fix(kubernetes-mcp-server): align template standards#669
Conversation
Standards Check (GR-079) — PASSEvery changed chart fully passes standards-check. |
📝 WalkthroughWalkthroughThis PR updates chart validation, ingress, and NetworkPolicy rendering, bumps the default image tag to v0.0.63, and expands the chart README, NOTES, values schema, and tests to match the new behavior. ChangesChart validation, networking, and image updates
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Helm
participant validate_yaml as validate.yaml
participant ValidateHelper as kubernetes-mcp-server.validate
participant networkpolicy_yaml as networkpolicy.yaml
Helm->>validate_yaml: render chart
validate_yaml->>ValidateHelper: include validation checks
ValidateHelper-->>validate_yaml: fail or pass
Helm->>networkpolicy_yaml: render NetworkPolicy
networkpolicy_yaml->>networkpolicy_yaml: build egress policy and rules
networkpolicy_yaml-->>Helm: rendered manifest
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
🟢 Security Scan:
|
| Framework | Score |
|---|---|
| MITRE + NSA + SOC2 | 74.242424% |
✅ Security posture acceptable.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
charts/kubernetes-mcp-server/templates/networkpolicy.yaml (1)
3-3: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winBaseline DNS/HTTPS egress unreachable without a dummy
extraEgressentry.The entire egress block (including the "built-in" DNS/HTTPS rules) only renders when
$extraEgressis non-empty. There's no independent toggle to enable egress isolation with just the baseline DNS+HTTPS allowances — a user who wants to restrict egress to only DNS/HTTPS (no custom rules) has no way to do so without adding a placeholder entry toextraEgress. This contradicts the values.yaml comment, which implies the baseline rules are a standing allowance thatextraEgressmerely appends to.Consider gating the
EgresspolicyType and baseline rules on a dedicated flag (e.g., reuse.Values.networkPolicy.enabledor add an explicitegressEnabled), and treatextraEgresspurely as additive.Also applies to: 16-18, 29-49
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/kubernetes-mcp-server/templates/networkpolicy.yaml` at line 3, The NetworkPolicy egress section is currently tied to extraEgress being non-empty, so the built-in DNS/HTTPS allowances never render on their own. Update the networkpolicy.yaml logic around the networkPolicy template to gate the Egress policyType and baseline DNS/HTTPS rules with a dedicated flag such as .Values.networkPolicy.enabled or a new egressEnabled setting, and keep .Values.networkPolicy.extraEgress purely additive. Make sure the main template condition and the egress rendering block in the network policy manifest use the same controlling symbol so baseline egress works without a dummy entry.charts/kubernetes-mcp-server/tests/validation_test.yaml (1)
29-35: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueConsider adding a symmetric test for
app.kubernetes.io/nameoverride.Only the
app.kubernetes.io/instanceoverride branch is covered; theapp.kubernetes.io/namefail branch inkubernetes-mcp-server.validate(charts/kubernetes-mcp-server/templates/_helpers.tpl, lines 28-30) has no matching test.✅ Suggested additional test case
- it: fails when podLabels override selector labels set: podLabels: app.kubernetes.io/instance: custom asserts: - failedTemplate: errorMessage: "podLabels must not override the selector label app.kubernetes.io/instance" + - it: fails when podLabels override the name selector label + set: + podLabels: + app.kubernetes.io/name: custom + asserts: + - failedTemplate: + errorMessage: "podLabels must not override the selector label app.kubernetes.io/name"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/kubernetes-mcp-server/tests/validation_test.yaml` around lines 29 - 35, Add a matching validation test for the other selector label override in kubernetes-mcp-server.validate so both fail branches are covered. Update validation_test.yaml alongside the existing failedTemplate case for podLabels/app.kubernetes.io/instance by adding a symmetric case that sets podLabels.app.kubernetes.io/name to a custom value and asserts the expected error message from kubernetes-mcp-server.validate. Keep the test structure consistent with the current Helm chart validation tests so the new case clearly exercises the name override path in _helpers.tpl.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/kubernetes-mcp-server/templates/networkpolicy.yaml`:
- Around line 29-37: The egress DNS rule in the NetworkPolicy template is too
broad because the current egress stanza under the $extraEgress block uses
namespaceSelector: {} and allows port 53 to any namespace. Tighten the scope in
templates/networkpolicy.yaml by updating the egress target in this policy to
only match the DNS service pods used by the cluster (for example via a more
specific podSelector and/or namespaceSelector for CoreDNS/kube-dns), while
keeping the existing UDP/TCP 53 ports. Refer to the egress block inside the
NetworkPolicy template so the selector change is applied in the right place.
---
Nitpick comments:
In `@charts/kubernetes-mcp-server/templates/networkpolicy.yaml`:
- Line 3: The NetworkPolicy egress section is currently tied to extraEgress
being non-empty, so the built-in DNS/HTTPS allowances never render on their own.
Update the networkpolicy.yaml logic around the networkPolicy template to gate
the Egress policyType and baseline DNS/HTTPS rules with a dedicated flag such as
.Values.networkPolicy.enabled or a new egressEnabled setting, and keep
.Values.networkPolicy.extraEgress purely additive. Make sure the main template
condition and the egress rendering block in the network policy manifest use the
same controlling symbol so baseline egress works without a dummy entry.
In `@charts/kubernetes-mcp-server/tests/validation_test.yaml`:
- Around line 29-35: Add a matching validation test for the other selector label
override in kubernetes-mcp-server.validate so both fail branches are covered.
Update validation_test.yaml alongside the existing failedTemplate case for
podLabels/app.kubernetes.io/instance by adding a symmetric case that sets
podLabels.app.kubernetes.io/name to a custom value and asserts the expected
error message from kubernetes-mcp-server.validate. Keep the test structure
consistent with the current Helm chart validation tests so the new case clearly
exercises the name override path in _helpers.tpl.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 6182e5c7-6733-407b-82b6-44fc6f482672
📒 Files selected for processing (12)
charts/kubernetes-mcp-server/README.mdcharts/kubernetes-mcp-server/templates/NOTES.txtcharts/kubernetes-mcp-server/templates/_helpers.tplcharts/kubernetes-mcp-server/templates/deployment.yamlcharts/kubernetes-mcp-server/templates/ingress.yamlcharts/kubernetes-mcp-server/templates/networkpolicy.yamlcharts/kubernetes-mcp-server/templates/validate.yamlcharts/kubernetes-mcp-server/tests/networkpolicy_test.yamlcharts/kubernetes-mcp-server/tests/templates_test.yamlcharts/kubernetes-mcp-server/tests/validation_test.yamlcharts/kubernetes-mcp-server/values.schema.jsoncharts/kubernetes-mcp-server/values.yaml
4f4c21e to
061337f
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/kubernetes-mcp-server/values.yaml`:
- Around line 70-82: The network policy configuration currently ties the
built-in DNS/HTTPS egress rules to extraEgress, so networkPolicy.enabled alone
does not emit an egress policy. Update the values handling around networkPolicy,
policyTypes, and the egress block so the default DNS/HTTPS rules are included
whenever networkPolicy.enabled is true, and append extraEgress only if it is
provided. Use the networkPolicy configuration keys and the egress policy
assembly logic to locate the change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 7d53ec09-f399-4465-a8a0-560cf79e3e0d
📒 Files selected for processing (12)
charts/kubernetes-mcp-server/README.mdcharts/kubernetes-mcp-server/templates/NOTES.txtcharts/kubernetes-mcp-server/templates/_helpers.tplcharts/kubernetes-mcp-server/templates/deployment.yamlcharts/kubernetes-mcp-server/templates/ingress.yamlcharts/kubernetes-mcp-server/templates/networkpolicy.yamlcharts/kubernetes-mcp-server/templates/validate.yamlcharts/kubernetes-mcp-server/tests/networkpolicy_test.yamlcharts/kubernetes-mcp-server/tests/templates_test.yamlcharts/kubernetes-mcp-server/tests/validation_test.yamlcharts/kubernetes-mcp-server/values.schema.jsoncharts/kubernetes-mcp-server/values.yaml
✅ Files skipped from review due to trivial changes (4)
- charts/kubernetes-mcp-server/templates/ingress.yaml
- charts/kubernetes-mcp-server/README.md
- charts/kubernetes-mcp-server/templates/deployment.yaml
- charts/kubernetes-mcp-server/templates/NOTES.txt
🚧 Files skipped from review as they are similar to previous changes (5)
- charts/kubernetes-mcp-server/tests/networkpolicy_test.yaml
- charts/kubernetes-mcp-server/tests/validation_test.yaml
- charts/kubernetes-mcp-server/templates/networkpolicy.yaml
- charts/kubernetes-mcp-server/tests/templates_test.yaml
- charts/kubernetes-mcp-server/templates/_helpers.tpl
061337f to
d52cfa8
Compare
Summary
networkPolicy.enabled=true, with built-in DNS and HTTPS allowances plus configurablenetworkPolicy.dnsEgressPeersdefaulting to kube-system/kube-dnsnetworkPolicy.extraEgressadditive for API server or proxy rules, and sync values schema defaults plus unit coverage for selector label overrides, existingClaim scaling, scoped DNS egress, and baseline egressValidation
Issue: #633
Site PR: helmforgedev/site#347
Summary by CodeRabbit
networkPolicy.extraEgressandnetworkPolicy.dnsEgressPeersto extend/shape egress rules beyond built-in DNS/HTTPS allowances.ingress.ingressClassNameis now rendered only when explicitly set (non-empty).v0.0.63.