Closed jsalonen closed 3 years ago
container-security-context is currently undergoing a split into three new subtests. This was announced in v1.10, with a planned "flip" of the defaults to happen in v1.11. This did not happen and is instead scheduled to happen in v1.12.
To migrate to the future defaults you can run kube-score with the following flags:
kube-score score \
--enable-optional-test container-security-context-user-group-id \
--enable-optional-test container-security-context-privileged \
--enable-optional-test container-security-context-readonlyrootfilesystem \
--ignore-test container-security-context
If you run kube-score with these flags, you'll also be able to ignore the test as used in your example.
In the current (v1.11.0) default configuration you'd have to ignore using kube-score/ignore: container-security-context to ignore this error, but it also ignores some of the other security related tests, which is why this migration to the new defaults is happening.
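An added example, not part of the original thread: a constructed Deployment that ignores only the read-only root filesystem subtest, intended to be scored with the flags from the comment above. The object name, image and UID/GID values are placeholders, and placing the annotation on the Deployment's own metadata is an assumption based on kube-score's per-object `kube-score/ignore` annotation.

```yaml
# Constructed sample manifest; names, image and IDs are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  annotations:
    # Ignore only the read-only root filesystem subtest. The user-group-id
    # and privileged subtests are still evaluated for this object, unlike
    # with the broader "container-security-context" ignore.
    kube-score/ignore: container-security-context-readonlyrootfilesystem
spec:
  replicas: 2
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: registry.example.com/example-app:1.0.0
          securityContext:
            # Left writable on purpose; this is the setting the annotation covers.
            readOnlyRootFilesystem: false
            # Still checked by the other two subtests.
            privileged: false
            runAsUser: 10001
            runAsGroup: 10001
```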
Thank you for the swift response.
I guess the biggest issue here is that it was quite difficult to understand from documentation that this was the reason behind it all.
Closing
Which version of kube-score are you using?
What did you do?
Adding kube-score/ignore for container-security-context-readonlyrootfilesystem should allow kube-score to pass on containers that have a non-readonly filesystem.
Example template that fails:
What did you expect to see?
I expect the kube-score to pass the validation for readOnlyRootFileSystem due to ignore
The template contains other errors that of course should appear
What did you see instead?