Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.
The webhook will catch create, apply and edit operations and initiate a policy check against the configs associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.
👉🏻 For the full documentation click here.
The following table lists the configurable parameters of the Datree chart and their default values.
Parameter | Description | Default |
---|---|---|
namespace | The name of the namespace all resources will be created in, if not specified in the release. | "" |
replicaCount | The number of Datree webhook-server replicas to deploy for the webhook. | 2 |
customLabels | Additional labels to add to all resources. | {} |
customAnnotations | Additional annotations to add to all resources. | {} |
rbac.serviceAccount | Create service Account for the webhook | {
"create": true,
"name": "datree-webhook-server"
} |
rbac.clusterRole | Create service Role for the webhook | {
"create": true,
"name": "datree-webhook-server-cluster-role"
} |
datree.token | The token used to link Datree to your dashboard. (string, required) | null |
datree.existingSecret | The token may also be provided via secret, note if the existingSecret is provided the token field above is ignored. | {
"key": "",
"name": ""
} |
datree.verbose | Display 'How to Fix' link for failed rules in output. (boolean, optional) | null |
datree.output | The format output of the policy check results: yaml, json, xml, simple, JUnit. (string, optional) | null |
datree.noRecord | Don’t send policy checks metadata to the backend. (boolean, optional) | null |
datree.clusterName | The name of the cluster link for cluster name in your dashboard (string ,optional) | null |
datree.scanIntervalHours | How often should the scan run in hours. (int, optional, default: 1 ) | 1 |
datree.configFromHelm | If false, the webhook will be configured from the dashboard, otherwise it will be configured from here. Affected configurations: policy, enforce, customSkipList. | false |
datree.policy | The name of the policy to check, e.g: staging. (string, optional) | null |
datree.enforce | Block resources that fail the policy check. (boolean ,optional) | null |
datree.customSkipList | Excluded resources from policy checks. ("namespace;kind;name" ,optional) | [
"(.*);(.*);(^aws-node.*)"
] |
image.repository | Image repository for the webhook | "datree/admission-webhook" |
image.tag | The image release tag to use for the webhook | null |
image.pullPolicy | Image pull policy for the webhook | "Always" |
imageCredentials | For private registry which contains all the required images | {
"email": null,
"enabled": false,
"password": null,
"registry": null,
"username": null
} |
securityContext | Security context applied on the containers | {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,
"runAsUser": 25000,
"seccompProfile": {
"type": "RuntimeDefault"
}
} |
resources | The resource request/limits for the webhook container image | {} |
nodeSelector | Used to select on which node a pod is scheduled to run | {} |
affinity | {} |
|
tolerations | [] |
|
clusterScanner.resources | The resource request/limits for the scanner container image | {} |
clusterScanner.annotations | {} |
|
clusterScanner.rbac.serviceAccount | Create service Account for the scanner | {
"create": true,
"name": "cluster-scanner-service-account"
} |
clusterScanner.rbac.clusterRole | Create service Role for the scanner | {
"create": true,
"name": "cluster-scanner-role"
} |
clusterScanner.rbac.clusterRoleBinding | Create service RoleBinding for the scanner | {
"name": "cluster-scanner-role-binding"
} |
clusterScanner.image.repository | Image repository for the scanner | "datree/cluster-scanner" |
clusterScanner.image.pullPolicy | Image pull policy for the scanner | "Always" |
clusterScanner.image.tag | The image release tag to use for the scanner | null |
hooks.timeoutTime | The timeout time the hook will wait for the webhook-server is ready. | null |
hooks.ttlSecondsAfterFinished | null |
|
hooks.image.repository | "clastix/kubectl" |
|
hooks.image.tag | "v1.25" |
|
hooks.image.pullPolicy | "IfNotPresent" |
|
validatingWebhookConfiguration.failurePolicy | "Ignore" |