"kube-score list" generates a go panic #643

Open
lucj opened this issue Jan 18, 2025 · 5 comments

lucj commented Jan 18, 2025

Which version of kube-score are you using?

1.19.0

What did you do?

I installed kube-score both on macOS (with Brew) and on a Linux machine (from release), but each installation generates a Go panic when I run the kube-score list command.

MacOS

(base) ~ $ brew install kube-score
==> Downloading https://formulae.brew.sh/api/formula.jws.json
############################################################################################################################### 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
############################################################################################################################### 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/kube-score/manifests/1.19.0
############################################################################################################################### 100.0%
==> Fetching kube-score
==> Downloading https://ghcr.io/v2/homebrew/core/kube-score/blobs/sha256:f0983996db902e80972d36c5603393d1acbdcdb5dddc27372ca6aefc3a6bc
############################################################################################################################### 100.0%
==> Pouring kube-score--1.19.0.arm64_sequoia.bottle.tar.gz
🍺  /opt/homebrew/Cellar/kube-score/1.19.0: 6 files, 14.3MB
==> Running `brew cleanup kube-score`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
(base) ~ $ kube-score list
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x105263d5c]

goroutine 1 [running]:
github.com/zegl/kube-score/score.RegisterAllChecks({0x10551d530, 0x1400022e360}, 0x0?, 0x0)
	github.com/zegl/kube-score/score/score.go:34 +0x1dc
main.listChecks({0x16b292dc0, 0xa}, {0x140000dc000, 0x0, 0x0})
	github.com/zegl/kube-score/cmd/kube-score/main.go:298 +0x1b4
main.main.func2({0x16b292dc0?, 0x14000193f08?}, {0x140000dc000?, 0x4?, 0x105285f0e?})
	github.com/zegl/kube-score/cmd/kube-score/main.go:44 +0x24
main.main()
	github.com/zegl/kube-score/cmd/kube-score/main.go:68 +0x378

Linux:

root@docker:~# kube-score version
kube-score version: 1.19.0, commit: a0a0f48c808611965e2690d8af1b1d8a5415fd0b, built: 2024-10-01T09:36:35Z
root@docker:~# kube-score list
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xb82a43]

goroutine 1 [running]:
github.com/zegl/kube-score/score.RegisterAllChecks({0xe2e6f0, 0xc00020c240}, 0x0?, 0x0)
        /Users/gustav/src/kube-score/score/score.go:34 +0x283
main.listChecks({0x7ffdba695860, 0xa}, {0xc000128000, 0x0, 0x0})
        /Users/gustav/src/kube-score/cmd/kube-score/main.go:298 +0x1d8
main.main.func2({0x7ffdba695860?, 0xc00016bf10?}, {0xc000128000?, 0x4?, 0xc00011e8a0?})
        /Users/gustav/src/kube-score/cmd/kube-score/main.go:44 +0x1d
main.main()
        /Users/gustav/src/kube-score/cmd/kube-score/main.go:68 +0x391
root@docker:~#

What did you expect to see?

The list of the available kube-score checks.

What did you see instead?

A panic dump.

Contributor

kmarteaux commented Jan 21, 2025

  • @lucj, I was not able to replicate the issue in my local development environment when building from source code :-|
  • @zegl, 1.19.0 was released Oct 2024. Are we due for a new release?

$ PATH=.:$PATH
$ git checkout master
$ git pull
$ go mod vendor
go: downloading k8s.io/apimachinery v0.32.0
go: downloading k8s.io/api v0.32.0
go: downloading github.com/stretchr/testify v1.10.0
go: downloading golang.org/x/term v0.28.0
go: downloading k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
go: downloading golang.org/x/sys v0.29.0
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.4.2
go: downloading sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3
go: downloading golang.org/x/net v0.33.0
go: downloading golang.org/x/text v0.21.0
$ go build $(pwd)/cmd/kube-score
$ go test -v $(pwd)/cmd/kube-score
=== RUN TestParseCli
--- PASS: TestParseCli (0.00s)
=== RUN TestExecName
--- PASS: TestExecName (0.00s)
PASS
ok github.com/zegl/kube-score/cmd/kube-score 0.424s
$ ./kube-score list
deployment-strategy,Deployment,Makes sure that all Deployments targeted by service use RollingUpdate strategy,default
deployment-replicas,Deployment,Makes sure that Deployment has multiple replicas,default
ingress-targets-service,Ingress,Makes sure that the Ingress targets a Service,default
cronjob-has-deadline,CronJob,Makes sure that all CronJobs has a configured deadline,default
cronjob-restartpolicy,CronJob,Makes sure CronJobs have a valid RestartPolicy,default
container-resources,Pod,Makes sure that all pods have resource limits and requests set. The --ignore-container-cpu-limit flag can be used to disable the requirement of having a CPU limit,default
container-resource-requests-equal-limits,Pod,Makes sure that all pods have the same requests as limits on resources set.,optional
container-cpu-requests-equal-limits,Pod,Makes sure that all pods have the same CPU requests as limits set.,optional
container-memory-requests-equal-limits,Pod,Makes sure that all pods have the same memory requests as limits set.,optional
container-image-tag,Pod,Makes sure that a explicit non-latest tag is used,default
container-image-pull-policy,Pod,Makes sure that the pullPolicy is set to Always. This makes sure that imagePullSecrets are always validated.,default
container-ephemeral-storage-request-and-limit,Pod,Makes sure all pods have ephemeral-storage requests and limits set,default
container-ephemeral-storage-request-equals-limit,Pod,Make sure all pods have matching ephemeral-storage requests and limits,optional
container-ports-check,Pod,Container Ports Checks,optional
environment-variable-key-duplication,Pod,Makes sure that duplicated environment variable keys are not duplicated,default
statefulset-has-poddisruptionbudget,StatefulSet,Makes sure that all StatefulSets are targeted by a PDB,default
deployment-has-poddisruptionbudget,Deployment,Makes sure that all Deployments are targeted by a PDB,default
poddisruptionbudget-has-policy,PodDisruptionBudget,Makes sure that PodDisruptionBudgets specify minAvailable or maxUnavailable,default
pod-networkpolicy,Pod,Makes sure that all Pods are targeted by a NetworkPolicy,default
networkpolicy-targets-pod,NetworkPolicy,Makes sure that all NetworkPolicies targets at least one Pod,default
pod-probes,Pod,Makes sure that all Pods have safe probe configurations,default
container-security-context-user-group-id,Pod,Makes sure that all pods have a security context with valid UID and GID set ,default
container-security-context-privileged,Pod,Makes sure that all pods have a unprivileged security context set,default
container-security-context-readonlyrootfilesystem,Pod,Makes sure that all pods have a security context with read only filesystem set,default
container-seccomp-profile,Pod,Makes sure that all pods have at a seccomp policy configured.,optional
service-targets-pod,Service,Makes sure that all Services targets a Pod,default
service-type,Service,Makes sure that the Service type is not NodePort,default
stable-version,all,Checks if the object is using a deprecated apiVersion,default
deployment-has-host-podantiaffinity,Deployment,Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/,default
statefulset-has-host-podantiaffinity,StatefulSet,Makes sure that a podAntiAffinity has been set that prevents multiple pods from being scheduled on the same node. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/,default
deployment-targeted-by-hpa-does-not-have-replicas-configured,Deployment,Makes sure that Deployments using a HorizontalPodAutoscaler doesn't have a statically configured replica count set,default
statefulset-has-servicename,StatefulSet,Makes sure that StatefulSets have an existing headless serviceName.,default
deployment-pod-selector-labels-match-template-metadata-labels,Deployment,Ensure the StatefulSet selector labels match the template metadata labels.,default
statefulset-pod-selector-labels-match-template-metadata-labels,StatefulSet,Ensure the StatefulSet selector labels match the template metadata labels.,default
label-values,all,Validates label values,default
horizontalpodautoscaler-has-target,HorizontalPodAutoscaler,Makes sure that the HPA targets a valid object,default
horizontalpodautoscaler-replicas,HorizontalPodAutoscaler,Makes sure that the HPA has multiple replicas,default
pod-topology-spread-constraints,Pod,Pod Topology Spread Constraints,default

Author

lucj commented Jan 21, 2025

@kmarteaux, can you spin up a new Ubuntu VM (I did my test on 22.04)?
That may be something on my end, but I'm getting the error both on macOS and on a fresh Linux VM :(


rnnr commented Jan 22, 2025

Have just installed v1.19.0 via krew and it segfaults too.
Kube-score built from sources works well.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xb82a43]

goroutine 1 [running]:
github.com/zegl/kube-score/score.RegisterAllChecks({0xe2e6f0, 0xc000234000}, 0x1?, 0x0)
        /Users/gustav/src/kube-score/score/score.go:34 +0x283
main.listChecks({0xc00014ec90, 0xd}, {0xc000034110, 0x1, 0x1})
        /Users/gustav/src/kube-score/cmd/kube-score/main.go:298 +0x1d8
main.main.func2({0xc00014ec90?, 0xc000113f10?}, {0xc000034110?, 0x4?, 0xc000034900?})
        /Users/gustav/src/kube-score/cmd/kube-score/main.go:44 +0x1d
main.main()
        /Users/gustav/src/kube-score/cmd/kube-score/main.go:68 +0x391
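
The traces in this thread come from different installs (Homebrew, release binary, krew) and print different source paths, yet all stop at the same frame. An added example, not part of the thread or of kube-score, that reduces a Go panic trace to a comparable fingerprint for triage; the `Fingerprint` function and its output format are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

var (
	callRe = regexp.MustCompile(`^(\S+)\((.*)\)$`) // function(args)
	locRe  = regexp.MustCompile(`^\s+(\S+):(\d+)`) // <indent>file:line +offset
)

// Fingerprint reduces a Go panic trace to "function@file:line" of the frame
// that panicked, plus the number of argument words printed as exactly 0x0.
// Only the file's base name is kept, so a module path and a build-machine
// path for the same source line compare equal.
func Fingerprint(trace string) (id string, nilWords int, ok bool) {
	lines := strings.Split(trace, "\n")
	for i := 0; i+2 < len(lines); i++ {
		if !strings.HasPrefix(lines[i], "goroutine ") {
			continue
		}
		call := callRe.FindStringSubmatch(strings.TrimSpace(lines[i+1]))
		loc := locRe.FindStringSubmatch(lines[i+2])
		if call == nil || loc == nil {
			return "", 0, false
		}
		for _, w := range strings.Split(call[2], ", ") {
			// A trailing "?" marks a value the runtime could not vouch for; skip those.
			if strings.Trim(w, "{}") == "0x0" {
				nilWords++
			}
		}
		return call[1] + "@" + path.Base(loc[1]) + ":" + loc[2], nilWords, true
	}
	return "", 0, false
}

// Top frames excerpted from the macOS and Linux traces in this thread.
const macTrace = "goroutine 1 [running]:\n" +
	"github.com/zegl/kube-score/score.RegisterAllChecks({0x10551d530, 0x1400022e360}, 0x0?, 0x0)\n" +
	"\tgithub.com/zegl/kube-score/score/score.go:34 +0x1dc\n"
const linuxTrace = "goroutine 1 [running]:\n" +
	"github.com/zegl/kube-score/score.RegisterAllChecks({0xe2e6f0, 0xc00020c240}, 0x0?, 0x0)\n" +
	"        /Users/gustav/src/kube-score/score/score.go:34 +0x283\n"

func main() {
	for _, t := range []string{macTrace, linuxTrace} {
		fmt.Println(Fingerprint(t))
	}
}
```

Both excerpts yield the same fingerprint and one definite nil argument word, which is what marks them as one defect rather than two platform-specific ones.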

Contributor

kmarteaux commented Jan 23, 2025

@lucj et al. I fixed this in the commit associated with pod seccomp updates (Fix optional check for seccomp #590), which was merged on 25 Nov 2024. When @zegl creates a new release, this problem will be addressed.

The specific update can be seen here -- 3c0ad34#diff-9ed426f8448c8e7ff62f7454e4e5a5ae02707773da68f2781bcc86ecab4e983eR31

I experienced this problem while testing the feature and fixed it (without thinking too much about it).

Author

lucj commented Jan 23, 2025

Thanks @kmarteaux 👍
@zegl any ETA for the next release ? 😀
