fix(kubescape): remount scanner config.json so offline posture scans persist #2439
devantler wants to merge 1 commit into
The kubescape-operator 1.40.2 scanner Deployment mounts the empty `kubescape-volume` emptyDir onto the FILE path /home/nonroot/.kubescape/config.json (subPath config.json). kubelet materialises the non-existent target as a DIRECTORY, so the scanner's config write fails ("open .../config.json: is a directory"), the scan aborts at finalize, the aggregate ConfigurationScanSummary is never written, and no posture (Cluster)SecurityException is ever applied — so the compliance dashboard freezes (last persisted scan 2026-06-27) and every by-design exception (e.g. C-0007) renders failed.

Reproduce upstream fix kubescape/helm-charts#862 (issue #857) via a Flux postRenderer that remounts the volume at the parent dir, until a chart release ships it. Offline mode / submit=false unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Closing as a duplicate of #2443, and superseded by the same reasoning that closed #2444. This PR fixes only the (I re-derived this root cause independently before finding #2443/#2444 already covered it — apologies for the duplicate.)
Why
The in-cluster Kubescape compliance dashboard (Headlamp) is frozen — it serves stale data from 2026-06-27 and shows controls like C-0007 "Roles with delete capabilities" as 0 of 26 passed. Root cause: an offline-mode bug in the kubescape chart mounts the scanner's config file as a directory, so every scan aborts before it finishes — no fresh results are stored and none of the platform's by-design posture exceptions are ever applied (aggregate compliance reads 0.00 on every framework).
What
Reproduces the merged upstream fix (kubescape/helm-charts#862, issue #857) with a Flux post-render that remounts the config volume correctly, so scans finalize again, the dashboard refreshes, and the exception CRs already shipped in #2316 finally take effect. Offline/air-gapped mode is untouched — no cloud submit is re-enabled. Revert this once the chart ships a release containing the upstream fix.
Note: this unblocks the whole dashboard but does not on its own make C-0007 pass — that control's exception needs a separate match-type fix (follow-up PR). After promotion Flux reconciles the HelmRelease; a fresh scan should then persist and the score reappear. Related: #2264.
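The remount described above, written out as a Flux HelmRelease postRenderer. This is an added example, not the PR's own diff and not the upstream chart fix; it only uses the facts stated on this page (volume `kubescape-volume`, file-level mount `/home/nonroot/.kubescape/config.json` with `subPath: config.json`, parent directory `/home/nonroot/.kubescape`). The Deployment name `kubescape`, the HelmRelease name/namespace, and the container and volumeMount indices (`0`) are assumptions and must be checked against the rendered chart; the leading RFC 6902 `test` op makes kustomize refuse the render if the mount is not where the patch expects, instead of silently replacing the wrong entry.

```yaml
# Added example: Flux postRenderer that remounts the scanner config volume at
# the parent directory instead of at the file path via subPath.
#
# Broken mount as rendered by the chart (from the PR description):
#   volumeMounts:
#     - name: kubescape-volume
#       mountPath: /home/nonroot/.kubescape/config.json
#       subPath: config.json          # kubelet creates a directory here
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kubescape-operator            # ASSUMPTION: release name
  namespace: kubescape                # ASSUMPTION: release namespace
spec:
  # chart, interval, values: unchanged from the existing release
  postRenderers:
    - kustomize:
        patches:
          - target:
              kind: Deployment
              name: kubescape         # ASSUMPTION: scanner Deployment name
            patch: |-
              # Guard: fail the render if container 0 / volumeMount 0 is not
              # the subPath mount we intend to replace (indices are assumptions).
              - op: test
                path: /spec/template/spec/containers/0/volumeMounts/0/subPath
                value: config.json
              # Replace the whole volumeMount so subPath is dropped and the
              # emptyDir backs the directory; the scanner can then create
              # config.json as a regular file inside it.
              - op: replace
                path: /spec/template/spec/containers/0/volumeMounts/0
                value:
                  name: kubescape-volume
                  mountPath: /home/nonroot/.kubescape
```

Two things to verify after Flux reconciles: `kubectl -n <ns> get deploy kubescape -o jsonpath='{.spec.template.spec.containers[0].volumeMounts}'` should show the directory mount with no `subPath`, and an exec into the scanner pod should find `/home/nonroot/.kubescape/config.json` as a regular file rather than a directory. Mounting an emptyDir over the parent directory also shadows anything the image ships under `/home/nonroot/.kubescape`, so confirm the image does not rely on pre-populated files there before promoting.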