🤖 Generated by the Daily AI Assistant
Part of #2447.
Problem
The in-cluster Kubescape config scan crashes on every run and has never produced real data. The kubescape scanner Deployment mounts kubescape-volume (an empty emptyDir) at /home/nonroot/.kubescape/config.json with subPath: config.json. Because the emptyDir has no such file, the kubelet materialises the subPath as a directory, so the CLI's open(config.json) fails and the scan aborts before scoring.
Live evidence (prod, 2026-07-04):
- Scanner log: failed to generate account ID … open /home/nonroot/.kubescape/config.json: is a directory — scanning failed, repeating ~451×/24h.
- workloadconfigurationscans: 1542/1542 with controls: null; 1126 still at resourceVersion: 1.
- configurationscansummaries: compliance 0.00 across all 9 frameworks (security, NSA, MITRE, CIS ×2, ArmoBest, DevOpsBest, SOC2, AllControls).
- Newest scan object dates to 2026-06-27 — ~7 days stale, and was never real.
This is why the "0 failed controls per namespace" reading looked clean — no controls are evaluated at all. It also means the in-cluster posture signal the daily-maintainer survey relies on has been dead. (First noted 2026-06-28 as "out of scope, did not chase"; now the top of the epic.)
Proposed direction
Correct the mount so config.json is a file, not a directory. The broken mount is baked into the kubescape-operator chart template (1.40.2), so evaluate, in order:
- A chart value that changes the volume/mount shape (mount the emptyDir at the directory …/.kubescape without the subPath, letting the CLI write config.json itself), if the chart exposes one.
- Otherwise a Flux HelmRelease.spec.postRenderers Kustomize patch on the scanner Deployment to drop the subPath / fix the mount.
- If neither is clean, fix upstream in kubescape/helm-charts and pin ahead (same pattern already used for the scanner image + exceptions RBAC), and open the upstream PR.
Confirm the interaction with kubescapeOffline: enable (the failing step is account-ID generation, which offline mode may still trigger). Validate with ksail --config ksail.prod.yaml workload validate; verify on the docker overlay first.
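As an added example (not code from this issue, the kubescape-operator chart, or Flux), the check below lints a Deployment for the exact failure mode described above: a volumeMount whose subPath points into an emptyDir volume, which the kubelet can only satisfy by creating a directory. It then emits the JSON-6902 operations a postRenderers Kustomize patch would carry to drop the subPath and mount the volume at the parent directory, and applies them to confirm the finding clears. The embedded Deployment is constructed from the description in the issue; the container name, image tag and field order are assumptions, and the patch applier is a minimal remove/replace helper rather than a full RFC 6902 implementation.

```python
"""Lint a Deployment for emptyDir volumes mounted with subPath and build the
JSON-6902 ops that drop the subPath and mount the parent directory instead.

Added example; not the kubescape-operator chart's code. The Deployment below is
constructed to match the issue text (container name and image are assumptions),
in the shape `kubectl get deploy -o json` would return.
"""
import copy
import json

# Constructed sample approximating the broken scanner Deployment.
BROKEN_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "kubescape", "namespace": "kubescape"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "kubescape",  # assumed container name
                        "image": "quay.io/kubescape/kubescape:PLACEHOLDER",  # assumed
                        "volumeMounts": [
                            {
                                "name": "kubescape-volume",
                                "mountPath": "/home/nonroot/.kubescape/config.json",
                                "subPath": "config.json",
                            }
                        ],
                    }
                ],
                "volumes": [{"name": "kubescape-volume", "emptyDir": {}}],
            }
        }
    },
}


def find_subpath_emptydir_mounts(deployment):
    """Return (container_index, mount_index, mountPath) for every volumeMount
    whose subPath refers into an emptyDir volume. The subPath cannot exist when
    the pod starts, so the kubelet materialises it as a directory."""
    pod = deployment["spec"]["template"]["spec"]
    empty_dirs = {v["name"] for v in pod.get("volumes", []) if "emptyDir" in v}
    findings = []
    for ci, container in enumerate(pod.get("containers", [])):
        for mi, mount in enumerate(container.get("volumeMounts", [])):
            if "subPath" in mount and mount["name"] in empty_dirs:
                findings.append((ci, mi, mount["mountPath"]))
    return findings


def json6902_fix_ops(deployment):
    """Build JSON-6902 ops (the form a Flux postRenderers Kustomize patch can
    carry) that remove each offending subPath and mount the volume at the
    parent directory, so the CLI can create the file itself."""
    ops = []
    for ci, mi, mount_path in find_subpath_emptydir_mounts(deployment):
        base = f"/spec/template/spec/containers/{ci}/volumeMounts/{mi}"
        parent_dir = mount_path.rsplit("/", 1)[0]
        ops.append({"op": "remove", "path": f"{base}/subPath"})
        ops.append({"op": "replace", "path": f"{base}/mountPath", "value": parent_dir})
    return ops


def apply_ops(deployment, ops):
    """Apply remove/replace ops to a copy of the document. Enough to verify the
    fix offline; not a complete RFC 6902 implementation."""
    doc = copy.deepcopy(deployment)
    for op in ops:
        parts = op["path"].strip("/").split("/")
        node = doc
        for part in parts[:-1]:
            node = node[int(part)] if isinstance(node, list) else node[part]
        key = int(parts[-1]) if isinstance(node, list) else parts[-1]
        if op["op"] == "remove":
            del node[key]
        elif op["op"] == "replace":
            node[key] = op["value"]
        else:
            raise ValueError(f"unsupported op: {op['op']}")
    return doc


if __name__ == "__main__":
    print("findings:", find_subpath_emptydir_mounts(BROKEN_DEPLOYMENT))
    ops = json6902_fix_ops(BROKEN_DEPLOYMENT)
    print(json.dumps(ops, indent=2))
    print("after fix:", find_subpath_emptydir_mounts(apply_ops(BROKEN_DEPLOYMENT, ops)))
```

The emitted ops are what you would paste under a Kustomize patch target for the scanner Deployment; the lint can also run against the rendered chart output before the release is reconciled, which is the same place the ksail validation step would catch a regression of the mount shape.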
Rough size
S–M (single component; the mechanism choice is the main unknown).
Acceptance criteria
- Scanner no longer logs config.json: is a directory; scans complete.
- configurationscansummaries show real (non-zero) compliance scores and workloadconfigurationscans carry populated controls.
- Change is declarative and validates; docker overlay unaffected.