datreeio/admission-webhook-datree

Datree Admission Webhook

Overview

Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.

The webhook intercepts create, apply and edit operations and runs a policy check against the configs in each request. If misconfigurations are found and enforcement is enabled (`datree.enforce`), the webhook rejects the operation and returns a detailed output with instructions on how to resolve each misconfiguration.

👉🏻 For the full documentation click here.

Values

The following table lists the configurable parameters of the Datree chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| `namespace` | Namespace all resources are created in, if not specified in the release. | `""` |
| `replicaCount` | Number of Datree webhook-server replicas to deploy. | `2` |
| `customLabels` | Additional labels added to all resources. | `{}` |
| `customAnnotations` | Additional annotations added to all resources. | `{}` |
| `rbac.serviceAccount` | Create the ServiceAccount for the webhook. | `{"create": true, "name": "datree-webhook-server"}` |
| `rbac.clusterRole` | Create the ClusterRole for the webhook. | `{"create": true, "name": "datree-webhook-server-cluster-role"}` |
| `datree.token` | Token that links the webhook to your Datree dashboard. (string, required unless `datree.existingSecret` is set) | `null` |
| `datree.existingSecret` | Read the token from an existing Kubernetes Secret (`name` and `key`). When set, `datree.token` is ignored. | `{"key": "", "name": ""}` |
| `datree.verbose` | Show a "How to Fix" link for each failed rule in the output. (boolean, optional) | `null` |
| `datree.output` | Output format of the policy check results: `yaml`, `json`, `xml`, `simple`, `JUnit`. (string, optional) | `null` |
| `datree.noRecord` | Don't send policy-check metadata to the Datree backend. (boolean, optional) | `null` |
| `datree.enabledWarnings` | Which warnings to emit. (string array, optional) | `["failedPolicyCheck", "skippedBySkipList", "passedPolicyCheck", "RBACBypassed"]` |
| `datree.clusterName` | Name under which this cluster appears in your dashboard. (string, optional) | `null` |
| `datree.scanIntervalHours` | How often the cluster scan runs, in hours. (int, optional) | `1` |
| `datree.configFromHelm` | If `false`, the webhook takes its configuration from the dashboard; if `true`, from these values. Affected settings: `policy`, `enforce`, `customSkipList`. | `false` |
| `datree.policy` | Name of the policy to check against, e.g. `staging`. (string, optional) | `null` |
| `datree.enforce` | Block resources that fail the policy check. (boolean, optional) | `null` |
| `datree.customSkipList` | Resources excluded from policy checks, as `namespace;kind;name` patterns. (string array, optional) | `["(.*);(.*);(^aws-node.*)", "(^openshift.*);(.*);(.*)"]` |
| `datree.labelKubeSystem` | Set the `admission.datree/validate=skip` label on kube-system resources. OpenShift/OKD users should set this to `false`. | `true` |
| `datree.logLevel` | Log level of the webhook-server: `-1` debug, `0` info, `1` warning, `2` error, `3` fatal. | `0` |
| `image.repository` | Image repository for the webhook. | `"datree/admission-webhook"` |
| `image.tag` | Image release tag for the webhook. | `null` |
| `image.pullPolicy` | Image pull policy for the webhook. | `"Always"` |
| `imageCredentials` | Pull credentials for a private registry that hosts all required images. | `{"email": null, "enabled": false, "password": null, "registry": null, "username": null}` |
| `securityContext` | Security context applied to the containers. | `{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 25000, "seccompProfile": {"type": "RuntimeDefault"}}` |
| `resources` | Resource requests/limits for the webhook container. | `{}` |
| `nodeSelector` | Node selector controlling where the webhook pods are scheduled. | `{}` |
| `affinity` | Affinity rules for the webhook pods. | `{}` |
| `tolerations` | Tolerations for the webhook pods. | `[]` |
| `clusterScanner.resources` | Resource requests/limits for the scanner container. | `{}` |
| `clusterScanner.annotations` | Annotations added to the scanner. | `{}` |
| `clusterScanner.rbac.serviceAccount` | Create the ServiceAccount for the scanner. | `{"create": true, "name": "cluster-scanner-service-account"}` |
| `clusterScanner.rbac.clusterRole` | Create the ClusterRole for the scanner. | `{"create": true, "name": "cluster-scanner-role"}` |
| `clusterScanner.rbac.clusterRoleBinding` | Name of the ClusterRoleBinding for the scanner. | `{"name": "cluster-scanner-role-binding"}` |
| `clusterScanner.image.repository` | Image repository for the scanner. | `"datree/cluster-scanner"` |
| `clusterScanner.image.pullPolicy` | Image pull policy for the scanner. | `"Always"` |
| `clusterScanner.image.tag` | Image release tag for the scanner. | `null` |
| `clusterScanner.image.resources` | | `{}` |
| `clusterScanner.livenessProbe.enabled` | Enable the scanner liveness probe. | `true` |
| `clusterScanner.livenessProbe.scheme` | | `null` |
| `clusterScanner.livenessProbe.initialDelaySeconds` | | `null` |
| `clusterScanner.livenessProbe.periodSeconds` | | `null` |
| `clusterScanner.readinessProbe.enabled` | Enable the scanner readiness probe. | `true` |
| `clusterScanner.readinessProbe.scheme` | | `null` |
| `clusterScanner.readinessProbe.initialDelaySeconds` | | `null` |
| `clusterScanner.readinessProbe.periodSeconds` | | `null` |
| `hooks.timeoutTime` | How long the Helm hook waits for the webhook-server to become ready. | `null` |
| `hooks.ttlSecondsAfterFinished` | | `null` |
| `hooks.image.repository` | Image used by the Helm hook job. | `"clastix/kubectl"` |
| `hooks.image.tag` | | `"v1.25"` |
| `hooks.image.pullPolicy` | | `"IfNotPresent"` |
| `validatingWebhookConfiguration.failurePolicy` | What the API server does when the webhook cannot be reached or times out: `Ignore` admits the request (fail open), `Fail` rejects it (fail closed). | `"Ignore"` |
| `livenessProbe.enabled` | Enable the webhook liveness probe. | `true` |
| `livenessProbe.scheme` | | `null` |
| `livenessProbe.initialDelaySeconds` | | `null` |
| `livenessProbe.periodSeconds` | | `null` |
| `readinessProbe.enabled` | Enable the webhook readiness probe. | `true` |
| `readinessProbe.scheme` | | `null` |
| `readinessProbe.initialDelaySeconds` | | `null` |
| `readinessProbe.periodSeconds` | | `null` |
| `devMode.enabled` | | `false` |

Note that the defaults are not fail-closed: with `validatingWebhookConfiguration.failurePolicy` left at `Ignore`, any request the API server cannot get a webhook answer for is admitted, and with `datree.enforce` unset nothing is blocked. A `datree.token` passed inline is stored with the Helm release values in the cluster; `datree.existingSecret` keeps it in a Secret you manage instead.
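As an added example (not part of the chart or its documentation), the following Python script audits a values override for the settings in the table that decide whether the webhook fails open or closed, and shows how a `customSkipList` entry is matched against a resource. The values are embedded as Python dicts copied from the defaults column; the Secret name `datree-token`, its `token` key, the audit rules themselves, and the assumption that each `namespace;kind;name` field is a regex matched from the start of the value are this example's own, not the project's.

```python
"""Audit a Datree admission-webhook values override for fail-open settings.

Added example, not part of the datreeio/admission-webhook-datree chart.
Values are embedded as dicts (copied from the chart's values table) instead
of values.yaml so this runs with the standard library only. The audit rules
and the skip-list matching semantics are this example's own assumptions.
"""
import re

# Chart defaults, copied from the values table (only the keys the audit reads).
CHART_DEFAULTS = {
    "datree": {
        "token": None,
        "existingSecret": {"key": "", "name": ""},
        "configFromHelm": False,
        "enforce": None,
        "customSkipList": ["(.*);(.*);(^aws-node.*)", "(^openshift.*);(.*);(.*)"],
        "labelKubeSystem": True,
    },
    "validatingWebhookConfiguration": {"failurePolicy": "Ignore"},
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "readOnlyRootFilesystem": True,
        "runAsNonRoot": True,
        "runAsUser": 25000,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
}

# A hardened override: token read from a pre-created Secret (name and key are
# assumed), API server fails closed when the webhook is unreachable, and
# resources that fail the policy are blocked rather than only reported.
HARDENED = {
    "datree": {
        "token": None,
        "existingSecret": {"name": "datree-token", "key": "token"},  # assumed names
        "configFromHelm": True,
        "enforce": True,
        "customSkipList": CHART_DEFAULTS["datree"]["customSkipList"],
        "labelKubeSystem": True,
    },
    "validatingWebhookConfiguration": {"failurePolicy": "Fail"},
    "securityContext": CHART_DEFAULTS["securityContext"],
}


def audit(values):
    """Return a list of findings (empty means no fail-open setting was seen)."""
    findings = []
    d = values.get("datree", {})
    secret = d.get("existingSecret") or {}
    has_secret = bool(secret.get("name") and secret.get("key"))

    policy = values.get("validatingWebhookConfiguration", {}).get("failurePolicy")
    if policy != "Fail":
        findings.append("failurePolicy=%r: requests are admitted when the webhook "
                        "is unreachable or times out (fail open)" % policy)
    if not d.get("configFromHelm"):
        findings.append("configFromHelm=false: policy, enforce and customSkipList "
                        "are taken from the dashboard, not from reviewed Helm values")
    elif d.get("enforce") is not True:
        findings.append("enforce is not true: failing resources are reported, not blocked")
    if d.get("token") and not has_secret:
        findings.append("datree.token is set inline: it is stored with the Helm release "
                        "values; prefer datree.existingSecret")
    if not d.get("token") and not has_secret:
        findings.append("no token configured: set datree.token or datree.existingSecret")
    for entry in d.get("customSkipList") or []:
        parts = entry.split(";")
        if len(parts) == 3 and all(p in ("(.*)", ".*") for p in parts):
            findings.append("customSkipList entry %r skips every resource" % entry)
    sc = values.get("securityContext", {})
    if sc.get("runAsNonRoot") is not True or sc.get("allowPrivilegeEscalation") is not False:
        findings.append("securityContext weakened relative to the chart defaults")
    return findings


def is_skipped(skip_list, namespace, kind, name):
    """True if a 'namespace;kind;name' entry excludes the resource.

    Each field is treated as a regex matched from the start of the value
    (re.match); the chart documents the entry format, not the matching rules,
    so this is an assumption of the example.
    """
    for entry in skip_list:
        parts = entry.split(";")
        if len(parts) != 3:
            continue
        if all(re.match(p, v) for p, v in zip(parts, (namespace, kind, name))):
            return True
    return False


if __name__ == "__main__":
    for label, vals in (("chart defaults", CHART_DEFAULTS), ("hardened", HARDENED)):
        print(label + ":")
        for finding in audit(vals) or ["no findings"]:
            print("  - " + finding)
    skips = CHART_DEFAULTS["datree"]["customSkipList"]
    print("kube-system/aws-node skipped:", is_skipped(skips, "kube-system", "DaemonSet", "aws-node"))
    print("default/web skipped:", is_skipped(skips, "default", "Deployment", "web"))
```

Run it against the override you intend to install (converted to a dict) before `helm upgrade`; the chart defaults alone produce three findings, the hardened override none. The skip-list matcher shows why the default entries exclude every `aws-node*` resource in any namespace and everything in `openshift*` namespaces while leaving an ordinary Deployment in `default` subject to the policy.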
