diff --git a/kubernetes/datree/README-2023.md b/kubernetes/datree/README-2023.md
new file mode 100644
index 0000000..88c944c
--- /dev/null
+++ b/kubernetes/datree/README-2023.md
@@ -0,0 +1,172 @@
+
+# Whats new 👉🏽 Datree in 2023
+
+## Create a Kubernetes cluster
+
+Let's start by creating a local `kind` [cluster](https://kind.sigs.k8s.io/)
+
+Note that we create a Kubernetes 1.23 cluster.
+So we want to use `datree` to validate and ensure our manifests comply with that version of Kubernetes.
+
+```
+kind create cluster --name datree --image kindest/node:v1.23.6
+```
+
+## Installation
+
+Best place to start is the [documentation](https://hub.datree.io/)
+
+I like to start all my work inside a docker container.
+Let's run a small Alpine linux container
+
+```
+docker run -it -v ${PWD}:/work -v ${HOME}/.kube/:/root/.kube/ -w /work --net host alpine sh
+```
+### Install Kubectl
+
+Let's install `kubectl` in our container
+
+```
+apk add curl jq
+curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.23.6/bin/linux/amd64/kubectl
+chmod +x ./kubectl
+mv ./kubectl /usr/local/bin/kubectl
+```
+
+### Install Helm
+
+Let's install `helm` in our container
+
+```
+curl -L https://get.helm.sh/helm-v3.5.4-linux-amd64.tar.gz -o /tmp/helm.tar.gz && \
+tar -xzf /tmp/helm.tar.gz -C /tmp && \
+chmod +x /tmp/linux-amd64/helm && \
+mv /tmp/linux-amd64/helm /usr/local/bin/helm
+
+```
+
+## Install Datree on our cluster
+
+Add the Helm repo:
+```
+helm repo add datree-webhook https://datreeio.github.io/admission-webhook-datree
+helm search repo datree-webhook --versions
+```
+
+Grab the manifest:
+```
+CHART_VERSION="0.3.22"
+APP_VERSION="0.1.41"
+DATREE_TOKEN=""
+
+mkdir ./kubernetes/datree/manifests/
+
+helm template datree-webhook datree-webhook/datree-admission-webhook \
+--create-namespace \
+--set datree.token=${DATREE_TOKEN} \
+--set datree.clusterName=$(kubectl config current-context) \
+--version ${CHART_VERSION} \
+--namespace datree \
+> ./kubernetes/datree/manifests/datree.${APP_VERSION}.yaml
+
+```
+
+Apply the manifests:
+```
+kubectl create namespace datree
+kubectl apply -n datree -f kubernetes/datree/manifests/
+```
+Check the install
+
+```
+kubectl -n datree get pods
+```
+
+## View our Cluster Score
+
+Now with Datree installed in our cluster, we can review it's current scoring in the Datree [Dashboard](https://app.datree.io/overview)
+
+As we are running a test cluster or if you run in the cloud, there may be some cloud components in namespaces that you may want to ignore.
+
+We can do this by labeling a namespace which is [documented here](https://hub.datree.io/configuration/behavior#ignore-a-namespace)
+
+```
+kubectl label namespaces local-path-storage "admission.datree/validate=skip"
+```
+
+According to the dashboard, we still have a `D` score, let's rerun the scan:
+
+```
+kubectl get job "scan-job" -n datree -o json | jq 'del(.spec.selector)' | jq 'del(.spec.template.metadata.labels)' | kubectl replace --force -f -
+```
+
+Now we can see that we have an `A` score.
+
+## Deploy some workloads to our cluster
+
+For most companies and larger teams, it's extremely difficult to fix policy issues.
+Let's walk through what this may look like.
+
+Deploy some sample workloads:
+
+```
+kubectl create namespace cms
+kubectl -n cms create configmap mysql \
+--from-literal MYSQL_RANDOM_ROOT_PASSWORD=1
+
+kubectl -n cms create secret generic wordpress \
+--from-literal WORDPRESS_DB_HOST=mysql \
+--from-literal WORDPRESS_DB_USER=exampleuser \
+--from-literal WORDPRESS_DB_PASSWORD=examplepassword \
+--from-literal WORDPRESS_DB_NAME=exampledb
+
+kubectl -n cms create secret generic mysql \
+--from-literal MYSQL_USER=exampleuser \
+--from-literal MYSQL_PASSWORD=examplepassword \
+--from-literal MYSQL_DATABASE=exampledb
+
+kubectl -n cms apply -f kubernetes/datree/example/cms/
+```
+
+Check out workloads
+
+```
+kubectl -n cms get all
+```
+
+Rerun our scan:
+
+```
+kubectl get job "scan-job" -n datree -o json | jq 'del(.spec.selector)' | jq 'del(.spec.template.metadata.labels)' | kubectl replace --force -f -
+```
+
+Now we can follow the dashboard, to check our `namespace` for policy issues and start fixing them.
+
+Datree has a ton of features and capabilities.
+We can even run it locally using the CLI
+
+## Datree CLI : Testing our YAML locally
+
+We can install the latest version of Datree with the command advertised:
+
+```
+curl https://get.datree.io | /bin/bash
+```
+
+### Policy check
+
+Let's test my example manifests under our datree folder `kubernetes\datree\example`
+
+```
+datree test ./kubernetes/datree/example/cms/
+```
+
+# CI/CD examples
+
+The tools as well as the dashboards help us solve these policy issues locally.
+Once we have sorted out our policy issues, we can add Datree to our CI/CD pipeline.
+
+Checkout the [CI/CD integrations](https://hub.datree.io/cicd-examples) page.
+
+
+
diff --git a/kubernetes/datree/example/cms/deploy.yaml b/kubernetes/datree/example/cms/deploy.yaml
new file mode 100644
index 0000000..121fefe
--- /dev/null
+++ b/kubernetes/datree/example/cms/deploy.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wordpress-deployment
+ labels:
+ app: wordpress
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: wordpress
+ template:
+ metadata:
+ labels:
+ app: wordpress
+ spec:
+ containers:
+ - name: wordpress
+ image: aimvector/wordpress-example
+ ports:
+ - containerPort: 80
+ env:
+ - name: WORDPRESS_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: wordpress
+ key: WORDPRESS_DB_HOST
+ - name: WORDPRESS_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: wordpress
+ key: WORDPRESS_DB_USER
+ - name: WORDPRESS_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: wordpress
+ key: WORDPRESS_DB_PASSWORD
+ - name: WORDPRESS_DB_NAME
+ valueFrom:
+ secretKeyRef:
+ name: wordpress
+ key: WORDPRESS_DB_NAME
\ No newline at end of file
diff --git a/kubernetes/datree/example/cms/ingress.yaml b/kubernetes/datree/example/cms/ingress.yaml
new file mode 100644
index 0000000..77ccdc0
--- /dev/null
+++ b/kubernetes/datree/example/cms/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: wordpress
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+ ingressClassName: nginx
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: wordpress
+ port:
+ number: 80
diff --git a/kubernetes/datree/example/cms/service.yaml b/kubernetes/datree/example/cms/service.yaml
new file mode 100644
index 0000000..87112d9
--- /dev/null
+++ b/kubernetes/datree/example/cms/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: wordpress
+ labels:
+ app: wordpress
+spec:
+ ports:
+ - port: 80
+ name: wordpress
+ targetPort: 80
+ type: ClusterIP
+ selector:
+ app: wordpress
\ No newline at end of file
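Review bot: `image: aimvector/wordpress-example` in deploy.yaml carries no tag or digest, so each pull resolves whatever `latest` currently points at, and the container has no `securityContext` and no `resources`; the README presents these workloads as deliberately failing policy, but nothing in the file says so. Add a header comment such as `# Intentionally non-compliant sample for the Datree walkthrough (untagged image, no securityContext/resources) - do not copy into a real cluster as-is` so the intent survives outside the README. The same applies to `image: aimvector/mysql-example` in statefulset.yaml, which is likewise untagged and unconstrained.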
diff --git a/kubernetes/datree/example/cms/statefulset.yaml b/kubernetes/datree/example/cms/statefulset.yaml
new file mode 100644
index 0000000..c377d64
--- /dev/null
+++ b/kubernetes/datree/example/cms/statefulset.yaml
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mysql
+ labels:
+ app: mysql
+spec:
+ ports:
+ - port: 3306
+ name: db
+ type: ClusterIP
+ selector:
+ app: mysql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mysql
+spec:
+ selector:
+ matchLabels:
+ app: mysql # has to match .spec.template.metadata.labels
+ serviceName: "mysql"
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mysql # has to match .spec.selector.matchLabels
+ spec:
+ terminationGracePeriodSeconds: 10
+ containers:
+ - name: mysql
+ image: aimvector/mysql-example
+ ports:
+ - containerPort: 3306
+ name: db
+ env:
+ - name: MYSQL_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: mysql
+ key: MYSQL_DATABASE
+ - name: MYSQL_USER
+ valueFrom:
+ secretKeyRef:
+ name: mysql
+ key: MYSQL_USER
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mysql
+ key: MYSQL_PASSWORD
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ valueFrom:
+ configMapKeyRef:
+ name: mysql
+ key: MYSQL_RANDOM_ROOT_PASSWORD
+ volumeMounts:
+ - name: db
+ mountPath: /var/lib/mysql
+ volumeClaimTemplates:
+ - metadata:
+ name: db
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ storageClassName: "standard"
+ resources:
+ requests:
+ storage: 500Mi
\ No newline at end of file
diff --git a/kubernetes/datree/manifests/datree.0.1.41.yaml b/kubernetes/datree/manifests/datree.0.1.41.yaml
new file mode 100644
index 0000000..7b0e76e
--- /dev/null
+++ b/kubernetes/datree/manifests/datree.0.1.41.yaml
@@ -0,0 +1,718 @@ +--- +# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cluster-scan-job-service-account + namespace: datree +--- +# Source: datree-admission-webhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: datree-webhook-server + namespace: datree + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +--- +# Source: datree-admission-webhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: datree-label-namespaces-hook-post-install + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +--- +# Source: datree-admission-webhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: datree-cleanup-namespaces-hook-pre-delete + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +--- +# Source: datree-admission-webhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: datree-wait-server-ready-hook-post-install + 
labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +--- +# Source: datree-admission-webhook/templates/webhook-with-cert-secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: datree-ca-tls + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + namespace: datree +type: kubernetes.io/tls +data: + tls.key: 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 + tls.crt: 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 +--- +# Source: datree-admission-webhook/templates/webhook-with-cert-secrets.yaml +apiVersion: v1 +kind: Secret +metadata: + name: webhook-server-tls + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + namespace: datree + annotations: + self-signed-cert: "true" +type: kubernetes.io/tls +data: + tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeUVOamtDUU1ZK0NwKzhndE5zK014dnJ1WFA4dnVIa2pYS255aEF5YXBMb2VDdU80Ci90L0FlRWE1SFMyZHk3MVppemNNZ0xaanFqcGxBdk5qTFhEbjE3dG00eTVZUFJwQUgzWDhwcUN2bW0ya1dzM1QKUEZhY3BrRkljc2VCdTROVEJvSHVMbVcvTm9RMVcrS21DbHFEd3ZYKzk4ZzZQUmc1dkVCRmszUUkvM0RrRWlGdQo1R3lHQWZ2Tnp5cUVTbDNaajEzYm5rY0RuOXZ3VHE3RXY2YWhlbi83QjhELzB2YnBScFpYSkw4UTF4T1JOZDk0Cmh1VDh6U1QwekRZZnRLZDNYY0YrVWxKZklkNkNYSHc4THFkVUxJM3E4blhIb3NVeEtaY0ZWQ3YweGlaaWQvTk4KL3lTZGt0V3lNWEZHZDVIWjdqenVlVFdXZjB5bjJ4Vm5WbGNweVFJREFRQUJBb0lCQVFDZGlQVnZWQXd6SFc1YQpWRFBOSkNQWCsxazY2cnM5WUgzQ3pTV3JYc2Jmd2xFVHUrT3hDNDY2anRmYjdpQnRQenlMV1BpSzMrOHkzOURLCksyL2ZOU3dMOXEyUEZNdnc5UTl3TUQ1WlRab1YzeDRsR0RpTkJJMGg4OFRzRmFrbU9yNDdKa2FaVlF5LzgreU4KcFpOOEhZdjg5OHBrWEt3RGwyVURnNE8zNU5XWEtuQzdTaGNtL281RU5aOTRETjVBVFRxL1N1em0xYVJycXZiVQo2OEFrZllMNnFDbUFyaDlsb2w0aE9iTmE1MlZsdGtCNGE0R3hsNWlETjBNQlhJV1lmVUM2c1JIam1UUWJyUkd6CllRTE5tNmdwYTRPMUJDVjU1eVp5aFZrMlVyRENrandqaERiVGRHVGlDU25BRU9iSFJIUjhoYnFlQWwwbk5XQ1cKa3F5dXp5b0JBb0dCQU9sRGlMb1pEVEJuR2ZpYWhoY1lINmFvSUt3c2dLRHVPNDdOZkltSjAwZzRBTzFmOXNPNgptb1MyNUdMSVpFS1p0WmFtK2NGckk3RVBJSTVxV3lmQ3h5QURzdDhSdG5RVU5vUmFtVEVISE5sODBXVDVBd2xuCm9VYUdoaVV5RC9lYkNEU0wreGF2cFVtS29DeTR1Y095RjVHNEhsSmNCZE9HUWJiVUhtbzhsNkloQW9HQkFOdkkKYWtacGhUbmlBc3ZwV2VaN1daKzgrUTR2Z3FoVGE4Q1Q4WlU4a2hldXJETk5DaEFqNlljMnVKMldjd1JIMFExZApZOFhycHJXTDhjd2xRYmFmRmFMNnF1c2s4ZUtna0ltWm1DdWJZejNmSHRQNDg4N3FXSVZtQ2ZSbm0vcUZPdGo5CmZ5UTIxM3l0eTBIVlE0STI0eXNKeVBkZFNkaHZ3bC9QdllVTm5PS3BBb0dBUDc0eHZkRWN0bzVtSFhaMGtCa0sKaFN0S2ltSTY0RDlaelNOQUZnR3cxL3BkM29BcjJiN0RmT0xSdEdEWWJRNjkvYVl4ZC9hRU1WMVY0elVUSmVGbgpNc3R2OU45TlFabEljSkNsYmkxb1o5SmhFanV0NWNNSTRsSGVsSW1DcllJVEV2RHhzM2hhTGFlUkw4ZG5GQ0ExCnFwOXF3Y3pkMXJqSWVtS3EwUk12eUtFQ2dZQmlNVWhKN1JyNG9XRmVlUU1SVmtyVWN6bFNmU2VDek1KM1o2R24KYTBoYURGQWpHMmhEamNmb0FTcTZQVjFsckRCYUtEOUxUZDFOZnhpb2ZIeS9lcFBRSE8zLzRLR3cvc3VVcm1xdQpFTjVsNWlsL3l0b2l0OUNVeU9IcHIrQ2dMS1grREVPaGlsNzc5U202WCsycFg1eGV2aUJyWStKNk1IUkhHaWt5CktNTFBBUUtCZ1FDNXdvMFU2REF6NlN4Z3lCQkM3N2lBVWtsbU5v
OFhoZnlEWGlwUWJDalMwV0RycWZPd2EyVDgKRkR1aXhhOHBmM0taWEdDQzQ1eU1BblZmWUY0dW1GU09xZkRPR0QyZFBlOWk3RWl1cWtOT1BZR0VXbk9hNzVuSApvdlNMN0Qvakg2L2Z0Tmh2UkVtdER2elBiT2x6VmY5bkk4M1pYZmpXQWl3YVFjMDlyYVlUbFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= + tls.crt: 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 +--- +# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-scan-job-role +rules: + - apiGroups: + - "*" + resources: + - "*" + verbs: + - "get" + - "list" +--- +# Source: datree-admission-webhook/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: datree-webhook-server-read + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +rules: + - apiGroups: + - "" + resources: + - "nodes" + - "namespaces" + verbs: + - "get" + - "list" +--- +# Source: datree-admission-webhook/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: datree-namespaces-update + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - kube-system + - datree +--- +# Source: datree-admission-webhook/templates/clusterrole.yaml +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: datree-validationwebhook-delete + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +rules: + - apiGroups: + - "admissionregistration.k8s.io" + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + resourceNames: + - datree-webhook +--- +# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-scan-job-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-scan-job-role +subjects: + - kind: ServiceAccount + name: cluster-scan-job-service-account + namespace: datree +--- +# Source: datree-admission-webhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: datree-webhook-server-read + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: datree-webhook-server-read # datree-webhook-server-read +subjects: + - kind: ServiceAccount + name: datree-webhook-server # datree-webhook-server + namespace: datree +--- +# Source: datree-admission-webhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRoleBinding +metadata: + name: datree-namespaces-update + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: datree-namespaces-update +subjects: + - kind: ServiceAccount + name: "datree-label-namespaces-hook-post-install" + namespace: "datree" + - kind: ServiceAccount + name: "datree-cleanup-namespaces-hook-pre-delete" + namespace: "datree" +--- +# Source: datree-admission-webhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: datree-validationwebhook-delete + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: datree-validationwebhook-delete +subjects: + - kind: ServiceAccount + name: "datree-cleanup-namespaces-hook-pre-delete" + namespace: "datree" +--- +# Source: datree-admission-webhook/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: datree-pods-reader + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: 
"datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +rules: + - apiGroups: + - "" + resources: + - "pods" + - "jobs" + verbs: + - "get" + - "list" + - "watch" +--- +# Source: datree-admission-webhook/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: datree-pods-reader + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: datree-pods-reader +subjects: + - kind: ServiceAccount + name: datree-wait-server-ready-hook-post-install + namespace: "datree" +--- +# Source: datree-admission-webhook/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: datree-webhook-server + namespace: datree + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 +spec: + selector: + app: "datree-webhook-server" + ports: + - port: 443 + targetPort: webhook-api +--- +# Source: datree-admission-webhook/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: datree-webhook-server + namespace: datree + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: 
"datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + owner: datree + app: "datree-webhook-server" +spec: + replicas: 2 + selector: + matchLabels: + app: "datree-webhook-server" + template: + metadata: + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + app: "datree-webhook-server" + spec: + serviceAccountName: datree-webhook-server + containers: + - name: server + # caution: don't change the order of the environment variables + # changing the order will harm resource patching + env: + - name: DATREE_TOKEN + value: "ef7088eb-3096-4533-97d8-f16fb3a5b0c1" + - name: DATREE_POLICY + value: Starter + - name: DATREE_VERBOSE + value: "" + - name: DATREE_OUTPUT + value: "" + - name: DATREE_NO_RECORD + value: "" + - name: DATREE_ENFORCE + value: "" + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 25000 + livenessProbe: + httpGet: + path: /health + port: 8443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + httpGet: + path: /ready + port: 8443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {} + image: "datree/admission-webhook:0.1.41" + imagePullPolicy: Always + ports: + - containerPort: 8443 + name: webhook-api + volumeMounts: + - name: webhook-tls-certs + mountPath: /run/secrets/tls + readOnly: true + - name: webhook-config + mountPath: /config + readOnly: true + volumes: + - name: webhook-tls-certs + secret: + secretName: webhook-server-tls + - name: webhook-config + configMap: + name: webhook-scanning-filters + optional: true +--- +# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml +apiVersion: batch/v1 
+kind: Job +metadata: + name: scan-job + namespace: datree +spec: + backoffLimit: 4 + template: + spec: + serviceAccountName: cluster-scan-job-service-account + restartPolicy: Never + containers: + - name: scan-job + env: + - name: DATREE_TOKEN + value: ef7088eb-3096-4533-97d8-f16fb3a5b0c1 + - name: DATREE_POLICY + value: Starter + - name: CLUSTER_NAME + value: kind-datree + securityContext: + + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 25000 + seccompProfile: + type: RuntimeDefault + image: "datree/scan-job:0.0.13" + imagePullPolicy: Always + resources: + {} + volumeMounts: + - name: webhook-config + mountPath: /config + readOnly: true + volumes: + - name: webhook-config + configMap: + name: webhook-scanning-filters + optional: true +--- +# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: scan-cronjob + namespace: datree +spec: + # get the current time, subtract 5 minutes, extract the minutes and inject it into the cron expression + # if helm installation was done at 13:35, the cron expression will be 30 * * * *, which means the job will run at 14:30, 15:30, 16:30, etc. 
+ schedule: "11 * * * *" # every hour, starting 55 minutes after helm installation + jobTemplate: + spec: + backoffLimit: 4 + template: + spec: + serviceAccountName: cluster-scan-job-service-account + restartPolicy: Never + containers: + - name: scan-job + env: + - name: DATREE_TOKEN + value: ef7088eb-3096-4533-97d8-f16fb3a5b0c1 + - name: DATREE_POLICY + value: Starter + - name: CLUSTER_NAME + value: kind-datree + securityContext: + + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 25000 + seccompProfile: + type: RuntimeDefault + image: "datree/scan-job:0.0.13" + imagePullPolicy: Always + resources: + {} + volumeMounts: + - name: webhook-config + mountPath: /config + readOnly: true + volumes: + - name: webhook-config + configMap: + name: webhook-scanning-filters + optional: true +--- +# Source: datree-admission-webhook/templates/namespace-post-delete.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: datree-cleanup-namespaces-hook-pre-delete + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + namespace: datree + annotations: + "helm.sh/hook": pre-delete, pre-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed +spec: + template: + metadata: + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + spec: + restartPolicy: OnFailure + serviceAccount: 
datree-cleanup-namespaces-hook-pre-delete + nodeSelector: + kubernetes.io/os: linux + containers: + - name: kubectl-label + image: "clastix/kubectl:v1.25" + imagePullPolicy: IfNotPresent + command: + - sh + - "-c" + - >- + kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io datree-webhook -n datree; + kubectl label ns kube-system datree datree.io/skip-; +--- +# Source: datree-admission-webhook/templates/namespace-post-install.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: datree-label-namespaces-hook-post-install + namespace: datree + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed +spec: + template: + metadata: + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + spec: + serviceAccount: datree-label-namespaces-hook-post-install + restartPolicy: OnFailure + nodeSelector: + kubernetes.io/os: linux + containers: + - name: kubectl-label + image: "clastix/kubectl:v1.25" + imagePullPolicy: IfNotPresent + args: + - label + - ns + - kube-system + - datree + - admission.datree/validate=skip + - --overwrite +--- +# Source: datree-admission-webhook/templates/wait-server-ready-post-install.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: 
datree-wait-server-ready-hook-post-install + namespace: datree + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded, hook-failed +spec: + template: + metadata: + name: datree-wait-server-ready-hook-post-install + labels: + app.kubernetes.io/name: datree-admission-webhook + app.kubernetes.io/managed-by: "Helm" + app.kubernetes.io/instance: "datree-webhook" + app.kubernetes.io/version: 0.1.41 + app.kubernetes.io/part-of: "datree" + meta.helm.sh/release-name: "datree-admission-webhook" + meta.helm.sh/release-namespace: "datree" + helm.sh/chart: datree-admission-webhook-0.3.22 + spec: + serviceAccountName: datree-wait-server-ready-hook-post-install + restartPolicy: Never + containers: + - name: kubectl-client + image: "clastix/kubectl:v1.25" + imagePullPolicy: IfNotPresent + command: + - sh + - "-c" + - >- + kubectl wait --for=condition=ready pod -l app=datree-webhook-server --timeout="180s" +--- +# Source: datree-admission-webhook/templates/webhook-with-cert-secrets.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: datree-webhook + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-weight": "-5" +webhooks: + - name: webhook-server.datree.svc + sideEffects: None + timeoutSeconds: 30 + failurePolicy: Ignore + admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: datree-webhook-server + namespace: datree + path: "/validate" + caBundle: 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 + namespaceSelector: + 
matchExpressions: + - key: admission.datree/validate + operator: DoesNotExist + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: ["*"]
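Review bot: This rendered manifest commits live credentials: the `DATREE_TOKEN` env of the `datree-webhook-server` Deployment, the `scan-job` Job and the `scan-cronjob` CronJob holds the real token value, and the `webhook-server-tls` Secret carries the webhook's private key in `tls.key`, while the README renders the same file with `DATREE_TOKEN=""` and redirects the output into `kubernetes/datree/manifests/`, so the docs and the committed file disagree about what ends up on disk. Because both values are now in git history, the token should be rotated and the webhook certificate regenerated, and the rendered output kept out of the repo (ignore `kubernetes/datree/manifests/`, or render with a placeholder token and supply the real one from a Secret at apply time). Separately, `cluster-scan-job-role` grants `get`/`list` on `*` resources in `*` apiGroups cluster-wide, which includes every Secret; a comment such as `# cluster-wide read of all resources, Secrets included - scope down if the scan does not need them` would make that visible to whoever applies this. Note also that `failurePolicy: Ignore` on `datree-webhook` means admission fails open whenever the server is unreachable, which is fine for a demo but worth stating next to it.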