Behavior
Set/change token
Since your token is sensitive 🤫 and you would not want to keep it in your repository, we recommend setting/changing it using the helm upgrade command:
helm upgrade -n datree datree-webhook datree-webhook/datree-admission-webhook --reuse-values --set datree.token=<your-token>
(simply replace <your-token> with your actual token)
Options
The following options are available for configuring Datree's behavior:
Option | Description | Type |
---|---|---|
policy | The name of the policy to check, e.g. "Argo" | string |
verbose | Display 'How to Fix' link for failed rules in output | boolean |
output | The format output of the policy check results: yaml, json, xml, simple, JUnit, sarif | string |
noRecord | Don’t send policy checks metadata to the dashboard | boolean |
enforce | Block resources that fail the policy check from being applied to the cluster | boolean |
ℹ️ For the full list of configurable parameters in the Datree helm chart, click here
Configure options
To set/change one or more options, choose one of the following methods:
1. Using a Helm inline command
The following example will enable enforce mode and block resources that fail the policy check:
helm upgrade -n datree datree-webhook datree-webhook/datree-admission-webhook --reuse-values --set datree.enforce="true"
2. Using a new Helm values file
Create a YAML file with your desired values, then run the following command to apply it:
helm upgrade -n datree -f newValues.yaml datree-webhook datree-webhook/datree-admission-webhook
Ignore a namespace
Add the label "admission.datree/validate=skip" to the configuration of the namespace you would like to ignore:
kubectl label namespaces default "admission.datree/validate=skip"
To delete the label and resume running the datree webhook on the namespace again:
kubectl label namespaces default "admission.datree/validate-"
Skip specific rules for a single object
To skip a rule for a specific object, add the following annotation to its manifest:
datree.skip/[identifier]: [message]
identifier - the unique rule identifier.
message - optional text to be presented in the policy check output (CLI and history tab at the dashboard).
To obtain identifiers of built-in rules, go to your dashboard and click on the 'i' icon of your desired rule:
This will lead you to the documentation of the rule, where you will find the identifier:
Identifiers of custom rules can be found in the policy.yaml file, when in Policy-as-code mode. For example:
customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels ('prod', 'staging' and 'test')
    schema:
Example of a Deployment with skipped rules:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rss-site
  namespace: test
  labels:
    environment: prod
    app: web
  annotations:
    datree.skip/WORKLOAD_INVALID_LABELS_VALUE: irrelevant for deployments, skipping.
    datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY: irrelevant for prod environment, skipping.
ℹ️ Annotations have a character limit - the key and value of an annotation cannot exceed 63 characters each. For more information, see the Kubernetes docs.
Custom skipping
Datree can be configured to skip certain rules by using a dedicated ConfigMap (see example below).
- The ConfigMap must be named 'webhook-scanning-filters.yaml' and must reside in the 'datree' namespace.
- Enter the resources you wish to skip under the data.skiplist key, in the format of namespace;resourceKind;resourceName.
- You can use a regular expression for any of the aforementioned properties.
After creating/changing your ConfigMap, run kubectl rollout restart deployment -n datree to restart the webhook and apply your changes.
The following example will cause the webhook to skip all resources of type (kind) ServiceAccount in all namespaces, regardless of their name:
apiVersion: v1
kind: ConfigMap
metadata:
  name: webhook-scanning-filters
  namespace: datree
data:
  skiplist: |
    - (.*);ServiceAccount;(.*)
The following example will skip all resources in the namespace 'myNs':
data:
  skiplist: |
    - myNs;(.*);(.*)
The following example will skip all resources in all namespaces if the resource name starts with the prefix 'appName-':
data:
  skiplist: |
    - (.*);(.*);(^appName-.*)
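Before rolling out a skiplist it is worth checking which resources it will exempt from validation. The following added example (not Datree's own code) parses entries in the namespace;resourceKind;resourceName format shown above, answers "would this resource be skipped?", and counts wildcard fields so that an entry exempting the whole cluster stands out. It assumes each field is matched as an unanchored regular expression; the skiplist contents and the probe string are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the value of data.skiplist from a
# webhook-scanning-filters ConfigMap, one entry per line as on this page.
SKIPLIST = """\
- (.*);ServiceAccount;(.*)
- myNs;(.*);(.*)
- (.*);(.*);(^appName-.*)
"""

@dataclass(frozen=True)
class SkipRule:
    namespace: re.Pattern
    kind: re.Pattern
    name: re.Pattern

def parse_skiplist(text: str) -> List[SkipRule]:
    """Parse 'namespace;resourceKind;resourceName' entries; each field is a regex."""
    rules = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        if entry.startswith("- "):          # strip the YAML list dash
            entry = entry[2:].strip()
        fields = entry.split(";")
        if len(fields) != 3:
            raise ValueError(f"malformed skiplist entry: {entry!r}")
        rules.append(SkipRule(*(re.compile(f) for f in fields)))
    return rules

def is_skipped(rules: List[SkipRule], namespace: str, kind: str, name: str) -> bool:
    """True if any entry matches the resource on all three fields.
    Assumption: matching is unanchored (re.search); the page's own entry
    '(^appName-.*)' spells out its '^' anchor, which suggests exactly that."""
    return any(r.namespace.search(namespace) and r.kind.search(kind)
               and r.name.search(name) for r in rules)

# Heuristic probe (constructed): a field that matches this string is treated as a wildcard.
_PROBE = "zz-probe-value-no-rule-should-name"

def wildcard_count(rule: SkipRule) -> int:
    """How many of the three fields match anything; 3 means the entry
    exempts every resource in the cluster from admission validation."""
    return sum(1 for p in (rule.namespace, rule.kind, rule.name) if p.search(_PROBE))

if __name__ == "__main__":
    for r in parse_skiplist(SKIPLIST):
        print(r, "wildcard fields:", wildcard_count(r))
```

Under the unanchored-matching assumption, a bare field such as myNs also matches a namespace named myNs-prod; write ^myNs$ if only the exact namespace is meant.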
Update
To update Datree to the latest version, run the following commands:
helm repo update
helm upgrade -n datree datree-webhook datree-webhook/datree-admission-webhook --reuse-values --debug
Uninstall
To uninstall Datree, run the following commands:
helm uninstall datree-webhook -n datree
kubectl delete ns datree