fix(kubescape): bump posture scanner to v4.0.10 so exception CRs apply offline#2452
Conversation
…y offline

The compliance dashboard shows accepted-risk controls (C-0018 readiness, C-0056 liveness, plus the RBAC/SA/admission exceptions) failing on infra/batch workloads even though the platform's ClusterSecurityException CRs except them — the exceptions were inert end-to-end at the deployed versions:

- Scanner v4.0.9's CRD exceptions getter (kubescape#2291) LISTs the CRDs at apiVersion kubescape.io/v1, but chart 1.40.2 serves ONLY v1beta1, so the List 404s and — as the secondary/merged source — is silently swallowed → zero exceptions applied (observed: C-0018 status=failed, subStatus="" on every excepted workload). kubescape#2366 (first shipped in v4.0.10) switches the getter to v1beta1. Bumping the existing kubescape.image.tag override v4.0.9 → v4.0.10 makes the scanner read the CRs and write passed/w-exceptions into the stored summaries, which the Headlamp plugin renders directly — clearing the dashboard AND the real posture with no per-browser exception-group selection.
- Add a batch-workloads ClusterSecurityException excepting C-0018/C-0056 for Job/CronJob kinds, closing the one C-0018 gap not covered by the namespace-scoped health-probes CR (openbao vault-snapshot-init, a run-to-completion Job where probes are inapplicable). Matched by workload kind so long-running Deployments/StatefulSets still require probes. The headlamp-exceptions mirror ConfigMap is kept in sync (batch policy added) as a fallback and is now removable once a v4.0.10 scan is confirmed marking exceptions in prod (comments updated).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
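The two failure modes in the description (a CRD lookup at the wrong apiVersion that is swallowed as a secondary source, and an exception that must match by workload kind so only Jobs/CronJobs are excepted) can be shown side by side with a small simulation. The following is an added example written for this page, not Kubescape's own code: the in-memory "API server", the shape of the ClusterSecurityException objects, the scan results and the function names (`crd_exceptions_getter`, `apply_exceptions`, `scan`) are all constructed assumptions; only the control IDs, the workload names and the status/subStatus strings come from the PR.

```python
"""Simulate how posture-exception CRs are, or are not, applied to scan results.

Added illustration, not Kubescape's code. The API server, CR contents and scan
results below are constructed; the status/subStatus strings mirror what the PR
observed (status="failed", subStatus="" before the fix; "w-exceptions" after).
"""
from dataclasses import dataclass, field

# Constructed stand-in for the CRDs served by chart 1.40.2: only v1beta1 exists.
FAKE_API_SERVER = {
    "kubescape.io/v1beta1/clustersecurityexceptions": [
        {   # hypothetical object mirroring the batch-workloads exception
            "name": "batch-workloads",
            "match": {"kinds": ["Job", "CronJob"]},
            "controls": ["C-0018", "C-0056"],
        },
        {   # hypothetical object mirroring the namespace-scoped health-probes CR
            "name": "health-probes",
            "match": {"namespaces": ["infra"]},
            "controls": ["C-0018", "C-0056"],
        },
    ],
}


class NotFound(Exception):
    """Stand-in for a 404 from the API server."""


def list_exceptions(api_version: str) -> list:
    key = f"{api_version}/clustersecurityexceptions"
    if key not in FAKE_API_SERVER:
        raise NotFound(key)
    return FAKE_API_SERVER[key]


def crd_exceptions_getter(api_version: str) -> list:
    """Model of the secondary (merged) exceptions source: a lookup failure is
    swallowed and yields zero exceptions, which is why the v1 lookup in the
    v4.0.9 getter left every excepted workload failed with no visible error."""
    try:
        return list_exceptions(api_version)
    except NotFound:
        return []


@dataclass
class ControlResult:
    control_id: str
    kind: str
    namespace: str
    name: str
    status: str = "failed"
    sub_status: str = ""
    exceptions: list = field(default_factory=list)


def matches(exc: dict, r: ControlResult) -> bool:
    """An exception applies when every selector it carries matches the
    workload and the control is one it lists."""
    m = exc["match"]
    if "kinds" in m and r.kind not in m["kinds"]:
        return False
    if "namespaces" in m and r.namespace not in m["namespaces"]:
        return False
    return r.control_id in exc["controls"]


def apply_exceptions(results, exceptions):
    """Mark failed controls covered by an exception as passed with exceptions;
    everything else (e.g. a Deployment outside an excepted namespace) stays failed."""
    out = []
    for r in results:
        hits = [e["name"] for e in exceptions if matches(e, r)]
        if r.status == "failed" and hits:
            r = ControlResult(r.control_id, r.kind, r.namespace, r.name,
                              status="passed", sub_status="w-exceptions",
                              exceptions=hits)
        out.append(r)
    return out


def scan(api_version: str) -> dict:
    """Run a constructed C-0018 scan and return {workload: (status, subStatus)}."""
    results = [
        ControlResult("C-0018", "Job", "openbao", "vault-snapshot-init"),
        ControlResult("C-0018", "Deployment", "infra", "ingress"),
        ControlResult("C-0018", "Deployment", "apps", "web"),
    ]
    applied = apply_exceptions(results, crd_exceptions_getter(api_version))
    return {f"{r.kind}/{r.namespace}/{r.name}": (r.status, r.sub_status) for r in applied}


if __name__ == "__main__":
    for ver in ("kubescape.io/v1", "kubescape.io/v1beta1"):
        print(ver, scan(ver))
```

Running it prints every workload as `("failed", "")` when the getter asks for `kubescape.io/v1`, and with `v1beta1` only the Job and the `infra` Deployment flip to `("passed", "w-exceptions")` while the `apps` Deployment stays failed, which is the kind-scoped behaviour the batch-workloads exception is meant to have. The one design point worth keeping in mind from the simulation is the silent `except NotFound: return []`: a secondary source that degrades to "no exceptions" on error is indistinguishable from "no CRs exist", so a check that the expected CRs were actually read (for instance, asserting a nonzero exception count or a `w-exceptions` subStatus on a known excepted workload after a scan) is what surfaces this class of misconfiguration.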
Walkthrough: Adds a new Kubescape ClusterSecurityException for batch Job/CronJob workloads to ignore readiness/liveness controls, wires it into kustomization resources, mirrors the exception in the Headlamp ConfigMap, and updates HelmRelease/ClusterRole documentation and image tag to v4.0.10.

Changes: Batch workload security exceptions
Comment: @coderabbitai review
Action performed: Review finished.

Comment: @coderabbitai review
Action performed: Review finished.
🎉 This PR is included in version 1.96.10 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Keep #2452's v4.0.10 scanner override and this branch's keepLocal scheduler request-body — both layers of the posture fix are required. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Why
The compliance dashboard flags readiness/liveness (and the RBAC/SA/admission) controls as failing on infrastructure and batch workloads we have already formally accepted as false-positives. Root cause: the in-cluster posture scanner never actually reads our exception CRs. #2316 bumped the scanner to v4.0.9 to gain the exception reader, but v4.0.9 looks the CRs up at the wrong API version (v1, while our CRDs serve v1beta1), so it silently applies zero exceptions. This is the keystone: it's why none of the in-flight kubescape exception work (#2442, #2446, #2440, #2434, and the existing health-probes rules) visibly takes effect.
What
Depends on
Notes