Behavior

Dashboard vs. Helm chart configuration

By default, the following options are configurable via your dashboard:

Action on failure - Select whether to monitor or block resources that fail the policy check (defaults to "monitor").
Active policy - The name of the policy to check (defaults to "Starter").
Ignored resources - Resources to be ignored, in regex format, specified by namespace/kind/name or any combination of the three. See examples here.

If you wish to control these options via the Datree Helm chart instead, you can do so by changing the value of the configFromHelm parameter:

# values.yaml
datree:
  configFromHelm: true

Then apply your updated values.yaml file:

helm upgrade -n datree -f values.yaml datree-webhook datree-webhook/datree-admission-webhook

Now you can control the parameters described in the table below via your Helm chart.
To update your dashboard and reflect the changes, run a manual scan.

Important

When controlling these options via the dashboard, changing them via the Helm chart will have no effect.
All other configuration options (see table below) are always controlled via the helm chart.

Options

The following options (Helm chart parameters) are available for configuring Datree's behavior:

Option	Description	Type
`configFromHelm`	Determines whether the options listed here are managed from Helm chart or from the dashboard (default: false)	boolean
`enforce`	Block resources that fail the policy check from being applied to the cluster. Relevant only if `configFromHelm` is `true`	boolean
`policy`	The name of the policy to check, e.g: "Argo". Relevant only if `configFromHelm` is `true`	string
`customSkipList`	Skip resources by namespace/kind/name. See custom skipping for details. Relevant only if `configFromHelm` is `true`	Object
`clusterName`	The name of the cluster to be displayed in your dashboard	string
`scanIntervalHours`	The number of hours between cluster scans	number
`existingSecret`	A reference to a `Secret` object containing a Datree token	Object
`token`	The token used to link the CLI to your dashboard	string
`verbose`	Display 'How to Fix' link for failed rules in output	boolean
`output`	The format output of the policy check results: yaml, json, xml, simple, JUnit, sarif	string
`noRecord`	Don’t send policy checks metadata to the dashboard	boolean
`affinity`	Offers more expressive syntax for fine-grained control of how Pods are scheduled to specific nodes	Object
`nodeSelector`	Used to select on which node a pod is scheduled to run	Object

ℹ️ For the full list of configurable parameters in the Datree helm chart, click here

Configure options

To set/change one or more options, change the desired parameter(s) in your values.yaml file, then apply it:

# values.yaml
datree:
  enforce: true

helm upgrade -n datree -f values.yaml datree-webhook datree-webhook/datree-admission-webhook

Set/change token

To change your token, you can simply change the datree.token parameter in your values.yaml file and apply it using the command mentioned above.

If you're looking for a more secure approach, use the datree.existingSecret parameter:

Create a Secret object containing your token and apply it to your cluster.
Set the Secret's data in the datree.existingSecret parameter in your values.yaml file:

# values.yaml
datree:
  existingSecret:
    name: <secret-name>
    key: <secret-key>

Apply values.yaml to your cluster.

NOTE

If both options are set, datree.existingSecret will take precedence.

Custom skipping

Datree can be configured to skip certain rules/resources by using a dedicated ConfigMap.
The ConfigMap is a part of the Datree Helm chart, under the parameter datree.customSkipList.
You can use it to skip a namespace, kind, name, or any combination of the three.

To add an entry to the ConfigMap:

1. In your values.yaml file, add the following parameter:

datree:
  customSkipList:
    - "(.*);(.*);(.*)" # "namespace;kind;name"

Replace (.*);(.*);(.*) with your desired values (see examples below). You can use a regular expression for any of the aformentioned properties.

2. Apply your values.yaml file:

helm upgrade -n datree -f values.yaml datree-webhook datree-webhook/datree-admission-webhook

NOTE

By default, Datree skips all resources with a name starting with aws-node.
This entry is already included in the default values.yaml file.

Example patterns

The following pattern will cause Datree to skip all resources in the namespace 'myNs':

myNs;(.*);(.*)

The following pattern will cause Datree to skip all resources of kind ServiceAccount, regardless of their namespace:

(.*);ServiceAccount;(.*)

The following pattern will cause Datree to skip all resources in all namespaces if the resource name starts with the prefix 'appName-':

(.*);(.*);(^appName-.*)

Ignore a namespace

Add the label "admission.datree/validate=skip" to the configuration of the namespace you would like to ignore:

kubectl label namespaces default "admission.datree/validate=skip"

To delete the label and resume running the datree webhook on the namespace again:

kubectl label namespaces default "admission.datree/validate-"

Skip specific rules for a single object

To skip a rule for a specific object, add the following annotation to its manifest:

datree.skip/[identifier]: [message]

identifier - the unique rule identifier.
message - optional text to be presented in the policy check output (CLI and activity-log tab at the dashboard).

To obtain identifiers of built-in rules, go to your dashboard and click on the 'i' icon of your desired rule:

rule_i

This will lead you to the documentation of the rule, where you will find the identifier:

rule_identifier_docs

Identifiers of custom rules can be found in the policy.yaml file, when in Policy-as-code mode. For example:

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels ('prod', 'staging' and 'test')
    schema:

Example of a Deployment with skipped rules:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rss-site
  namespace: test
  labels:
    environment: prod
    app: web
  annotations:
    datree.skip/WORKLOAD_INVALID_LABELS_VALUE: irrelevant for deployments, skipping.
    datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY: irrelevant for prod environment, skipping.

Note

annotations have a character limit - the key and value of an annotation cannot exceed 63 characters each.
For more information, see the Kubernetes docs

Update

To update Datree to the latest version, run the following commands:

helm repo update
helm upgrade -n datree datree-webhook datree-webhook/datree-admission-webhook --set datree.token=<YOUR_DATREE_TOKEN> --set datree.clusterName=<DESIRED_CLUSTER_NAME> --debug

Gitops approach

To avoid having to write your token and cluster name explicity, you can use a values.yaml file to hold them, then apply it using the -f flag when upgrading Datree.
For example:

# values.yaml
datree:
  token: a1b2c3d4e5f6g7h8i9
  clusterName: aws-stg1

Uninstall

To uninstall Datree, run the following commands:

helm uninstall datree-webhook -n datree
kubectl delete ns datree

Dashboard vs. Helm chart configuration​

Options​

Configure options​

Set/change token​

Custom skipping​

Example patterns​

Ignore a namespace​

Skip specific rules for a single object​

Example of a Deployment with skipped rules:​

Update​

Uninstall​