https://github.com/datreeio/admission-webhook-datree

Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.

# Datree Admission Webhook

# Overview
Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.

The webhook intercepts **create**, **apply** and **edit** operations (the CREATE and UPDATE admission requests they produce) and runs a policy check against the resource configs in each request. If misconfigurations are found and enforcement is enabled (`datree.enforce`), the webhook rejects the operation and returns detailed output with instructions on how to resolve each misconfiguration.

πŸ‘‰πŸ» For the full documentation click [here](https://hub.datree.io).

# Values

The following table lists the configurable parameters of the Datree chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| `namespace` | The namespace all resources are created in, if not specified in the release. | `""` |
| `replicaCount` | Number of Datree webhook-server replicas to deploy. | `2` |
| `customLabels` | Additional labels to add to all resources. | `{}` |
| `customAnnotations` | Additional annotations to add to all resources. | `{}` |
| `rbac.serviceAccount` | Create a ServiceAccount for the webhook. | `{"create": true, "name": "datree-webhook-server"}` |
| `rbac.clusterRole` | Create a ClusterRole for the webhook. | `{"create": true, "name": "datree-webhook-server-cluster-role"}` |
| `datree.token` | The token used to link Datree to your dashboard. (string, required unless `datree.existingSecret` is set) | `null` |
| `datree.existingSecret` | The token may also be provided via an existing Secret; if `existingSecret` is set, the `token` field above is ignored. | `{"key": "", "name": ""}` |
| `datree.verbose` | Display a 'How to Fix' link for failed rules in the output. (boolean, optional) | `null` |
| `datree.output` | Output format of the policy check results: yaml, json, xml, simple, JUnit. (string, optional) | `null` |
| `datree.noRecord` | Don't send policy check metadata to the backend. (boolean, optional) | `null` |
| `datree.enabledWarnings` | Which warnings to enable. (string array, optional) | `["failedPolicyCheck", "skippedBySkipList", "passedPolicyCheck", "RBACBypassed"]` |
| `datree.clusterName` | Cluster name shown in your dashboard. (string, optional) | `null` |
| `datree.scanIntervalHours` | How often the cluster scan runs, in hours. (int, optional) | `1` |
| `datree.configFromHelm` | If false, the webhook is configured from the dashboard; if true, it is configured from these values. Affected settings: `policy`, `enforce`, `customSkipList`. | `false` |
| `datree.policy` | Name of the policy to check, e.g. staging. (string, optional) | `null` |
| `datree.enforce` | Block (rather than only report) resources that fail the policy check. (boolean, optional) | `null` |
| `datree.customSkipList` | Resources excluded from policy checks, as `"namespace;kind;name"` regex triples. (string array, optional) | `["(.*);(.*);(^aws-node.*)", "(^openshift.*);(.*);(.*)"]` |
| `datree.labelKubeSystem` | Set the `admission.datree/validate=skip` label on kube-system resources. (OpenShift/OKD users should set this to false) | `true` |
| `datree.logLevel` | Log level for the webhook-server: -1 debug, 0 info, 1 warning, 2 error, 3 fatal. | `0` |
| `image.repository` | Image repository for the webhook. | `"datree/admission-webhook"` |
| `image.tag` | Image release tag to use for the webhook. | `null` |
| `image.pullPolicy` | Image pull policy for the webhook. | `"Always"` |
| `imageCredentials` | Credentials for a private registry that contains all the required images. | `{"enabled": false, "registry": null, "username": null, "password": null, "email": null}` |
| `securityContext` | Security context applied to the containers. | `{"allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}, "readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 25000, "seccompProfile": {"type": "RuntimeDefault"}}` |
| `resources` | Resource requests/limits for the webhook container. | `{}` |
| `nodeSelector` | Node selector used to choose which nodes the webhook pods are scheduled on. | `{}` |
| `affinity` | Affinity rules for the webhook pods. | `{}` |
| `tolerations` | Tolerations for the webhook pods. | `[]` |
| `clusterScanner.resources` | Resource requests/limits for the scanner container. | `{}` |
| `clusterScanner.annotations` | Annotations added to the scanner. | `{}` |
| `clusterScanner.rbac.serviceAccount` | Create a ServiceAccount for the scanner. | `{"create": true, "name": "cluster-scanner-service-account"}` |
| `clusterScanner.rbac.clusterRole` | Create a ClusterRole for the scanner. | `{"create": true, "name": "cluster-scanner-role"}` |
| `clusterScanner.rbac.clusterRoleBinding` | Create a ClusterRoleBinding for the scanner. | `{"name": "cluster-scanner-role-binding"}` |
| `clusterScanner.image.repository` | Image repository for the scanner. | `"datree/cluster-scanner"` |
| `clusterScanner.image.pullPolicy` | Image pull policy for the scanner. | `"Always"` |
| `clusterScanner.image.tag` | Image release tag to use for the scanner. | `null` |
| `clusterScanner.image.resources` |  | `{}` |
| `clusterScanner.livenessProbe.enabled` | Enable the scanner liveness probe. | `true` |
| `clusterScanner.livenessProbe.scheme` | Scheme of the scanner liveness probe (HTTP or HTTPS). | `null` |
| `clusterScanner.livenessProbe.initialDelaySeconds` | Initial delay of the scanner liveness probe, in seconds. | `null` |
| `clusterScanner.livenessProbe.periodSeconds` | Period of the scanner liveness probe, in seconds. | `null` |
| `clusterScanner.readinessProbe.enabled` | Enable the scanner readiness probe. | `true` |
| `clusterScanner.readinessProbe.scheme` | Scheme of the scanner readiness probe (HTTP or HTTPS). | `null` |
| `clusterScanner.readinessProbe.initialDelaySeconds` | Initial delay of the scanner readiness probe, in seconds. | `null` |
| `clusterScanner.readinessProbe.periodSeconds` | Period of the scanner readiness probe, in seconds. | `null` |
| `hooks.timeoutTime` | How long the Helm hook waits for the webhook-server to become ready. | `null` |
| `hooks.ttlSecondsAfterFinished` | `ttlSecondsAfterFinished` for the hook Job, i.e. how long the finished Job is kept before it is cleaned up. | `null` |
| `hooks.image.repository` | Image repository for the hook. | `"clastix/kubectl"` |
| `hooks.image.tag` | Image tag for the hook. | `"v1.25"` |
| `hooks.image.pullPolicy` | Image pull policy for the hook. | `"IfNotPresent"` |
| `validatingWebhookConfiguration.failurePolicy` | `failurePolicy` of the ValidatingWebhookConfiguration. With `Ignore`, requests are admitted without validation whenever the webhook is unreachable or times out; set to `Fail` to reject them instead. | `"Ignore"` |
| `livenessProbe.enabled` | Enable the webhook-server liveness probe. | `true` |
| `livenessProbe.scheme` | Scheme of the webhook-server liveness probe (HTTP or HTTPS). | `null` |
| `livenessProbe.initialDelaySeconds` | Initial delay of the webhook-server liveness probe, in seconds. | `null` |
| `livenessProbe.periodSeconds` | Period of the webhook-server liveness probe, in seconds. | `null` |
| `readinessProbe.enabled` | Enable the webhook-server readiness probe. | `true` |
| `readinessProbe.scheme` | Scheme of the webhook-server readiness probe (HTTP or HTTPS). | `null` |
| `readinessProbe.initialDelaySeconds` | Initial delay of the webhook-server readiness probe, in seconds. | `null` |
| `readinessProbe.periodSeconds` | Period of the webhook-server readiness probe, in seconds. | `null` |
| `devMode.enabled` |  | `false` |
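The `datree.customSkipList` and `datree.labelKubeSystem` rows above describe two ways a resource bypasses the policy check: a `"namespace;kind;name"` regex triple that matches it, or the `admission.datree/validate=skip` label. The following added example, not chart code, evaluates both against a request so the reach of a skip-list entry can be checked before it ships. It assumes each `;`-separated segment is an unanchored regex applied with `re.search` (the chart's defaults carry an explicit `^` where they need anchoring, which is consistent with that), and its sample resources and the tightened replacement entry are constructed for illustration.

```python
"""Decide whether an admission request bypasses Datree's policy check.

Added example, not chart code. It models the two bypass paths the Values table
documents: the datree.customSkipList regex triples and the
admission.datree/validate=skip label. Assumption: each ';'-separated segment is an
unanchored regex applied with re.search (the chart defaults anchor with an explicit
^ where they need it). The sample resources below are constructed.
"""
import re
from dataclasses import dataclass, field

DEFAULT_SKIP_LIST = ["(.*);(.*);(^aws-node.*)", "(^openshift.*);(.*);(.*)"]  # chart defaults
SKIP_LABEL = "admission.datree/validate"  # applied to kube-system by datree.labelKubeSystem

# Tightened replacement for the first default entry (this example's suggestion, not the
# chart's): only the aws-node DaemonSet and its pods (name plus 5-char pod suffix), only
# in kube-system.
TIGHTENED_SKIP_LIST = [
    "(^kube-system$);(^DaemonSet$|^Pod$);(^aws-node(-[a-z0-9]{5})?$)",
    "(^openshift.*);(.*);(.*)",
]


@dataclass
class Resource:
    namespace: str
    kind: str
    name: str
    labels: dict = field(default_factory=dict)


def parse_skip_list(entries):
    """Compile 'namespace;kind;name' entries; reject malformed ones rather than guess."""
    rules = []
    for entry in entries:
        parts = entry.split(";")
        if len(parts) != 3:
            raise ValueError(f"skip-list entry needs exactly 3 ';'-separated fields: {entry!r}")
        rules.append(tuple(re.compile(p) for p in parts))
    return rules


def skip_reason(resource, skip_list=DEFAULT_SKIP_LIST):
    """Return why the resource bypasses the policy check, or None if it would be checked."""
    if resource.labels.get(SKIP_LABEL) == "skip":
        return f"label {SKIP_LABEL}=skip"
    for ns_re, kind_re, name_re in parse_skip_list(skip_list):
        if (ns_re.search(resource.namespace) and kind_re.search(resource.kind)
                and name_re.search(resource.name)):
            return f"skip-list entry {ns_re.pattern};{kind_re.pattern};{name_re.pattern}"
    return None


# Constructed samples.
LEGIT_CNI_POD = Resource("kube-system", "Pod", "aws-node-x7k2q")
EVASIVE_DEPLOYMENT = Resource("prod", "Deployment", "aws-node-backdoor")  # attacker-chosen name
LABELLED_DEPLOYMENT = Resource("prod", "Deployment", "web", labels={SKIP_LABEL: "skip"})

if __name__ == "__main__":
    for res in (LEGIT_CNI_POD, EVASIVE_DEPLOYMENT, LABELLED_DEPLOYMENT):
        print(f"{res.namespace}/{res.kind}/{res.name}")
        print("  default skip list :", skip_reason(res) or "checked")
        print("  tightened         :", skip_reason(res, TIGHTENED_SKIP_LIST) or "checked")
```

Two things fall out of running it. The default entry `(.*);(.*);(^aws-node.*)` skips any kind in any namespace whose name begins with `aws-node`, so anyone with create rights in some namespace can name a Deployment `aws-node-...` and never be evaluated; the tightened entry still covers the real CNI pods in kube-system and nothing else. And because the label path short-circuits everything, the right to set labels on a resource is the right to bypass the policy, which is why the chart lets you disable the kube-system labelling with `datree.labelKubeSystem`.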