Improve kubectl diff Behavior in New K8s Diff Step by Avoiding --namespace Flag for Cluster-Scoped Resources
long-term
Yellowwood Bear
Harness recently introduced a new Kubernetes step called K8s Diff, which generally functions as expected. However, we've encountered limitations in environments where workloads span multiple namespaces or include cluster-scoped resources (such as ClusterRole, ClusterRoleBinding, CustomResourceDefinition, etc.).
Currently, the K8s Diff step always appends the --namespace=<NAMESPACE> flag to the kubectl diff command, like so:
For example, the following command is executed:
------
kubectl --kubeconfig=config diff --namespace=sysdig --filename=/opt/harness-delegate/repository/k8s/281f***********e-***********1/manifests-dry-run.yaml
------
This fixed --namespace behavior introduces problems in the following scenarios:
- Cluster-scoped resources: These are not bound to any namespace, so forcing the --namespace flag can cause validation errors or false diffs.
- Multi-namespace deployments: Some Helm charts or manifest bundles deploy resources across multiple namespaces. Applying a single --namespace flag across all resources can lead to incorrect or incomplete diff results.
Enhancement Request:
We propose enhancing the K8s Diff step by either:
- Automatically detecting when a manifest includes cluster-scoped or multi-namespace resources and skipping the --namespace flag in those cases, or
- Providing a configurable option to disable or customize the namespace behavior.
This change would improve compatibility with complex Kubernetes workloads and charts, ensuring more accurate and reliable diff outputs.
Shylaja Sundararajan
long-term
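One way the detection proposed in the request could work, as an added sketch that is not part of the original post and not Harness code. The `CLUSTER_SCOPED` set, the function names and the sample manifests are assumptions made for illustration, and the scanner is a simplified line reader rather than a full YAML parser.

```python
import re

# Assumption: sample of cluster-scoped kinds; a real check would ask the target
# cluster via `kubectl api-resources --namespaced=false`.
CLUSTER_SCOPED = {"Namespace", "ClusterRole", "ClusterRoleBinding",
                  "CustomResourceDefinition", "PersistentVolume", "StorageClass"}

def scan_manifest(text):
    """Return [(kind, metadata.namespace or None)] per YAML document.
    Simplified scanner for block-style manifests, not a full YAML parser."""
    found = []
    for doc in re.split(r"(?m)^---\s*$", text):
        kind = ns = meta_indent = None
        in_meta = False
        for line in doc.splitlines():
            body = line.lstrip()
            if not body or body.startswith("#"):
                continue
            indent = len(line) - len(body)
            if indent == 0:
                in_meta, meta_indent = body.startswith("metadata:"), None
                if body.startswith("kind:"):
                    kind = body.split(":", 1)[1].strip()
            elif in_meta:
                meta_indent = indent if meta_indent is None else meta_indent
                if indent == meta_indent and body.startswith("namespace:"):
                    ns = body.split(":", 1)[1].strip().strip("\"'")
        if kind:
            found.append((kind, ns))
    return found

def diff_args(text, step_namespace, filename):
    """kubectl diff argv; --namespace only if it fits every resource."""
    docs = scan_manifest(text)
    has_cluster_scoped = any(k in CLUSTER_SCOPED for k, _ in docs)
    explicit = {ns for k, ns in docs if ns and k not in CLUSTER_SCOPED}
    args = ["kubectl", "diff"]
    if not has_cluster_scoped and explicit <= {step_namespace}:
        args.append(f"--namespace={step_namespace}")
    return args + [f"--filename={filename}"]

# Constructed sample manifests, trimmed to the fields the scanner reads.
SINGLE = "kind: Deployment\nmetadata:\n  name: agent\n  namespace: sysdig\n"
MIXED = SINGLE + "---\nkind: ClusterRole\nmetadata:\n  name: agent-reader\n"
MULTI = SINGLE + "---\nkind: ConfigMap\nmetadata:\n  name: cfg\n  namespace: monitoring\n"

if __name__ == "__main__":
    for name, m in (("single", SINGLE), ("mixed", MIXED), ("multi", MULTI)):
        print(name, diff_args(m, "sysdig", "manifests-dry-run.yaml"))
```

When the flag is omitted, resources with no `metadata.namespace` fall back to the namespace of the kubeconfig context, so a real step would need to set that namespace in the context or stamp it into the rendered manifest.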