Policy customization

Rule Skipping

Rule skipping allows you to instrument your policy evaluation process, and specify which of your rules should not apply to a specific resource.

info

Skipping is allowed for a specific resource instance, skipping rules on a specific namespace or container is currently not supported.

Skipping is done by adding the following annotation to a given resource manifest:

datree.skip/[identifier]: [message]

identifier - the unique rule identifier.
message - optional text to be presented in the policy check output (CLI and history tab at the dashboard).

To obtain identifiers of built-in rules, go to your dashboard and click on the 'i' icon of your desired rule:

rule_i

This will lead you to the documentation of the rule, where you will find the identifier:

rule_identifier_docs

Identifiers of custom rules can be found in the policy.yaml file, when in Policy-as-code mode. For example:

customRules:
  - identifier: CUSTOM_WORKLOAD_INCORRECT_ENVIRONMENT_LABELS
    name: Ensure correct environment labels are used [CUSTOM RULE]
    defaultMessageOnFailure: Use only approved environment labels ('prod', 'staging' and 'test')
    schema:

Example YAML with skipped rules:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rss-site
  namespace: test
  labels:
    environment: prod
    app: web
  annotations:
    datree.skip/WORKLOAD_INVALID_LABELS_VALUE: irrelevant for deployments, skipping.
    datree.skip/CONTAINERS_MISSING_LIVENESSPROBE_KEY: irrelevant for prod environment, skipping.

Note

annotations have a character limit - the key and value of an annotation cannot exceed 63 characters each.
For more information, see the Kubernetes docs

Rule Skipping​

info

Example YAML with skipped rules:​

Note

Rule Skipping

Example YAML with skipped rules: