
[BUG] Ignore-paths parameter does not work with subcharts #575

Open
darmenliu opened this issue May 29, 2023 · 12 comments
Labels
bug Something isn't working

Comments

@darmenliu

System info:

  • OS: Linux

Describe the bug
I have a project and I want to use kube-linter to scan the helm chart, but I failed to ignore the test path using the ignore-paths parameter.

myproject$ ls
templates  kube_linter.yaml  value.yaml

myproject/templates$ ls
test  others.yaml

myproject$  kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/
templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) found matching serviceAccount ("") (check: default-service-account, remediation: Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" does not specify a liveness probe (check: no-liveness-probe, remediation: Specify a liveness probe in your container. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) resource specifies unsafe sysctl "net.ipv4.ip_local_port_range". (check: unsafe-sysctls, remediation: Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.)

Scanning my project with this command, it seems my test file is still reported by kube-linter; I hope someone can help me find what's wrong with my command. I also tried configuring this in the configuration file like:

checks:
  ignorePaths:
    - ./templates/test/robot.yaml

but I still failed.

To Reproduce

  1. Add a test directory in a project of helm charts.
  2. Add a test yaml in the test directory.
  3. Use kube-linter to scan the project, passing the ignore-paths parameter as above or configuring .kube-linter.yaml to ignore the test path.

Expected behavior
The test directory can be ignored.

@janisz janisz added the bug Something isn't working label May 31, 2023
@janisz
Collaborator

janisz commented May 31, 2023

Could you try using **/* to match everything in the directory, or explicitly name the files?

myproject$  kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/robot.yaml

refs:

@darmenliu
Author

Thanks for your feedback, I will try to test with this.

@darmenliu
Author

darmenliu commented Jun 7, 2023

Hi, I tried these two commands; it seems the problem is still there.

$ kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/**/*
KubeLinter development

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) found matching serviceAccount ("") (check: default-service-account, remediation: Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" does not specify a liveness probe (check: no-liveness-probe, remediation: Specify a liveness probe in your container. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) resource specifies unsafe sysctl "net.ipv4.ip_local_port_range". (check: unsafe-sysctls, remediation: Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.)

$ kube-linter lint ./ --config ./kube_linter.yaml --ignore-paths ./templates/test/robot.yaml
templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) found matching serviceAccount ("") (check: default-service-account, remediation: Create a dedicated service account for your pod. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" does not specify a liveness probe (check: no-liveness-probe, remediation: Specify a liveness probe in your container. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root, remediation: Set runAsUser to a non-zero number and runAsNonRoot to true in your pod or container securityContext. Refer to https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for details.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) resource specifies unsafe sysctl "net.ipv4.ip_local_port_range". (check: unsafe-sysctls, remediation: Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.)

templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) object in default namespace (check: use-namespace, remediation: Create namespaces for objects in your deployment.)

@bebosudo

I also face the same problem: even when I use --ignore-paths, subcharts are linted.
Here's a run without any paths to ignore:

$ kube-linter lint .
KubeLinter v0.6.4-0-g4f0b1e01fd
...
charts/redis/templates/replicas/statefulset.yaml: (object: default/test-release-redis-replicas apps/v1, Kind=StatefulSet) container "redis" has memory request 0 (check: unset-memory-requirements, remediation: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)
charts/redis/templates/replicas/statefulset.yaml: (object: default/test-release-redis-replicas apps/v1, Kind=StatefulSet) container "redis" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory requests and limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)

Error: found 51 lint errors

Here's when I try to exclude one specific file:

$ kube-linter lint --ignore-paths charts/redis/templates/replicas/statefulset.yaml .
...
Error: found 51 lint errors

And here when I try to exclude all tgz archives of subcharts:

$ kube-linter lint --ignore-paths '**/*.tgz' .
...
Error: found 51 lint errors

I also tried with a config file, with no success:

$ cat config.yaml 
checks:
  ignorePaths:
    - "charts/**"
    - "**/*.tgz"

$ kube-linter lint --config config.yaml .
...
Error: found 51 lint errors

Here's my dir structure:

$ tree
.
├── Chart.lock
├── charts
│   ├── common-2.4.0.tgz
│   ├── mysql-9.10.1.tgz
│   └── redis-17.11.3.tgz
├── Chart.yaml
├── config.yaml
├── README.md
├── templates
│   ├── deployment-backend.yaml
│   ├── deployment-frontend.yaml
│   ├── _helpers.tpl
│   ├── ingress.yaml
│   ├── NOTES.txt
│   ├── secret.yaml
│   ├── serviceaccount.yaml
│   └── service.yaml
└── values.yaml

I'm using KubeLinter v0.6.4-0-g4f0b1e01fd on Fedora.

@benni-as

I can confirm this bug. I also want to ignore subcharts like Bitnami's postgres or redis charts. But --ignore-paths charts/* isn't working. Any workarounds or fixes available?

@darmenliu
Author

darmenliu commented Jul 20, 2023

@janisz Can you help respond to this issue? It seems this is a bug in kube-linter.

@janisz
Collaborator

janisz commented Aug 7, 2023

I'm sorry for the delay.
I was able to reproduce. I used tests/testdata and placed the chart package as a subchart of mychart

diff --git a/tests/testdata/mychart/Chart.yaml b/tests/testdata/mychart/Chart.yaml
index ac8a018..78862fe 100644
--- a/tests/testdata/mychart/Chart.yaml
+++ b/tests/testdata/mychart/Chart.yaml
@@ -4,3 +4,6 @@ description: A Helm chart for Kubernetes
 name: mychart
 type: application
 version: 0.1.0
+dependencies:
+  - name: mychart
+    version: "0.1.0"
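Review bot: the new `dependencies` entry points the chart at itself (`name: mychart`, `version: "0.1.0"`, the same `name` and `version` the chart declares two lines above) and carries no `repository` field; that is fine for a local fixture, but a one-line YAML comment saying the self-reference is intentional test data for the subchart case would stop the next reader from treating it as a typo. Minor: `version` is quoted here but unquoted in the chart's own `version: 0.1.0` line, so pick one style for the file.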

I can confirm that ignore-paths does not work with subcharts.
This is because we use the Load function, which automatically loads the full chart.

chrt, err := loader.Load(dir)

The workaround is to add the ignored files to .helmignore

diff --git a/tests/testdata/mychart/.helmignore b/tests/testdata/mychart/.helmignore
index 0e8a0eb..44e93ed 100644
--- a/tests/testdata/mychart/.helmignore
+++ b/tests/testdata/mychart/.helmignore
@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+*.tgz
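Review bot: `*.tgz` in `.helmignore` will also exclude every packaged dependency under `charts/`, so a chart whose `Chart.yaml` lists real dependencies (unlike the self-referencing fixture above) will fail helm's dependency check instead of linting without the subcharts; either state that limitation next to the rule or narrow it to the single archive this test needs (for example `charts/mychart-*.tgz`).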

Right now I see the following solutions:

  • change the way we load helm – that's risky and could end up in reimplementing the helm loader, as effectively we would implement a custom helmignore.
  • somehow change the helm code to allow passing custom filtering rules. Currently they are loaded from the .helmignore if it exists.
  • filter results for ignored paths – this might work, but the helm loader uncompresses the tgz, so in the final report we get the extracted paths, not the archive:
+ tests/testdata/mychart/charts/mychart/templates/tests/test-connection.yaml
- tests/testdata/mychart/charts/mychart-0.2.0.tgz
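To make the third option and its caveat concrete, here is an added example of a result post-filter, written for this discussion and not taken from kube-linter's code base. It applies glob patterns to the path at the front of each report line. The report lines are constructed from the output quoted in this issue (remediation text shortened, and one extra finding invented for contrast), the `**` matcher is this example's own, and the rule that a trailing `/` means "the whole subtree" is an assumption of the example rather than documented kube-linter behaviour. Run it and the point of the caveat shows up directly: `**/*.tgz` never matches a subchart finding, because by the time the loader has run the finding is reported under `charts/redis/templates/...`, whereas `charts/**` does match it.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample of kube-linter report lines, modelled on the ones
// quoted in this issue (remediation text shortened; the deployment-backend
// line is invented). The subchart finding is reported under the extracted
// path, never under the .tgz it was unpacked from.
var sampleReport = []string{
	`templates/test/robot.yaml: (object: <no namespace>/robot-pod /v1, Kind=Pod) container "robot-pod-container" is not set to runAsNonRoot (check: run-as-non-root)`,
	`templates/deployment-backend.yaml: (object: default/backend apps/v1, Kind=Deployment) container "backend" does not specify a liveness probe (check: no-liveness-probe)`,
	`charts/redis/templates/replicas/statefulset.yaml: (object: default/test-release-redis-replicas apps/v1, Kind=StatefulSet) container "redis" has memory limit 0 (check: unset-memory-requirements)`,
}

// normalizePattern strips a leading "./" and turns a trailing "/" into "/**"
// so that a bare directory such as "./templates/test/" ignores its whole
// subtree. The trailing-slash convention is an assumption of this example,
// not documented kube-linter behaviour.
func normalizePattern(p string) string {
	p = strings.TrimPrefix(p, "./")
	if strings.HasSuffix(p, "/") {
		p += "**"
	}
	return p
}

// matchSegments matches a "/"-split pattern against a "/"-split path.
// "**" consumes zero or more whole segments; any other pattern segment goes
// through path.Match, so a plain "*" never crosses a "/".
func matchSegments(pat, segs []string) bool {
	if len(pat) == 0 {
		return len(segs) == 0
	}
	if pat[0] == "**" {
		for i := 0; i <= len(segs); i++ {
			if matchSegments(pat[1:], segs[i:]) {
				return true
			}
		}
		return false
	}
	if len(segs) == 0 {
		return false
	}
	ok, err := path.Match(pat[0], segs[0])
	if err != nil || !ok {
		return false
	}
	return matchSegments(pat[1:], segs[1:])
}

// PathIgnored reports whether the file path p matches any ignore pattern.
func PathIgnored(p string, patterns []string) bool {
	segs := strings.Split(strings.TrimPrefix(p, "./"), "/")
	for _, pattern := range patterns {
		if matchSegments(strings.Split(normalizePattern(pattern), "/"), segs) {
			return true
		}
	}
	return false
}

// ReportPath extracts the file path from a report line of the form
// "<path>: (object: ...".
func ReportPath(line string) string {
	if i := strings.Index(line, ": "); i >= 0 {
		return line[:i]
	}
	return line
}

// FilterReport keeps only the report lines whose path is not ignored.
func FilterReport(lines, patterns []string) []string {
	var kept []string
	for _, line := range lines {
		if !PathIgnored(ReportPath(line), patterns) {
			kept = append(kept, line)
		}
	}
	return kept
}

func main() {
	for _, patterns := range [][]string{
		{"./templates/test/"}, // directory form from the original report
		{"**/*.tgz"},          // archive pattern: misses extracted subcharts
		{"charts/**"},         // directory pattern: catches extracted subcharts
	} {
		kept := FilterReport(sampleReport, patterns)
		fmt.Printf("ignore %v -> %d of %d findings kept\n", patterns, len(kept), len(sampleReport))
		for _, l := range kept {
			fmt.Println("  ", ReportPath(l))
		}
	}
}
```

The filter sits after linting, so it cannot stop the loader from reading the subchart in the first place; it only hides the findings, which is why a pattern has to be written against the extracted layout (`charts/<name>/...`) rather than the archive name if this approach is taken.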

@janisz janisz changed the title [BUG] Ignore-paths parameter can not take effect in my project [BUG] Ignore-paths parameter does not work with subcharts Aug 7, 2023
@benni-as

benni-as commented Aug 8, 2023

@janisz thanks for looking into it. Sadly, the workaround of excluding the subcharts in the .helmignore file will not work, as helm requires the dependencies to be downloaded. This is what I get when I add the *.tgz filter:

Error: An error occurred while checking for chart dependencies. You may need to run `helm dependency build` to fetch missing dependencies: found in Chart.yaml, but missing in charts/ directory: postgresql, redis

@bebosudo

bebosudo commented Sep 5, 2023

Any possible development on this?

@echoblag

I think we just ran into this issue specifically when trying to exclude subcharts.

@Trojan295
Contributor

I will prepare a PR for this.

@Dirrk

Dirrk commented Jan 3, 2024

Was this working in a previous version that I could use instead or has this been the behavior? I am currently on the latest 0.6.5 build.
