fix(kubescape): except C-0007 delete-capable RBAC by object, not namespace #2446

Merged: botantler-1[bot] merged 5 commits into main from claude/kubescape-c0007-rbac-exception on Jul 5, 2026

Conversation

devantler (Contributor) commented Jul 4, 2026

🤖 Generated by the Daily AI Assistant

Why

Control C-0007 "Roles with delete capabilities" shows every one of its 26 legitimate infra-controller / tenant service accounts (Flux, Velero, Longhorn, CNPG, Kyverno, cert-manager, KubeVirt, Crossplane…) as failing. Its exception used a namespace match, which Kubescape ignores for RBAC findings — 19 of the 26 are cluster-scoped bindings with no namespace at all — so the exception never applied.

What

Move C-0007 to the kind+name match that actually works for RBAC objects: a new delete-rbac.yaml matching each delete-capable binding, plus the mirrored Headlamp ConfigMap change. This is the same pattern and same 4 files as the sibling per-control PRs (#2442 C-0015, #2440 C-0002, #2434 C-0026) — it fills the missing C-0007 case (the largest, at 26 findings). The list stays explicit so a new/accidental delete grant is still flagged; two churn-prone entries (the Crossplane provider revision hash, the on-demand tofu-runner) are flagged inline for periodic refresh.

Sequencing: takes effect only after #2443 (the keepLocal scan-persistence fix) unfreezes in-cluster scanning — reconcile the binding list against a fresh scan then. Shares files with #2442/#2440/#2434, so whichever merges after the first needs a trivial rebase. Related: #2264.
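To make the two mechanisms in the description concrete, here is an added example (not code from this PR, the platform repo, or Kubescape itself) that models how a kind+name matcher and a namespace matcher each apply to C-0007 findings, and lints a matcher list for the two mistakes the review raised (a `namespace` field the CRD prunes, and a pinned revision hash). Everything in it is constructed: the findings, the binding names, the namespace list, and the assumption that Kubescape's `regexCompare` behaves like a regex search (which is why anchors matter). How the CR binds to a control ID is not modelled.

```python
import re

CONTROL_ID = "C-0007"  # "Roles with delete capabilities"; control selection itself is not modelled here
RBAC_GROUP = "rbac.authorization.k8s.io"
ALLOWED_RESOURCE_FIELDS = {"apiGroup", "kind", "name"}  # spec.match.resources[] schema cited in the PR

# Constructed sample findings (not real scan output). Kubescape keys RBAC findings on the
# binding object; a cluster-scoped ClusterRoleBinding has an empty namespace.
SAMPLE_FINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "velero-server", "namespace": ""},
    {"kind": "ClusterRoleBinding",
     "name": "crossplane:provider:provider-upjet-github-3f9a2c1b:system", "namespace": ""},
    {"kind": "RoleBinding", "name": "longhorn-bind", "namespace": "longhorn-system"},
    {"kind": "ClusterRoleBinding", "name": "debug-delete-all", "namespace": ""},  # accidental grant
]

# Constructed matcher list in the shape of spec.match.resources[]; names are illustrative.
DELETE_RBAC_RESOURCES = [
    {"apiGroup": RBAC_GROUP, "kind": "ClusterRoleBinding", "name": "^velero-server$"},
    {"apiGroup": RBAC_GROUP, "kind": "ClusterRoleBinding",
     "name": "^crossplane:provider:provider-upjet-github-[0-9a-f]+:system$"},
    {"apiGroup": RBAC_GROUP, "kind": "RoleBinding", "name": "^longhorn-bind$",
     "namespace": "longhorn-system"},  # not in the CRD schema: pruned silently on apply
]

# A matcher written the way the first review round flagged: pinned literal hash, unanchored.
PINNED_RESOURCES = [
    {"apiGroup": RBAC_GROUP, "kind": "ClusterRoleBinding",
     "name": "crossplane:provider:provider-upjet-github-3f9a2c1b:system"},
]

# Constructed stand-in for the namespaces the old namespaceSelector-style exception listed.
CONTROLLER_NAMESPACES = {"velero", "longhorn-system", "crossplane-system"}


def regex_compare(pattern: str, value: str) -> bool:
    """Assumed semantics of Kubescape's regexCompare: a regex search, so an unanchored
    pattern also matches longer names. That is why the matchers above carry ^...$."""
    return re.search(pattern, value) is not None


def matches_by_object(resources, finding) -> bool:
    """kind+name matching (apiGroup is carried but not compared in this model)."""
    return any(r["kind"] == finding["kind"] and regex_compare(r["name"], finding["name"])
               for r in resources)


def matches_by_namespace(namespaces, finding) -> bool:
    """Namespace matching: inert for cluster-scoped bindings, whose namespace is empty."""
    return finding["namespace"] in namespaces


def evaluate(findings, resources, namespaces):
    """Map each finding name to whether each strategy would except it."""
    return {f["name"]: {"by_object": matches_by_object(resources, f),
                        "by_namespace": matches_by_namespace(namespaces, f)}
            for f in findings}


def lint_resources(resources):
    """Flag matcher entries the CRD would prune, unanchored names, and pinned hashes."""
    problems = []
    for i, r in enumerate(resources):
        pruned = sorted(set(r) - ALLOWED_RESOURCE_FIELDS)
        if pruned:
            problems.append(f"resources[{i}]: {pruned} not in CRD schema, would be pruned")
        name = r.get("name", "")
        if not (name.startswith("^") and name.endswith("$")):
            problems.append(f"resources[{i}]: name {name!r} is not anchored")
        # A run of 8+ hex digits outside a character class looks like a pinned revision hash.
        if "[0-9a-f]" not in name and re.search(r"[0-9a-f]{8,}", name):
            problems.append(f"resources[{i}]: name {name!r} pins a generated hash")
    return problems


if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_FINDINGS, DELETE_RBAC_RESOURCES, CONTROLLER_NAMESPACES)
    for name, verdict in verdicts.items():
        print(f"{CONTROL_ID} {name:58} by_object={verdict['by_object']!s:5} "
              f"by_namespace={verdict['by_namespace']}")
    for problem in lint_resources(DELETE_RBAC_RESOURCES) + lint_resources(PINNED_RESOURCES):
        print("lint:", problem)
```

Running it shows the three cluster-scoped bindings are never excepted by namespace (their namespace is empty), while kind+name excepts the two legitimate ones and still leaves the accidental `debug-delete-all` grant failing; the lint reports the pruned `namespace` field and the pinned hash.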

…space

Control C-0007 ("Roles with delete capabilities") is exempted only via
controller-rbac.yaml's namespaceSelector, which cannot match RBAC
findings: Kubescape keys them on the Role/ClusterRole/binding object, and
19 of C-0007's 26 findings terminate on cluster-scoped ClusterRoleBindings
whose namespace is empty. So the exception is a silent no-op and every
delete-capable controller renders failed.

Move C-0007 to a kind+name resources match (new delete-rbac.yaml),
mirroring wildcard-rbac.yaml / C-0187 — the proven mechanism for RBAC
objects. Matches each of the 26 delete-capable bindings by kind+name so
C-0007 still flags any new/accidental delete grant. Mirror the change in
the Headlamp plugin ConfigMap (which keys on the owning SA's namespace).

Depends on the scanner-mount fix (config.json postRenderer) landing first
before it can take effect on the in-cluster scan.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
coderabbitai Bot commented Jul 4, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: cc3b9f71-0e1a-4931-9edc-ba869ee0586d

📥 Commits

Reviewing files that changed from the base of the PR and between 70d5a05 and b2a06cc.

📒 Files selected for processing (3)
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • devantler-tech/actions (auto-detected)
  • devantler-tech/aws (auto-detected)
  • devantler-tech/ksail (auto-detected)
  • devantler-tech/reusable-workflows (auto-detected)
  • devantler-tech/ascoachingogvaner (auto-detected)
  • devantler-tech/unifi (auto-detected)
  • devantler-tech/wedding-app (auto-detected)
  • devantler-tech/provider-upjet-unifi (auto-detected)
  • devantler-tech/agent-skills (auto-detected)
📜 Recent review details
⚠️ CI failures not shown inline (2)

GitHub Actions: 🔀 Enable Auto-Merge / 0_auto-merge.txt: fix(kubescape): except C-0007 delete-capable RBAC by object, not namespace

Conclusion: failure


##[group]Run set +e
 set +e
 REVIEW_OUTPUT=$(gh pr review "$PR_NUMBER" --approve --repo "$REPOSITORY" 2>&1)
 REVIEW_EXIT_CODE=$?
 set -e

 if [[ $REVIEW_EXIT_CODE -eq 0 ]]; then
   echo "✅ PR #${PR_NUMBER} approved"
 elif [[ "$REVIEW_OUTPUT" == *"Can not approve your own pull request"* ]]; then
   echo "::warning::Could not approve PR #${PR_NUMBER} because GitHub does not allow self-approval. Skipping approval."
 else
   echo "::error::Failed to approve PR #${PR_NUMBER}."

GitHub Actions: 🔀 Enable Auto-Merge / auto-merge: fix(kubescape): except C-0007 delete-capable RBAC by object, not namespace

Conclusion: failure

🧰 Additional context used
📓 Path-based instructions (4)
**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{yaml,yml}: Use Kustomize overlays rather than editing base resources directly; k8s/bases/ is immutable from overlays and changes should be made with patches: in provider or cluster overlays.
Keep manifest changes small and use YAML/schema validation before submitting a manifest PR; for files with cluster context, prefer ksail workload validate / kubectl kustomize / kubectl apply --dry-run=client as appropriate.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
k8s/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/**: Respect Flux dependency order: bootstrap → infrastructure-controllers → infrastructure → apps, with the prod-only infrastructure-overprovisioning layer hanging off infrastructure without gating apps.
Follow the hierarchical Kustomization flow: base configurations in k8s/bases/ feed provider overlays in k8s/providers/, which feed cluster overlays in k8s/clusters/.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
k8s/bases/infrastructure/**

📄 CodeRabbit inference engine (AGENTS.md)

k8s/bases/infrastructure/**: Under k8s/bases/infrastructure/, organize resources component-folder-first: a component's HelmRelease/HelmRepository and its own CRs should live together in a folder named after the component unless a split is required.
Split a custom resource into its own plural-Kind folder only when it cannot live with its component, such as for CRD dependency ordering or because it is cluster-scoped/cross-cutting.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
k8s/bases/infrastructure/**/*.{yaml,yml}

📄 CodeRabbit inference engine (AGENTS.md)

k8s/bases/infrastructure/**/*.{yaml,yml}: For component-folder files, name manifests after the resource Kind in kebab-case; if a folder contains multiple resources of the same Kind, qualify filenames with a purpose suffix.
For CR-folder files, omit the folder-implied Kind from the filename and use the verb-purpose.yaml form.
Name Flux Kustomization resources flux-kustomization*.yaml; keep the kustomize build file named exactly kustomization.yaml.

Files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
🧠 Learnings (3)
📚 Learning: 2026-07-01T21:13:36.950Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2359
File: k8s/bases/apps/actual-budget/helm-release.yaml:62-111
Timestamp: 2026-07-01T21:13:36.950Z
Learning: When reviewing Kustomize/Helm YAML in this repo, keep the base vs provider overlay split: `k8s/bases/apps/**` and `k8s/bases/infrastructure/**` should contain each app’s full, environment-agnostic configuration (including base-level postRenderer Kustomize patches such as deployment strategy, topology spread, probes, and env injection). `k8s/providers/{docker,hetzner}/**` should only add small provider-specific deltas (e.g., `interval`, `persistence.size`) via patch files (like `k8s/providers/<provider>/apps/<app>/patches/helm-release-patch.yaml`). If configuration is identical across providers (e.g., OIDC/OAuth env vars where `${domain}` is resolved per cluster via envsubst), it belongs in the base and must not be duplicated into provider overlays.

Applied to files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
📚 Learning: 2026-07-04T13:30:04.759Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2446
File: k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml:38-125
Timestamp: 2026-07-04T13:30:04.759Z
Learning: For Kubescape ClusterSecurityException (apiVersion kubescape.io/v1beta1) and the mirrored Headlamp exception config, do NOT pin `spec.match.resources[].name` (and Headlamp `attributes.name`) to a single literal value when the identifier includes a generated hash. These fields are compared using `regexCompare`, so match such resources with an anchored regular expression that covers the stable prefix and the hash pattern (e.g., `^crossplane:provider:provider-upjet-github-[0-9a-f]+:system$`) rather than the current hash, so the exception remains valid across provider re-installs/revisions.

Applied to files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
📚 Learning: 2026-07-04T22:21:38.572Z
Learnt from: devantler
Repo: devantler-tech/platform PR: 2442
File: k8s/bases/infrastructure/cluster-security-exceptions/secret-reader-rbac.yaml:244-253
Timestamp: 2026-07-04T22:21:38.572Z
Learning: In this repo’s Kubescape ClusterSecurityException manifests (apiVersion kubescape.io/v1beta1), the CRD’s `spec.match.resources[]` schema supports only `apiGroup`, `kind`, and `name` (no `namespace`). Because the CRD is structurally pruned, adding a `namespace` field will be silently dropped. Therefore, when reviewing RBAC-related matchers (e.g., `Role` name matchers like `^operator$`, `^longhorn$`, `^vault-config$`, `^velero-server$`), do not suggest scoping them by namespace at the CRD level; `namespaceSelector` is also inert for RBAC-object controls such as C-0015/C-0187 in this CRD’s exception processing (it compares only top-level RBAC kind+name, not namespace). Only suggest namespace scoping if upstream Kubescape adds a `namespace` attribute to this CRD schema.

Applied to files:

  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
🔀 Multi-repo context

Linked repositories findings

devantler-tech/ksail

  • pkg/cli/cmd/workload/scan.go:36-40, 137-140 — ksail workload scan exposes a --exceptions flag for a Kubescape exceptions file in native PostureExceptionPolicy JSON format. This means the PR's exception-manifest shape and control IDs are user-visible to KSail consumers, so the new delete-rbac.yaml / controller-rbac mirror should stay consistent with that expected format.
  • charts/ksail-operator/crds/ksail.io_clusters.yaml:1035-1039 — the CRD schema documents the same Kubescape exceptions file contract (--exceptions, native JSON array of PostureExceptionPolicy objects). No API mismatch found, but this confirms the exceptions file is an external input consumed by KSail.
  • schemas/ksail-config.schema.json:1100-1116 — the spec.workload.scan.exceptions config field is documented as a Kubescape exceptions file path. This is the other public surface that could break if the exception policy format changed; it doesn’t appear to require code changes from this PR.

No relevant references were found in devantler-tech/actions, devantler-tech/aws, devantler-tech/reusable-workflows, or devantler-tech/unifi.

🔇 Additional comments (4)
k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml (1)

34-49: LGTM!

The updated NOTE accurately reflects the migration: the posture ignore list changes so the C-0007 ignore entry is removed, causing the list to go directly from the prior ignored control (C-0053) to C-0037, and the expanded comment correctly documents the kind+name-based sibling exceptions and the 19-cluster-scoped-binding rationale, consistent with the sibling wildcard-rbac.yaml and secret-reader-rbac.yaml files' documented behavior.

k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml (1)

9-9: LGTM!

delete-rbac.yaml is correctly wired into the base resources list and alphabetically placed between controller-rbac.yaml and exec-into-container-rbac.yaml, consistent with the sibling manifest's actual C-0007 ignore + kind/name matching contract shown in the linked context snippet.

k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (2)

73-91: LGTM!

controller-rbac policy's posturePolicies now mirrors the CR's posture list (C-0053, C-0037, C-0031, C-0063, C-0035, C-0188) exactly and drops C-0007, consistent with the CR change in controller-rbac.yaml.


150-185: LGTM!

The new delete-capable-rbac-by-design policy correctly matches by kind+name (ClusterRoleBinding/RoleBinding) rather than namespace, addressing the earlier review finding that was already fixed and confirmed in a prior commit. Cross-checked the entry counts: expanding the cert-manager-controller-(issuers|clusterissuers|certificates|challenges) alternation, the ClusterRoleBinding list totals 19 entries and the RoleBinding list totals 7, summing to 26 — matching the PR's stated "26 legitimate ... including 19 cluster-scoped bindings" exactly. The crossplane provider hash name also correctly uses an anchored regex ([0-9a-f]+) rather than a pinned literal, per the pattern already established for other hash-based Crossplane resource names in this file.


📝 Walkthrough

Walkthrough

This PR moves Kubescape control C-0007 handling into a dedicated exception manifest that matches specific RBAC bindings by kind and name, removes the old ignore entry from controller-rbac, adds the new manifest to the base kustomization, and updates the Headlamp exception config to mirror the new policy.


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title clearly summarizes the main change: moving the C-0007 RBAC exception from namespace to object matching.
  • Description check: Passed. The description is directly about the same C-0007 RBAC exception change and the mirrored Headlamp update.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


devantler (Contributor, Author) commented:

@coderabbitai review

coderabbitai Bot commented Jul 4, 2026
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml`:
- Around line 38-124: The Crossplane provider ClusterRoleBinding exception is
pinned to a revision-specific literal name, so it will break on the next
provider reinstall. Update the delete-rbac exception entry in the
ClusterRoleBinding section to match the provider binding by a stable pattern or
selector-based approach instead of the exact hashed name, so the rule continues
to apply across provider churn.

In
`@k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml`:
- Around line 92-119: The delete-capable-rbac-by-design exception is matching by
namespace, which misses cluster-scoped RBAC bindings seen by delete-rbac.yaml.
Update the postureExceptionPolicy entry in the config-map-headlamp-exceptions
manifest to mirror the same RBAC object targeting used by the delete-rbac logic,
using kind+name matches for ClusterRoleBinding and RoleBinding instead of
relying on namespace, while preserving the explicit crossplane-masters Group
rule.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 14faa482-258c-4ce9-becc-f084c63cf4f9

📥 Commits

Reviewing files that changed from the base of the PR and between 32ce888 and db4eacd.

📒 Files selected for processing (4)
  • k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml
  • k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
📜 Review details
🔇 Additional comments (3)
k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml (1)

38-50: LGTM!

k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml (1)

8-8: LGTM!

k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (1)

72-90: LGTM!

@github-project-automation github-project-automation Bot moved this from 🫴 Ready to 🏃🏻‍♂️ In Progress in 🌊 Project Board Jul 4, 2026
devantler and others added 2 commits July 4, 2026 15:28
…ttern

Exception names are regex-compared, so the provider-revision hash can be
matched by pattern instead of pinned — the entry survives provider
re-installs.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…mp exceptions

C-0007 findings terminate on the binding objects (19 of 26 cluster-scoped,
namespace empty), so the namespace designator never covered them — mirror
the CSE's kind+name matches instead, keeping the crossplane-masters Group.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (1)

49-471: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider validating the embedded JSON blob before merge.

This is a large hand-maintained JSON string inside a YAML block scalar; a stray comma or missing bracket would silently break exception application (Headlamp would just show no exceptions) without any schema error surfacing at the Kustomize layer.

🔍 Suggested verification script
#!/bin/bash
# Extract the `exceptionPolicies` block scalar value and validate it as JSON.
# Requires python3 with PyYAML installed.
python3 - <<'EOF'
import json
import yaml

with open("k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml") as f:
    doc = yaml.safe_load(f)

# The ConfigMap embeds the Headlamp exception list as a JSON string under data.exceptionPolicies.
raw = doc["data"]["exceptionPolicies"]
policies = json.loads(raw)  # raises json.JSONDecodeError on a stray comma or missing bracket
print("Valid JSON, entries:", len(policies))
EOF
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml`
around lines 49 - 471, The embedded exceptionPolicies JSON blob needs validation
before merge to catch syntax mistakes that would make Headlamp load no
exceptions. Add a verification step that parses the YAML block scalar from the
config map and JSON-decodes it, using the data.exceptionPolicies field as the
target. If possible, wire this check into CI or a pre-merge script so any stray
comma or missing bracket in the postureExceptionPolicy entries is caught early.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 8a3f06af-e80a-484f-8b76-e9b9ceaf1817

📥 Commits

Reviewing files that changed from the base of the PR and between db4eacd and 7b82f1e.

📒 Files selected for processing (2)
  • k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml
  • k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • k8s/bases/infrastructure/cluster-security-exceptions/delete-rbac.yaml
📜 Review details
🔇 Additional comments (1)
k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml (1)

92-127: LGTM!

@devantler

Contributor Author

🤖 Generated by the Daily AI Assistant

Review-body nitpick resolution record (no thread exists for it): validate the embedded JSON blob — verified against the current head: data.exceptionPolicies parses as valid JSON (array, 13 exception policies; checked with yq '.data.exceptionPolicies' | jq -e). No CI guard added: the file is an explicitly temporary presentation-layer mirror (header documents it is DELETED once the Headlamp plugin reads the ClusterSecurityException CRDs natively), so a one-time verification is proportionate; the CRs remain the source of truth.

…7-rbac-exception

# Conflicts:
#	k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
#	k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
#	k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
@devantler

Contributor Author

🤖 Generated by the Daily AI Assistant

CodeRabbit body-finding resolution record (🧹 Nitpick, config-map-headlamp-exceptions.yaml: validate the embedded JSON blob / wire a CI check):

  • The JSON blob was re-validated with exactly the suggested parse (15 policy entries, parses clean) as part of resolving this branch's merge conflict with main.
  • Declining the CI-check wiring: this ConfigMap is an explicitly temporary presentation-layer fallback — its own header says to DELETE it once the v4.0.10 scanner is confirmed marking excepted controls in prod (or the Headlamp plugin reads the CRDs natively). Adding CI validation for a file scheduled for deletion is not worth the moving part; the durable exception source of truth is the ClusterSecurityException CRs, which kustomize-validate already covers.

@devantler

Contributor Author

🤖 Generated by the Daily AI Assistant

Resolution record for the CodeRabbit review-body nitpick (2026-07-04 13:32Z review — no inline thread exists):

Validate the embedded JSON blob before merge — verified against the current head: data.exceptionPolicies parses as valid JSON with 15 exception-policy entries (checked with exactly the suggested extraction + json.loads flow). The broader ask — catching this class of breakage in CI so a stray comma can never ship silently — is real but bigger than this PR, so it is captured as #2480 (embedded-JSON ConfigMap validation step in the validate workflow).

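An added example, not the repository's code, that models two points from this thread: the anchored-regex matching described in the CodeRabbit learning on `spec.match.resources[].name` / Headlamp `attributes.name`, and the `json.loads` validation of the embedded `data.exceptionPolicies` blob described in the resolution record above. The policy blob, the binding names, and the use of `re.search` as a stand-in for the scanner's regex comparison are all constructed assumptions.

```python
import json
import re

# Constructed stand-in for the ConfigMap's data.exceptionPolicies string;
# hypothetical content, not the repository's file.
EXCEPTION_POLICIES_JSON = """[
  {"name": "exclude-c-0007-crossplane-provider-sa",
   "policyType": "postureExceptionPolicy",
   "resources": [{"designatorType": "Attributes",
                  "attributes": {"kind": "ClusterRoleBinding",
                                 "name": "^crossplane:provider:provider-upjet-github-[0-9a-f]+:system$"}}],
   "posturePolicies": [{"controlID": "C-0007"}]}
]"""

def load_exception_policies(blob: str) -> list:
    """Parse the embedded JSON as the review's json.loads check does;
    a stray comma or unquoted key raises json.JSONDecodeError."""
    policies = json.loads(blob)
    if not isinstance(policies, list):
        raise ValueError("exceptionPolicies must be a JSON array")
    return policies

def is_valid_policy_blob(blob: str) -> bool:
    """CI-style guard: True only when the blob parses as a JSON array."""
    try:
        load_exception_policies(blob)
        return True
    except (json.JSONDecodeError, ValueError):
        return False

def name_matches(pattern: str, name: str) -> bool:
    """Model of the regex comparison (assumption: a plain regex search,
    which is why an exception pattern must be anchored with ^ and $)."""
    return re.search(pattern, name) is not None

def excepted_bindings(policies: list, control_id: str, bindings: list) -> list:
    """Names of (kind, name) bindings that some policy excepts for control_id."""
    out = []
    for kind, name in bindings:
        for pol in policies:
            if not any(p.get("controlID") == control_id for p in pol["posturePolicies"]):
                continue
            for res in pol["resources"]:
                attrs = res["attributes"]
                if attrs["kind"] == kind and name_matches(attrs["name"], name):
                    out.append(name)
    return out
```

Because the pattern is anchored, a binding with the same prefix but an extra suffix is still reported, while a new provider revision hash is excepted without editing the exception.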
@devantler devantler marked this pull request as ready for review July 5, 2026 07:00
@devantler devantler added this pull request to the merge queue Jul 5, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch Jul 5, 2026
…7-rbac-exception

# Conflicts:
#	k8s/bases/infrastructure/cluster-security-exceptions/controller-rbac.yaml
#	k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
@botantler-1 botantler-1 Bot enabled auto-merge July 5, 2026 08:16
@botantler-1 botantler-1 Bot added this pull request to the merge queue Jul 5, 2026
Merged via the queue into main with commit c328264 Jul 5, 2026
16 checks passed
@botantler-1 botantler-1 Bot deleted the claude/kubescape-c0007-rbac-exception branch July 5, 2026 08:25
@github-project-automation github-project-automation Bot moved this from 🏃🏻‍♂️ In Progress to ✅ Done in 🌊 Project Board Jul 5, 2026
@botantler-1

botantler-1 Bot commented Jul 5, 2026

Contributor

🎉 This PR is included in version 1.102.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
