Datree admission webhook


Datree offers cluster integration that allows you to validate your resources against your configured policy upon pushing them into a cluster, by using an admission webhook.

The webhook will catch kubectl create, apply and edit operations and initiate a policy check against the resources associated with each operation. If any misconfigurations are found, the webhook will reject the operation, and display a detailed output with instructions on how to resolve each misconfiguration.


The webhook officially supports Kubernetes version 1.19 and higher, and has been tested with EKS.


Prerequisites The following applications need to be installed on the machine:

  • kubectl
  • openssl – required for creating a certificate authority (CA).
  • curl

Installation Simply copy the following command and run it in your terminal:

bash <(curl https://get.datree.io/webhook)

[NOTE] the link above will prompt you to enter your Datree token during installation. To install without a prompt, you can provide your token as part of the installation command, by running this in your terminal:

DATREE_TOKEN=<your-token> bash <(curl https://get.datree.io/webhook)


Once the webhook is installed, every hooked operation will trigger a Datree policy check. If any misconfigurations are found, the following output will be displayed:


If no misconfigurations are found, the resource will be applied/updated normally.


The webhook’s behavior is configured within the datree-webhook resource. The following settings are supported:

Setting Values Description
DATREE_TOKEN Your Datree token, see our docs for instructions on how to obtain it
DATREE_POLICY e.g. “Argo”, “NSA” The name of the desired Datree policy to run
DATREE_VERBOSE true, false Display ‘How to Fix’ link for failed rules in output
DATREE_NO_RECORD true, false Don’t send policy checks metadata to the backend
DATREE_OUTPUT json, yaml, xml, JUnit Output the policy check results in the requested format

To change the behavior:

  1. Create a YAML file in your repository with this content:

        - name: server
            - name: DATREE_POLICY
              value: ""
            - name: DATREE_VERBOSE
              value: ""
            - name: DATREE_OUTPUT
              value: ""
            - name: DATREE_NO_RECORD
              value: ""
  1. Change the values of your settings as you desire.
  2. Run the following command to apply your changes to the webhook resource:
kubectl patch deployment webhook-server -n datree --patch-file /path/to/patch/file.yaml

🤫 Since your token is sensitive and you would not want to keep it in your repository, we recommend to set/change it by running a separate kubectl patch command:

kubectl patch deployment webhook-server -n datree -p '
        - name: server
            - name: DATREE_TOKEN
              value: "<your-token>"'

Simply replace <your-token> with your actual token, then copy the entire command and run it in your terminal.


To uninstall the webhook, copy the following command and run it in your terminal:

bash <(curl https://get.datree.io/webhook-uninstall)

Local development

To run the webhook locally (in development), view our developer guide.


View Github