zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.

Home Page:https://kube-score.com


Namespace validation should be ignored if it is not defined

alita1991 opened this issue · comments

Which version of kube-score are you using?

kube-score version: 1.16.1

What did you do?

Executing kube-score against helm charts like mimir-distributed, loki-distributed and tempo-distributed via helm template --skip-tests /chart | kube-score score -

What did you expect to see?

No issue when the chart is implementing the best practices

What did you see instead?

Example: mimir-alertmanager

[CRITICAL] StatefulSet has ServiceName
        · StatefulSet does not have a valid serviceName
            StatefulSets currently require a Headless Service to be responsible
            for the network identity of the Pods. You are responsible for
            creating this Service.
            https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#limitations

What is causing the issue?

Kube-score can't correctly identify the namespace if it is not defined in the helm chart manifest. When the chart is under my control, I have to manually add namespace: {{ .Release.Namespace }} to the helm chart manifest, which solves the problem, but in this case the helm chart is owned by bitnami.

Any workaround that can either skip the namespace validation or that can add a namespace to each resource is highly appreciated.

Hey! Could you please share the full template of what's not working?

The output that you’ve included is mentioning serviceName which is not the same as the name of a namespace, so I’m a bit confused. kube-score works fine if no namespace is defined, and will match up non-namespaced objects with other non-namespaced objects.

For example, this is an issue found on tempo-compactor:

v1/Service tempo-compactor                                                    💥
    [CRITICAL] Service Targets Pod
        · The services selector does not match any pods

To solve the issue, I added namespace: {{ .Release.Namespace }}, this is the manifest:

apiVersion: v1
kind: Service
metadata:
  name: {{ template "tempo.resourceName" (dict "ctx" . "component" "compactor") }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "tempo.labels" (dict "ctx" . "component" "compactor") | nindent 4 }}
  {{- with .Values.compactor.service.annotations }}
  annotations:
  {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  type: ClusterIP
  ports:
    - name: http-metrics
      port: 3100
      targetPort: 3100
      protocol: TCP
  selector:
    {{- include "tempo.selectorLabels" (dict "ctx" . "component" "compactor") | nindent 4 }}

Output

v1/Service release-name-tempo-compactor in example-namespace ✅

I guess that means that the template you're using is setting the namespace on the Pod/Deployment/StatefulSet that the Service is creating?

Either all resources need to have a namespace set, or none of them. Otherwise kube-score can not do its resource matching.

Is there a workaround if I do not own the chart? I am not sure if I can convince the Grafana developers to update their charts by adding the namespace, because at deploy time there is no real issue: the namespace is added automatically by helm.

You can ignore the test for that specific resource with an annotation.

https://github.com/zegl/kube-score?tab=readme-ov-file#ignoring-a-test
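The two points made in this thread, that kube-score only matches objects whose metadata.namespace values are identical (an unset namespace included) and that a check can be suppressed per resource with the kube-score/ignore annotation, are easier to see on a tiny model of the "Service Targets Pod" check. The following is an added illustration written for this page, not kube-score's own code: it reimplements a simplified version of that check over constructed manifests, using the check ID service-targets-pod as listed by `kube-score list`. The helper manifests, names and namespaces are made up for the demonstration.

```python
"""Simplified model of kube-score's "Service Targets Pod" check.

Added illustration, not kube-score's own implementation. It shows why a Service
with namespace: {{ .Release.Namespace }} rendered next to a Deployment without a
namespace is reported as matching no pods, and how the kube-score/ignore
annotation suppresses the check for one resource.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

IGNORE_ANNOTATION = "kube-score/ignore"
CHECK_ID = "service-targets-pod"  # check ID as printed by `kube-score list`


@dataclass
class Finding:
    resource: str
    grade: str  # "OK", "CRITICAL" or "SKIPPED"
    message: str


def _ns(obj: dict) -> str:
    # An unset namespace stays "", so it never equals a set one: this is the
    # mismatch behind the thread's "selector does not match any pods" finding.
    return obj.get("metadata", {}).get("namespace") or ""


def _pod_templates(objs: List[dict]) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (namespace, pod labels) for every pod-producing object."""
    for o in objs:
        if o.get("kind") in ("Deployment", "StatefulSet", "DaemonSet"):
            tmpl = o.get("spec", {}).get("template", {})
            yield _ns(o), tmpl.get("metadata", {}).get("labels", {})
        elif o.get("kind") == "Pod":
            yield _ns(o), o.get("metadata", {}).get("labels", {})


def _is_ignored(obj: dict, check_id: str) -> bool:
    # The annotation value is a comma-separated list of check IDs.
    raw = obj.get("metadata", {}).get("annotations", {}).get(IGNORE_ANNOTATION, "")
    return check_id in {part.strip() for part in raw.split(",") if part.strip()}


def service_targets_pod(objs: List[dict]) -> List[Finding]:
    """Run the simplified check over every Service in a rendered manifest set."""
    findings = []
    templates = list(_pod_templates(objs))
    for svc in (o for o in objs if o.get("kind") == "Service"):
        name = svc["metadata"]["name"]
        label = "v1/Service " + name + (" in " + _ns(svc) if _ns(svc) else "")
        if _is_ignored(svc, CHECK_ID):
            findings.append(Finding(label, "SKIPPED", "ignored via " + IGNORE_ANNOTATION))
            continue
        selector = svc.get("spec", {}).get("selector", {})
        if not selector:  # selector-less Services (e.g. ExternalName) are out of scope
            findings.append(Finding(label, "OK", "no selector"))
            continue
        matched = any(
            ns == _ns(svc) and all(labels.get(k) == v for k, v in selector.items())
            for ns, labels in templates
        )
        grade, msg = ("OK", "selector matches a pod template") if matched else (
            "CRITICAL", "The services selector does not match any pods")
        findings.append(Finding(label, grade, msg))
    return findings


# Constructed manifests standing in for `helm template` output.
def _service(name: str, namespace: str = "", annotations: dict = None) -> dict:
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    if annotations:
        meta["annotations"] = annotations
    return {"apiVersion": "v1", "kind": "Service", "metadata": meta,
            "spec": {"type": "ClusterIP", "selector": {"app": name}}}


def _deployment(name: str, namespace: str = "") -> dict:
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": meta,
            "spec": {"template": {"metadata": {"labels": {"app": name}}}}}


def scenarios() -> Dict[str, str]:
    """Grade of the Service check in each namespace combination from the thread."""
    ignore = {IGNORE_ANNOTATION: CHECK_ID}
    cases = {
        "neither sets namespace": [_service("compactor"), _deployment("compactor")],
        "only Service sets namespace": [_service("compactor", "example-namespace"), _deployment("compactor")],
        "both set namespace": [_service("compactor", "example-namespace"), _deployment("compactor", "example-namespace")],
        "mismatch but check ignored": [_service("compactor", "example-namespace", ignore), _deployment("compactor")],
    }
    return {name: service_targets_pod(objs)[0].grade for name, objs in cases.items()}


if __name__ == "__main__":
    for case, grade in scenarios().items():
        print(f"{case:32s} -> {grade}")
```

The second scenario reproduces the thread's situation: the Service carries a namespace from the template while the workload does not, so the check fails even though the selector labels line up. Adding the namespace on both sides, or dropping it on both, makes the match succeed; the last scenario shows the per-resource annotation from the README that the maintainer points to, which skips the check without touching the workload manifest.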