admission-webhook-datree
Datree Admission Webhook
Overview
Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.
The webhook will catch create, apply and edit operations and initiate a policy check against the configs associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.
For the full documentation, see the Datree docs.
Values
The following table lists the configurable parameters of the Datree chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| namespace | The namespace all resources are created in, if not specified in the release. | `""` |
| replicaCount | The number of Datree webhook-server replicas to deploy for the webhook. | `2` |
| customLabels | Additional labels to add to all resources. | `{}` |
| customAnnotations | Additional annotations to add to all resources. | `{}` |
| rbac.serviceAccount | Create a ServiceAccount for the webhook. | `{"create": true, "name": "datree-webhook-server"}` |
| rbac.clusterRole | Create a ClusterRole for the webhook. | `{"create": true, "name": "datree-webhook-server-cluster-role"}` |
| datree.token | The token used to link Datree to your dashboard. (string, required) | `null` |
| datree.existingSecret | The token may also be provided via a Secret; if existingSecret is set, the token field above is ignored. | `{"key": "", "name": ""}` |
| datree.verbose | Display a 'How to Fix' link for failed rules in the output. (boolean, optional) | `null` |
| datree.output | The output format of the policy check results: yaml, json, xml, simple, JUnit. (string, optional) | `null` |
| datree.noRecord | Don't send policy check metadata to the backend. (boolean, optional) | `null` |
| datree.enabledWarnings | Choose which warnings to enable. (string array, optional) | `["failedPolicyCheck", "skippedBySkipList", "passedPolicyCheck", "RBACBypassed"]` |
| datree.clusterName | The cluster name shown for this cluster in your dashboard. (string, optional) | `null` |
| datree.scanIntervalHours | How often the scan runs, in hours. (int, optional) | `1` |
| datree.configFromHelm | If false, the webhook is configured from the dashboard; otherwise it is configured from these values. Affected settings: policy, enforce, customSkipList. | `false` |
| datree.policy | The name of the policy to check, e.g. staging. (string, optional) | `null` |
| datree.enforce | Block resources that fail the policy check. (boolean, optional) | `null` |
| datree.customSkipList | Resources excluded from policy checks, as entries of the form "namespace;kind;name". (optional) | `["(.*);(.*);(^aws-node.*)", "(^openshift.*);(.*);(.*)"]` |
| datree.labelKubeSystem | Set the admission.datree/validate=skip label on kube-system resources. (OpenShift/OKD users should set this to false) | `true` |
| datree.logLevel | Log level for the webhook-server: -1 debug, 0 info, 1 warning, 2 error, 3 fatal. | `0` |
| image.repository | Image repository for the webhook. | `"datree/admission-webhook"` |
| image.tag | The image release tag to use for the webhook. | `null` |
| image.pullPolicy | Image pull policy for the webhook. | `"Always"` |
| imageCredentials | Credentials for a private registry that holds all the required images. | `{"email": null, "enabled": false, "password": null, "registry": null, "username": null}` |
| securityContext | Security context applied to the containers. | `{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 25000, "seccompProfile": {"type": "RuntimeDefault"}}` |
| resources | Resource requests/limits for the webhook container. | `{}` |
| nodeSelector | Selects the nodes a pod may be scheduled on. | `{}` |
| affinity | | `{}` |
| tolerations | | `[]` |
| clusterScanner.resources | Resource requests/limits for the scanner container. | `{}` |
| clusterScanner.annotations | | `{}` |
| clusterScanner.rbac.serviceAccount | Create a ServiceAccount for the scanner. | `{"create": true, "name": "cluster-scanner-service-account"}` |
| clusterScanner.rbac.clusterRole | Create a ClusterRole for the scanner. | `{"create": true, "name": "cluster-scanner-role"}` |
| clusterScanner.rbac.clusterRoleBinding | Create a ClusterRoleBinding for the scanner. | `{"name": "cluster-scanner-role-binding"}` |
| clusterScanner.image.repository | Image repository for the scanner. | `"datree/cluster-scanner"` |
| clusterScanner.image.pullPolicy | Image pull policy for the scanner. | `"Always"` |
| clusterScanner.image.tag | The image release tag to use for the scanner. | `null` |
| clusterScanner.image.resources | | `{}` |
| clusterScanner.livenessProbe.enabled | | `true` |
| clusterScanner.livenessProbe.scheme | | `null` |
| clusterScanner.livenessProbe.initialDelaySeconds | | `null` |
| clusterScanner.livenessProbe.periodSeconds | | `null` |
| clusterScanner.readinessProbe.enabled | | `true` |
| clusterScanner.readinessProbe.scheme | | `null` |
| clusterScanner.readinessProbe.initialDelaySeconds | | `null` |
| clusterScanner.readinessProbe.periodSeconds | | `null` |
| hooks.timeoutTime | How long the hook waits for the webhook-server to become ready. | `null` |
| hooks.ttlSecondsAfterFinished | | `null` |
| hooks.image.repository | | `"clastix/kubectl"` |
| hooks.image.tag | | `"v1.25"` |
| hooks.image.pullPolicy | | `"IfNotPresent"` |
| validatingWebhookConfiguration.failurePolicy | The failurePolicy of the generated ValidatingWebhookConfiguration (Ignore or Fail). | `"Ignore"` |
| livenessProbe.enabled | | `true` |
| livenessProbe.scheme | | `null` |
| livenessProbe.initialDelaySeconds | | `null` |
| livenessProbe.periodSeconds | | `null` |
| readinessProbe.enabled | | `true` |
| readinessProbe.scheme | | `null` |
| readinessProbe.initialDelaySeconds | | `null` |
| readinessProbe.periodSeconds | | `null` |
| devMode.enabled | | `false` |
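As an added illustration, not taken from the chart's own documentation: a values override that shows the chart defaults which let unchecked resources through next to a tightened configuration built from the parameters in the table above. It assumes a pre-created Secret named `datree-token` with key `token` and a dashboard policy named `production`; both names are placeholders.

```yaml
# Added example override (not part of the chart). Assumptions: a Secret named
# "datree-token" with key "token" exists in the release namespace, and a policy
# named "production" exists in the Datree dashboard.

# --- Weak: defaults that admit resources without a check ---
# datree:
#   token: "<token pasted into values; stored in the Helm release record>"
#   configFromHelm: false      # policy/enforce/customSkipList come from the dashboard
#   enforce: null              # not set here, so enforcement depends on the dashboard
# validatingWebhookConfiguration:
#   failurePolicy: "Ignore"    # webhook unreachable => the API server admits the request

# --- Hardened ---
datree:
  existingSecret:              # token read from a Secret; datree.token is then ignored
    name: datree-token
    key: token
  configFromHelm: true         # policy, enforce and customSkipList are taken from here
  policy: production
  enforce: true                # reject resources that fail the policy check
  noRecord: false
  clusterName: prod-eu-1       # placeholder name shown in the dashboard
  enabledWarnings:
    - failedPolicyCheck
    - skippedBySkipList
    - RBACBypassed
  customSkipList:              # keep the skip list minimal; entries are "namespace;kind;name"
    - "(.*);(.*);(^aws-node.*)"
  labelKubeSystem: true        # set to false on OpenShift/OKD
  logLevel: 0

validatingWebhookConfiguration:
  failurePolicy: "Fail"        # webhook unreachable => the request is rejected, not admitted

replicaCount: 2                # keep more than one replica so a pod restart does not block admissions

resources:                     # the empty default leaves the webhook container unbounded
  requests: {cpu: 100m, memory: 128Mi}
  limits: {cpu: 500m, memory: 256Mi}
```

With `failurePolicy: "Fail"`, an outage of the webhook-server blocks the create, apply and edit operations it intercepts until the server is back, so pair it with more than one replica and the liveness/readiness probes the chart enables by default.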