Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.
The webhook will catch create, apply and edit operations and initiate a policy check against the configs associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.
The following table lists the configurable parameters of the Datree chart and their default values.
Parameter | Description | Default |
---|---|---|
replicaCount | The number of Datree webhook-server replicas to deploy for the webhook. | 2 |
customLabels | Additional labels for Datree webhook-server pods. | {} |
customAnnotations | Additional annotations to add to all resources. | {} |
rbac.serviceAccount.create | Create a ServiceAccount | true |
rbac.serviceAccount.name | The ServiceAccount name | webhook-server-datree |
rbac.clusterRole.create | Create a ClusterRole | true |
rbac.clusterRole.name | The ClusterRole name | webhook-server-datree |
image.repository | Image repository. | datree/admission-webhook |
image.tag | The image release tag to use. | Defaults to Chart appVersion |
image.pullPolicy | Image pull policy | Always |
securityContext | Security context applied on the container. | {"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true, "runAsNonRoot":true, "runAsUser":25000} |
resources | The resource requests/limits for the container image. | limits: cpu: 1000m, memory: 512Mi; requests: cpu: 100m, memory: 256Mi |
datree.token | The token used to link the CLI to your dashboard. (required) | nil |
datree.clusterName | The name of the cluster, used as the cluster name in your dashboard. | nil |
datree.policy | The name of the policy to check, e.g. staging. (optional) | "" (i.e. "default") |
datree.verbose | Display 'How to Fix' link for failed rules in output. (optional) | false |
datree.output | The format output of the policy check results: yaml, json, xml, simple, JUnit. (optional) | "" (i.e. beautiful) |
datree.noRecord | Don't send policy checks metadata to the backend. (optional) | false |
datree.enforce | Block resources that fail the policy check. (optional) | false |
datree.customSkipList | The recommended resources to exclude from your policy checks. (optional) | [ "(.*);(.*);(^aws-node.*)" ] |
hooks.waitForServerRollout.sleepyTime | The waiting time before the webhook-server is ready to receive requests. | nil |
hooks.waitForServerRollout.image | An image for running sleep command | {"repository": "alpine", "sha":"sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870", "pullPolicy":"Always"} |
hooks.labelNamespace.image | An image for running kubectl label command | {"repository": "bitnami/kubectl", "sha":"sha256:d3c17f1dc6e665dcc78e8c14a83ae630bc3d65b07ea11c5f1a012c2c6786d039", "pullPolicy":"Always"} |
nodeSelector | Used to select on which node a pod is scheduled to run | nil |
affinity | Offers more expressive syntax for fine-grained control of how Pods are scheduled to specific nodes | nil |
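
Every `datree.customSkipList` entry exempts resources from the policy check, so it is worth testing an entry before deploying it. The script below is an added example, not part of the Datree chart; it assumes each entry is three `;`-separated regexes matched against namespace, kind and name in that order with unanchored matching, which this page does not spell out, and the sample resources are constructed.

```python
import re

# The chart's default skip list entry, copied from the parameter table.
DEFAULT_SKIP_LIST = ["(.*);(.*);(^aws-node.*)"]

# Constructed sample resources as (namespace, kind, name).
SAMPLE_RESOURCES = [
    ("kube-system", "DaemonSet", "aws-node"),
    ("kube-system", "Pod", "aws-node-x7k2p"),
    ("payments", "Deployment", "api"),
    ("payments", "Deployment", "my-aws-node-proxy"),
]


def parse_entry(entry):
    """Split one entry into three compiled regexes (assumed order: namespace;kind;name)."""
    parts = entry.split(";")
    if len(parts) != 3:
        raise ValueError(f"expected 3 ';'-separated patterns, got {len(parts)}: {entry!r}")
    return tuple(re.compile(p) for p in parts)


def is_skipped(resource, skip_list):
    """True if every field of the resource matches the same-position pattern of some entry."""
    for entry in skip_list:
        patterns = parse_entry(entry)
        # Assumption: unanchored search, so a pattern needs ^ or $ to be exact.
        if all(p.search(field) for p, field in zip(patterns, resource)):
            return True
    return False


def overbroad_entries(skip_list, probe=("any-namespace", "AnyKind", "any-name")):
    """Entries that exempt an arbitrary resource, which disables the check for everything."""
    return [e for e in skip_list if is_skipped(probe, [e])]


def audit(skip_list, resources):
    """Map each resource to whether the skip list exempts it from the policy check."""
    return {r: is_skipped(r, skip_list) for r in resources}


if __name__ == "__main__":
    for resource, skipped in audit(DEFAULT_SKIP_LIST, SAMPLE_RESOURCES).items():
        print("SKIPPED" if skipped else "CHECKED", "/".join(resource))
    print("over-broad:", overbroad_entries(["(.*);(.*);(.*)", "(.*);(.*);(node)"]))
```

Under these assumptions, dropping the `^` from the default name pattern would also exempt `my-aws-node-proxy`, which is why the anchor matters.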