stackrox / kube-linter

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Home Page: https://docs.kubelinter.io/


[FEATURE_REQUEST] Ignoring violations for Containers and initContainers

ohnickmoy opened this issue · comments

Description of the problem/feature request
As per the Kubernetes spec, Containers and initContainers do not have capabilities to be annotated, since they have no metadata field to populate.

Therefore, it's not possible to ignore a check for a container or initContainer. It would be nice to have some alternative way of ignoring checks for fields nested within the yaml file.

For instance, the below yaml is a CronJob that has an initContainer that utilizes an image that violates the latest-tag check. There's no way to annotate the initContainer given the spec.

```yaml
---
apiVersion: batch/v1beta1
kind: CronJob
spec:
  jobTemplate:
    metadata:
      # kube-linter ignore annotations take the form
      # ignore-check.kube-linter.io/<check-name>: "<reason>"
      annotations:
        ignore-check.kube-linter.io/latest-tag: "reason redacted"
    spec:
      template:
        spec:
          serviceAccountName: redacted-sa-name
          initContainers:
            - name: secret-render
              command:
                - /bin/sh
                - do-other-things
              # image tag triggers the latest-tag check
              image: image-that-violates-latest-tag:latest
```

Description of the existing behavior vs. expected behavior
The initContainer above would still violate the check despite being annotated at a higher-level field.

Apologies again... I figured out the issue.
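For reference, here is the same CronJob with the ignore annotation placed where kube-linter documents it: on the object's own `metadata.annotations`, keyed `ignore-check.kube-linter.io/<check-name>` with a free-form reason as the value. This is an added example, not code from the original post or from the kube-linter project; the object name, schedule, main container and reason string are placeholders.

```yaml
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: secret-render-cron        # placeholder name
  annotations:
    # Placed on the CronJob object itself, not on jobTemplate.metadata.
    # Suppresses only the latest-tag check; every other check still runs.
    ignore-check.kube-linter.io/latest-tag: "init image is rebuilt each run; reason is a placeholder"
spec:
  schedule: "0 * * * *"           # placeholder schedule
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: redacted-sa-name
          restartPolicy: OnFailure
          initContainers:
            - name: secret-render
              image: image-that-violates-latest-tag:latest
              command: ["/bin/sh", "do-other-things"]
          containers:
            - name: main           # placeholder main container
              image: main-image:1.2.3
```

Run `kube-linter lint cronjob.yaml` to confirm the latest-tag finding disappears for this object. Note the granularity caveat that motivates this issue: the annotation is evaluated per Kubernetes object, so it also silences the latest-tag check for the `main` container and any other container in the same CronJob, not just `secret-render`. If you only want the check off for one run, `kube-linter lint --exclude latest-tag cronjob.yaml` disables it without touching the manifest, but that is even coarser (all objects in the run), so prefer the annotation and keep the reason string honest, since it is the only record of why the exception exists.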