zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License

Implement feature request: Annotation in the manifest can be used to specify optional #477

Closed ryo-yamaoka closed 2 years ago

ryo-yamaoka commented 2 years ago

Fixes: #476

Behavior

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: optional-test-manifest-deployment
  labels:
    app: optional-test-manifest
  annotations:
    kube-score/ignore: pod-networkpolicy,container-resources,container-image-pull-policy,container-security-context-privileged,container-security-context-user-group-id,container-security-context-readonlyrootfilesystem,container-ephemeral-storage-request-and-limit
    kube-score/optional: container-seccomp-profile
spec:
  replicas: 1
  selector:
    matchLabels:
      app: optional-test-manifest
  template:
    metadata:
      labels:
        app: optional-test-manifest
    spec:
      containers:
      - name: optional-test-manifest
        image: busybox:1.34
        command:
        - /bin/sh
        - -c
        - date; env; tail -f /dev/null
```

```console
$ kube-score score manifest.yaml
apps/v1/Deployment optional-test-manifest-deployment                          🤔
    [WARNING] Container Seccomp Profile
        · The pod has not configured Seccomp for its containers
            Running containers with Seccomp is recommended to reduce the kernel attack surface
```
Annotations ignore

```console
$ kube-score score manifest.yaml --disable-optional-checks-annotations
apps/v1/Deployment optional-test-manifest-deployment                          ✅
```

(FYI) Both defined

It will be marked as ignored.

```yaml
  annotations:
    kube-score/ignore: container-seccomp-profile
    kube-score/optional: container-seccomp-profile
```

```console
$ kube-score score manifest.yaml --output-format ci | grep seccomp
[SKIPPED] optional-test-manifest-deployment apps/v1/Deployment: Skipped because container-seccomp-profile is ignored
```
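The precedence the description demonstrates (ignore beats optional; the optional annotation is inert under `--disable-optional-checks-annotations`; `--enable-optional-test` enables optional checks regardless), written out as a small added Go model. This is illustrative code, not kube-score's own implementation; `Decide`, `listed` and the `Decision` values are assumed names, and the annotation strings are the ones shown above.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is what the scorer does with one check on one object.
type Decision string

const (
	Run        Decision = "RUN"         // check runs; its own grade (e.g. WARNING) is reported
	Skipped    Decision = "SKIPPED"     // listed in kube-score/ignore: reported as [SKIPPED]
	NotEnabled Decision = "NOT-ENABLED" // optional check not enabled for this object: no output
)

const (
	ignoreAnnotation   = "kube-score/ignore" // annotation keys shown in the PR description
	optionalAnnotation = "kube-score/optional"
)

// listed reports whether checkID appears in the comma-separated annotation value.
func listed(ann map[string]string, key, checkID string) bool {
	for _, id := range strings.Split(ann[key], ",") {
		if strings.TrimSpace(id) == checkID {
			return true
		}
	}
	return false
}

// Decide applies the precedence shown in the description: kube-score/ignore always
// wins; an optional check (one normally enabled by --enable-optional-test) runs only
// when enabledGlobally is set, or when kube-score/optional lists it and annotations are
// honoured (honorOptional is false under --disable-optional-checks-annotations).
func Decide(ann map[string]string, checkID string, isOptional, honorOptional, enabledGlobally bool) Decision {
	if listed(ann, ignoreAnnotation, checkID) {
		return Skipped
	}
	if isOptional && !enabledGlobally && !(honorOptional && listed(ann, optionalAnnotation, checkID)) {
		return NotEnabled
	}
	return Run
}

func main() {
	// Constructed annotations echoing the Deployment in the description.
	ann := map[string]string{ignoreAnnotation: "pod-networkpolicy,container-resources", optionalAnnotation: "container-seccomp-profile"}
	fmt.Println(Decide(ann, "container-seccomp-profile", true, true, false), Decide(ann, "container-seccomp-profile", true, false, false), Decide(ann, "pod-networkpolicy", false, true, false))
}
```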
ryo-yamaoka commented 2 years ago

Thanks for the review and suggestion! I think it is good. But sorry, I'm going camping now, so the fix will have to wait until Sunday.

zegl commented 2 years ago

No worries, have fun camping! 🏕

ryo-yamaoka commented 2 years ago

@zegl Fixed https://github.com/zegl/kube-score/pull/477/commits/03d4631265ee24575e3a4f33519d5d7ee8d763ff How about this?

ryo-yamaoka commented 2 years ago

Oops, the test timed out...? It succeeds in my local env. Can you rerun the CircleCI workflow? https://app.circleci.com/pipelines/github/zegl/kube-score/1555/workflows/616a8b9c-0287-49ea-887b-70796e4e9b00/jobs/1814/parallel-runs/0/steps/0-104

zegl commented 2 years ago

I was thinking to only rename the new annotation that you've added. Renaming the --enable-optional-test flag is a breaking change, and while it would be nice to rename that flag as well, we need to do it in a way that doesn't break backwards compatibility.

The rest looks great though!

zegl commented 2 years ago

I've restarted the CircleCI job

ryo-yamaoka commented 2 years ago

Sorry, a breaking change was certainly out of the question. Also, I think removing the Optional halfway through in the code was not a good idea.

I reverted that and fixed it to only rename the annotation. https://github.com/zegl/kube-score/pull/477/commits/fc50291e9ab76c7dbf7e1f73ba9ff20835724121

zegl commented 2 years ago

bors merge

bors[bot] commented 2 years ago

Build succeeded: