score: allow to disable scoring of objects in specific namespaces

This features adds the ability to disable tests on the specified namespaces. Specific usage example: ``` kube-score score --ignore-namespace=logging,minio - ``` This usecase is specifically for ignoring the checks on namespace like istio-system which isn't managed by a specific team. ``` RELNOTE: score: allow to disable scoring of objects in specific namespaces ```
zegl · May 4, 2021 · 565b594 · 565b594
1 parent 510401f
commit 565b594
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 2 deletions.
diff --git a/cmd/kube-score/main.go b/cmd/kube-score/main.go
@@ -105,6 +105,7 @@ func scoreFiles(binName string, args []string) error {
 	outputVersion := fs.String("output-version", "", "Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.")
 	optionalTests := fs.StringSlice("enable-optional-test", []string{}, "Enable an optional test, can be set multiple times")
 	ignoreTests := fs.StringSlice("ignore-test", []string{}, "Disable a test, can be set multiple times")
+	ignoreNamespaces := fs.StringSlice("ignore-namespace", []string{}, "Disable test on specific namespace, can be set multiple times")
 	disableIgnoreChecksAnnotation := fs.Bool("disable-ignore-checks-annotations", false, "Set to true to disable the effect of the 'kube-score/ignore' annotations")
 	kubernetesVersion := fs.String("kubernetes-version", "v1.18", "Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results.")
 	setDefault(fs, binName, "score", false)
@@ -154,6 +155,7 @@ Use "-" as filename to read from STDIN.`, execName(binName))
 	}
 
 	ignoredTests := listToStructMap(ignoreTests)
+	ignoredNamespaces := listToStructMap(ignoreNamespaces)
 	enabledOptionalTests := listToStructMap(optionalTests)
 
 	kubeVer, err := config.ParseSemver(*kubernetesVersion)
@@ -166,6 +168,7 @@ Use "-" as filename to read from STDIN.`, execName(binName))
 		VerboseOutput:                         *verboseOutput,
 		IgnoreContainerCpuLimitRequirement:    *ignoreContainerCpuLimit,
 		IgnoreContainerMemoryLimitRequirement: *ignoreContainerMemoryLimit,
+		IgnoredNamespaces:                     ignoredNamespaces,
 		IgnoredTests:                          ignoredTests,
 		EnabledOptionalTests:                  enabledOptionalTests,
 		UseIgnoreChecksAnnotation:             !*disableIgnoreChecksAnnotation,

diff --git a/config/config.go b/config/config.go
@@ -14,6 +14,7 @@ type Configuration struct {
 	VerboseOutput                         int
 	IgnoreContainerCpuLimitRequirement    bool
 	IgnoreContainerMemoryLimitRequirement bool
+	IgnoredNamespaces                     map[string]struct{}
 	IgnoredTests                          map[string]struct{}
 	EnabledOptionalTests                  map[string]struct{}
 	UseIgnoreChecksAnnotation             bool

diff --git a/score/score.go b/score/score.go
@@ -48,7 +48,7 @@ func Score(allObjects ks.AllTypes, cnf config.Configuration) (*scorecard.Scoreca
 	scoreCard := scorecard.New()
 
 	newObject := func(typeMeta metav1.TypeMeta, objectMeta metav1.ObjectMeta) *scorecard.ScoredObject {
-		return scoreCard.NewObject(typeMeta, objectMeta, cnf.UseIgnoreChecksAnnotation)
+		return scoreCard.NewObject(typeMeta, objectMeta, cnf.UseIgnoreChecksAnnotation, cnf.IgnoredNamespaces)
 	}
 
 	for _, ingress := range allObjects.Ingresses() {

diff --git a/score/security_test.go b/score/security_test.go
@@ -389,3 +389,31 @@ func TestContainerSecurityContextReadOnlyRootFilesystemNoSecurityContext(t *test
 		Description: "Set securityContext to run the container in a more secure context.",
 	})
 }
+
+func TestServiceIgnoreNamespace(t *testing.T) {
+	t.Parallel()
+
+	structMap := make(map[string]struct{})
+	structMap["site"] = struct{}{}
+
+	s, err := testScore(config.Configuration{
+		VerboseOutput:     0,
+		AllFiles:          []ks.NamedReader{testFile("service-externalname.yaml")},
+		IgnoredNamespaces: structMap,
+	})
+	assert.Nil(t, err)
+	assert.Len(t, s, 1)
+
+	tested := false
+
+	for _, o := range s {
+		for _, c := range o.Checks {
+			if c.Check.ID == "service-targets-pod" {
+				assert.True(t, c.Skipped)
+				assert.Equal(t, scorecard.GradeAllOK, c.Grade)
+				tested = true
+			}
+		}
+	}
+	assert.True(t, tested)
+}
diff --git a/scorecard/scorecard.go b/scorecard/scorecard.go
@@ -19,11 +19,12 @@ func New() Scorecard {
 	return make(Scorecard)
 }
 
-func (s Scorecard) NewObject(typeMeta metav1.TypeMeta, objectMeta metav1.ObjectMeta, useIgnoreChecksAnnotation bool) *ScoredObject {
+func (s Scorecard) NewObject(typeMeta metav1.TypeMeta, objectMeta metav1.ObjectMeta, useIgnoreChecksAnnotation bool, ignoredNamespaces map[string]struct{}) *ScoredObject {
 	o := &ScoredObject{
 		TypeMeta:   typeMeta,
 		ObjectMeta: objectMeta,
 		Checks:     make([]TestScore, 0),
+		ignoredNamespaces: ignoredNamespaces,
 	}
 
 	// If this object already exists, return the previous version
@@ -55,6 +56,7 @@ type ScoredObject struct {
 	Checks       []TestScore
 
 	ignoredChecks map[string]struct{}
+	ignoredNamespaces          map[string]struct{}
 }
 
 func (s ScoredObject) AnyBelowOrEqualToGrade(threshold Grade) bool {
@@ -99,6 +101,11 @@ func (so *ScoredObject) Add(ts TestScore, check ks.Check, locationer ks.FileLoca
 		ts.Comments = []TestScoreComment{{Summary: fmt.Sprintf("Skipped because %s is ignored", check.ID)}}
 	}
 
+	if _, ok := so.ignoredNamespaces[so.ObjectMeta.Namespace]; ok {
+		ts.Skipped = true
+		ts.Comments = []TestScoreComment{{Summary: fmt.Sprintf("Skipped because the %s namespace is ignored", so.ObjectMeta.Namespace)}}
+	}
+
 	so.Checks = append(so.Checks, ts)
 }