stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.
https://docs.kubelinter.io/
Apache License 2.0
2.96k stars 233 forks

[BUG] Ignore-paths parameter does not work with subcharts #575

Open darmenliu opened 1 year ago

darmenliu commented 1 year ago

System info:

Describe the bug: I have a project and I want to use kube-linter to scan the helm chart, but I failed to ignore the test path using the ignore-paths parameter.

myproject$ ls
templates  kube_linter.yaml  value.yaml

myproject/templates$ ls
test  others.yaml

myproject$  kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/
templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) found matching serviceAccount ("") (check: default-service-account, remediation: Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" does not specify a liveness probe (check: no-liveness-probe, remediation: Specify a liveness probe in your container. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) resource specifies unsafe sysctl "net.ipv4.ip_local_port_range". (check: unsafe-sysctls, remediation: Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.)

Using this command to scan my project, it seems my test file is still reported by kube-linter. I hope someone can help me with what's wrong in my command. I also tried configuring this in the configuration file, like: checks: ignorePaths:

but I still failed.

To Reproduce

  1. Add a test directory in a project of helm charts.
  2. Add a test YAML file in the test directory.
  3. Use kube-linter to scan the project, passing the ignore-paths parameter like above or configuring .kube-linter.yaml to ignore the test path.

Expected behavior: The test directory can be ignored.

Screenshots

Additional context

janisz commented 1 year ago

Could you try using **/* to match everything in the directory, or explicitly name the files?

myproject$  kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/robot.yaml

refs:

darmenliu commented 1 year ago

Thanks for your feedback, I will try to test with this.

darmenliu commented 1 year ago

Hi, I tried these two commands; it seems the problem is still there.

$ kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/**/*
KubeLinter development

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) found matching serviceAccount ("") (check: default-service-account, remediation: Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" does not specify a liveness probe (check: no-liveness-probe, remediation: Specify a liveness probe in your container. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) resource specifies unsafe sysctl "net.ipv4.ip_local_port_range". (check: unsafe-sysctls, remediation: Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.)

$ kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/robot.yaml
templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) found matching serviceAccount ("") (check: default-service-account, remediation: Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" does not specify a liveness probe (check: no-liveness-probe, remediation: Specify a liveness probe in your container. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) resource specifies unsafe sysctl "net.ipv4.ip_local_port_range". (check: unsafe-sysctls, remediation: Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment.)

bebosudo commented 1 year ago

I also face the same problem: even when I use --ignore-paths, subcharts are linted. Here's a run without any paths to ignore:

$ kube-linter lint .
KubeLinter v0.6.4-0-g4f0b1e01fd
...
charts/redis/templates/replicas/statefulset.yaml: (object: default/test-release-redis-replicas apps/v1, Kind=StatefulSet) container "redis" has memory request 0 (check: unset-memory-requirements, remediation: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)
charts/redis/templates/replicas/statefulset.yaml: (object: default/test-release-redis-replicas apps/v1, Kind=StatefulSet) container "redis" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)

Error: found 51 lint errors

Here's when I try to exclude one specific file:

$ kube-linter lint --ignore-paths charts/redis/templates/replicas/statefulset.yaml .
...
Error: found 51 lint errors

And here when I try to exclude all tgz archives of subcharts:

$ kube-linter lint --ignore-paths '**/*.tgz' .
...
Error: found 51 lint errors

I also tried with a config file, with no success:

$ cat config.yaml 
checks:
  ignorePaths:
    - "charts/**"
    - "**/*.tgz"

$ kube-linter lint --config config.yaml .
...
Error: found 51 lint errors

Here's my dir structure:

$ tree
.
├── Chart.lock
├── charts
│   ├── common-2.4.0.tgz
│   ├── mysql-9.10.1.tgz
│   └── redis-17.11.3.tgz
├── Chart.yaml
├── config.yaml
├── README.md
├── templates
│   ├── deployment-backend.yaml
│   ├── deployment-frontend.yaml
│   ├── _helpers.tpl
│   ├── ingress.yaml
│   ├── NOTES.txt
│   ├── secret.yaml
│   ├── serviceaccount.yaml
│   └── service.yaml
└── values.yaml

I'm using KubeLinter v0.6.4-0-g4f0b1e01fd on Fedora.

benni-as commented 1 year ago

I can confirm this bug. I also want to ignore subcharts like Bitnami's postgres or redis charts. But --ignore-paths charts/* isn't working. Any workarounds or fixes available?

darmenliu commented 1 year ago

@janisz Can you help respond to this issue? It seems this is a bug in kube-linter.

janisz commented 1 year ago

I'm sorry for the delay. I was able to reproduce it. I used tests/testdata and placed the chart package as a subchart of mychart.

diff --git a/tests/testdata/mychart/Chart.yaml b/tests/testdata/mychart/Chart.yaml
index ac8a018..78862fe 100644
--- a/tests/testdata/mychart/Chart.yaml
+++ b/tests/testdata/mychart/Chart.yaml
@@ -4,3 +4,6 @@ description: A Helm chart for Kubernetes
 name: mychart
 type: application
 version: 0.1.0
+dependencies:
+  - name: mychart
+    version: "0.1.0"
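Review bot: the dependency entry `name: mychart` / `version: "0.1.0"` carries no `repository`, so `helm dependency build` cannot resolve it; the reproduction only works because, as the comment says, the packaged chart was copied into charts/ by hand. That manual step (package the chart, drop the resulting .tgz into tests/testdata/mychart/charts/) is worth stating next to the diff so others can reproduce the same tree.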

I can confirm that ignore-paths does not work with subcharts. This is because we use the Load function, which automatically loads the full chart.

https://github.com/stackrox/kube-linter/blob/ab8a80b4653c8f08fb7dd395aa1a0bc1b7d04bc0/pkg/lintcontext/parse_yaml.go#L93

The workaround will be to add the ignored files to .helmignore:

diff --git a/tests/testdata/mychart/.helmignore b/tests/testdata/mychart/.helmignore
index 0e8a0eb..44e93ed 100644
--- a/tests/testdata/mychart/.helmignore
+++ b/tests/testdata/mychart/.helmignore
@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+*.tgz
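Review bot: `*.tgz` in .helmignore drops every packaged dependency under charts/, not only the subchart the reporter wants skipped, and a chart whose Chart.yaml declares dependencies will then fail Helm's dependency check at load time (the follow-up comment below shows exactly that error). The workaround should be qualified as applying only to charts without declared dependencies, or paired with that limitation.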

Right now I see the following solutions
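Until the loader stops pulling every subchart into the lint run, a practical mitigation is to post-filter kube-linter's findings by path. The Go program below is an added example written for this thread, not kube-linter's own code; it assumes the plain output format quoted above (`<path>: (object: ...) ... (check: ...)`), and its sample input is constructed from the lines in this issue with the messages shortened. It also makes the matching rule explicit: findings from subcharts carry rendered template paths such as charts/redis/templates/..., never the archive name, which is why a `**/*.tgz` pattern cannot match anything in the report.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path"
	"strings"
)

// matchGlob reports whether p matches pattern with gitignore-like rules:
// segments are "/"-separated, a whole segment of "**" matches zero or more
// segments, other segments use path.Match (so "*" never crosses "/"), and a
// pattern that names a directory also matches everything beneath it.
func matchGlob(pattern, p string) bool {
	pat := strings.Split(path.Clean(pattern), "/")
	segs := strings.Split(path.Clean(p), "/")
	if matchSegs(pat, segs) {
		return true
	}
	// "templates/test" or "charts/*" should also cover the files below them.
	below := append(append([]string{}, pat...), "**")
	return matchSegs(below, segs)
}

func matchSegs(pat, segs []string) bool {
	if len(pat) == 0 {
		return len(segs) == 0
	}
	if pat[0] == "**" {
		// "**" may swallow any number of leading segments, including none.
		for i := 0; i <= len(segs); i++ {
			if matchSegs(pat[1:], segs[i:]) {
				return true
			}
		}
		return false
	}
	if len(segs) == 0 {
		return false
	}
	if ok, err := path.Match(pat[0], segs[0]); err != nil || !ok {
		return false
	}
	return matchSegs(pat[1:], segs[1:])
}

// findingPath returns the file path that starts a kube-linter plain-format
// finding ("<path>: (object: ...) ..."), or "" for banner and summary lines.
func findingPath(line string) string {
	i := strings.Index(line, ": (object:")
	if i < 0 {
		return ""
	}
	return line[:i]
}

// filterFindings keeps the finding lines in output whose path matches none of
// the ignore patterns. Non-finding lines (version banner, error count) are dropped.
func filterFindings(output string, ignore []string) []string {
	var kept []string
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		p := findingPath(line)
		if p == "" {
			continue
		}
		ignored := false
		for _, pat := range ignore {
			if matchGlob(pat, p) {
				ignored = true
				break
			}
		}
		if !ignored {
			kept = append(kept, line)
		}
	}
	return kept
}

// sampleOutput is constructed from the lines quoted in this issue (messages
// shortened); it stands in for piped kube-linter output when run stand-alone.
const sampleOutput = `KubeLinter development
templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root, remediation: ...)
templates/others.yaml: (object: <no namespace>/other-pod /v1, Kind=Pod) object in default namespace (check: use-namespace, remediation: ...)
charts/redis/templates/replicas/statefulset.yaml: (object: default/test-release-redis-replicas apps/v1, Kind=StatefulSet) container "redis" has memory limit 0 (check: unset-memory-requirements, remediation: ...)
Error: found 3 lint errors`

func main() {
	// Usage: kube-linter lint . | go run filter.go 'templates/test' 'charts/**'
	input := sampleOutput
	if fi, err := os.Stdin.Stat(); err == nil && fi.Mode()&os.ModeCharDevice == 0 {
		b, _ := io.ReadAll(os.Stdin)
		input = string(b)
	}
	kept := filterFindings(input, os.Args[1:])
	for _, l := range kept {
		fmt.Println(l)
	}
	if len(kept) > 0 {
		fmt.Fprintf(os.Stderr, "Error: found %d lint errors\n", len(kept))
		os.Exit(1)
	}
}
```

The exit status mirrors kube-linter's own (non-zero when any finding survives), so the filter can sit in the same CI step. Note that a directory pattern such as `templates/test` and the single-star form `charts/*` both cover everything beneath the entry they name, which is the behaviour the reporters in this thread expected from --ignore-paths.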

benni-as commented 1 year ago

@janisz thanks for looking into it. Sadly, the workaround of excluding the subcharts in the .helmignore file will not work, as helm requires the dependencies to be downloaded. This is what I get when I add the *.tgz filter:

Error: An error occurred while checking for chart dependencies. You may need to run `helm dependency build` to fetch missing dependencies: found in Chart.yaml, but missing in charts/ directory: postgresql, redis

bebosudo commented 1 year ago

Any possible development on this?

echoblag commented 1 year ago

I think we just ran into this issue specifically when trying to exclude subcharts.

Trojan295 commented 11 months ago

I will prepare a PR for this.

Dirrk commented 10 months ago

Was this working in a previous version that I could use instead or has this been the behavior? I am currently on the latest 0.6.5 build.