fix(helm): Check HELM_NAMESPACE env var in CKV_K8S_21

checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import os
 from typing import Any
 
 from checkov.common.models.enums import CheckCategories, CheckResult
@@ -37,6 +38,8 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult:
         if metadata:
             if "namespace" in metadata and metadata["namespace"] != "default":
                 return CheckResult.PASSED
+            if os.getenv('HELM_NAMESPACE') and os.getenv('HELM_NAMESPACE') != "default":
+                return CheckResult.PASSED
 
             # If namespace not defined it is default -> Ignore default Service account and kubernetes service
             if conf["kind"] == "ServiceAccount" and metadata["name"] == "default":

tests/kubernetes/checks/test_DefaultNamespace.py

@@ -21,6 +21,19 @@ def test_summary(self):
         self.assertEqual(summary['skipped'], 0)
         self.assertEqual(summary['parsing_errors'], 0)
 
+    def test_summary_with_env_var(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+        os.environ['HELM_NAMESPACE'] = 'non-default'
+        test_files_dir = current_dir + "/example_DefaultNamespace"
+        report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        self.assertEqual(summary['passed'], 11)
+        self.assertEqual(summary['failed'], 0)
+        self.assertEqual(summary['skipped'], 0)
+        self.assertEqual(summary['parsing_errors'], 0)
+
 
 if __name__ == '__main__':
     unittest.main()