.com/f/data-databases/horizontal-database-scaling/resource-scaling-strategies/pod-resource-request-scaling/cpu-request-validators.md) — Validates that all containers in cluster resources have a minimum CPU request configured. ([source](https://hub.datree.io/built-in-rules/ensure-cpu-request))
- [Memory Request Equality Validators](https://awesome-repositories.com/f/data-databases/horizontal-database-scaling/resource-scaling-strategies/pod-resource-request-scaling/memory-request-equality-validators.md) — Ensures each container's memory request equals its memory limit, which (together with matching CPU values) is what qualifies a pod for the Guaranteed QoS class and makes it the last to be evicted under node memory pressure. ([source](https://hub.datree.io/built-in-rules/ensure-memory-request-limit-equal))
- [HPA Minimum Replica Validators](https://awesome-repositories.com/f/data-databases/horizontal-scaling/replica-scaling/hpa-minimum-replica-validators.md) — Validates that HorizontalPodAutoscaler resources define a minimum number of replicas to prevent unintended scaling down. ([source](https://hub.datree.io/built-in-rules/ensure-hpa-minimum-replicas))
- [Minimum Replica Count Validators](https://awesome-repositories.com/f/data-databases/horizontal-scaling/replica-scaling/minimum-replica-count-validators.md) — Validates that Deployments specify at least two replicas so a single pod failure does not take the workload down. ([source](https://hub.datree.io/built-in-rules/ensure-minimum-two-replicas))

### Development Tools & Productivity

- [Kubernetes Configuration Scanners](https://awesome-repositories.com/f/development-tools-productivity/cli-configuration-automation/kubernetes-configuration-scanners.md) — Runs policy checks on Kubernetes configurations from the command line to catch misconfigurations before deployment. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [Kubernetes Manifest Scanners](https://awesome-repositories.com/f/development-tools-productivity/cli-configuration-files/audit-scanners/kubernetes-manifest-scanners.md) — Provides a CLI tool that scans Kubernetes manifests for rule violations before deployment.
- [Custom Kubernetes Policy Enforcers](https://awesome-repositories.com/f/development-tools-productivity/pull-request-review-tools/policy-enforcement-rules/custom-kubernetes-policy-enforcers.md) — Blocks deployments that violate user-defined rules written in JSON Schema, Rego, or CEL. ([source](https://hub.datree.io/custom-rules-overview))
- [CronJob Deadline Validators](https://awesome-repositories.com/f/development-tools-productivity/job-schedulers/kubernetes-cronjob-schedulers/cronjob-deadline-validators.md) — Validates that CronJob resources define a starting deadline to prevent excessive missed schedules. ([source](https://hub.datree.io/built-in-rules/ensure-cronjob-deadline))
- [CronJob Schedule Validators](https://awesome-repositories.com/f/development-tools-productivity/job-schedulers/kubernetes-cronjob-schedulers/cronjob-schedule-validators.md) — Checks the schedule expression of a CronJob resource to ensure it is a valid cron format before deployment. ([source](https://hub.datree.io/built-in-rules/ensure-cronjob-scheduler-valid))
- [Resource Type Scoped Rules](https://awesome-repositories.com/f/development-tools-productivity/pull-request-review-tools/policy-enforcement-rules/resource-type-scoped-rules.md) — Restricts custom Rego rules to apply only to resources matching a given kind, such as Deployments, using a JSON schema constraint. ([source](https://hub.datree.io/custom-rules/rego-support))

### DevOps & Infrastructure

- [Admission Webhooks](https://awesome-repositories.com/f/devops-infrastructure/admission-webhooks.md) — Blocks non-compliant deployments at admission time using a webhook integrated with Kubernetes clusters.
- [CI/CD Pipeline Integrations](https://awesome-repositories.com/f/devops-infrastructure/ci-cd-pipeline-integrations.md) — Embeds policy checks into CI/CD pipelines to catch Kubernetes misconfigurations before production deployment.
- [Kubernetes Policy Validators](https://awesome-repositories.com/f/devops-infrastructure/ci-cd-pipeline-integrations/kubernetes-policy-validators.md) — Integrates with CI/CD pipelines to automatically enforce Kubernetes policies during deployment.
- [Image Digest Enforcers](https://awesome-repositories.com/f/devops-infrastructure/container-image-tagging/image-digest-enforcers.md) — Enforces that every container image reference includes a content digest (`@sha256:...`), so a mutable tag cannot be re-pointed at different image contents after review. ([source](https://hub.datree.io/built-in-rules/ensure-digest-tag))
- [Configuration and Policy Enforcement](https://awesome-repositories.com/f/devops-infrastructure/infrastructure/configuration-policy-enforcement.md) — Sets the policy name, output format, and cluster context through Helm values or command-line arguments. ([source](https://datreeio.github.io/admission-webhook-datree))
- [Policy Skip Annotations](https://awesome-repositories.com/f/devops-infrastructure/kubernetes-deployments/annotation-based-deployment/policy-skip-annotations.md) — Allows individual resources or namespaces to bypass specific policy rules through Kubernetes annotations or regex patterns.
- [Namespace Enforcers](https://awesome-repositories.com/f/devops-infrastructure/resource-definitions/namespaced/namespace-enforcers.md) — Validates that specific cluster resources are deployed into a required namespace to ensure consistency and prevent configuration errors. ([source](https://hub.datree.io/built-in-rules/ensure-application-and-appproject-are-part-of-the-argocd-namespace))
- [Kubernetes Label Presence Validations](https://awesome-repositories.com/f/devops-infrastructure/resource-visibility-filters/resource-label-filtering/kubernetes-label-presence-validations.md) — Validates that required Kubernetes resource label keys are present for environment filtering and bulk operations. ([source](https://hub.datree.io/built-in-rules/ensure-env-label))

### Networking & Communication

- [Dual-Mode Policy Enforcers](https://awesome-repositories.com/f/networking-communication/proxy-servers/proxy-enforcement/injection-enforcement/admission-webhooks/dual-mode-policy-enforcers.md) — Ships both a CLI scanner and an admission webhook, so the same policy is checked before deployment (locally or in CI) and again at admission time in the cluster.

### Software Engineering & Architecture

- [Custom Validation Rules](https://awesome-repositories.com/f/software-engineering-architecture/custom-validation-rules.md) — Allows creation of tailored validation logic using JSON Schema or Rego to check for specific configuration violations. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [Default Service Account Blockers](https://awesome-repositories.com/f/software-engineering-architecture/naming-conventions/reserved-names/access-restrictions/service-account-permissions/default-service-account-blockers.md) — Prevents the use of default service accounts by pods to ensure workloads use specific accounts with minimal permissions. ([source](https://hub.datree.io/built-in-rules/ensure-default-service-account-not-used))
- [Policy-to-Namespace Mappings](https://awesome-repositories.com/f/software-engineering-architecture/naming-conventions/reserved-names/access-restrictions/service-account-permissions/namespace-access-controls/namespace-scoped-operations/policy-to-namespace-mappings.md) — Allows different policies to apply to different namespaces, enabling per-namespace rule sets and bypass configurations.
- [Kubernetes Label Value Validations](https://awesome-repositories.com/f/software-engineering-architecture/runtime-value-validation/allowed-value-validations/kubernetes-label-value-validations.md) — Validates that Kubernetes resource label values match allowed entries and blocks invalid deployments. ([source](https://hub.datree.io/built-in-rules/ensure-labels-value-valid))

### System Administration & Monitoring

- [Container Cgroup Resource Limits](https://awesome-repositories.com/f/system-administration-monitoring/cgroup-resource-analyzers/container-cgroup-resource-limits.md) — Scans cluster resources to ensure every container has a defined CPU limit, preventing a single container from monopolizing node CPU. ([source](https://hub.datree.io/built-in-rules/ensure-cpu-limit))
- [Rego Rule Authors](https://awesome-repositories.com/f/system-administration-monitoring/database-operation-auditing/custom-validation-rules/rego-rule-authors.md) — Defines policy rules using the Rego language to validate Kubernetes resource configurations against custom requirements. ([source](https://hub.datree.io/custom-rules/rego-support))
- [JSON Schema Rule Authors](https://awesome-repositories.com/f/system-administration-monitoring/database-operation-auditing/custom-validation-rules/rego-rule-authors/json-schema-rule-authors.md) — Supports writing custom validation logic using either Rego policy language or JSON Schema constraints for flexible rule creation.
- [Rule Evaluators](https://awesome-repositories.com/f/system-administration-monitoring/monitoring-and-observability/rule-based-alerting-engines/rule-evaluation-debuggers/rule-evaluators.md) — Applies a set of named policies that map to individual rules, each rule checking a specific Kubernetes resource property for compliance.
- [Cluster Health Monitoring](https://awesome-repositories.com/f/system-administration-monitoring/cluster-health-monitoring.md) — Ranks cluster stability with a health score and displays a dashboard of failed checks and remediation steps. ([source](https://cdn.jsdelivr.net/gh/datreeio/datree@main/README.md))
- [HPA Replica Limit Validators](https://awesome-repositories.com/f/system-administration-monitoring/resource-usage-limiters/kernel-resource-limiting/collection-resource-limits/hpa-replica-limit-validators.md) — Checks that HorizontalPodAutoscaler resources define a maximum replica count to prevent uncontrolled scaling. ([source](https://hub.datree.io/built-in-rules/ensure-hpa-maximum-replicas))

### Operating Systems & Systems Programming

- [Tag Pinning](https://awesome-repositories.com/f/operating-systems-systems-programming/os-development-distributions/custom-image-builders/immutable-image-distribution/image-tagging-automation/image-tag-selection-policies/tag-pinning.md) — Validates that container images are pinned to a specific version tag or digest instead of an untagged or `latest` reference, so a redeploy cannot silently pull different contents. ([source](https://hub.datree.io/built-in-rules/ensure-image-pinned-version))
