zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License
2.72k stars 174 forks

Can't mix implicit and explicit namespaces #443

Open MikaelSmith opened 2 years ago

MikaelSmith commented 2 years ago

Which version of kube-score are you using?

kube-score version: v1.13.0

What did you do?

Using a Helm chart that explicitly sets namespaces, with resources that rely on the execution context to set the namespace, means that resources that work together produce an error. For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app.kubernetes.io/name: app
  namespace: default
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app
  template:
    metadata:
      name: my-app
      labels:
        app.kubernetes.io/name: app
    spec:
      containers:
        - name: my-app
          image: nginx

and

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-app
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: app
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: app

errors because the deployment and network policy don't both explicitly identify the same namespace.

What did you expect to see?

I expected kube-score to have a concept of the current namespace to use when not explicitly stated.

What did you see instead?

An error

[CRITICAL] Pod NetworkPolicy · The pod does not have a matching NetworkPolicy

MikeK184 commented 2 years ago

Hi Mikael,

we've encountered the same issue, but we hadn't specified a namespace in the deployment object but instead on the netpols. The issue was easily fixed by replacing the hardcoded namespace with {{ .Release.Namespace }}.

MikaelSmith commented 2 years ago

That's a little tricky to do in my case.

Are you running helm render or something that replaces {{ .Release.Namespace }} with an empty string?

MikeK184 commented 2 years ago

No, kube-score replaces it with the "default" namespace. But yes, our applications get deployed with ArgoCD, so it takes care of inserting the correct value into {{ .Release.Namespace }}. But I don't see an issue with appending the namespace field in the netpols themselves, as they are namespaced anyway.

However, it would be nice to have a parameter to set the wanted namespace.
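
The namespace defaulting requested in this thread, sketched as an added example that is not part of the issue and is not kube-score's own code: an object without `metadata.namespace` is resolved to a caller-supplied current namespace before policies are matched to pods. The `Object` type, the function names and the `current` parameter are hypothetical, and the sample data is the Deployment and NetworkPolicy from the report reduced to the fields used here.

```go
package main

import "fmt"

// Object is a hypothetical, minimal stand-in for a parsed manifest.
type Object struct {
	Namespace string            // "" means metadata.namespace was not set
	Labels    map[string]string // pod template labels, or podSelector.matchLabels
}

// effectiveNamespace resolves an implicit namespace to the supplied current one.
func effectiveNamespace(o Object, current string) string {
	if o.Namespace == "" {
		return current
	}
	return o.Namespace
}

// selects reports whether every matchLabels entry is present on the pod labels.
// An empty selector selects every pod in the namespace.
func selects(selector, podLabels map[string]string) bool {
	for k, want := range selector {
		if got, ok := podLabels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// HasMatchingPolicy: does any policy land in the workload's namespace and select its pods?
// Passing current == "" degrades to a literal comparison of the namespace fields.
func HasMatchingPolicy(workload Object, policies []Object, current string) bool {
	ns := effectiveNamespace(workload, current)
	for _, p := range policies {
		if effectiveNamespace(p, current) == ns && selects(p.Labels, workload.Labels) {
			return true
		}
	}
	return false
}

// Sample returns the Deployment (namespace: default) and NetworkPolicy (no namespace).
func Sample() (Object, []Object) {
	labels := map[string]string{"app.kubernetes.io/name": "app"}
	return Object{Namespace: "default", Labels: labels}, []Object{{Labels: labels}}
}

func main() {
	dep, pols := Sample()
	fmt.Println(HasMatchingPolicy(dep, pols, ""), HasMatchingPolicy(dep, pols, "default"))
}
```

With any current namespace other than `default`, the pair still does not match, because the Deployment is pinned to `default` while the policy follows the deploy context; in that case the finding reflects a real gap in policy coverage.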