zegl · psibi · May 4, 2021
diff --git a/cmd/kube-score/main.go b/cmd/kube-score/main.go
@@ -105,6 +105,7 @@ func scoreFiles(binName string, args []string) error {
 	outputVersion := fs.String("output-version", "", "Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.")
 	optionalTests := fs.StringSlice("enable-optional-test", []string{}, "Enable an optional test, can be set multiple times")
 	ignoreTests := fs.StringSlice("ignore-test", []string{}, "Disable a test, can be set multiple times")
+	ignoreNamespaces := fs.StringSlice("ignore-namespace", []string{}, "Disable test on specific namespace, can be set multiple times")
 	disableIgnoreChecksAnnotation := fs.Bool("disable-ignore-checks-annotations", false, "Set to true to disable the effect of the 'kube-score/ignore' annotations")
 	kubernetesVersion := fs.String("kubernetes-version", "v1.18", "Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results.")
 	setDefault(fs, binName, "score", false)
@@ -154,6 +155,7 @@ Use "-" as filename to read from STDIN.`, execName(binName))
 	}
 
 	ignoredTests := listToStructMap(ignoreTests)
+	ignoredNamespaces := listToStructMap(ignoreNamespaces)
 	enabledOptionalTests := listToStructMap(optionalTests)
 
 	kubeVer, err := config.ParseSemver(*kubernetesVersion)
@@ -166,6 +168,7 @@ Use "-" as filename to read from STDIN.`, execName(binName))
 		VerboseOutput:                         *verboseOutput,
 		IgnoreContainerCpuLimitRequirement:    *ignoreContainerCpuLimit,
 		IgnoreContainerMemoryLimitRequirement: *ignoreContainerMemoryLimit,
+		IgnoredNamespaces:                     ignoredNamespaces,
 		IgnoredTests:                          ignoredTests,
 		EnabledOptionalTests:                  enabledOptionalTests,
 		UseIgnoreChecksAnnotation:             !*disableIgnoreChecksAnnotation,

diff --git a/config/config.go b/config/config.go
@@ -14,6 +14,7 @@ type Configuration struct {
 	VerboseOutput                         int
 	IgnoreContainerCpuLimitRequirement    bool
 	IgnoreContainerMemoryLimitRequirement bool
+	IgnoredNamespaces                     map[string]struct{}
 	IgnoredTests                          map[string]struct{}
 	EnabledOptionalTests                  map[string]struct{}
 	UseIgnoreChecksAnnotation             bool

diff --git a/score/score.go b/score/score.go
@@ -48,7 +48,7 @@ func Score(allObjects ks.AllTypes, cnf config.Configuration) (*scorecard.Scoreca
 	scoreCard := scorecard.New()
 
 	newObject := func(typeMeta metav1.TypeMeta, objectMeta metav1.ObjectMeta) *scorecard.ScoredObject {
-		return scoreCard.NewObject(typeMeta, objectMeta, cnf.UseIgnoreChecksAnnotation)
+		return scoreCard.NewObject(typeMeta, objectMeta, cnf.UseIgnoreChecksAnnotation, cnf.IgnoredNamespaces)
 	}
 
 	for _, ingress := range allObjects.Ingresses() {

diff --git a/score/security_test.go b/score/security_test.go
@@ -389,3 +389,31 @@ func TestContainerSecurityContextReadOnlyRootFilesystemNoSecurityContext(t *test
 		Description: "Set securityContext to run the container in a more secure context.",
 	})
 }
+
+func TestServiceIgnoreNamespace(t *testing.T) {
+	t.Parallel()
+
+	structMap := make(map[string]struct{})
+	structMap["site"] = struct{}{}
+
+	s, err := testScore(config.Configuration{
+		VerboseOutput:     0,
+		AllFiles:          []ks.NamedReader{testFile("service-externalname.yaml")},
+		IgnoredNamespaces: structMap,
+	})
+	assert.Nil(t, err)
+	assert.Len(t, s, 1)
+
+	tested := false
+
+	for _, o := range s {
+		for _, c := range o.Checks {
+			if c.Check.ID == "service-targets-pod" {
+				assert.True(t, c.Skipped)
+				assert.Equal(t, scorecard.GradeAllOK, c.Grade)
+				tested = true
+			}
+		}
+	}
+	assert.True(t, tested)
+}
diff --git a/scorecard/scorecard.go b/scorecard/scorecard.go
@@ -19,11 +19,12 @@ func New() Scorecard {
 	return make(Scorecard)
 }
 
-func (s Scorecard) NewObject(typeMeta metav1.TypeMeta, objectMeta metav1.ObjectMeta, useIgnoreChecksAnnotation bool) *ScoredObject {
+func (s Scorecard) NewObject(typeMeta metav1.TypeMeta, objectMeta metav1.ObjectMeta, useIgnoreChecksAnnotation bool, ignoredNamespaces map[string]struct{}) *ScoredObject {
 	o := &ScoredObject{
-		TypeMeta:   typeMeta,
-		ObjectMeta: objectMeta,
-		Checks:     make([]TestScore, 0),
+		TypeMeta:          typeMeta,
+		ObjectMeta:        objectMeta,
+		Checks:            make([]TestScore, 0),
+		ignoredNamespaces: ignoredNamespaces,
 	}
 
 	// If this object already exists, return the previous version
@@ -54,7 +55,8 @@ type ScoredObject struct {
 	FileLocation ks.FileLocation
 	Checks       []TestScore
 
-	ignoredChecks map[string]struct{}
+	ignoredChecks     map[string]struct{}
+	ignoredNamespaces map[string]struct{}
 }
 
 func (s ScoredObject) AnyBelowOrEqualToGrade(threshold Grade) bool {
@@ -99,6 +101,11 @@ func (so *ScoredObject) Add(ts TestScore, check ks.Check, locationer ks.FileLoca
 		ts.Comments = []TestScoreComment{{Summary: fmt.Sprintf("Skipped because %s is ignored", check.ID)}}
 	}
 
+	if _, ok := so.ignoredNamespaces[so.ObjectMeta.Namespace]; ok {
+		ts.Skipped = true
+		ts.Comments = []TestScoreComment{{Summary: fmt.Sprintf("Skipped because the %s namespace is ignored", so.ObjectMeta.Namespace)}}
+	}
+
 	so.Checks = append(so.Checks, ts)
 }