zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License

NetworkPolicy rule false positive when podSelector is empty #420

Closed MPvHarmelen closed 2 years ago

MPvHarmelen commented 2 years ago

I'm creating a near copy of #293 because I'm having the same issue using the latest version.

Which version of kube-score are you using?

kube-score version: kube-score version: 1.13.0, commit: d1ad91defc1a5814f7c7395ed64cd7039d259158, built: 2021-10-28T13:31:29Z

What did you do?

I defined a NetworkPolicy applicable to all pods in a namespace.

Per the NetworkPolicy documentation, "An empty podSelector selects all pods in the namespace" - see under https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource. There's even an example in the docs at https://kubernetes.io/docs/concepts/services-networking/network-policies/#default-deny-all-ingress-traffic

The NetworkPolicy in question is:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress

What did you expect to see?

I didn't expect any failures.

What did you see instead?

The NetworkPolicy check generates false positives for podSelector: {} like:

networking.k8s.io/v1/NetworkPolicy allow-all-ingress in default               💥
    [CRITICAL] NetworkPolicy targets Pod
        · The NetworkPolicys selector doesn't match any pods

MPvHarmelen commented 2 years ago

Sorry, I misread some error messages.
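
An added illustration, not part of the issue thread and not kube-score's code: the selector semantics quoted from the Kubernetes documentation above, written out in Go. An empty podSelector selects every pod in the policy's own namespace and nothing outside it. The types `Pod` and `NetworkPolicy` and both functions are hypothetical, the sample objects are constructed, and only `matchLabels` is modeled (no `matchExpressions`).

```go
package main

import "fmt"

// Pod and NetworkPolicy are minimal stand-ins for the Kubernetes objects
// (hypothetical types for this example, not kube-score's or client-go's).
type Pod struct {
	Name, Namespace string
	Labels          map[string]string
}

type NetworkPolicy struct {
	Name, Namespace string
	MatchLabels     map[string]string // spec.podSelector.matchLabels; nil for `podSelector: {}`
}

// selects reports whether the policy's podSelector applies to the pod.
// A NetworkPolicy is namespaced, so the namespace must match first.
// An empty selector carries no requirements, so the loop body never runs
// and every pod in that namespace is selected.
func selects(np NetworkPolicy, p Pod) bool {
	if np.Namespace != p.Namespace {
		return false
	}
	for k, v := range np.MatchLabels {
		if got, ok := p.Labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// targetedPods returns the names of the pods the policy selects, in input order.
func targetedPods(np NetworkPolicy, pods []Pod) []string {
	var names []string
	for _, p := range pods {
		if selects(np, p) {
			names = append(names, p.Name)
		}
	}
	return names
}

func main() {
	pods := []Pod{ // constructed sample objects
		{Name: "web", Namespace: "default", Labels: map[string]string{"app": "web"}},
		{Name: "db", Namespace: "default"},
		{Name: "job", Namespace: "batch", Labels: map[string]string{"app": "job"}},
	}
	denyAll := NetworkPolicy{Name: "default-deny-ingress", Namespace: "default"}
	fmt.Println(targetedPods(denyAll, pods))
}
```

With this model, an empty selector still yields no targets when the set of pods being checked contains none in the policy's namespace.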