# ... K8S006, K8S007, K8S008, K8S013 all use the same `ignore:` shape
167
179
```
168
180
169
181
-`K8S002.min_replicas`: Global minimum replica threshold (default: 2). Must be >= 1.
170
-
- `K8S002.ignore`: List of resources (by name + namespace) to exclude from the minimum replicas check.
171
-
- `K8S002.overrides`: Per-resource minimum replica threshold. Overrides the global default.
172
-
- `K8S004.ignore`: List of resources (by name + namespace) to exclude from the PodDisruptionBudget check.
173
-
- Ignore takes precedence over overrides when both match the same resource.
182
+
-`K8S002.overrides`: Per-resource minimum replica threshold (globs supported). Overrides the global default.
183
+
-`ignore` takes precedence over `overrides` when both match the same resource.
174
184
- Unknown fields in the configuration file are rejected with an error.
185
+
186
+
#### The `checks.all` block
187
+
188
+
`checks.all.ignore` applies across **every** workload check. Selectors listed here are merged with each check's own `ignore` list, so you can suppress noisy namespaces or naming patterns in one place instead of repeating the same entry under every code.
189
+
190
+
#### Glob syntax
191
+
192
+
`name` and `namespace` selectors support standard glob syntax:
193
+
194
+
-`*` — matches any sequence of characters (including empty)
195
+
-`?` — matches exactly one character
196
+
-`[abc]` / `[a-z]` — character classes
197
+
-`{a,b,c}` — brace expansion (alternation)
198
+
199
+
Literal strings still work and continue to behave as exact matches — existing configs without globs remain valid.
200
+
201
+
#### Workload checks that support `ignore`
202
+
203
+
The following workload checks accept the `ignore:` shape shown above (each rule is matched against the resource's `name` + `namespace`):
204
+
205
+
-`K8S002` — minimum replicas
206
+
-`K8S003` — minimum ready seconds
207
+
-`K8S004` — PodDisruptionBudget present
208
+
-`K8S005` — pod topology spread / anti-affinity
209
+
-`K8S006` — readiness probe configured
210
+
-`K8S007` — termination grace period
211
+
-`K8S008` — Docker socket mount
212
+
-`K8S013` — `ingress-nginx` controller retirement
213
+
214
+
#### Cluster-level checks (no `ignore` support)
215
+
216
+
Cluster-level checks do not support `ignore` because their findings have no resource `name` + `namespace` to match against:
217
+
218
+
-`AWS001` – `AWS005` — AWS-side checks
219
+
-`EKS001` – `EKS010` — EKS-side checks
220
+
-`K8S001` — Kubernetes version skew
221
+
-`K8S009` — Pod Security Policies
222
+
-`K8S010` — EBS CSI driver
223
+
-`K8S011` — kube-proxy / kubelet version skew
224
+
-`K8S012` — kube-proxy IPVS mode (singleton DaemonSet; finding has no per-resource fields)
225
+
226
+
The right control for a cluster-level check is "disable the check entirely" — a separate, future feature.
227
+
228
+
#### `--show-suppressed` flag
229
+
230
+
Both `eksup analyze` and `eksup create playbook` accept `--show-suppressed`. By default, suppressed findings are hidden and a single-line summary (e.g. `3 findings suppressed by .eksup.yaml (use --show-suppressed to view)`) is printed. With the flag set, suppressed findings are rendered inline under a `Suppressed by .eksup.yaml (N):` section so you can audit exactly what your config is filtering out.
231
+
232
+
#### JSON output: `suppressed` key
233
+
234
+
The JSON output (`--format json`) always includes a top-level `suppressed:` key alongside the regular findings, regardless of `--show-suppressed`. Programmatic consumers can inspect every suppressed finding without re-running the analysis. The `--show-suppressed` flag only affects human-readable stdout/playbook rendering.
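Review bot: The "The `checks.all` block" paragraph should say how far a broad selector reaches. Entries in `checks.all.ignore` are merged into every workload check's `ignore` list, so a `namespace` or `name` glob such as `*` also suppresses K8S008 (Docker socket mount) findings, not only the noisy availability checks. In default output the only hint is the single-line summary. Suggest adding a sentence there that recommends narrow selectors in `checks.all.ignore` and points readers to `--show-suppressed` or the JSON `suppressed` key for reviewing what is filtered. Related documentation gap: neither the `--show-suppressed` section nor the JSON section says whether a suppressed finding records which selector matched (the check's own `ignore` or `checks.all.ignore`). With merged lists and globs, that is what an auditor needs to trace a suppression back to its config line. Minor: "Glob syntax" lists brace expansion under "standard glob syntax" without stating whether matching is case-sensitive, and the JSON section writes the key as `suppressed:` with a YAML-style colon.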