marko/docker-development-youtube-series
1
0
Fork 0
mirror of https://github.com/marcel-dempers/docker-development-youtube-series.git synced 2025-06-06 17:01:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

datree scoring walkthrough

Browse Source
This commit is contained in:
marcel-dempers 2023-01-09 21:42:34 +11:00
parent 022ec40bef
commit ff52e92164
6 changed files with 1033 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
kubernetes/datree/README-2023.md Normal file
View File

@ -0,0 +1,172 @@
# Whats new 👉🏽 Datree in 2023
## Create a Kubernetes cluster
Let's start by creating a local `kind` [cluster](https://kind.sigs.k8s.io/)
Note that we create a Kubernetes 1.23 cluster. </br>
So we want to use `datree` to validate and ensure our manifests comply with that version of Kubernetes. <br/>
```
kind create cluster --name datree --image kindest/node:v1.23.6
```
## Installation
Best place to start is the [documentation](https://hub.datree.io/)
I like to start all my work inside a docker container. </br>
Let's run a small Alpine linux container
```
docker run -it -v ${PWD}:/work -v ${HOME}/.kube/:/root/.kube/ -w /work --net host alpine sh
```
### Install Kubectl
Let's install `kubectl` in our container </br>
```
apk add curl jq
curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.23.6/bin/linux/amd64/kubectl
chmod +x ./kubectl
mv ./kubectl /usr/local/bin/kubectl
```
### Install Helm
Let's install `helm` in our container </br>
```
curl -L https://get.helm.sh/helm-v3.5.4-linux-amd64.tar.gz -o /tmp/helm.tar.gz && \
tar -xzf /tmp/helm.tar.gz -C /tmp && \
chmod +x /tmp/linux-amd64/helm && \
mv /tmp/linux-amd64/helm /usr/local/bin/helm
```
## Install Datree on our cluster
Add the Helm repo:
```
helm repo add datree-webhook https://datreeio.github.io/admission-webhook-datree
helm search repo datree-webhook --versions
```
Grab the manifest:
```
CHART_VERSION="0.3.22"
APP_VERSION="0.1.41"
DATREE_TOKEN=""
mkdir ./kubernetes/datree/manifests/
helm template datree-webhook datree-webhook/datree-admission-webhook \
--create-namespace \
--set datree.token=${DATREE_TOKEN} \
--set datree.clusterName=$(kubectl config current-context) \
--version ${CHART_VERSION} \
--namespace datree \
> ./kubernetes/datree/manifests/datree.${APP_VERSION}.yaml
```
Apply the manifests:
```
kubectl create namespace datree
kubectl apply -n datree -f kubernetes/datree/manifests/
```
Check the install
```
kubectl -n datree get pods
```
## View our Cluster Score
Now with Datree installed in our cluster, we can review it's current scoring in the Datree [Dashboard](https://app.datree.io/overview) </br>
As we are running a test cluster or if you run in the cloud, there may be some cloud components in namespaces that you may want to ignore. </br>
We can do this by labeling a namespace which is [documented here](https://hub.datree.io/configuration/behavior#ignore-a-namespace)
```
kubectl label namespaces local-path-storage "admission.datree/validate=skip"
```
According to the dashboard, we still have a `D` score, let's rerun the scan:
```
kubectl get job "scan-job" -n datree -o json | jq 'del(.spec.selector)' | jq 'del(.spec.template.metadata.labels)' | kubectl replace --force -f -
```
Now we can see that we have an `A` score. </br>
## Deploy some workloads to our cluster
For most companies and larger teams, it's extremely difficult to fix policy issues. </br>
Let's walk through what this may look like. </br>
Deploy some sample workloads:
```
kubectl create namespace cms
kubectl -n cms create configmap mysql \
--from-literal MYSQL_RANDOM_ROOT_PASSWORD=1
kubectl -n cms create secret generic wordpress \
--from-literal WORDPRESS_DB_HOST=mysql \
--from-literal WORDPRESS_DB_USER=exampleuser \
--from-literal WORDPRESS_DB_PASSWORD=examplepassword \
--from-literal WORDPRESS_DB_NAME=exampledb
kubectl -n cms create secret generic mysql \
--from-literal MYSQL_USER=exampleuser \
--from-literal MYSQL_PASSWORD=examplepassword \
--from-literal MYSQL_DATABASE=exampledb
kubectl -n cms apply -f kubernetes/datree/example/cms/
```
Check out workloads
```
kubectl -n cms get all
```
Rerun our scan:
```
kubectl get job "scan-job" -n datree -o json | jq 'del(.spec.selector)' | jq 'del(.spec.template.metadata.labels)' | kubectl replace --force -f -
```
Now we can follow the dashboard, to check our `namespace` for policy issues and start fixing them. </br>
Datree has a ton of features and capabilities. </br>
We can even run it locally using the CLI
## Datree CLI : Testing our YAML locally
We can install the latest version of Datree with the command advertised:
```
curl https://get.datree.io | /bin/bash
```
### Policy check
Let's test my example manifests under our datree folder `kubernetes\datree\example`
```
datree test ./kubernetes/datree/example/cms/
```
# CI/CD examples
The tools as well as the dashboards help us solve these policy issues locally. </br>
Once we have sorted out our policy issues, we can add Datree to our CI/CD pipeline. </br>
Checkout the [CI/CD integrations](https://hub.datree.io/cicd-examples) page. </br>

42
kubernetes/datree/example/cms/deploy.yaml Normal file
View File

@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: wordpress-deployment
labels:
app: wordpress
spec:
replicas: 2
selector:
matchLabels:
app: wordpress
template:
metadata:
labels:
app: wordpress
spec:
containers:
- name: wordpress
image: aimvector/wordpress-example
ports:
- containerPort: 80
env:
- name: WORDPRESS_DB_HOST
valueFrom:
secretKeyRef:
name: wordpress
key: WORDPRESS_DB_HOST
- name: WORDPRESS_DB_USER
valueFrom:
secretKeyRef:
name: wordpress
key: WORDPRESS_DB_USER
- name: WORDPRESS_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wordpress
key: WORDPRESS_DB_PASSWORD
- name: WORDPRESS_DB_NAME
valueFrom:
secretKeyRef:
name: wordpress
key: WORDPRESS_DB_NAME

18
kubernetes/datree/example/cms/ingress.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wordpress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wordpress
port:
number: 80

14
kubernetes/datree/example/cms/service.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: wordpress
labels:
app: wordpress
spec:
ports:
- port: 80
name: wordpress
targetPort: 80
type: ClusterIP
selector:
app: wordpress

69
kubernetes/datree/example/cms/statefulset.yaml Normal file
View File

@ -0,0 +1,69 @@
apiVersion: v1
kind: Service
metadata:
name: mysql
labels:
app: mysql
spec:
ports:
- port: 3306
name: db
type: ClusterIP
selector:
app: mysql
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mysql
spec:
selector:
matchLabels:
app: mysql # has to match .spec.template.metadata.labels
serviceName: "mysql"
replicas: 1
template:
metadata:
labels:
app: mysql # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: mysql
image: aimvector/mysql-example
ports:
- containerPort: 3306
name: db
env:
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: mysql
key: MYSQL_DATABASE
- name: MYSQL_USER
valueFrom:
secretKeyRef:
name: mysql
key: MYSQL_USER
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mysql
key: MYSQL_PASSWORD
- name: MYSQL_RANDOM_ROOT_PASSWORD
valueFrom:
configMapKeyRef:
name: mysql
key: MYSQL_RANDOM_ROOT_PASSWORD
volumeMounts:
- name: db
mountPath: /var/lib/mysql
volumeClaimTemplates:
- metadata:
name: db
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: "standard"
resources:
requests:
storage: 500Mi

718
kubernetes/datree/manifests/datree.0.1.41.yaml Normal file
View File

@ -0,0 +1,718 @@
---
# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: cluster-scan-job-service-account
namespace: datree
---
# Source: datree-admission-webhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: datree-webhook-server
namespace: datree
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
---
# Source: datree-admission-webhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: datree-label-namespaces-hook-post-install
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
---
# Source: datree-admission-webhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: datree-cleanup-namespaces-hook-pre-delete
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
---
# Source: datree-admission-webhook/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: datree-wait-server-ready-hook-post-install
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
---
# Source: datree-admission-webhook/templates/webhook-with-cert-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: datree-ca-tls
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
namespace: datree
type: kubernetes.io/tls
data:
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBN0tDOWljWjhUdlZwd1NUZk45S1hDNU8xZXo1alFXY1U4WE1qT1lFaDNLS3MrREIrCkJYM2luZVFMdTJ3TnJPdHA0MVllVTI5K1VrQ0RWQTdVdnpEVW5mT1RaenJwenRXcVFuc0hIVkpSSU0yTlViNjEKQnVPMjdGTzBqcTFLYWtZMFlNTUtDYVdiMHFOalloZEcwWlM0aUhOVlNWamxTeFFLRUJsMWh5OXJaTFN1NzE4UgorL2RmakxPR1JvT1QrR2ptUEpTVVBQYmlHZjVVTlpyaE9EcGtVc0o2NG9iU2t2bC9kNy9NN0dTbXRoWTd4UHVWCmJBZXdlaENzNng5Z0JaMEVEakVMR3prckJhR3dEWWl5OFVLcVZtYlpJNkFxMDNMYm9hVStVMGRheG4rY2dKZjMKd2tPa2V0eEFWUkZRSVlnNUVLL1l0UE1BQk1xNnpicWZ1MHEwOXdJREFRQUJBb0lCQVFEckJXdTduOHh2a0FpTgpzVldUV0RKMWFTdmpVTCs4Z2Vtbk5yaFJzUlEwMDg0QVpBbUc0dFZtQk00eVJNd0FaNEV3THFUSU1nREJLUnBICkxzUFhjV1I3elNVbWJya3ltYjBWY3FSS1Z5d0U3S1BrQVFwRDRZQVprYm5QekFZUkw5RnVHY21xY3pZbEsrclYKemxDa2NKWW4wSVZ3NkQ0MUo1NG5CMkpYOXAwdjB1eTZlV01zZHRZdU9MNkppOSswb0J3Q2Qzd0VqZXo1WUFUMwpHMmZVUTdJbXpnMUd4VnA4VG5ZdnBGTXFFKzdrMGZMY3o0a3ZZZzNtdTVSMmI5ZjBmYlJtK3VsVDVwdnpVS0IvCmNkTGNIalFQSHNqeER2NzJUM3l6bHVEWE0xU3NjTitjM1lwSjB2K3JVZWY3SnlFbUhpWFI5bEpWc3Vrc1djNkIKa05aL2NvZmhBb0dCQVBzYWt0UUpyMVREbFliYkQvTE1JY0loamJVYVlJaVJacG9kR0pZKzN6TWkrd1RwcDJHagpmR1E4elFac0hDWHYyTXFLVitGTVdFK09CbzlhVDVOand5OHpiRlN0WW1KRFRXY3pKeEFiTytDT0NFcUlxNXQrCkRBVW1KYy95UXErRE54TnFPSjlDWkNDNkxLTTJNdUk5eUowK1V4YWJCbWM1UGZYd1p4N2NnYnE5QW9HQkFQRTkKNkcwdVdqZXA1T3VxNTBSN0ErTFRPdHJQQzRNMWtyOGVGNXNBZkFlNVhlTEl4V0o4eFRIRDdkY2l1eWFsS3ozNgovdXhXUXN0UHhadU5UV2dYSTVma1dnVVRiZ3MvdVRBTFNDQkpxa2tyL0h4em9HbGVQN3VsNFZ2S3M4c2V3NmFQCndMWTNDK3RGNlJtRmtYQU9RZ29aaEFYbmYrVmxKQ3laM3lzSm9rUERBb0dBUmgrdnJXTmZBVzcxVFFuVU5GdnAKZVl0aFJaZ3VLVFZoejl3Y1I2a2JMKzZ1NXpwUk1pVXowZEpnOTFBdHRESjgrbU1VRTZqOGFJc2pMZGxzcTU2SwpuWjNndk8wR3NxWlU4V01KbjZmYld1U1BVREZHcTAvU0Q0WU52VHJNZ0xOR0tEZmJ4QzRJUkZONXI4S3RCeDExCjd1TysxR3RLcUgwRjNxN2FQWFliRElrQ2dZRUFvcGNBOGFVTjlQb3lhWXR6OXptWnN1UitoRDZMR2RHZnArT1cKTVVld1VGeGtwSmFBUWhLcHJSTEtWL2IyZitOT002WFk3bHh0QkM0dGx0c3pVblpWN09kZ3JJOGQyY01IQXhSMwpkaHR3QTRUNzFMenhYbExCVGExTko5cUVOdC96S1cwMWl4bXFsTlUzZDVZSUlhZmFab2d2N1BMTHhrWFdqYURmClFsaHAzcFVDZ1lBZkNudGJRak53SmM3M3draUFheGl4Q0tlTDE1eFFzdkl6ZlZqUHpRODBaNm42ZVZDYVU1a1YKc0hGZHZJZmM1eVQ4c0xKcGpLeXJYVXF5Q0pSTFFXcXZKaDladDhrdTNHOWRGWlQyUyt4dEFFcmo0LzkrZVNMbgo3ZmpQclFwVVl0SkxWQXdlZUkxUUhRejVya1NZVWtkWW9hcFpYUGpxbFNxaXZJK0tMVitPS0E9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVakNDQWpxZ0F3SUJBZ0lSQUxKOUsyZ3FEaUVxdXNPNUlWREJBWmt3RFFZSktvWklodmNOQVFFTEJRQXcKTXpFeE1DOEdBMVVFQXhNb0wwTk9QVUZrYldsemMybHZiaUJEYjI1MGNtOXNiR1Z5SUZkbFltaHZiMnNnUkdWdApieUJEUVRBZUZ3MHlNakV5TWpZd01ERTJNRFJhRncweU56RXlNamN3TURFMk1EUmFNRE14TVRBdkJnTlZCQU1UCktDOURUajFCWkcxcGMzTnBiMjRnUTI5dWRISnZiR3hsY2lCWFpXSm9iMjlySUVSbGJXOGdRMEV3Z2dFaU1BMEcKQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURzb0wySnhueE85V25CSk44MzBwY0xrN1Y3UG1OQgpaeFR4Y3lNNWdTSGNvcXo0TUg0RmZlS2Q1QXU3YkEyczYybmpWaDVUYjM1U1FJTlVEdFMvTU5TZDg1Tm5PdW5PCjFhcENld2NkVWxFZ3pZMVJ2clVHNDdic1U3U09yVXBxUmpSZ3d3b0pwWnZTbzJOaUYwYlJsTGlJYzFWSldPVkwKRkFvUUdYV0hMMnRrdEs3dlh4SDc5MStNczRaR2c1UDRhT1k4bEpRODl1SVovbFExbXVFNE9tUlN3bnJpaHRLUworWDkzdjh6c1pLYTJGanZFKzVWc0I3QjZFS3pySDJBRm5RUU9NUXNiT1NzRm9iQU5pTEx4UXFwV1p0a2pvQ3JUCmN0dWhwVDVUUjFyR2Y1eUFsL2ZDUTZSNjNFQlZFVkFoaURrUXI5aTA4d0FFeXJyTnVwKzdTclQzQWdNQkFBR2oKWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDcERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSApBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMEs1OFlROERCM3dVYXZxVEw0QVBUK0RqClFId3dEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQU9uUE9YMjNEdldoVWY3WUhwbHE0LzhpN1F1cnlZbVdHenoKUXlMMGRQZm92d2VyQ080NUY1ZGY4dVdqSW5yc2xKN1gwVkR3VVQ3QXg0aHI4dkFqVjRyRGltOWw2dm96cDJPbwp5Zm1wcHlvWDU0VnVvVGFEYkxFUkpTaXVBaXJDcGxURkFxQ0NRM29qa0Rpb0ZjdU1oZEZQNFdDSHV0YUEybTYrCkVyTkd6WkFnZ3UrNWRpcnN6WTZ6L0NtSnNwcnhxeFFzNm16a3RpN3dhNWVNR21BeUNNaDBDcnRsTmRaQ0xBL08KZll3eFRvOFVralUxNGhKVUVsOHlaOEhPS3duN0dTUkJleFdKeHJDWkw4MExYeGRzMnpwMWVIQ3kxZXEvNTQrSAplV2w2Z3dJOFNkc3lScnFUbEcwTGw4aUJ5MjBYSGtRaU5CY2FER3AyU1BUYkp3Sk1LVmM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
---
# Source: datree-admission-webhook/templates/webhook-with-cert-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: webhook-server-tls
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
namespace: datree
annotations:
self-signed-cert: "true"
type: kubernetes.io/tls
data:
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeUVOamtDUU1ZK0NwKzhndE5zK014dnJ1WFA4dnVIa2pYS255aEF5YXBMb2VDdU80Ci90L0FlRWE1SFMyZHk3MVppemNNZ0xaanFqcGxBdk5qTFhEbjE3dG00eTVZUFJwQUgzWDhwcUN2bW0ya1dzM1QKUEZhY3BrRkljc2VCdTROVEJvSHVMbVcvTm9RMVcrS21DbHFEd3ZYKzk4ZzZQUmc1dkVCRmszUUkvM0RrRWlGdQo1R3lHQWZ2Tnp5cUVTbDNaajEzYm5rY0RuOXZ3VHE3RXY2YWhlbi83QjhELzB2YnBScFpYSkw4UTF4T1JOZDk0Cmh1VDh6U1QwekRZZnRLZDNYY0YrVWxKZklkNkNYSHc4THFkVUxJM3E4blhIb3NVeEtaY0ZWQ3YweGlaaWQvTk4KL3lTZGt0V3lNWEZHZDVIWjdqenVlVFdXZjB5bjJ4Vm5WbGNweVFJREFRQUJBb0lCQVFDZGlQVnZWQXd6SFc1YQpWRFBOSkNQWCsxazY2cnM5WUgzQ3pTV3JYc2Jmd2xFVHUrT3hDNDY2anRmYjdpQnRQenlMV1BpSzMrOHkzOURLCksyL2ZOU3dMOXEyUEZNdnc5UTl3TUQ1WlRab1YzeDRsR0RpTkJJMGg4OFRzRmFrbU9yNDdKa2FaVlF5LzgreU4KcFpOOEhZdjg5OHBrWEt3RGwyVURnNE8zNU5XWEtuQzdTaGNtL281RU5aOTRETjVBVFRxL1N1em0xYVJycXZiVQo2OEFrZllMNnFDbUFyaDlsb2w0aE9iTmE1MlZsdGtCNGE0R3hsNWlETjBNQlhJV1lmVUM2c1JIam1UUWJyUkd6CllRTE5tNmdwYTRPMUJDVjU1eVp5aFZrMlVyRENrandqaERiVGRHVGlDU25BRU9iSFJIUjhoYnFlQWwwbk5XQ1cKa3F5dXp5b0JBb0dCQU9sRGlMb1pEVEJuR2ZpYWhoY1lINmFvSUt3c2dLRHVPNDdOZkltSjAwZzRBTzFmOXNPNgptb1MyNUdMSVpFS1p0WmFtK2NGckk3RVBJSTVxV3lmQ3h5QURzdDhSdG5RVU5vUmFtVEVISE5sODBXVDVBd2xuCm9VYUdoaVV5RC9lYkNEU0wreGF2cFVtS29DeTR1Y095RjVHNEhsSmNCZE9HUWJiVUhtbzhsNkloQW9HQkFOdkkKYWtacGhUbmlBc3ZwV2VaN1daKzgrUTR2Z3FoVGE4Q1Q4WlU4a2hldXJETk5DaEFqNlljMnVKMldjd1JIMFExZApZOFhycHJXTDhjd2xRYmFmRmFMNnF1c2s4ZUtna0ltWm1DdWJZejNmSHRQNDg4N3FXSVZtQ2ZSbm0vcUZPdGo5CmZ5UTIxM3l0eTBIVlE0STI0eXNKeVBkZFNkaHZ3bC9QdllVTm5PS3BBb0dBUDc0eHZkRWN0bzVtSFhaMGtCa0sKaFN0S2ltSTY0RDlaelNOQUZnR3cxL3BkM29BcjJiN0RmT0xSdEdEWWJRNjkvYVl4ZC9hRU1WMVY0elVUSmVGbgpNc3R2OU45TlFabEljSkNsYmkxb1o5SmhFanV0NWNNSTRsSGVsSW1DcllJVEV2RHhzM2hhTGFlUkw4ZG5GQ0ExCnFwOXF3Y3pkMXJqSWVtS3EwUk12eUtFQ2dZQmlNVWhKN1JyNG9XRmVlUU1SVmtyVWN6bFNmU2VDek1KM1o2R24KYTBoYURGQWpHMmhEamNmb0FTcTZQVjFsckRCYUtEOUxUZDFOZnhpb2ZIeS9lcFBRSE8zLzRLR3cvc3VVcm1xdQpFTjVsNWlsL3l0b2l0OUNVeU9IcHIrQ2dMS1grREVPaGlsNzc5U202WCsycFg1eGV2aUJyWStKNk1IUkhHaWt5CktNTFBBUUtCZ1FDNXdvMFU2REF6NlN4Z3lCQkM3N2lBVWtsbU5vOFhoZnlEWGlwUWJDalMwV0RycWZPd2EyVDgKRkR1aXhhOHBmM0taWEdDQzQ1eU1BblZmWUY0dW1GU09xZkRPR0QyZFBlOWk3RWl1cWtOT1BZR0VXbk9hNzVuSApvdlNMN0Qvakg2L2Z0Tmh2UkVtdER2elBiT2x6VmY5bkk4M1pYZmpXQWl3YVFjMDlyYVlUbFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURmRENDQW1TZ0F3SUJBZ0lSQU1yQTQreVRCL1dzejJDVzVKTkZRd1F3RFFZSktvWklodmNOQVFFTEJRQXcKTXpFeE1DOEdBMVVFQXhNb0wwTk9QVUZrYldsemMybHZiaUJEYjI1MGNtOXNiR1Z5SUZkbFltaHZiMnNnUkdWdApieUJEUVRBZUZ3MHlNakV5TWpZd01ERTJNRFJhRncweU56RXlNamN3TURFMk1EUmFNQzh4TFRBckJnTlZCQU1UCkpDOURUajFrWVhSeVpXVXRkMlZpYUc5dmF5MXpaWEoyWlhJdVpHRjBjbVZsTG5OMll6Q0NBU0l3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFNaERZNUFrREdQZ3FmdklMVGJQak1iNjdsei9MN2g1STF5cAo4b1FNbXFTNkhncmp1UDdmd0hoR3VSMHRuY3U5V1lzM0RJQzJZNm82WlFMell5MXc1OWU3WnVNdVdEMGFRQjkxCi9LYWdyNXB0cEZyTjB6eFduS1pCU0hMSGdidURVd2FCN2k1bHZ6YUVOVnZpcGdwYWc4TDEvdmZJT2owWU9ieEEKUlpOMENQOXc1QkloYnVSc2hnSDd6YzhxaEVwZDJZOWQyNTVIQTUvYjhFNnV4TCttb1hwLyt3ZkEvOUwyNlVhVwpWeVMvRU5jVGtUWGZlSWJrL00wazlNdzJIN1NuZDEzQmZsSlNYeUhlZ2x4OFBDNm5WQ3lONnZKMXg2TEZNU21YCkJWUXI5TVltWW5melRmOGtuWkxWc2pGeFJuZVIyZTQ4N25rMWxuOU1wOXNWWjFaWEtja0NBd0VBQWFPQmpqQ0IKaXpBT0JnTlZIUThCQWY4RUJBTUNCYUF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQwpNQXdHQTFVZEV3RUIvd1FDTUFBd0h3WURWUjBqQkJnd0ZvQVUwSzU4WVE4REIzd1VhdnFUTDRBUFQrRGpRSHd3Ckt3WURWUjBSQkNRd0lvSWdaR0YwY21WbExYZGxZbWh2YjJzdGMyVnlkbVZ5TG1SaGRISmxaUzV6ZG1Nd0RRWUoKS29aSWh2Y05BUUVMQlFBRGdnRUJBSGc0UmYwaU9TajR2cFozdUNtVXlUM2ZCV0Z6L3ZDOEcxeUVzWVZXR1NYSwo2Ni8zRHEyazR0Vkd0MWhSaFp3a1R4dVRXTkpiejRzcmZYOEhIVi8va2RsbmlmbldLQnFKNFVYVHFSS1ZjaWc5ClkyYWtleXEydEN5MUFTcVltMVBLWGVxUjFrZkpoZVhKZU80UVorWnpoaE45VmNqWUpQTCs0OWhFc2tFRmJRenIKSHZPUDVwamsyYjl3K0plUExaMkVHZC9KeG11cjhmVzA4YjFkMTYvUjVxMUZ2bnN0Z2RFUjV2b2k4UmJhSmV0agplSmtyc096YUovUC93K3NaaUZVU2todnlNZkpiZ0RVSTh2aG80VFl6aFlZV0NPUnJoRzdGSFVsWWpMNU0xVnQwCjFEWkJvNEdkUFhPRFErRTRQdzIvM0xwdGs3RDBPWlJRVWhZRFgrL2VmMHM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
---
# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-scan-job-role
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "get"
- "list"
---
# Source: datree-admission-webhook/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: datree-webhook-server-read
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
rules:
- apiGroups:
- ""
resources:
- "nodes"
- "namespaces"
verbs:
- "get"
- "list"
---
# Source: datree-admission-webhook/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: datree-namespaces-update
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- update
- patch
resourceNames:
- kube-system
- datree
---
# Source: datree-admission-webhook/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: datree-validationwebhook-delete
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
rules:
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
resourceNames:
- datree-webhook
---
# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-scan-job-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-scan-job-role
subjects:
- kind: ServiceAccount
name: cluster-scan-job-service-account
namespace: datree
---
# Source: datree-admission-webhook/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: datree-webhook-server-read
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: datree-webhook-server-read # datree-webhook-server-read
subjects:
- kind: ServiceAccount
name: datree-webhook-server # datree-webhook-server
namespace: datree
---
# Source: datree-admission-webhook/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: datree-namespaces-update
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: datree-namespaces-update
subjects:
- kind: ServiceAccount
name: "datree-label-namespaces-hook-post-install"
namespace: "datree"
- kind: ServiceAccount
name: "datree-cleanup-namespaces-hook-pre-delete"
namespace: "datree"
---
# Source: datree-admission-webhook/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: datree-validationwebhook-delete
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: datree-validationwebhook-delete
subjects:
- kind: ServiceAccount
name: "datree-cleanup-namespaces-hook-pre-delete"
namespace: "datree"
---
# Source: datree-admission-webhook/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: datree-pods-reader
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
rules:
- apiGroups:
- ""
resources:
- "pods"
- "jobs"
verbs:
- "get"
- "list"
- "watch"
---
# Source: datree-admission-webhook/templates/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: datree-pods-reader
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: datree-pods-reader
subjects:
- kind: ServiceAccount
name: datree-wait-server-ready-hook-post-install
namespace: "datree"
---
# Source: datree-admission-webhook/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: datree-webhook-server
namespace: datree
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
spec:
selector:
app: "datree-webhook-server"
ports:
- port: 443
targetPort: webhook-api
---
# Source: datree-admission-webhook/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: datree-webhook-server
namespace: datree
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
owner: datree
app: "datree-webhook-server"
spec:
replicas: 2
selector:
matchLabels:
app: "datree-webhook-server"
template:
metadata:
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
app: "datree-webhook-server"
spec:
serviceAccountName: datree-webhook-server
containers:
- name: server
# caution: don't change the order of the environment variables
# changing the order will harm resource patching
env:
- name: DATREE_TOKEN
value: "ef7088eb-3096-4533-97d8-f16fb3a5b0c1"
- name: DATREE_POLICY
value: Starter
- name: DATREE_VERBOSE
value: ""
- name: DATREE_OUTPUT
value: ""
- name: DATREE_NO_RECORD
value: ""
- name: DATREE_ENFORCE
value: ""
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 25000
livenessProbe:
httpGet:
path: /health
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
resources:
{}
image: "datree/admission-webhook:0.1.41"
imagePullPolicy: Always
ports:
- containerPort: 8443
name: webhook-api
volumeMounts:
- name: webhook-tls-certs
mountPath: /run/secrets/tls
readOnly: true
- name: webhook-config
mountPath: /config
readOnly: true
volumes:
- name: webhook-tls-certs
secret:
secretName: webhook-server-tls
- name: webhook-config
configMap:
name: webhook-scanning-filters
optional: true
---
# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: scan-job
namespace: datree
spec:
backoffLimit: 4
template:
spec:
serviceAccountName: cluster-scan-job-service-account
restartPolicy: Never
containers:
- name: scan-job
env:
- name: DATREE_TOKEN
value: ef7088eb-3096-4533-97d8-f16fb3a5b0c1
- name: DATREE_POLICY
value: Starter
- name: CLUSTER_NAME
value: kind-datree
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 25000
seccompProfile:
type: RuntimeDefault
image: "datree/scan-job:0.0.13"
imagePullPolicy: Always
resources:
{}
volumeMounts:
- name: webhook-config
mountPath: /config
readOnly: true
volumes:
- name: webhook-config
configMap:
name: webhook-scanning-filters
optional: true
---
# Source: datree-admission-webhook/templates/cluster-scan-cronjob.yaml
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: scan-cronjob
namespace: datree
spec:
# get the current time, subtract 5 minutes, extract the minutes and inject it into the cron expression
# if helm installation was done at 13:35, the cron expression will be 30 * * * *, which means the job will run at 14:30, 15:30, 16:30, etc.
schedule: "11 * * * *" # every hour, starting 55 minutes after helm installation
jobTemplate:
spec:
backoffLimit: 4
template:
spec:
serviceAccountName: cluster-scan-job-service-account
restartPolicy: Never
containers:
- name: scan-job
env:
- name: DATREE_TOKEN
value: ef7088eb-3096-4533-97d8-f16fb3a5b0c1
- name: DATREE_POLICY
value: Starter
- name: CLUSTER_NAME
value: kind-datree
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 25000
seccompProfile:
type: RuntimeDefault
image: "datree/scan-job:0.0.13"
imagePullPolicy: Always
resources:
{}
volumeMounts:
- name: webhook-config
mountPath: /config
readOnly: true
volumes:
- name: webhook-config
configMap:
name: webhook-scanning-filters
optional: true
---
# Source: datree-admission-webhook/templates/namespace-post-delete.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: datree-cleanup-namespaces-hook-pre-delete
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
namespace: datree
annotations:
"helm.sh/hook": pre-delete, pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
spec:
template:
metadata:
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
spec:
restartPolicy: OnFailure
serviceAccount: datree-cleanup-namespaces-hook-pre-delete
nodeSelector:
kubernetes.io/os: linux
containers:
- name: kubectl-label
image: "clastix/kubectl:v1.25"
imagePullPolicy: IfNotPresent
command:
- sh
- "-c"
- >-
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io datree-webhook -n datree;
kubectl label ns kube-system datree datree.io/skip-;
---
# Source: datree-admission-webhook/templates/namespace-post-install.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: datree-label-namespaces-hook-post-install
namespace: datree
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
spec:
template:
metadata:
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
spec:
serviceAccount: datree-label-namespaces-hook-post-install
restartPolicy: OnFailure
nodeSelector:
kubernetes.io/os: linux
containers:
- name: kubectl-label
image: "clastix/kubectl:v1.25"
imagePullPolicy: IfNotPresent
args:
- label
- ns
- kube-system
- datree
- admission.datree/validate=skip
- --overwrite
---
# Source: datree-admission-webhook/templates/wait-server-ready-post-install.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: datree-wait-server-ready-hook-post-install
namespace: datree
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": hook-succeeded, hook-failed
spec:
template:
metadata:
name: datree-wait-server-ready-hook-post-install
labels:
app.kubernetes.io/name: datree-admission-webhook
app.kubernetes.io/managed-by: "Helm"
app.kubernetes.io/instance: "datree-webhook"
app.kubernetes.io/version: 0.1.41
app.kubernetes.io/part-of: "datree"
meta.helm.sh/release-name: "datree-admission-webhook"
meta.helm.sh/release-namespace: "datree"
helm.sh/chart: datree-admission-webhook-0.3.22
spec:
serviceAccountName: datree-wait-server-ready-hook-post-install
restartPolicy: Never
containers:
- name: kubectl-client
image: "clastix/kubectl:v1.25"
imagePullPolicy: IfNotPresent
command:
- sh
- "-c"
- >-
kubectl wait --for=condition=ready pod -l app=datree-webhook-server --timeout="180s"
---
# Source: datree-admission-webhook/templates/webhook-with-cert-secrets.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: datree-webhook
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-weight": "-5"
webhooks:
- name: webhook-server.datree.svc
sideEffects: None
timeoutSeconds: 30
failurePolicy: Ignore
admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: datree-webhook-server
namespace: datree
path: "/validate"
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVakNDQWpxZ0F3SUJBZ0lSQUxKOUsyZ3FEaUVxdXNPNUlWREJBWmt3RFFZSktvWklodmNOQVFFTEJRQXcKTXpFeE1DOEdBMVVFQXhNb0wwTk9QVUZrYldsemMybHZiaUJEYjI1MGNtOXNiR1Z5SUZkbFltaHZiMnNnUkdWdApieUJEUVRBZUZ3MHlNakV5TWpZd01ERTJNRFJhRncweU56RXlNamN3TURFMk1EUmFNRE14TVRBdkJnTlZCQU1UCktDOURUajFCWkcxcGMzTnBiMjRnUTI5dWRISnZiR3hsY2lCWFpXSm9iMjlySUVSbGJXOGdRMEV3Z2dFaU1BMEcKQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURzb0wySnhueE85V25CSk44MzBwY0xrN1Y3UG1OQgpaeFR4Y3lNNWdTSGNvcXo0TUg0RmZlS2Q1QXU3YkEyczYybmpWaDVUYjM1U1FJTlVEdFMvTU5TZDg1Tm5PdW5PCjFhcENld2NkVWxFZ3pZMVJ2clVHNDdic1U3U09yVXBxUmpSZ3d3b0pwWnZTbzJOaUYwYlJsTGlJYzFWSldPVkwKRkFvUUdYV0hMMnRrdEs3dlh4SDc5MStNczRaR2c1UDRhT1k4bEpRODl1SVovbFExbXVFNE9tUlN3bnJpaHRLUworWDkzdjh6c1pLYTJGanZFKzVWc0I3QjZFS3pySDJBRm5RUU9NUXNiT1NzRm9iQU5pTEx4UXFwV1p0a2pvQ3JUCmN0dWhwVDVUUjFyR2Y1eUFsL2ZDUTZSNjNFQlZFVkFoaURrUXI5aTA4d0FFeXJyTnVwKzdTclQzQWdNQkFBR2oKWVRCZk1BNEdBMVVkRHdFQi93UUVBd0lDcERBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSApBd0l3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFkQmdOVkhRNEVGZ1FVMEs1OFlROERCM3dVYXZxVEw0QVBUK0RqClFId3dEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQU9uUE9YMjNEdldoVWY3WUhwbHE0LzhpN1F1cnlZbVdHenoKUXlMMGRQZm92d2VyQ080NUY1ZGY4dVdqSW5yc2xKN1gwVkR3VVQ3QXg0aHI4dkFqVjRyRGltOWw2dm96cDJPbwp5Zm1wcHlvWDU0VnVvVGFEYkxFUkpTaXVBaXJDcGxURkFxQ0NRM29qa0Rpb0ZjdU1oZEZQNFdDSHV0YUEybTYrCkVyTkd6WkFnZ3UrNWRpcnN6WTZ6L0NtSnNwcnhxeFFzNm16a3RpN3dhNWVNR21BeUNNaDBDcnRsTmRaQ0xBL08KZll3eFRvOFVralUxNGhKVUVsOHlaOEhPS3duN0dTUkJleFdKeHJDWkw4MExYeGRzMnpwMWVIQ3kxZXEvNTQrSAplV2w2Z3dJOFNkc3lScnFUbEcwTGw4aUJ5MjBYSGtRaU5CY2FER3AyU1BUYkp3Sk1LVmM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
namespaceSelector:
matchExpressions:
- key: admission.datree/validate
operator: DoesNotExist
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["*"]
apiVersions: ["*"]
resources: ["*"]