Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.
The webhook will catch create, apply and edit operations and initiate a policy check against the configs associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.
👉🏻 For the full documentation click here.
The following table lists the configurable parameters of the Datree chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| namespace | The name of the namespace all resources will be created in, if not specified in the release. | "" |
| replicaCount | The number of Datree webhook-server replicas to deploy for the webhook. | 2 |
| customLabels | Additional labels to add to all resources. | {} |
| customAnnotations | Additional annotations to add to all resources. | {} |
| rbac.serviceAccount | Create a ServiceAccount for the webhook. | { "create": true, "name": "datree-webhook-server" } |
| rbac.clusterRole | Create a ClusterRole for the webhook. | { "create": true, "name": "datree-webhook-server-cluster-role" } |
| datree.token | The token used to link Datree to your dashboard. (string, required) | null |
| datree.existingSecret | The token may also be provided via a Secret. If existingSecret is set, the datree.token field above is ignored. | { "key": "", "name": "" } |
| datree.verbose | Display a 'How to Fix' link for failed rules in the output. (boolean, optional) | null |
| datree.output | The output format of the policy check results: yaml, json, xml, simple, JUnit. (string, optional) | null |
| datree.noRecord | Don't send policy check metadata to the backend. (boolean, optional) | null |
| datree.enabledWarnings | Choose which warnings to enable. (string array, optional) | [ "failedPolicyCheck", "skippedBySkipList", "passedPolicyCheck", "RBACBypassed" ] |
| datree.clusterName | The cluster name to show for this cluster in your dashboard. (string, optional) | null |
| datree.scanIntervalHours | How often the scan should run, in hours. (int, optional, default: 1) | 1 |
| datree.configFromHelm | If false, the webhook is configured from the dashboard; otherwise it is configured from here. Affected configurations: policy, enforce, customSkipList. | false |
| datree.policy | The name of the policy to check, e.g. staging. (string, optional) | null |
| datree.enforce | Block resources that fail the policy check. (boolean, optional) | null |
| datree.customSkipList | Resources excluded from policy checks. ("namespace;kind;name", optional) | [ "(.*);(.*);(^aws-node.*)", "(^openshift.*);(.*);(.*)" ] |
| datree.labelKubeSystem | Set the admission.datree/validate=skip label on kube-system resources. (OpenShift/OKD users should set this to false) | true |
| datree.logLevel | Log level for the webhook-server: -1 - debug, 0 - info, 1 - warning, 2 - error, 3 - fatal | 0 |
| image.repository | Image repository for the webhook | "datree/admission-webhook" |
| image.tag | The image release tag to use for the webhook | null |
| image.pullPolicy | Image pull policy for the webhook | "Always" |
| imageCredentials | For private registry which contains all the required images | { "email": null, "enabled": false, "password": null, "registry": null, "username": null } |
| securityContext | Security context applied on the containers | { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 25000, "seccompProfile": { "type": "RuntimeDefault" } } |
| resources | The resource request/limits for the webhook container image | {} |
| nodeSelector | Used to select on which node a pod is scheduled to run | {} |
| affinity | | {} |
| tolerations | | [] |
| clusterScanner.resources | The resource requests/limits for the scanner container. | {} |
| clusterScanner.annotations | | {} |
| clusterScanner.rbac.serviceAccount | Create a ServiceAccount for the scanner. | { "create": true, "name": "cluster-scanner-service-account" } |
| clusterScanner.rbac.clusterRole | Create a ClusterRole for the scanner. | { "create": true, "name": "cluster-scanner-role" } |
| clusterScanner.rbac.clusterRoleBinding | Create a ClusterRoleBinding for the scanner. | { "name": "cluster-scanner-role-binding" } |
| clusterScanner.image.repository | Image repository for the scanner. | "datree/cluster-scanner" |
| clusterScanner.image.pullPolicy | Image pull policy for the scanner. | "Always" |
| clusterScanner.image.tag | The image release tag to use for the scanner. | null |
| clusterScanner.image.resources | | {} |
| clusterScanner.livenessProbe.enabled | | true |
| clusterScanner.livenessProbe.scheme | | null |
| clusterScanner.livenessProbe.initialDelaySeconds | | null |
| clusterScanner.livenessProbe.periodSeconds | | null |
| clusterScanner.readinessProbe.enabled | | true |
| clusterScanner.readinessProbe.scheme | | null |
| clusterScanner.readinessProbe.initialDelaySeconds | | null |
| clusterScanner.readinessProbe.periodSeconds | | null |
| hooks.timeoutTime | How long the hook waits for the webhook-server to become ready. | null |
| hooks.ttlSecondsAfterFinished | | null |
| hooks.image.repository | | "clastix/kubectl" |
| hooks.image.tag | | "v1.25" |
| hooks.image.pullPolicy | | "IfNotPresent" |
| validatingWebhookConfiguration.failurePolicy | | "Ignore" |
| livenessProbe.enabled | | true |
| livenessProbe.scheme | | null |
| livenessProbe.initialDelaySeconds | | null |
| livenessProbe.periodSeconds | | null |
| readinessProbe.enabled | | true |
| readinessProbe.scheme | | null |
| readinessProbe.initialDelaySeconds | | null |
| readinessProbe.periodSeconds | | null |
| devMode.enabled | | false |
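The following values file is an added example, not part of the chart, showing how the parameters above combine into a fail-closed, enforcing deployment: the token comes from a pre-created Secret instead of a plain value, policy settings are managed from Helm, and the default `failurePolicy: "Ignore"` (which lets the API server admit requests unchecked whenever the webhook-server is unreachable) is replaced with `Fail`. The Secret name `datree-token`, its key `token`, the policy name and the resource figures are assumptions.

```yaml
# Added example values.yaml (not from the chart repository).
datree:
  # Read the dashboard token from a Secret created beforehand; when
  # existingSecret is set, datree.token is ignored, so no token lands in
  # values.yaml or in the Helm release history.
  existingSecret:
    name: datree-token   # assumed Secret name
    key: token           # assumed key inside that Secret
  # Take policy, enforce and customSkipList from this file, not the dashboard.
  configFromHelm: true
  policy: staging        # assumed policy name
  enforce: true          # reject failing resources instead of only warning
  # Keep the chart's default skip list; each entry is "namespace;kind;name".
  customSkipList:
    - "(.*);(.*);(^aws-node.*)"
    - "(^openshift.*);(.*);(.*)"
  # Surface skips and RBAC bypasses so they are visible in the output.
  enabledWarnings:
    - failedPolicyCheck
    - skippedBySkipList
    - RBACBypassed
  logLevel: 0

validatingWebhookConfiguration:
  # "Fail" makes the API server reject create/apply/edit requests when the
  # webhook cannot answer, closing the fail-open gap of the default "Ignore".
  # Pair it with replicas and probes so an unhealthy webhook does not block
  # unrelated cluster changes for long.
  failurePolicy: Fail

replicaCount: 2
livenessProbe:
  enabled: true
readinessProbe:
  enabled: true

# Assumed sizing; set limits so a misbehaving webhook cannot starve the node.
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 256Mi
```

Create the Secret before installing, e.g. `kubectl -n <namespace> create secret generic datree-token --from-literal=token=<DASHBOARD_TOKEN>`, so the webhook-server can start and the `Fail` policy does not block admissions while it is missing.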
