Datree admission webhook
Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.
The webhook will catch kubectl create, apply and edit operations and initiate a policy check against the resources associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.
The webhook officially supports Kubernetes version 1.19 and higher, and has been tested with EKS.
Prerequisites The following applications need to be installed on the machine:
- openssl – required for creating a certificate authority (CA).
Installation Simply copy the following command and run it in your terminal:
bash <(curl https://get.datree.io/webhook)
[NOTE] the link above will prompt you to enter your Datree token during installation. To install without a prompt, you can provide your token as part of the installation command, by running this in your terminal:
DATREE_TOKEN=<your-token> bash <(curl https://get.datree.io/webhook)
Once the webhook is installed, every hooked operation will trigger a Datree policy check. If any misconfigurations are found, the following output will be displayed:
If no misconfigurations are found, the resource will be applied/updated normally.
The webhook’s behavior is configured within the
The following settings are supported:
|DATREE_TOKEN||Your Datree token, see our docs for instructions on how to obtain it|
|DATREE_POLICY||e.g. “Argo”, “NSA”||The name of the desired Datree policy to run|
|DATREE_VERBOSE||true, false||Display ‘How to Fix’ link for failed rules in output|
|DATREE_NO_RECORD||true, false||Don’t send policy checks metadata to the backend|
|DATREE_OUTPUT||json, yaml, xml, JUnit||Output the policy check results in the requested format|
To change the behavior:
- Create a YAML file in your repository with this content:
spec: template: spec: containers: - name: server env: - name: DATREE_POLICY value: "" - name: DATREE_VERBOSE value: "" - name: DATREE_OUTPUT value: "" - name: DATREE_NO_RECORD value: ""
- Change the values of your settings as you desire.
- Run the following command to apply your changes to the webhook resource:
kubectl patch deployment webhook-server -n datree --patch-file /path/to/patch/file.yaml
🤫 Since your token is sensitive and you would not want to keep it in your repository, we recommend to set/change it by running a separate
kubectl patch command:
kubectl patch deployment webhook-server -n datree -p ' spec: template: spec: containers: - name: server env: - name: DATREE_TOKEN value: "<your-token>"'
<your-token> with your actual token, then copy the entire command and run it in your terminal.
To uninstall the webhook, copy the following command and run it in your terminal:
bash <(curl https://get.datree.io/webhook-uninstall)
To run the webhook locally (in development), view our developer guide.