Rule Skipping

Rule skipping lets you fine-tune the policy evaluation process by specifying which of your rules should not apply to a specific resource.

Info

Skipping is allowed for a specific resource instance; skipping rules on a specific namespace or container is currently not supported.

Skipping is done by adding the following annotation to a given resource manifest:

datree.skip/[identifier]: [message]

identifier - the unique rule identifier.
message - optional text presented in the policy check output (the CLI and the history tab in the dashboard).

To obtain identifiers of built-in rules, go to your dashboard and click on the 'i' icon of your desired rule:

This will lead you to the documentation of the rule, where you will find the identifier:

Identifiers of custom rules can be found in the policy.yaml file when in Policy-as-code mode. For example:

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels ('prod', 'staging' and 'test')
    schema:

Example YAML with skipped rules:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rss-site
  namespace: test
  labels:
    environment: prod
    app: web
  annotations:
    datree.skip/WORKLOAD_INVALID_LABELS_VALUE: irrelevant for deployments, skipping.
    datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY: irrelevant for prod environment, skipping.

Note

Annotations have a character limit: the key and the value of an annotation cannot exceed 63 characters each.
For more information, see the Kubernetes docs.
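As an added example (not Datree's own code), the Python below resolves the datree.skip annotations on a single resource and applies them to a list of failed rule identifiers, enforcing the 63-character limit from the note above. The manifests are constructed dicts that mirror the Deployment example; the second one, with no annotations, shows that a skip on one resource does not carry over to another resource in the same namespace.

```python
from typing import Dict, List, Tuple

SKIP_PREFIX = "datree.skip/"
MAX_LEN = 63  # limit quoted on this page for an annotation key and value

# Constructed manifests mirroring the page's example (dicts instead of YAML so
# the snippet runs offline). OTHER_SITE carries no skip annotations at all.
RSS_SITE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {
        "name": "rss-site", "namespace": "test",
        "labels": {"environment": "prod", "app": "web"},
        "annotations": {
            "datree.skip/WORKLOAD_INVALID_LABELS_VALUE": "irrelevant for deployments, skipping.",
            "datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY": "irrelevant for prod environment, skipping.",
        },
    },
}
OTHER_SITE = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "other-site", "namespace": "test", "labels": {"app": "web"}},
}


def skipped_rules(manifest: dict) -> Dict[str, str]:
    """Map rule identifier -> message for every datree.skip annotation on ONE resource."""
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    skips: Dict[str, str] = {}
    for key, value in annotations.items():
        if not key.startswith(SKIP_PREFIX):
            continue  # unrelated annotation
        message = "" if value is None else str(value)  # the message part is optional
        if len(key) > MAX_LEN or len(message) > MAX_LEN:
            raise ValueError(f"annotation {key!r} exceeds the {MAX_LEN}-character limit")
        skips[key[len(SKIP_PREFIX):]] = message
    return skips


def apply_skips(manifest: dict, failed: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split failed rule identifiers into those still failing and those skipped (with message).
    Skips are read from the resource itself only, never from siblings in its namespace."""
    skips = skipped_rules(manifest)
    still_failing = [r for r in failed if r not in skips]
    skipped = [(r, skips[r]) for r in failed if r in skips]
    return still_failing, skipped


if __name__ == "__main__":
    failed = ["WORKLOAD_INVALID_LABELS_VALUE", "CONTAINERS_MISSING_LIVENESSPROBE_KEY"]
    for m in (RSS_SITE, OTHER_SITE):
        print(m["metadata"]["name"], apply_skips(m, failed))
```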