kube-score
Can't mix implicit and explicit namespaces
Which version of kube-score are you using?
kube-score version: v1.13.0
What did you do?
Using a Helm chart that explicitly sets namespaces, with resources that rely on the execution context to set the namespace, means that resources that work together produce an error. For example
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app.kubernetes.io/name: app
  namespace: default
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: app
  template:
    metadata:
      name: my-app
      labels:
        app.kubernetes.io/name: app
    spec:
      containers:
        - name: my-app
          image: nginx
and
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-app
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: app
errors because the deployment and network policy don't both explicitly identify the same namespace.
What did you expect to see?
I expected kube-score to have a concept of the current namespace to use when not explicitly stated.
What did you see instead?
An error
[CRITICAL] Pod NetworkPolicy · The pod does not have a matching NetworkPolicy
Hi Mikael,
we've encountered the same issue, but we hadn't specified a namespace in the deployment object but instead on the netpols. The issue was easily fixed by replacing the hardcoded namespace with {{ .Release.Namespace }}.
That's a little tricky to do in my case.
Are you running helm render or something that replaces {{ .Release.Namespace }} with an empty string?
No, kubeScore replaces it with the "default" Namespace. But yes, our applications get deployed with ArgoCD, so it takes care of inserting the correct value into {{ .Release.Namespace }}.
But I don't see an issue with appending the namespace field in the netpols itself as they are namespaced anyway.
However, it would be nice to have a parameter to set the wanted namespace.
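
The behaviour requested in this thread, as an added example that is not kube-score's own code: a NetworkPolicy-to-pod match that resolves an omitted metadata.namespace to a caller-supplied current namespace before comparing. The Object type, the function names and the sample values are assumptions constructed from the two manifests in the report.

```go
package main

import "fmt"

// Object is a minimal stand-in for a parsed manifest (hypothetical type for this example).
type Object struct {
	Kind, Name, Namespace string
	Labels                map[string]string // pod template labels (workloads)
	Selector              map[string]string // spec.podSelector.matchLabels (policies)
}

// effectiveNS resolves an omitted metadata.namespace to the supplied current namespace.
func effectiveNS(o Object, current string) string {
	if o.Namespace == "" {
		return current
	}
	return o.Namespace
}

// selects reports whether every selector label is set on the pod; an empty selector matches all pods.
func selects(selector, labels map[string]string) bool {
	for k, want := range selector {
		if got, ok := labels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// HasMatchingPolicy reports whether a policy in the same effective namespace selects the workload's pods.
func HasMatchingPolicy(workload Object, policies []Object, current string) bool {
	for _, p := range policies {
		if effectiveNS(p, current) == effectiveNS(workload, current) && selects(p.Selector, workload.Labels) {
			return true
		}
	}
	return false
}

// Constructed samples mirroring the report: explicit namespace on the Deployment, none on the policy.
var deployment = Object{Kind: "Deployment", Name: "my-app", Namespace: "default",
	Labels: map[string]string{"app.kubernetes.io/name": "app"}}
var netpol = Object{Kind: "NetworkPolicy", Name: "my-app",
	Selector: map[string]string{"app.kubernetes.io/name": "app"}}

func main() {
	fmt.Println(HasMatchingPolicy(deployment, []Object{netpol}, "default")) // true
	fmt.Println(HasMatchingPolicy(deployment, []Object{netpol}, "prod"))    // false
}
```

With a current namespace other than default, the second call reports no match, which is the case a linter should still flag: the policy would land in a different namespace from the pods and would not cover them.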