zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License

NetworkPolicy rule false positive when podSelector is empty #293

Closed Iristyle closed 4 years ago

Iristyle commented 4 years ago

Which version of kube-score are you using?

kube-score version: 1.8.0, commit: 5c3ed1b02ff59a510776a84b7ecadfb21e151e11, built: 2020-08-10T19:29:19Z

What did you do?

I defined a NetworkPolicy applicable to all pods in a namespace.

Per the NetworkPolicy documentation, "An empty podSelector selects all pods in the namespace" (see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource). There's even an example in the docs at https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-allow-all-ingress-traffic

The NetworkPolicy in question is:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: default
  name: allow-all-ingress
spec:
  podSelector: {}
  ingress:
  - {}
  policyTypes:
  - Ingress

What did you expect to see?

I didn't expect any failures.

What did you see instead?

The NetworkPolicy check generates false positives when podSelector: {} is used, like:

[CRITICAL] Pod NetworkPolicy
        · The pod does not have a matching network policy
            Create a NetworkPolicy that targets this pod

I can work around the problem by explicitly defining a match based on a label set on all the pods like this:

  podSelector:
    matchLabels:
      app.kubernetes.io/part-of: myapp

But I think the check should be fixed.
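
As an added example, not part of the issue thread and not kube-score's own implementation: a label-selector matcher in Go that follows the documented NetworkPolicy semantics (every matchLabels entry and matchExpressions requirement is ANDed, so a selector with no requirements matches every pod in the namespace), next to an assumed simplification that consults matchLabels only and therefore reproduces the false positive in the report. The type names mirror metav1.LabelSelector but are local stand-ins so the code runs with the standard library alone; naiveMatches is an illustration, not the project's pre-fix code; the sample pod and policies are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Local minimal mirrors of the metav1 label-selector types (assumed simplification).
type (
	LabelSelectorRequirement struct {
		Key      string
		Operator string // In, NotIn, Exists, DoesNotExist
		Values   []string
	}
	LabelSelector struct {
		MatchLabels      map[string]string
		MatchExpressions []LabelSelectorRequirement
	}
	Pod struct {
		Namespace string
		Labels    map[string]string
	}
	NetworkPolicy struct {
		Namespace, Name string
		PodSelector     LabelSelector
	}
)

func contains(vals []string, v string) bool {
	for _, x := range vals {
		if x == v {
			return true
		}
	}
	return false
}

// naiveMatches is an assumed simplification, not kube-score's actual pre-fix code:
// it consults matchLabels only, so podSelector: {} matches nothing and every pod
// is reported as having no matching policy.
func naiveMatches(sel LabelSelector, labels map[string]string) bool {
	if len(sel.MatchLabels) == 0 {
		return false
	}
	for k, v := range sel.MatchLabels {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Matches implements the documented semantics: all matchLabels and matchExpressions
// requirements must hold; with no requirements at all, every pod matches.
func Matches(sel LabelSelector, labels map[string]string) bool {
	for k, v := range sel.MatchLabels {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	for _, req := range sel.MatchExpressions {
		val, present := labels[req.Key]
		switch req.Operator {
		case "In":
			if !present || !contains(req.Values, val) {
				return false
			}
		case "NotIn":
			if present && contains(req.Values, val) {
				return false
			}
		case "Exists":
			if !present {
				return false
			}
		case "DoesNotExist":
			if present {
				return false
			}
		default:
			return false // unknown operator: fail closed rather than silently match
		}
	}
	return true
}

// PoliciesTargeting returns, sorted, the names of same-namespace policies whose
// podSelector matches the pod. An empty result is what the "Pod NetworkPolicy"
// check reports as "The pod does not have a matching network policy".
func PoliciesTargeting(pod Pod, policies []NetworkPolicy, match func(LabelSelector, map[string]string) bool) []string {
	out := []string{}
	for _, np := range policies {
		if np.Namespace == pod.Namespace && match(np.PodSelector, pod.Labels) {
			out = append(out, np.Name)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample input: the report's allow-all-ingress policy, a policy for a
// different label, and an empty-selector policy in another namespace.
func samplePod() Pod {
	return Pod{Namespace: "default", Labels: map[string]string{"app": "web"}}
}

func samplePolicies() []NetworkPolicy {
	return []NetworkPolicy{
		{Namespace: "default", Name: "allow-all-ingress", PodSelector: LabelSelector{}},
		{Namespace: "default", Name: "db-only", PodSelector: LabelSelector{MatchLabels: map[string]string{"app": "db"}}},
		{Namespace: "other", Name: "other-ns-allow-all", PodSelector: LabelSelector{}},
	}
}

func main() {
	fmt.Println("naive:", PoliciesTargeting(samplePod(), samplePolicies(), naiveMatches)) // naive: []
	fmt.Println("fixed:", PoliciesTargeting(samplePod(), samplePolicies(), Matches))      // fixed: [allow-all-ingress]
}
```

Two points worth keeping in mind when relying on this check. The NetworkPolicy API marks podSelector as not optional, so "no requirements" is the only empty case and it means all pods in the namespace; a matcher must not confuse that with the nil-selector case elsewhere in the API, which matches nothing. And the check asks only whether some policy targets the pod, not whether that policy restricts anything: the reporter's allow-all-ingress policy satisfies it while permitting every ingress connection, so passing this check is not evidence of network segmentation.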

zegl commented 4 years ago

Thanks for a good bug report, the issue has been fixed! :-)

Iristyle commented 4 years ago

Wow, thanks for the super fast turnaround @zegl !