README
¶
Datree Admission Webhook
Overview
Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.
The webhook will catch create, apply and edit operations and initiate a policy check against the configs associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.
👉🏻 For the full documentation click here.
Values
The following table lists the configurable parameters of the Datree chart and their default values.
Values
| Parameter | Description | Default |
|---|---|---|
| namespace | The name of the namespace all resources will be created in, if not specified in the release. | ""
|
| replicaCount | The number of Datree webhook-server replicas to deploy for the webhook. | 2
|
| customLabels | Additional labels to add to all resources. | {}
|
| customAnnotations | Additional annotations to add to all resources. | {}
|
| rbac.serviceAccount | Create service Account for the webhook | {
"create": true,
"name": "datree-webhook-server"
}
|
| rbac.clusterRole | Create service Role for the webhook | {
"create": true,
"name": "datree-webhook-server-cluster-role"
}
|
| datree.token | The token used to link Datree to your dashboard. (string, required) | null
|
| datree.existingSecret | The token may also be provided via secret, note if the existingSecret is provided the token field above is ignored. | {
"key": "",
"name": ""
}
|
| datree.verbose | Display 'How to Fix' link for failed rules in output. (boolean, optional) | null
|
| datree.output | The format output of the policy check results: yaml, json, xml, simple, JUnit. (string, optional) | null
|
| datree.noRecord | Don’t send policy checks metadata to the backend. (boolean, optional) | null
|
| datree.enabledWarnings | Choose which warnings to enable. (string array ,optional) | [
"failedPolicyCheck",
"skippedBySkipList",
"passedPolicyCheck",
"RBACBypassed"
]
|
| datree.clusterName | The name of the cluster link for cluster name in your dashboard (string ,optional) | null
|
| datree.scanIntervalHours | How often should the scan run in hours. (int, optional, default: 1 ) | 1
|
| datree.configFromHelm | If false, the webhook will be configured from the dashboard, otherwise it will be configured from here. Affected configurations: policy, enforce, customSkipList. | false
|
| datree.policy | The name of the policy to check, e.g: staging. (string, optional) | null
|
| datree.enforce | Block resources that fail the policy check. (boolean ,optional) | null
|
| datree.customSkipList | Excluded resources from policy checks. ("namespace;kind;name" ,optional) | [
"(.*);(.*);(^aws-node.*)",
"(^openshift.*);(.*);(.*)"
]
|
| datree.labelKubeSystem | set admission.datree/validate=skip label on kube-system resources. (openshift/okd users should set it to false) | true
|
| datree.logLevel | log level for the webhook-server, -1 - debug, 0 - info, 1 - warning, 2 - error, 3 - fatal | 0
|
| image.repository | Image repository for the webhook | "datree/admission-webhook"
|
| image.tag | The image release tag to use for the webhook | null
|
| image.pullPolicy | Image pull policy for the webhook | "Always"
|
| imageCredentials | For private registry which contains all the required images | {
"email": null,
"enabled": false,
"password": null,
"registry": null,
"username": null
}
|
| securityContext | Security context applied on the containers | {
"allowPrivilegeEscalation": false,
"capabilities": {
"drop": [
"ALL"
]
},
"readOnlyRootFilesystem": true,
"runAsNonRoot": true,
"runAsUser": 25000,
"seccompProfile": {
"type": "RuntimeDefault"
}
}
|
| resources | The resource request/limits for the webhook container image | {}
|
| nodeSelector | Used to select on which node a pod is scheduled to run | {}
|
| affinity | {}
|
|
| tolerations | []
|
|
| clusterScanner.resources | The resource request/limits for the scanner container image | {}
|
| clusterScanner.annotations | {}
|
|
| clusterScanner.rbac.serviceAccount | Create service Account for the scanner | {
"create": true,
"name": "cluster-scanner-service-account"
}
|
| clusterScanner.rbac.clusterRole | Create service Role for the scanner | {
"create": true,
"name": "cluster-scanner-role"
}
|
| clusterScanner.rbac.clusterRoleBinding | Create service RoleBinding for the scanner | {
"name": "cluster-scanner-role-binding"
}
|
| clusterScanner.image.repository | Image repository for the scanner | "datree/cluster-scanner"
|
| clusterScanner.image.pullPolicy | Image pull policy for the scanner | "Always"
|
| clusterScanner.image.tag | The image release tag to use for the scanner | null
|
| clusterScanner.image.resources | {}
|
|
| clusterScanner.livenessProbe.enabled | true
|
|
| clusterScanner.livenessProbe.scheme | null
|
|
| clusterScanner.livenessProbe.initialDelaySeconds | null
|
|
| clusterScanner.livenessProbe.periodSeconds | null
|
|
| clusterScanner.readinessProbe.enabled | true
|
|
| clusterScanner.readinessProbe.scheme | null
|
|
| clusterScanner.readinessProbe.initialDelaySeconds | null
|
|
| clusterScanner.readinessProbe.periodSeconds | null
|
|
| hooks.timeoutTime | The timeout time the hook will wait for the webhook-server is ready. | null
|
| hooks.ttlSecondsAfterFinished | null
|
|
| hooks.image.repository | "clastix/kubectl"
|
|
| hooks.image.tag | "v1.25"
|
|
| hooks.image.pullPolicy | "IfNotPresent"
|
|
| validatingWebhookConfiguration.failurePolicy | "Ignore"
|
|
| livenessProbe.enabled | true
|
|
| livenessProbe.scheme | null
|
|
| livenessProbe.initialDelaySeconds | null
|
|
| livenessProbe.periodSeconds | null
|
|
| readinessProbe.enabled | true
|
|
| readinessProbe.scheme | null
|
|
| readinessProbe.initialDelaySeconds | null
|
|
| readinessProbe.periodSeconds | null
|
|
| devMode.enabled | false
|
Documentation
¶
There is no documentation for this package.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.