
Annotations that are given at template level are not considered and complains that annotation doesn't exist.

Open s-u-b-h-a-k-a-r opened this issue 2 years ago • 4 comments

System info:

  • OS: Linux

Describe the bug

Annotations that are given at template level are not considered, and the linter complains that the annotation doesn't exist.

To Reproduce

Sample YAML input config.yaml

checks:
  addAllBuiltIn: false
  doNotAutoAddDefaults: true
  include:
  - no-liveness-probe
  - no-readiness-probe
  - unset-cpu-requirements
  - unset-memory-requirements
  - dangling-service
  - default-service-account
  - deprecated-service-account-field
  - env-var-secret
  - no-extensions-v1beta
  - mismatching-selector
  exclude:
customChecks:
  - name: required-annotation-app-ui
    template: required-annotation
    params:
      key: app/ui
    remediation: set the app/ui  annotation please :)
    scope:
      objectKinds:
        - DeploymentLike

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  labels:
    app.kubernetes.io/instance: RELEASE-NAME
spec:
  replicas:
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: test-deployment
      app.kubernetes.io/instance: RELEASE-NAME
  template:
    metadata:
      annotations:
        app/ui: true
      labels:
        app.kubernetes.io/name: test-deployment
        app.kubernetes.io/instance: RELEASE-NAME

Expected behavior

When we run kube-linter lint deployment.yaml --config config.yaml, the linter complains that the annotation is not present, but it should not complain, as we have the annotation at template level, which will be propagated to the pod.

s-u-b-h-a-k-a-r, Aug 23 '21 14:08

Hmm, this is by design. It's checking that the deployment has the required annotation, not the underlying pods. Checking for the underlying pods would require writing a new template. What is your use case for having the annotations on the pod and not the deployment? Typically, in my experience, it's more natural to put the annotations on the higher level controller.

viswajithiii, Aug 23 '21 15:08

> Hmm, this is by design. It's checking that the deployment has the required annotation, not the underlying pods. Checking for the underlying pods would require writing a new template. What is your use case for having the annotations on the pod and not the deployment? Typically, in my experience, it's more natural to put the annotations on the higher level controller.

Use case: Whenever we create a Helm chart, by default we have podAnnotations that are added to the template, and they are propagated from the deployment to the pod, but they are not added to the deployment annotations, e.g. helm create test

s-u-b-h-a-k-a-r, Aug 24 '21 06:08

Got it. Anyway, this is a valid use case, and will require a new check. I'll add it to the roadmap.

viswajithiii, Aug 24 '21 16:08

Is there any update here? I would also have use for this with labels.

jamesbwilkinson, May 10 '23 09:05
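The distinction discussed in this thread (annotation on the Deployment object versus on its pod template), as an added example that is not kube-linter code and not part of any comment above. It generalizes slightly beyond the Deployment in the issue by also resolving the pod-template path for Pod and CronJob objects; the function names and the sample dict are assumptions made for illustration.

```python
# Added example, not kube-linter code. DEPLOYMENT is a constructed sample that
# mirrors deployment.yaml from the issue, written as an already-parsed dict.

# Where pod-template metadata sits, per kind. Kinds not listed use DEFAULT_PATH.
POD_TEMPLATE_PATHS = {
    "Pod": ("metadata",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "metadata"),
}
DEFAULT_PATH = ("spec", "template", "metadata")  # Deployment, StatefulSet, Job, ...


def _dig(obj, path):
    """Walk nested dicts; return {} when a level is missing or null."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj if isinstance(obj, dict) else {}


def annotation_locations(obj, key):
    """Return the levels ('object', 'pod-template') that carry annotation `key`."""
    found = set()
    if key in _dig(obj, ("metadata", "annotations")):
        found.add("object")
    template_path = POD_TEMPLATE_PATHS.get(obj.get("kind"), DEFAULT_PATH)
    if key in _dig(obj, template_path + ("annotations",)):
        found.add("pod-template")
    return found


def check_required_annotation(obj, key, level="pod-template"):
    """Return findings; empty when `key` is present at the requested level."""
    if level in annotation_locations(obj, key):
        return []
    name = _dig(obj, ("metadata",)).get("name", "<unnamed>")
    return [f"{obj.get('kind')}/{name}: annotation {key!r} missing at {level} level"]


DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "test-deployment"},
    "spec": {"template": {"metadata": {"annotations": {"app/ui": "true"}}}},
}

if __name__ == "__main__":
    for level in ("object", "pod-template"):
        print(level, check_required_annotation(DEPLOYMENT, "app/ui", level))
```

Checking at the `object` level reproduces the complaint from the issue, while checking at the `pod-template` level accepts the same manifest.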