fix(kubescape): except C-0007 delete-capable RBAC by object, not namespace #2446

Draft

devantler wants to merge 4 commits into main from claude/kubescape-c0007-rbac-exception

Conversation

devantler (Contributor) commented Jul 4, 2026

🤖 Generated by the Daily AI Assistant

Why

Control C-0007 "Roles with delete capabilities" shows every one of its 26 legitimate infra-controller / tenant service accounts (Flux, Velero, Longhorn, CNPG, Kyverno, cert-manager, KubeVirt, Crossplane…) as failing. Its exception used a namespace match, which Kubescape ignores for RBAC findings — 19 of the 26 are cluster-scoped bindings with no namespace at all — so the exception never applied.

What

Move C-0007 to the kind+name match that actually works for RBAC objects: a new delete-rbac.yaml matching each delete-capable binding, plus the mirrored Headlamp ConfigMap change. This is the same pattern and same 4 files as the sibling per-control PRs (#2442 C-0015, #2440 C-0002, #2434 C-0026) — it fills the missing C-0007 case (the largest, at 26 findings). The list stays explicit so a new/accidental delete grant is still flagged; two churn-prone entries (the Crossplane provider revision hash, the on-demand tofu-runner) are flagged inline for periodic refresh.

Sequencing: takes effect only after #2443 (the keepLocal scan-persistence fix) unfreezes in-cluster scanning — reconcile the binding list against a fresh scan then. Shares files with #2442/#2440/#2434, so whichever merges after the first needs a trivial rebase. Related: #2264.

…space

Control C-0007 ("Roles with delete capabilities") is exempted only via
controller-rbac.yaml's namespaceSelector, which cannot match RBAC
findings: Kubescape keys them on the Role/ClusterRole/binding object, and
19 of C-0007's 26 findings terminate on cluster-scoped ClusterRoleBindings
whose namespace is empty. So the exception is a silent no-op and every
delete-capable controller renders failed.

Move C-0007 to a kind+name resources match (new delete-rbac.yaml),
mirroring wildcard-rbac.yaml / C-0187 — the proven mechanism for RBAC
objects. Matches each of the 26 delete-capable bindings by kind+name so
C-0007 still flags any new/accidental delete grant. Mirror the change in
the Headlamp plugin ConfigMap (which keys on the owning SA's namespace).

Depends on the scanner-mount fix (config.json postRenderer) landing first
before it can take effect on the in-cluster scan.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
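The matching behaviour the description relies on (a namespace designator never reaching a cluster-scoped binding because its namespace is empty, and names being regex-compared so a hashed name must be matched by an anchored pattern), as an added example that is not Kubescape's code and not part of this repository: a simplified Python model of postureExceptionPolicy designator matching, plus a lint for the two failure modes the PR and the review describe. The regex-search semantics, the `velero` and `debug-admin-delete` binding names and the sample findings are assumptions constructed for illustration; the crossplane pattern is the one quoted in the review learning.

```python
"""Simplified model of Kubescape posture-exception matching (added example; not
Kubescape's own code).  It shows why a namespace-only designator never reaches
cluster-scoped RBAC findings and why a hashed binding name must be matched with
an anchored regular expression.  Assumptions: findings for C-0007 are keyed on the
binding object; attribute values are regex-searched; the policies and findings
below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """The object a finding is keyed on; cluster-scoped kinds carry no namespace."""
    kind: str
    name: str
    namespace: str = ""


def regex_compare(pattern: str, value: str) -> bool:
    # Assumed semantics: the attribute is a regex searched within the value, so an
    # unanchored pattern can over-match (e.g. "RoleBinding" inside "ClusterRoleBinding").
    return re.search(pattern, value) is not None


def designator_matches(attributes: dict, res: Resource) -> bool:
    """Every attribute must match (AND); an empty namespace never matches a name."""
    values = {"kind": res.kind, "name": res.name, "namespace": res.namespace}
    return all(key in values and regex_compare(pat, values[key])
               for key, pat in attributes.items())


def exception_applies(policy: dict, control_id: str, res: Resource) -> bool:
    """True when the policy covers control_id and any designator matches res."""
    if control_id not in {p["controlID"] for p in policy["posturePolicies"]}:
        return False
    return any(designator_matches(d["attributes"], res) for d in policy["resources"])


def evaluate(policy: dict, findings: list, control_id: str = "C-0007") -> dict:
    """Map each finding's name to whether the policy excepts it."""
    return {r.name: exception_applies(policy, control_id, r) for r in findings}


HASH_RUN = re.compile(r"[0-9a-f]{8,}")  # a literal run of hex digits is a pinned hash


def lint_policy(policy: dict) -> list:
    """Flag designators that silently miss RBAC objects or pin a generated hash."""
    problems = []
    for d in policy["resources"]:
        attrs = d["attributes"]
        if "namespace" in attrs and "name" not in attrs:
            problems.append(f"{policy['name']}: namespace-only designator {attrs} "
                            "cannot match cluster-scoped RBAC objects")
        name = attrs.get("name", "")
        if HASH_RUN.search(name):
            problems.append(f"{policy['name']}: name {name!r} pins a generated hash; "
                            "use an anchored pattern over the stable prefix")
        elif name and not (name.startswith("^") and name.endswith("$")):
            problems.append(f"{policy['name']}: name {name!r} is not anchored")
    return problems


# Constructed policies in Kubescape's postureExceptionPolicy JSON shape.
OLD_POLICY = {  # the namespace match this PR replaces
    "name": "controller-rbac-by-namespace",
    "policyType": "postureExceptionPolicy",
    "actions": ["alertOnly"],
    "resources": [{"designatorType": "Attributes", "attributes": {"namespace": "velero"}}],
    "posturePolicies": [{"controlID": "C-0007"}],
}
NEW_POLICY = {  # kind+name match; the crossplane pattern is the one from the review
    "name": "delete-capable-rbac-by-design",
    "policyType": "postureExceptionPolicy",
    "actions": ["alertOnly"],
    "resources": [
        {"designatorType": "Attributes",
         "attributes": {"kind": "ClusterRoleBinding", "name": "^velero$"}},
        {"designatorType": "Attributes",
         "attributes": {"kind": "ClusterRoleBinding",
                        "name": "^crossplane:provider:provider-upjet-github-[0-9a-f]+:system$"}},
    ],
    "posturePolicies": [{"controlID": "C-0007"}],
}

# Constructed sample of C-0007 findings, keyed on the binding object (assumed names).
FINDINGS = [
    Resource("ClusterRoleBinding", "velero"),
    Resource("ClusterRoleBinding", "crossplane:provider:provider-upjet-github-3f9a1c2b:system"),
    Resource("RoleBinding", "velero-server", namespace="velero"),
    Resource("ClusterRoleBinding", "debug-admin-delete"),  # accidental grant: must stay flagged
]

if __name__ == "__main__":
    for policy in (OLD_POLICY, NEW_POLICY):
        print(policy["name"], evaluate(policy, FINDINGS), lint_policy(policy))
```

Run stand-alone, the old policy excepts only the namespaced RoleBinding and leaves every ClusterRoleBinding failing, while the new policy excepts exactly the two listed bindings and still flags the accidental grant; the lint reports the namespace-only designator as a no-op for cluster-scoped objects and would report a literal hash if one were pinned.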
coderabbitai Bot commented Jul 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 77987621-6e99-48c8-af56-b6706d23d527

📥 Commits

Reviewing files that changed from the base of the PR and between 7b82f1e and 70d5a05.

📒 Files selected for processing (3)
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • devantler-tech/actions (auto-detected)
  • devantler-tech/aws (auto-detected)
  • devantler-tech/reusable-workflows (auto-detected)
  • devantler-tech/ksail (auto-detected)
  • devantler-tech/ascoachingogvaner (auto-detected)
  • devantler-tech/wedding-app (auto-detected)
  • devantler-tech/agent-skills (auto-detected)
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{yaml,yml}: Use Kustomize overlays rather than editing base resources directly; k8s/bases/ is immutable from overlays and changes should be made with patches: in provider or cluster overlays.
Keep manifest changes small and use YAML/schema validation before submitting a manifest PR; for files with cluster context, prefer ksail workload validate / kubectl kustomize / kubectl apply --dry-run=client as appropriate.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
k8s/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/**: Respect Flux dependency order: bootstrap → infrastructure-controllers → infrastructure → apps, with the prod-only infrastructure-overprovisioning layer hanging off infrastructure without gating apps.
Follow the hierarchical Kustomization flow: base configurations in k8s/bases/ feed provider overlays in k8s/providers/, which feed cluster overlays in k8s/clusters/.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
k8s/bases/infrastructure/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/bases/infrastructure/**: Under k8s/bases/infrastructure/, organize resources component-folder-first: a component's HelmRelease/HelmRepository and its own CRs should live together in a folder named after the component unless a split is required.
Split a custom resource into its own plural-Kind folder only when it cannot live with its component, such as for CRD dependency ordering or because it is cluster-scoped/cross-cutting.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
k8s/bases/infrastructure/**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

k8s/bases/infrastructure/**/*.{yaml,yml}: For component-folder files, name manifests after the resource Kind in kebab-case; if a folder contains multiple resources of the same Kind, qualify filenames with a purpose suffix.
For CR-folder files, omit the folder-implied Kind from the filename and use the verb-purpose.yaml form.
Name Flux Kustomization resources flux-kustomization*.yaml; keep the kustomize build file named exactly kustomization.yaml.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
🧠 Learnings (2)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Timestamp: 2026-07-01T21:13:36.950Z
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app’s full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.

Applied to files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
📚 Learning: 2026-07-04T13:30:04.759Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2446
File: k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml:38-125
Timestamp: 2026-07-04T13:30:04.759Z
Learning: For Kubescape ClusterSecurityException (apiVersion kubescape.io/v1beta1) and the mirrored Headlamp exception config, do NOT pin `spec.match.resources[].name` (and Headlamp `attributes.name`) to a single literal value when the identifier includes a generated hash. These fields are compared using `regexCompare`, so match such resources with an anchored regular expression that covers the stable prefix and the hash pattern (e.g., `^crossplane:provider:provider-upjet-github-[0-9a-f]+:system$`) rather than the current hash, so the exception remains valid across provider re-installs/revisions.

Applied to files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
🔇 Additional comments (3)
k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml (1)

27-28: LGTM!

Also applies to: 36-49

k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml (1)

9-9: LGTM!

k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (1)

153-188: LGTM! The delete-capable-rbac-by-design policy correctly mirrors delete-rbac.yaml via kind+name matches (per the prior review resolution) and already applies the anchored [0-9a-f]+ hash regex for the crossplane:provider:... entry, consistent with the retrieved learning on regexCompare semantics.


📝 Walkthrough

Walkthrough

This PR moves Kubescape control C-0007 handling into a dedicated exception manifest that matches specific RBAC bindings by kind and name, removes the old ignore entry from controller-rbac, adds the new manifest to the base kustomization, and updates the Headlamp exception config to mirror the new policy.

Possibly related issues

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: switching the C-0007 RBAC exception from namespace-based to object-based matching.
Description check ✅ Passed The description matches the RBAC exception change, the new delete-rbac.yaml, and the mirrored Headlamp config update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

devantler (Contributor, Author) commented:

@coderabbitai review

coderabbitai Bot commented Jul 4, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml`:
- Around line 38-124: The Crossplane provider ClusterRoleBinding exception is
pinned to a revision-specific literal name, so it will break on the next
provider reinstall. Update the delete-rbac exception entry in the
ClusterRoleBinding section to match the provider binding by a stable pattern or
selector-based approach instead of the exact hashed name, so the rule continues
to apply across provider churn.

In
`@k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml`:
- Around line 92-119: The delete-capable-rbac-by-design exception is matching by
namespace, which misses cluster-scoped RBAC bindings seen by delete-rbac.yaml.
Update the postureExceptionPolicy entry in the config-map-headlamp-exceptions
manifest to mirror the same RBAC object targeting used by the delete-rbac logic,
using kind+name matches for ClusterRoleBinding and RoleBinding instead of
relying on namespace, while preserving the explicit crossplane-masters Group
rule.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 14faa482-258c-4ce9-becc-f084c63cf4f9

📥 Commits

Reviewing files that changed from the base of the PR and between 32ce888 and db4eacd.

📒 Files selected for processing (4)
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
🔇 Additional comments (3)
k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml (1)

38-50: LGTM!

k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml (1)

8-8: LGTM!

k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (1)

72-90: LGTM!

@github-project-automation github-project-automation Bot moved this from 🫴 Ready to 🏃🏻‍♂️ In Progress in 🌊 Project Board Jul 4, 2026
devantler and others added 2 commits July 4, 2026 15:28
…ttern

Exception names are regex-compared, so the provider-revision hash can be
matched by pattern instead of pinned — the entry survives provider
re-installs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…mp exceptions

C-0007 findings terminate on the binding objects (19 of 26 cluster-scoped,
namespace empty), so the namespace designator never covered them — mirror
the CSE's kind+name matches instead, keeping the crossplane-masters Group.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (1)

49-471: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider validating the embedded JSON blob before merge.

This is a large hand-maintained JSON string inside a YAML block scalar; a stray comma or missing bracket would silently break exception application (Headlamp would just show no exceptions) without any schema error surfacing at the Kustomize layer.

🔍 Suggested verification script
#!/bin/bash
# Extract the `exceptionPolicies` block scalar value and validate as JSON.
python3 - <<'EOF'
import yaml, json
with open("k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml") as f:
    doc = yaml.safe_load(f)
raw = doc["data"]["exceptionPolicies"]
json.loads(raw)
print("Valid JSON, entries:", len(json.loads(raw)))
EOF
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml`
around lines 49 - 471, The embedded exceptionPolicies JSON blob needs validation
before merge to catch syntax mistakes that would make Headlamp load no
exceptions. Add a verification step that parses the YAML block scalar from the
config map and JSON-decodes it, using the data.exceptionPolicies field as the
target. If possible, wire this check into CI or a pre-merge script so any stray
comma or missing bracket in the postureExceptionPolicy entries is caught early.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8a3f06af-e80a-484f-8b76-e9b9ceaf1817

📥 Commits

Reviewing files that changed from the base of the PR and between db4eacd and 7b82f1e.

📒 Files selected for processing (2)
  • k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml
🔇 Additional comments (1)
k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (1)

92-127: LGTM!

devantler (Contributor, Author) commented:

🤖 Generated by the Daily AI Assistant

Review-body nitpick resolution record (no thread exists for it): validate the embedded JSON blob — verified against the current head: data.exceptionPolicies parses as valid JSON (array, 13 exception policies; checked with yq '.data.exceptionPolicies' | jq -e). No CI guard added: the file is an explicitly temporary presentation-layer mirror (header documents it is DELETED once the Headlamp plugin reads the ClusterSecurityException CRDs natively), so a one-time verification is proportionate; the CRs remain the source of truth.

…7-rbac-exception

# Conflicts:
#	k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
#	k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
#	k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
devantler (Contributor, Author) commented:

🤖 Generated by the Daily AI Assistant

CodeRabbit body-finding resolution record (🧹 Nitpick, config-map-headlamp-exceptions.yaml: validate the embedded JSON blob / wire a CI check):

  • The JSON blob was re-validated with exactly the suggested parse (15 policy entries, parses clean) as part of resolving this branch's merge conflict with main.
  • Declining the CI-check wiring: this ConfigMap is an explicitly temporary presentation-layer fallback — its own header says to DELETE it once the v4.0.10 scanner is confirmed marking excepted controls in prod (or the Headlamp plugin reads the CRDs natively). Adding CI validation for a file scheduled for deletion is not worth the moving part; the durable exception source of truth is the ClusterSecurityException CRs, which kustomize-validate already covers.

devantler (Contributor, Author) commented:

🤖 Generated by the Daily AI Assistant

Resolution record for the CodeRabbit review-body nitpick (2026-07-04 13:32Z review — no inline thread exists):

Validate the embedded JSON blob before merge — verified against the current head: data.exceptionPolicies parses as valid JSON with 15 exception-policy entries (checked with exactly the suggested extraction + json.loads flow). The broader ask — catching this class of breakage in CI so a stray comma can never ship silently — is real but bigger than this PR, so it is captured as #2480 (embedded-JSON ConfigMap validation step in the validate workflow).
