
fix(kubescape): config-scan aborts every run — config.json mounted as a directory (compliance 0.00) #2448

Description

@devantler

🤖 Generated by the Daily AI Assistant

Part of #2447.

Problem

The in-cluster Kubescape config scan crashes on every run and has never produced real data. The kubescape scanner Deployment mounts kubescape-volume — an empty emptyDir — at /home/nonroot/.kubescape/config.json with subPath: config.json. Because the emptyDir has no such file, the kubelet materialises the subPath as a directory, so the CLI's open(config.json) fails and the scan aborts before scoring.

Live evidence (prod, 2026-07-04):

  • Scanner log: failed to generate account ID … open /home/nonroot/.kubescape/config.json: is a directory → scanning failed, repeating ~451×/24h.
  • workloadconfigurationscans: 1542/1542 with controls: null; 1126 still at resourceVersion: 1.
  • configurationscansummaries: compliance 0.00 across all 9 frameworks (security, NSA, MITRE, CIS ×2, ArmoBest, DevOpsBest, SOC2, AllControls).
  • Newest scan object dates to 2026-06-27 → ~7 days stale, and was never real.

This is why the "0 failed controls per namespace" reading looked clean — no controls are evaluated at all. It also means the in-cluster posture signal the daily-maintainer survey relies on has been dead. (First noted 2026-06-28 as "out of scope, did not chase"; now the top of the epic.)

Proposed direction

Correct the mount so config.json is a file, not a directory. The broken mount is baked into the kubescape-operator chart template (1.40.2), so evaluate, in order:

  1. A chart value that changes the volume/mount shape (mount the emptyDir at the directory …/.kubescape without the subPath, letting the CLI write config.json itself), if the chart exposes one.
  2. Otherwise a Flux HelmRelease.spec.postRenderers Kustomize patch on the scanner Deployment to drop the subPath / fix the mount.
  3. If neither is clean, fix upstream in kubescape/helm-charts and pin ahead (same pattern already used for the scanner image + exceptions RBAC), and open the upstream PR.

Confirm the interaction with kubescapeOffline: enable (the failing step is account-ID generation, which offline mode may still trigger). Validate with ksail --config ksail.prod.yaml workload validate; verify on the docker overlay first.
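The failure mode above and the directory-mount shape from option 1, as an added Python example that is not part of this issue or the kubescape-operator chart: it lints a rendered Deployment for volumeMounts that use subPath into an emptyDir (the pattern that yields "is a directory") and rewrites them to mount the parent directory without subPath. The manifest is a constructed stand-in for the rendered template; the Deployment and container name "kubescape" are assumptions.

```python
import copy
import posixpath

# Constructed stand-in for the rendered scanner Deployment with the broken
# mount from the issue; the Deployment/container name "kubescape" is assumed.
BROKEN_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "kubescape"},
    "spec": {"template": {"spec": {
        "volumes": [{"name": "kubescape-volume", "emptyDir": {}}],
        "containers": [{
            "name": "kubescape",
            "volumeMounts": [{
                "name": "kubescape-volume",
                "mountPath": "/home/nonroot/.kubescape/config.json",
                "subPath": "config.json",
            }],
        }],
    }}},
}


def subpath_mounts_into_emptydir(deployment):
    """Return (container, mountPath) for every volumeMount that uses subPath
    into an emptyDir volume. An emptyDir starts empty, so unless something
    writes the subPath first, the kubelet creates it as a directory and a
    file open() on the mountPath fails with 'is a directory'."""
    pod = deployment["spec"]["template"]["spec"]
    empty_dirs = {v["name"] for v in pod.get("volumes", []) if "emptyDir" in v}
    return [
        (c["name"], m["mountPath"])
        for c in pod.get("containers", []) + pod.get("initContainers", [])
        for m in c.get("volumeMounts", [])
        if "subPath" in m and m["name"] in empty_dirs
    ]


def mount_parent_directory(deployment):
    """Return a copy where each such mount targets the parent directory
    without subPath, so the CLI can create config.json itself (option 1)."""
    fixed = copy.deepcopy(deployment)
    pod = fixed["spec"]["template"]["spec"]
    empty_dirs = {v["name"] for v in pod.get("volumes", []) if "emptyDir" in v}
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if "subPath" in m and m["name"] in empty_dirs:
                m["mountPath"] = posixpath.dirname(m["mountPath"])
                del m["subPath"]
    return fixed
```

A subPath into an emptyDir is legitimate when an init container writes the file first, so treat a finding as something to review rather than an automatic failure.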

Rough size

S–M (single component; the mechanism choice is the main unknown).

Acceptance criteria

  • Scanner no longer logs config.json: is a directory; scans complete.
  • configurationscansummaries show real (non-zero) compliance scores and workloadconfigurationscans carry populated controls.
  • Change is declarative and validates; docker overlay unaffected.

Status: ✅ Done