Skip to main content

Behavior

Set/change token

Since your token is sensitive 🤫 and you would not want to keep it in your repository, we recommend to set/change it by running a separate kubectl patch command:

kubectl patch deployment webhook-server -n datree -p '
spec:
template:
spec:
containers:
- name: server
env:
- name: DATREE_TOKEN
value: "<your-token>"'

Simply replace <your-token> with your actual token, then copy the entire command and run it in your terminal.

Options

The following options are available for configuring Datree's behavior:

OptionDescriptionType
policyThe name of the policy to check, e.g: "Argo"string
verboseDisplay 'How to Fix' link for failed rules in outputboolean
outputThe format output of the policy check results: yaml, json, xml, simple, JUnit, sarifstring
noRecordDon’t send policy checks metadata to the dashboardboolean
enforceBlock resources that fail the policy check from being applied to the clusterboolean

Configure options

To set/change one or more options, choose one of the following methods:

1. Using a Helm inline command

The following example will enable enforce mode and block resources that fail the policy check:

helm upgrade -n datree datree-webhook datree-webhook/datree-admission-webhook --reuse-values --set datree.enforce="true"

2. Using a new Helm values file

Create a YAML file with your desired values, then run the following command to apply it:

helm upgrade -n datree -f newValues.yaml datree-webhook datree-webhook/datree-admission-webhook

Ignore a namespace

Add the label "admission.datree/validate=skip" to the configuration of the namespace you would like to ignore:

kubectl label namespaces default "admission.datree/validate=skip"

To delete the label and resume running the datree webhook on the namespace again:

kubectl label namespaces default "admission.datree/validate-"

Skip specific rules for a single object

To skip a rule for a specific object, add the following annotation to its manifest:

datree.skip/[identifier]: [message]

identifier - the unique rule identifier.
message - optional text to be presented in the policy check output (CLI and history tab at the dashboard).

To obtain identifiers of built-in rules, go to your dashboard and click on the 'i' icon of your desired rule:

rule_i

This will lead you to the documentation of the rule, where you will find the identifier:

rule_identifier_docs

Identifiers of custom rules can be found in the policy.yaml file, when in Policy-as-code mode. For example:

customRules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
name: Ensure correct environment labels are used [CUSTOM RULE]
defaultMessageOnFailure: Use only approved environment labels ('prod', 'staging' and 'test')
schema:

Example of a Deployment with skipped rules:

apiVersion: apps/v1
kind: Deployment
metadata:
name: rss-site
namespace: test
labels:
environment: prod
app: web
annotations:
datree.skip/WORKLOAD_INVALID_LABELS_VALUE: irrelevant for deployments, skipping.
datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY: irrelevant for prod environment, skipping.
Note

annotations have a character limit - the key and value of an annotation cannot exceed 63 characters each.
For more information, see the Kubernetes docs


Custom skipping

Datree can be configured to skip certain rules by using a dedicated ConfigMap (see example below).

  • The ConfigMap must be named 'webhook-scanning-filters.yaml' and must reside in the 'datree' namespace.
  • Enter the resources you wish to skip under the data.skiplist key, in the format of namespace;resourceKind;resourceName.
  • You can use a regular expression for any of the aformentioned properties.
Important

After creating/changing your ConfigMap, run kubectl rollout restart deployment -n datree to restart the webhook and apply your changes.

The following example will cause the webhook to skip all resources of type (kind) ServiceAccount in all namespaces, regardless of their name:

apiVersion: v1
kind: ConfigMap
metadata:
name: webhook-scanning-filters
namespace: datree
data:
skiplist: |
- (.*);ServiceAccount;(.*)

The following example will skip all resources in the namespace 'myNs':

data:
skiplist: |
- myNs;(.*);(.*)

The following example will skip all resources in all namespaces if the resource name starts with the prefix 'appName-':

data:
skiplist: |
- (.*);(.*);(^appName-.*)

Uninstall

To uninstall Datree, run the following command in your terminal:

helm uninstall datree-webhook -n datree
kubectl delete ns datree