datree test: Policy-Check Kubernetes Manifests
datree test manifests/*.yaml runs schema validation plus policy rules on Kubernetes YAML and fails on violations.
datree combines a Kubernetes schema check (like kubeconform) with a built-in policy engine, so one command catches both invalid and unsafe manifests.
What it does
datree test takes Kubernetes manifest paths or globs, validates each resource against the Kubernetes JSON schema for the chosen version, and evaluates a policy (a set of rules such as "readiness probe required"). It prints per-rule failures and exits non-zero when any occur.
Common usage
# test manifests with the default policy
datree test manifests/*.yaml
# select a policy and pin the k8s schema version
datree test --policy Argo --schema-version 1.29.0 k8s/*.yaml
# only treat files that look like k8s as manifests
datree test --only-k8s-files ./**/*.yaml
# machine-readable output for CI
datree test -o json manifests/Options
| Flag | What it does |
|---|---|
| --policy <name> | Which policy to enforce |
| --schema-version <ver> | Kubernetes version for schema validation |
| --only-k8s-files | Skip non-Kubernetes YAML in a glob |
| --ignore-missing-schemas | Do not fail on CRDs with no schema |
| -o, --output json|yaml|xml|JUnit | Result format |
| --no-record | Do not send results to the datree backend |
In CI
datree test exits non-zero on schema or policy failures, so drop it in as a step to block unsafe manifests at PR time. Pin --schema-version to the cluster version and pass --only-k8s-files when globbing a repo that also has non-manifest YAML.
Common errors in CI
[X] YAML validation / [X] Kubernetes schema validation sections list which stage failed. k8s schema validation error: for field spec.template.spec.containers.0.image Invalid type. Expected: string, given: null flags a schema type error. could not find schema for ... means a CRD has no bundled schema; add --ignore-missing-schemas. A network error contacting the backend can be avoided with --no-record for offline runners.