fix(kubescape): keep scheduled posture scans local so results persist #2443
The scheduled configuration scan has aborted every run since the v4.0.9 scanner bump (#2316), freezing the Kubescape compliance dashboard on stale 06-17 results: every control — including those already exempted by the ClusterSecurityException CRs (e.g. C-0016 on longhorn/velero/coroot) — shows failing and the score reads 0.

Root cause: with kubescapeOffline enabled, chart 1.40.2 still leaves the scheduled scan's request-body Submit path active, so the scanner tries to submit its report to the ARMO cloud and write a generated account ID to /home/nonroot/.kubescape/config.json. That path is an empty emptyDir mounted via subPath, which kubelet materialises as a directory, so the write fails ("is a directory"), the scan is marked failed, and no fresh WorkloadConfigurationScan results are persisted.

Force the scheduled scan to keep results local (scanV1.keepLocal: true), which makes the scanner run local-only — no cloud submit, no account-ID write, the config.json mount never opened — so scans complete and persist fresh results each run, with the existing exceptions applied.

This mirrors the merged but unreleased upstream fix (kubescape/helm-charts#862, issue #857); drop the override once the chart releases past 1.40.2.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📜 Recent review details
| Layer / File(s) | Summary |
|---|---|
| Document offline limitation and enforce keepLocal: k8s/bases/infrastructure/controllers/kubescape/helm-release.yaml | Expands comments explaining the offline scan behavior and adds a kubescapeScheduler.requestBody override that sets scanV1.keepLocal: true for scheduled scans. |
Possibly related issues
- roadmap: Kubescape security stack → 100% and hold (posture · CVE · runtime) #2447 — The PR changes Kubescape offline posture scanning and the keepLocal behavior in the Helm release values.
🚥 Pre-merge checks: 5 passed
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: keeping scheduled Kubescape scans local so results persist. |
| Description check | ✅ Passed | The description matches the change and explains the local-only scan fix and why it was needed. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
Heads-up on the sequencing: unfreezing scans here is necessary but not sufficient to make posture exceptions apply. The scanner's CRD exceptions getter in v4.0.9 lists the CRs at Bumping the scanner to v4.0.10 is #2452. The full offline pipeline is #2316 (merged: reader + RBAC) → this (#2443, unfreeze) → #2452 (v4.0.10, read CRs at v1beta1) — after which the per-control authoring PRs (#2442/#2446/#2440/#2434) take effect. (Note: this corrects the assumption baked into #2316 that v4.0.9's getter reads the right version — it doesn't.)
Keep #2452's v4.0.10 scanner override and this branch's keepLocal scheduler request-body — both layers of the posture fix are required. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
🎉 This PR is included in version 1.97.3 🎉 The release is available on GitHub release. (semantic-release bot)
Why
The Kubescape compliance dashboard has been frozen on week-old results — every control shows failing and the score reads 0, even for workloads already exempted by policy (e.g. privilege escalation on longhorn/velero/coroot). Since the scanner was bumped to v4.0.9, the scheduled posture scan has aborted before it can save any results, so the exceptions and fresh findings never surface.
What
Forces the scheduled scan to run local-only so it stops trying to submit its report to the cloud — the step that crashes on a volume-mount bug in the current chart. Fresh results then persist every run, with the existing exceptions applied, unfreezing the whole dashboard. No functional scanning is lost (this cluster has no cloud account anyway).
Interim override mirroring a merged-but-unreleased upstream chart fix (kubescape/helm-charts#862, issue #857); drop it once that ships in a chart release past 1.40.2.
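A check for the two symptoms this PR describes, as an added example that is not code from the PR or the Kubescape project: it assumes the scheduler's request body is available as a dict (the chart renders kubescapeScheduler.requestBody to JSON) and that WorkloadConfigurationScan creationTimestamps are read from kubectl; every sample value below is constructed.

```python
"""Diagnose a frozen Kubescape posture dashboard: is the scheduled scan
configured local-only, and are WorkloadConfigurationScan results still fresh?"""
import datetime as dt

# Constructed samples of the scheduler request body (what the chart renders from
# kubescapeScheduler.requestBody). With kubescapeOffline alone the Submit path stays
# active; this PR's override adds scanV1.keepLocal: true.
BROKEN_BODY = {"scanV1": {}}
FIXED_BODY = {"scanV1": {"keepLocal": True}}

# Constructed creationTimestamps of WorkloadConfigurationScan objects (assumed to be
# read from `kubectl get workloadconfigurationscans -A -o json`), a "now", and the
# scan schedule interval. Dates are illustrative only.
STALE_TIMESTAMPS = ["2025-06-17T02:00:11Z"]   # last run before the scanner bump
FRESH_TIMESTAMPS = ["2025-06-24T02:00:09Z"]   # a run completed after the fix
NOW = dt.datetime(2025, 6, 24, 9, 0, tzinfo=dt.timezone.utc)
DAILY = dt.timedelta(days=1)


def scan_request_is_local(body: dict) -> bool:
    """True when the scheduled scan keeps results in-cluster (no cloud submit)."""
    return bool(body.get("scanV1", {}).get("keepLocal", False))


def latest_scan_age(creation_timestamps: list, now: dt.datetime) -> dt.timedelta:
    """Age of the newest scan result; timestamps are RFC 3339 as emitted by the API."""
    newest = max(dt.datetime.fromisoformat(ts.replace("Z", "+00:00"))
                 for ts in creation_timestamps)
    return now - newest


def diagnose(body: dict, creation_timestamps: list, now: dt.datetime,
             interval: dt.timedelta) -> list:
    """Return the findings a practitioner should act on (empty list means healthy)."""
    findings = []
    if not scan_request_is_local(body):
        findings.append("scanV1.keepLocal not set: scheduled scan will try to submit to the cloud")
    if not creation_timestamps:
        findings.append("no WorkloadConfigurationScan results present")
    elif latest_scan_age(creation_timestamps, now) > 2 * interval:
        findings.append("newest WorkloadConfigurationScan is older than two schedule intervals")
    return findings


if __name__ == "__main__":
    print(diagnose(BROKEN_BODY, STALE_TIMESTAMPS, NOW, DAILY))   # two findings
    print(diagnose(FIXED_BODY, FRESH_TIMESTAMPS, NOW, DAILY))    # []
```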