stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
https://docs.kubelinter.io/
Apache License 2.0

[FEATURE_REQUEST] customize pod anti-affinity topologyKey #574

Closed faust64 closed 1 year ago

faust64 commented 1 year ago

Description of the problem/feature request

Testing kube-linter against my code base, I'm seeing issues reported with the message anti-affinity's topology key does not match \"my-custom-zone-label\". Faulty deployments would have an anti-affinity configured, using that "my-custom-zone-label" as a topologyKey, which makes that diagnostic message a bit confusing -- my topology key does match "my-custom-zone-label" for sure. Although we can guess it doesn't match something else ...

I've been digging around for an option I could set in my .kube-linter.yaml, and ended up on the following: https://github.com/stackrox/kube-linter/blob/bf748084ff15596e25c8b088153bb5d55d1d56ce/pkg/templates/antiaffinity/template.go#L27

Too bad, it looks like it's hardcoded. Could we have an option to change this? While hostname is a good first step when setting pod anti-affinities, I'm dealing with clusters distributed across several zones, and would like to ensure my deployments make use of that custom zone label instead of kubernetes.io/hostname, or disable that test.

Description of the existing behavior vs. expected behavior

existing:

{
  "Diagnostic": {
    "Message": "anti-affinity's topology key does not match \"my-custom-zone-label\""
  },
  "Check": "no-anti-affinity",
...

expected:

janisz commented 1 year ago

You should be able to configure this check with a custom topologyKey.

faust64 commented 1 year ago

oh, my mistake. Thanks for pointing it out, I'll give it a try ...

TribuneX commented 1 year ago

Did you manage to get it working? I tried the following .kube-linter.yml:

customChecks:
  - name: anti-affinity-zone
    template: anti-affinity
    params:
      minReplicas: 2
      topologyKey: "topology.kubernetes.io/zone"

But I still get the error:

anti-affinity's topology key does not match "topology.kubernetes.io/zone" (check: no-anti-affinity, remediation: Specify anti-affinity in your pod specification to ensure that the orchestrator attempts to schedule replicas on different nodes. Using podAntiAffinity, specify a labelSelector that matches pods for the deployment, and set the topologyKey to kubernetes.io/hostname. Refer to https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity for details.)

My deployment.yml includes:

[...]
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app.kubernetes.io/component: web
              topologyKey: topology.kubernetes.io/zone
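The diagnostic quoted above is reported under the built-in no-anti-affinity check (which keeps its default kubernetes.io/hostname key), not under the custom anti-affinity-zone check, so a config that only adds the custom check leaves the built-in one running. The following .kube-linter.yml is an added example, not from this thread or from the project's own docs; that excluding the built-in check is the missing piece is my reading of the diagnostic, and the description/remediation text is made up for illustration.

```yaml
# .kube-linter.yml (added example). Assumption: the built-in check must be
# excluded, inferred from the "(check: no-anti-affinity ...)" diagnostic above.
checks:
  # Built-in no-anti-affinity still expects kubernetes.io/hostname, so any
  # zone-based spread is flagged by it. Drop it in favour of the custom check.
  exclude:
    - "no-anti-affinity"

customChecks:
  - name: anti-affinity-zone
    description: "Replicas must be spread across zones, not only across nodes"  # illustrative text
    remediation: "Set podAntiAffinity with topologyKey topology.kubernetes.io/zone"  # illustrative text
    scope:
      objectKinds:
        - DeploymentLike
    template: anti-affinity
    params:
      minReplicas: 2
      topologyKey: "topology.kubernetes.io/zone"

# Run with: kube-linter lint --config .kube-linter.yml deployment.yml
```

With the built-in check excluded, a Deployment whose podAntiAffinity uses topology.kubernetes.io/zone passes, while one still using kubernetes.io/hostname is reported by anti-affinity-zone instead.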