Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.
The webhook will catch create, apply and edit operations and initiate a policy check against the configs associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.
👉🏻 For the full documentation click here.
The following table lists the configurable parameters of the Datree chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| namespace | The namespace all resources will be created in, if not specified in the release. | `""` |
| replicaCount | The number of Datree webhook-server replicas to deploy for the webhook. | `2` |
| customLabels | Additional labels to add to all resources. | `{}` |
| customAnnotations | Additional annotations to add to all resources. | `{}` |
| rbac.serviceAccount | Create a ServiceAccount for the webhook. | `{"create": true, "name": "datree-webhook-server"}` |
| rbac.clusterRole | Create a ClusterRole for the webhook. | `{"create": true, "name": "datree-webhook-server-cluster-role"}` |
| datree.token | The token used to link Datree to your dashboard. (string, required) | `null` |
| datree.existingSecret | The token may also be provided via a Secret; if existingSecret is provided, the token field above is ignored. | `{"key": "", "name": ""}` |
| datree.verbose | Display a 'How to Fix' link for failed rules in the output. (boolean, optional) | `null` |
| datree.output | The output format of the policy check results: yaml, json, xml, simple, JUnit. (string, optional) | `null` |
| datree.noRecord | Don't send policy check metadata to the backend. (boolean, optional) | `null` |
| datree.enabledWarnings | Choose which warnings to enable. (string array, optional) | `["failedPolicyCheck", "skippedBySkipList", "passedPolicyCheck", "RBACBypassed"]` |
| datree.clusterName | The cluster name shown for this cluster in your dashboard. (string, optional) | `null` |
| datree.scanIntervalHours | How often the scan runs, in hours. (int, optional) | `1` |
| datree.configFromHelm | If false, the webhook is configured from the dashboard; otherwise it is configured from these values. Affected configurations: policy, enforce, customSkipList. | `false` |
| datree.policy | The name of the policy to check, e.g. staging. (string, optional) | `null` |
| datree.enforce | Block resources that fail the policy check. (boolean, optional) | `null` |
| datree.customSkipList | Resources excluded from policy checks. ("namespace;kind;name", optional) | `["(.*);(.*);(^aws-node.*)", "(^openshift.*);(.*);(.*)"]` |
| datree.labelKubeSystem | Set the admission.datree/validate=skip label on kube-system resources. (OpenShift/OKD users should set it to false.) | `true` |
| datree.logLevel | Log level for the webhook-server: -1 debug, 0 info, 1 warning, 2 error, 3 fatal. | `0` |
| image.repository | Image repository for the webhook. | `"datree/admission-webhook"` |
| image.tag | The image release tag to use for the webhook. | `null` |
| image.pullPolicy | Image pull policy for the webhook. | `"Always"` |
| imageCredentials | Credentials for a private registry that contains all the required images. | `{"email": null, "enabled": false, "password": null, "registry": null, "username": null}` |
| securityContext | Security context applied to the containers. | `{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 25000, "seccompProfile": {"type": "RuntimeDefault"}}` |
| resources | The resource requests/limits for the webhook container. | `{}` |
| nodeSelector | Used to select on which node a pod is scheduled to run. | `{}` |
| affinity | | `{}` |
| tolerations | | `[]` |
| clusterScanner.resources | The resource requests/limits for the scanner container. | `{}` |
| clusterScanner.annotations | | `{}` |
| clusterScanner.rbac.serviceAccount | Create a ServiceAccount for the scanner. | `{"create": true, "name": "cluster-scanner-service-account"}` |
| clusterScanner.rbac.clusterRole | Create a ClusterRole for the scanner. | `{"create": true, "name": "cluster-scanner-role"}` |
| clusterScanner.rbac.clusterRoleBinding | Create a ClusterRoleBinding for the scanner. | `{"name": "cluster-scanner-role-binding"}` |
| clusterScanner.image.repository | Image repository for the scanner. | `"datree/cluster-scanner"` |
| clusterScanner.image.pullPolicy | Image pull policy for the scanner. | `"Always"` |
| clusterScanner.image.tag | The image release tag to use for the scanner. | `null` |
| clusterScanner.image.resources | | `{}` |
| clusterScanner.livenessProbe.enabled | | `true` |
| clusterScanner.livenessProbe.scheme | | `null` |
| clusterScanner.livenessProbe.initialDelaySeconds | | `null` |
| clusterScanner.livenessProbe.periodSeconds | | `null` |
| clusterScanner.readinessProbe.enabled | | `true` |
| clusterScanner.readinessProbe.scheme | | `null` |
| clusterScanner.readinessProbe.initialDelaySeconds | | `null` |
| clusterScanner.readinessProbe.periodSeconds | | `null` |
| hooks.timeoutTime | The time the hook will wait for the webhook-server to become ready. | `null` |
| hooks.ttlSecondsAfterFinished | | `null` |
| hooks.image.repository | | `"clastix/kubectl"` |
| hooks.image.tag | | `"v1.25"` |
| hooks.image.pullPolicy | | `"IfNotPresent"` |
| validatingWebhookConfiguration.failurePolicy | | `"Ignore"` |
| livenessProbe.enabled | | `true` |
| livenessProbe.scheme | | `null` |
| livenessProbe.initialDelaySeconds | | `null` |
| livenessProbe.periodSeconds | | `null` |
| readinessProbe.enabled | | `true` |
| readinessProbe.scheme | | `null` |
| readinessProbe.initialDelaySeconds | | `null` |
| readinessProbe.periodSeconds | | `null` |
| devMode.enabled | | `false` |
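The values file below is an added example, not a file shipped with the chart or part of its documentation. It puts the parameters from the table into a configuration that closes the gaps the defaults leave open: the token comes from a pre-created Secret rather than from values.yaml, enforcement is managed from Helm and switched on explicitly, and the webhook fails closed instead of silently admitting resources when it is unavailable. The Secret name `datree-token` and key `token`, the cluster name, the policy name, the image tag placeholder and the resource figures are all assumptions chosen for the example.

```yaml
# Example values.yaml for the Datree chart (added illustration, not the chart's own file).
# Assumed names: Secret "datree-token" with key "token", cluster "prod-eu-1", policy "production".

replicaCount: 2

datree:
  # Read the dashboard token from a Secret created beforehand instead of writing it into
  # values.yaml, where it would be committed with the rest of the release and surface in
  # `helm get values`. When existingSecret is set, datree.token is ignored.
  existingSecret:
    name: datree-token   # assumed; e.g. kubectl create secret generic datree-token --from-literal=token=<TOKEN>
    key: token           # assumed key name inside that Secret
  clusterName: prod-eu-1 # assumed cluster name, shown in the dashboard

  # Manage policy, enforce and customSkipList from this file rather than from the dashboard,
  # so the enforcement settings are reviewed alongside the rest of the cluster configuration.
  configFromHelm: true
  policy: production     # assumed policy name
  # Reject resources that fail the policy check; set it explicitly rather than leaving it unset.
  enforce: true
  # Entries are "namespace;kind;name" patterns. Keep the shipped defaults and add nothing
  # broader than needed: a skipped resource bypasses the policy entirely.
  customSkipList:
    - "(.*);(.*);(^aws-node.*)"
    - "(^openshift.*);(.*);(.*)"
  scanIntervalHours: 1

validatingWebhookConfiguration:
  # The default "Ignore" tells the API server to admit the request whenever the webhook
  # cannot be reached (pod restarts, timeouts), so every outage is a validation gap.
  # "Fail" rejects those requests instead. That makes the webhook a hard dependency of
  # create and update operations, so keep replicaCount >= 2, leave the probes enabled,
  # and test on a non-production cluster before rolling it out.
  failurePolicy: Fail

image:
  # Pin a known release so upgrades are deliberate instead of following a floating tag.
  tag: "<release-tag>"     # placeholder: replace with a release from the image repository
  pullPolicy: IfNotPresent

# Example figures; size them from the observed usage of your own cluster.
resources:
  requests: {cpu: 100m, memory: 128Mi}
  limits: {cpu: 500m, memory: 256Mi}

clusterScanner:
  resources:
    requests: {cpu: 100m, memory: 128Mi}
    limits: {cpu: 500m, memory: 512Mi}
```

Install with `helm install datree-webhook <chart> -f values.yaml` after the Secret exists, then confirm enforcement by applying a manifest that deliberately violates the selected policy to a test namespace and checking that the API server returns the webhook's rejection message. The `securityContext` default in the table already drops all capabilities, runs as a non-root user with a read-only root filesystem and applies the runtime default seccomp profile, so it is left untouched here.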
