CEL support

Datree supports writing custom rules in the CEL language, by utilizing a custom JSON Schema keyword.

Supported version

Writing custom rules in CEL is supported in CLI version 1.9.19 and above.

Required properties

In addition to the basic required format, a CEL custom rule has the following requirements:

The schema property must have a property named CELDefinition, which is an array of items.
Each item must have a property named expression that contains the logic of the rule written in CEL. Within the expression, use object to reference the resource being evaluated (see example below).
Each item may have a property named message, which specifies what print when the expression is violated.

Online CEL validation

Ensure the validity of your CEL expressions by testing them against resources using an online CEL playground.

Example:

The following schema requires that resources of kind ServiceAccount have the automountServiceAccountToken property set to false:

schema:
  CELDefinition:
    - expression: "object.kind != 'ServiceAccount' || (has(object.automountServiceAccountToken) && object.automountServiceAccountToken == false)"
      message: "ServiceAccounts must have automountServiceAccountToken set to false" # `message` is optional

Constraints

In the above example, the constraint object.kind != 'ServiceAccount' is a part of the CEL logic.
You can also write such a constraint in JSON schema and write the rest of the logic using CEL:

schema:
  # Constraint - enforce rule only on `ServiceAccount` resources
  if:
    properties:
      kind:
        enum:
          - ServiceAccount
  then:
    CELDefinition:
      - expression: "has(object.automountServiceAccountToken) && object.automountServiceAccountToken == false"

Required properties​

Example:​

Constraints​

For more examples, including a complete custom rules YAML, see the examples page.​

Required properties

Example:

Constraints

For more examples, including a complete custom rules YAML, see the examples page.