From 9280fa301ccacae234e61af44cac7d8ba4c2ea34 Mon Sep 17 00:00:00 2001
From: Antonio Gurgel
Date: Wed, 22 Nov 2023 12:00:58 -0800
Subject: [PATCH] Don't fire K8S002 on zero-replica workloads

By definition, a workload with no pods can't be disrupted by an upgrade.
---
 eksup/src/k8s/resources.rs | 2 +-
 tests/deployment.yaml | 48 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/eksup/src/k8s/resources.rs b/eksup/src/k8s/resources.rs
index 1561e0a..791e158 100644
--- a/eksup/src/k8s/resources.rs
+++ b/eksup/src/k8s/resources.rs
@@ -462,7 +462,7 @@ impl checks::K8sFindings for StdResource {
 match replicas {
 Some(replicas) => {
- if replicas < 3 {
+ if replicas < 3 && replicas > 0 {
 let remediation = finding::Remediation::Required;
 let finding = finding::Finding {
 code: finding::Code::K8S002,
diff --git a/tests/deployment.yaml b/tests/deployment.yaml
index 7e7723b..e1e85bb 100644
--- a/tests/deployment.yaml
+++ b/tests/deployment.yaml
@@ -83,3 +83,51 @@ spec:
 - name: tmp
 hostPath:
 path: /tmp
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ignored-dpl
+ namespace: deployment
+ labels:
+ app: ignored-dpl
+spec:
+ replicas: 0
+ minReadySeconds: 0
+ selector:
+ matchLabels:
+ app: ignored-dpl
+ template:
+ metadata:
+ labels:
+ app: ignored-dpl
+ spec:
+ topologySpreadConstraints:
+ - maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ topologyKey: topology.kubernetes.io/zone
+ labelSelector:
+ matchLabels:
+ app: ignored-dpl
+ containers:
+ - name: goproxy
+ image: registry.k8s.io/goproxy:0.1
+ ports:
+ - containerPort: 8080
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ volumeMounts:
+ - name: tmp
+ mountPath: /tmp
+ volumes:
+ - name: tmp
+ hostPath:
+ path: /tmp
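Review bot: The new condition `replicas < 3 && replicas > 0` drops zero-replica workloads from K8S002 without a comment saying why, and a workload that is only at zero when the scan runs (an autoscaler that scales to zero, a manual scale-down) will later return with one or two pods and face the disruption this check exists to report. I would record the intent at the condition, e.g. `// replicas == 0: nothing running to disrupt, so K8S002 does not apply; revisit if scale-to-zero workloads should be reported`, and write the bound as a single range test, `if (1..3).contains(&replicas) {`. If those workloads matter to users, reporting them at a lower remediation level than `finding::Remediation::Required` instead of skipping them would keep them visible; whether the enum offers such a level is not shown here. The `match` and its enclosing function start and end outside the hunk, so the `None` arm cannot be reviewed from this patch.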
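Review bot: Nothing in the added manifest says what `ignored-dpl` is for; the property under test is `replicas: 0`, but the name does not say which check is expected to ignore it, and a later edit could change the replica count without noticing it defeats the fixture. A comment directly under the `---` separator, such as `# replicas: 0 -> must not raise K8S002 (no pods to disrupt)`, would pin that down. The patch as shown adds only the fixture and no assertion on the scan output, so if the suite compares against a stored expected result, that file presumably needs to confirm that no K8S002 entry appears for this workload. The fixture also covers only a Deployment, while the changed check sits in the `StdResource` impl and may apply to other workload kinds as well.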