zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License

Ephemeral storage limit check not skipped when `"kube-score/ignore": "container-resources"` annotation is set #449

Closed zliebersbach closed 2 years ago

zliebersbach commented 2 years ago

Which version of kube-score are you using?

kube-score version: 1.14.0

What did you do?

I expect the `"kube-score/ignore": "container-resources"` to ignore the ephemeral storage resource limit checks.

```
v1/Pod test-connection                     💥
    [CRITICAL] Container Ephemeral Storage Request and Limit
        · wget -> Ephemeral Storage limit is not set
            Resource limits are recommended to avoid resource DDOS. Set
            resources.limits.ephemeral-storage
```

Pod spec:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: "test-connection"
  annotations:
    "helm.sh/hook": test
    "kube-score/ignore": 'container-resources,container-image-pull-policy,pod-probes,container-security-context-user-group-id,container-security-context-readonlyrootfilesystem'
spec:
  containers:
    - name: wget
      image: busybox:1
      command: ['wget']
      args: ['http://my-api/health/live']
  restartPolicy: Never
```

What did you expect to see?

The ephemeral storage resource limit check is skipped.

What did you see instead?

The ephemeral storage resource limit check was not skipped.

kmarteaux commented 2 years ago

@zliebersbach Yes, this is a bug. At present, the "container/resources" only applies to CPU and memory resource checks. I will fix this. Until then, you can suppress the ephemeral storage test by adding this to the runtime flags specified:

`--ignore-test container-ephemeral-storage-request-and-limit`, or simply add it to the list of annotations.

zegl commented 2 years ago

Fixed by #450