Policy customization
Rule Skipping
Rule skipping allows you to instrument your policy evaluation process, and specify which of your rules should not apply to a specific resource.
info
Skipping is allowed for a specific resource instance, skipping rules on a specific namespace or container is currently not supported.
Skipping is done by adding the following annotation to a given resource manifest:
datree.skip/[identifier]: [message]
identifier - the unique rule identifier.
message - optional text to be presented in the policy check output (CLI and history tab at the dashboard).
To obtain identifiers of built-in rules, go to your dashboard and click on the 'i' icon of your desired rule:
This will lead you to the documentation of the rule, where you will find the identifier:
Identifiers of custom rules can be found in the policy.yaml file, when in Policy-as-code mode. For example:
customRules:
- identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
name: Ensure correct environment labels are used [CUSTOM RULE]
defaultMessageOnFailure: Use only approved environment labels ('prod', 'staging' and 'test')
schema:
Example YAML with skipped rules:
apiVersion: apps/v1
kind: Deployment
metadata:
name: rss-site
namespace: test
labels:
environment: prod
app: web
annotations:
datree.skip/WORKLOAD_INVALID_LABELS_VALUE: irrelevant for deployments, skipping.
datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY: irrelevant for prod environment, skipping.
Note
annotations
have a character limit - the key and value of an annotation cannot exceed 63 characters each.
For more information, see the Kubernetes docs