Troubleshooting

tip

If Datree fails to run or the admission webhook encounters an error, Datree will simply refrain from taking any action against your resources. It will not block your cluster or prevent you from working with it in any way.

Webhook installation debug script

If you fail to install Datree for any reason, run the following command to generate a log:

curl https://raw.githubusercontent.com/datreeio/admission-webhook-datree/main/scripts/troubleshoot.sh | /bin/bash > troubleshoot.logs 2>&1
cat troubleshoot.logs

Then, send us the troubleshoot.logs file.


Tokens mismatch


If you see this message in your dashboard, it means that we identified two account tokens associated with your account: one in your CLI and a different one in your dashboard. This can be an issue because it will break the connection between the policy checks that are executed (CLI) and the centralized policy (dashboard). As a result, you will not be able to control your policies or see results in your activity-log page.

How to fix tokens mismatch?

You will need to set your CLI token to match your dashboard token:

  1. Get your dashboard account token

  2. Set your dashboard account token in your CLI


Seems like your token does not exist

If you deleted your account and then ran a policy check, you will get this output: "Seems like your token does not exist".
To fix this, delete your config file ($HOME/.datree/config.yaml), then run another policy check.


Running Datree on Alpine (Linux) image

Alpine is missing some dependencies that are required to successfully install Datree.

How to fix missing dependencies?

Adding the following command to the CI should fix this:

apk add curl bash

This will add the curl and bash commands, which our install scripts require in order to run.


Schema validation failure

TL;DR
If you get the following message in your CLI:

❌  k8s schema validation error: could not find schema for [kindName]  

It means the schema validation check failed and there are three possible root causes:

Wrong Kubernetes schema version

If Datree's schema validation version does not match your Kubernetes cluster version, it can produce this type of error.
To check your Kubernetes cluster version, you can run kubectl version --short and read your Server Version:

➜ kubectl version --short
Server Version: v1.20.0

Your Datree schema validation version can be found on your dashboard (under SETTINGS) or in your policy check summary:

(Summary)
- Passing YAML validation: 1/1
- Passing Kubernetes (1.20.0) schema validation: 0/1

How to solve this?

Update the default schema version in the dashboard to be the same Kubernetes version as your cluster, or pass the --schema-version flag (read more).

Deprecated API versions

New Kubernetes releases may contain deprecations of APIs for different K8s objects. For example, the Ingress v1beta1 API is no longer served on Kubernetes version 1.22.0. Therefore, if the Kubernetes schema validation version is set to 1.22.0 and an Ingress config that uses the v1beta1 API is passed to Datree, its schema will not be found, and the schema validation step will fail.

apiVersion: networking.k8s.io/v1beta1 # deprecated API version
kind: Ingress
metadata:
  name: example

How to solve this?

Update your manifests to match the Kubernetes schema definition, or your cluster will not accept them (read more).

Missing schema for a CRD

Custom Resources (CRs) are not Kubernetes native objects, so they are not part of the official Kubernetes schema. To overcome this, we created the CRDs-catalog project, but if you're trying to validate CRs that don't exist in the CRDs-catalog, the schema validation step will fail.

How to solve this?

You will need to use the CRD Extractor to validate them (read more).
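
A pre-flight triage for the three root causes above, as an added example (not Datree's code). The names triage, header and minor and the partial REMOVED_IN table are assumptions made here, and the custom-resource check is a heuristic: it treats any dotted API group outside *.k8s.io as a CR, so CRDs published under a *.k8s.io group are not flagged.

```python
import re

# API versions Kubernetes stopped serving, keyed by (apiVersion, kind), with the
# first release that no longer serves them. Partial table built for this example.
REMOVED_IN = {
    ("networking.k8s.io/v1beta1", "Ingress"): (1, 22),
    ("extensions/v1beta1", "Ingress"): (1, 22),
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"): (1, 22),
    ("batch/v1beta1", "CronJob"): (1, 25),
    ("policy/v1beta1", "PodSecurityPolicy"): (1, 25),
}

def minor(version):
    """Turn 'v1.20.0' or '1.22.0' into (1, 20) / (1, 22)."""
    m = re.match(r"v?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def header(manifest):
    """Read the top-level (unindented) apiVersion and kind of one manifest."""
    found = dict(re.findall(r"^(apiVersion|kind):\s*([^\s#]+)", manifest, re.M))
    return found.get("apiVersion", ""), found.get("kind", "")

def triage(manifest, schema_version, server_version):
    """Return the likely root causes, in the order the page lists them."""
    api, kind = header(manifest)
    causes = []
    if minor(schema_version) != minor(server_version):
        causes.append("schema version differs from cluster version")
    removed = REMOVED_IN.get((api, kind))
    if removed and minor(schema_version) >= removed:
        causes.append(f"{api} {kind} is not served from {removed[0]}.{removed[1]}")
    group = api.rpartition("/")[0]  # "" for the core group, e.g. apiVersion: v1
    if "." in group and not group.endswith(".k8s.io"):  # heuristic, see lead-in
        causes.append(f"{group} looks like a custom resource group")
    return causes

# Constructed samples: the Ingress from this page and a custom resource.
INGRESS = """apiVersion: networking.k8s.io/v1beta1 # deprecated API version
kind: Ingress
metadata:
  name: example
"""
ROLLOUT = "apiVersion: argoproj.io/v1alpha1\nkind: Rollout\nmetadata:\n  name: example\n"

if __name__ == "__main__":
    for doc, schema in ((INGRESS, "1.22.0"), (INGRESS, "1.18.0"), (ROLLOUT, "1.20.0")):
        print(header(doc), schema, triage(doc, schema, "v1.20.0"))
```

An empty result means none of the three causes applies under these checks; the same Ingress passes against schema version 1.20.0 and fails against 1.22.0.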


Webhook installation failures

Prerequisites

Below you can find all of the installation failures caused by unmet prerequisites.

Helm install

If you get the following message in your terminal:

helm: command not found

It means that you don't have Helm installed on your machine. To fix this issue, install Helm on your machine, restart the terminal, and reinstall Datree.

Cluster not reachable

If you get the following message in your terminal:

INSTALLATION FAILED: Kubernetes cluster unreachable

It means that you don't have a Kubernetes cluster up and running. To be able to install the webhook, make sure you have kubectl installed and an accessible Kubernetes cluster, and only then try to install Datree again.

Windows users

If you are a Windows user, you cannot install the Datree webhook from within PowerShell. Instead, you should use WSL to run a Linux-based machine on Windows.


Haven't found a solution to your problem?

Let us know by opening an issue in our GitHub open-source project and we will gladly help!