From 3c888cbd03d96439a9f136a80f3123aea3d41edc Mon Sep 17 00:00:00 2001 From: iifrach Date: Thu, 23 Oct 2025 21:31:16 +0300 Subject: [PATCH 1/4] Check HELM_NAMESPACE env var in CKV_K8S_21 --- checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py b/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py index 9f05328542..1583d6540f 100644 --- a/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py +++ b/checkov/kubernetes/checks/resource/k8s/DefaultNamespace.py @@ -1,5 +1,6 @@ from __future__ import annotations +import os from typing import Any from checkov.common.models.enums import CheckCategories, CheckResult @@ -37,6 +38,8 @@ def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult: if metadata: if "namespace" in metadata and metadata["namespace"] != "default": return CheckResult.PASSED + if os.getenv('HELM_NAMESPACE') and os.getenv('HELM_NAMESPACE') != "default": + return CheckResult.PASSED # If namespace not defined it is default -> Ignore default Service account and kubernetes service if conf["kind"] == "ServiceAccount" and metadata["name"] == "default": From 9a579afd478651d160f9c0f0b3e256d0736fab87 Mon Sep 17 00:00:00 2001 From: iifrach Date: Wed, 29 Oct 2025 15:11:32 +0200 Subject: [PATCH 2/4] Add test --- tests/kubernetes/checks/test_DefaultNamespace.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/kubernetes/checks/test_DefaultNamespace.py b/tests/kubernetes/checks/test_DefaultNamespace.py index 1f5788c253..8f13a98d82 100644 --- a/tests/kubernetes/checks/test_DefaultNamespace.py +++ b/tests/kubernetes/checks/test_DefaultNamespace.py 
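Review bot: In the `scan_spec_conf` hunk the new `HELM_NAMESPACE` branch runs whenever the preceding namespace test does not return, and that includes a manifest that explicitly sets `namespace: default`. With the variable set to any other value, that resource is reported PASSED. As far as I know, Helm's release namespace only applies to objects that omit `metadata.namespace`, so this looks like a false negative for CKV_K8S_21. Restrict the override to the missing-namespace case and read the variable once: `helm_ns = os.getenv("HELM_NAMESPACE")` followed by `if "namespace" not in metadata and helm_ns and helm_ns != "default":`. The variable is also honoured for every Kubernetes scan rather than only Helm-rendered resources, so an ambient value in a CI job would suppress the finding for plain manifests, which deserves a comment or a narrower condition; the function body continues outside the hunk and the nesting is inferred because indentation is lost in this rendering.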
@@ -21,6 +21,19 @@ def test_summary(self): self.assertEqual(summary['skipped'], 0) self.assertEqual(summary['parsing_errors'], 0) + def test_summary_with_env_var(self): + runner = Runner() + current_dir = os.path.dirname(os.path.realpath(__file__)) + os.environ['HELM_NAMESPACE'] = 'non-default' + test_files_dir = current_dir + "/example_DefaultNamespace" + report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id])) + summary = report.get_summary() + + self.assertEqual(summary['passed'], 11) + self.assertEqual(summary['failed'], 0) + self.assertEqual(summary['skipped'], 0) + self.assertEqual(summary['parsing_errors'], 0) + if __name__ == '__main__': unittest.main() From efcb2cec1b0561402c0f96a519f65a3c95ca3316 Mon Sep 17 00:00:00 2001 From: iifrach Date: Wed, 29 Oct 2025 15:22:22 +0200 Subject: [PATCH 3/4] Remove HELM_NAMESPACE env var after test --- tests/kubernetes/checks/test_DefaultNamespace.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/kubernetes/checks/test_DefaultNamespace.py b/tests/kubernetes/checks/test_DefaultNamespace.py index 8f13a98d82..c20855e16b 100644 --- a/tests/kubernetes/checks/test_DefaultNamespace.py +++ b/tests/kubernetes/checks/test_DefaultNamespace.py @@ -33,6 +33,7 @@ def test_summary_with_env_var(self): self.assertEqual(summary['failed'], 0) self.assertEqual(summary['skipped'], 0) self.assertEqual(summary['parsing_errors'], 0) + os.environ.pop("HELM_NAMESPACE", None) if __name__ == '__main__': From 4a11253a1d29a49bb03bfbb0da794e9226f64989 Mon Sep 17 00:00:00 2001 From: iifrach Date: Wed, 29 Oct 2025 15:26:26 +0200 Subject: [PATCH 4/4] Use mock patch --- tests/kubernetes/checks/test_DefaultNamespace.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/kubernetes/checks/test_DefaultNamespace.py b/tests/kubernetes/checks/test_DefaultNamespace.py index c20855e16b..8b64a4c78b 100644 --- a/tests/kubernetes/checks/test_DefaultNamespace.py 
+++ b/tests/kubernetes/checks/test_DefaultNamespace.py @@ -1,5 +1,6 @@ import os import unittest +from unittest import mock from checkov.kubernetes.checks.resource.k8s.DefaultNamespace import check from checkov.kubernetes.runner import Runner @@ -21,19 +22,18 @@ def test_summary(self): self.assertEqual(summary['skipped'], 0) self.assertEqual(summary['parsing_errors'], 0) + @mock.patch.dict(os.environ, {"HELM_NAMESPACE": "non-default"}) def test_summary_with_env_var(self): runner = Runner() current_dir = os.path.dirname(os.path.realpath(__file__)) - os.environ['HELM_NAMESPACE'] = 'non-default' test_files_dir = current_dir + "/example_DefaultNamespace" - report = runner.run(root_folder=test_files_dir,runner_filter=RunnerFilter(checks=[check.id])) + report = runner.run(root_folder=test_files_dir, runner_filter=RunnerFilter(checks=[check.id])) summary = report.get_summary() self.assertEqual(summary['passed'], 11) self.assertEqual(summary['failed'], 0) self.assertEqual(summary['skipped'], 0) self.assertEqual(summary['parsing_errors'], 0) - os.environ.pop("HELM_NAMESPACE", None) if __name__ == '__main__':
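Review bot: `test_summary_with_env_var` only exercises a non-default value, so the guards in the check for `HELM_NAMESPACE=default` and for an empty value are untested. Add a case decorated with `@mock.patch.dict(os.environ, {"HELM_NAMESPACE": "default"})` that expects the same passed and failed counts as `test_summary`, so the override cannot widen unnoticed. The `failed == 0` assertion also pins that every fixture in `example_DefaultNamespace` passes under the override; if any of those fixtures sets `namespace: default` explicitly (not visible here), the expectation encodes a false negative and should be revisited. Separately, `test_summary` now depends on `HELM_NAMESPACE` being absent from the ambient environment, so it should remove the variable for its own run.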