
fix(kubescape): bump posture scanner to v4.0.10 so exception CRs apply offline#2452

Merged: devantler merged 1 commit into main from claude/kubescape-c0018-exceptions on Jul 4, 2026

Conversation

@devantler

@devantler devantler commented Jul 4, 2026


🤖 Generated by the Daily AI Assistant

Why

The compliance dashboard flags readiness/liveness (and the RBAC/SA/admission) controls as failing on infrastructure and batch workloads we have already formally accepted as false-positives. Root cause: the in-cluster posture scanner never actually reads our exception CRs. #2316 bumped the scanner to v4.0.9 to gain the exception reader, but v4.0.9 looks the CRs up at the wrong API version (v1, while our CRDs serve v1beta1), so it silently applies zero exceptions. This is the keystone: it's why none of the in-flight kubescape exception work (#2442, #2446, #2440, #2434, and the existing health-probes rules) visibly takes effect.

What

  • Bumps the posture scanner one more patch (v4.0.9 → v4.0.10), which fixes the API-version bug so the scanner reads and applies our exception CRs.
  • Adds one rule for run-to-completion Jobs/CronJobs (probes don't apply to batch pods), closing the only readiness gap the per-namespace rules missed (openbao's snapshot job).

Depends on

Notes

  • Scanner tag is a one-patch-ahead-of-chart override (same pattern as node-agent); reverts once the chart ships v4.0.10.
  • Own PR: needs a direct merge after promotion.

…y offline

The compliance dashboard shows accepted-risk controls (C-0018 readiness,
C-0056 liveness, plus the RBAC/SA/admission exceptions) failing on
infra/batch workloads even though the platform's ClusterSecurityException
CRs except them — the exceptions were inert end-to-end at the deployed
versions:

- Scanner v4.0.9's CRD exceptions getter (kubescape#2291) LISTs the CRDs at
  apiVersion kubescape.io/v1, but chart 1.40.2 serves ONLY v1beta1, so the
  List 404s and — as the secondary/merged source — is silently swallowed →
  zero exceptions applied (observed: C-0018 status=failed, subStatus="" on
  every excepted workload). kubescape#2366 (first shipped in v4.0.10)
  switches the getter to v1beta1. Bumping the existing kubescape.image.tag
  override v4.0.9 → v4.0.10 makes the scanner read the CRs and write
  passed/w-exceptions into the stored summaries, which the Headlamp plugin
  renders directly — clearing the dashboard AND the real posture with no
  per-browser exception-group selection.

- Add a batch-workloads ClusterSecurityException excepting C-0018/C-0056 for
  Job/CronJob kinds, closing the one C-0018 gap not covered by the
  namespace-scoped health-probes CR (openbao vault-snapshot-init, a
  run-to-completion Job where probes are inapplicable). Matched by workload
  kind so long-running Deployments/StatefulSets still require probes.

The headlamp-exceptions mirror ConfigMap is kept in sync (batch policy
added) as a fallback and is now removable once a v4.0.10 scan is confirmed
marking exceptions in prod (comments updated).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
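As an added illustration of the mechanism the description above explains (not Kubescape's code; the data model, field names, sample CRs and scan results are constructed for this example), a secondary exception getter whose 404 at an unserved apiVersion is swallowed, and a check over stored results that flags excepted workloads still marked failed:

```python
# Added model of the failure mode described above; data model, field names and
# sample CRs are constructed for this example, not Kubescape's code or schema.
class NotFound(Exception):
    """Stands in for the API server's 404 on an apiVersion the CRD does not serve."""

SERVED_VERSIONS = {"kubescape.io/v1beta1"}  # constructed: like chart 1.40.2
EXCEPTION_CRS = [  # constructed: namespace-scoped probes rule + batch-kinds rule
    {"controls": {"C-0018", "C-0056"}, "match": {"namespace": "monitoring"}},
    {"controls": {"C-0018", "C-0056"}, "match": {"kind": {"Job", "CronJob"}}},
]
SCAN_RESULTS = [  # constructed raw control results from one posture scan
    {"control": "C-0018", "status": "failed", "workload": {"kind": "Deployment", "namespace": "monitoring"}},
    {"control": "C-0018", "status": "failed", "workload": {"kind": "Job", "namespace": "openbao"}},
    {"control": "C-0018", "status": "failed", "workload": {"kind": "Deployment", "namespace": "apps"}},
]

def list_exception_crs(api_version):
    """LIST the CRs at the given apiVersion; an unserved version is a 404."""
    if api_version not in SERVED_VERSIONS:
        raise NotFound(api_version)
    return list(EXCEPTION_CRS)

def load_exceptions(api_version):
    """The CR getter is a secondary, merged source, so its NotFound is swallowed:
    a wrong apiVersion silently yields zero exceptions (the v4.0.9 behaviour)."""
    try:
        return list_exception_crs(api_version)
    except NotFound:
        return []

def excepted(result, exceptions):
    """True when some exception covers this control on this workload."""
    w = result["workload"]
    return any(result["control"] in e["controls"]
               and w["namespace"] == e["match"].get("namespace", w["namespace"])
               and w["kind"] in e["match"].get("kind", {w["kind"]})
               for e in exceptions)

def apply_exceptions(results, exceptions):
    """Rewrite failed-but-excepted results as passed with subStatus w-exceptions."""
    out = []
    for r in results:
        hit = r["status"] == "failed" and excepted(r, exceptions)
        out.append({**r, "status": "passed" if hit else r["status"],
                    "subStatus": "w-exceptions" if hit else ""})
    return out

def inert_exception_count(results, exceptions):
    """Check on stored summaries: excepted workloads still failed with no
    subStatus mean the scanner never read the CRs."""
    return sum(1 for r in results if r["status"] == "failed" and excepted(r, exceptions))
```

Running the pipeline at the wrong apiVersion leaves every workload failed with an empty subStatus (the symptom observed above), while the served version marks the namespace- and kind-matched workloads passed and leaves the un-excepted Deployment failing.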
@coderabbitai

coderabbitai Bot commented Jul 4, 2026


Walkthrough

Adds a new Kubescape ClusterSecurityException for batch Job/CronJob workloads to ignore readiness/liveness controls, wires it into kustomization resources, mirrors the exception in the Headlamp ConfigMap, and updates HelmRelease/ClusterRole documentation and image tag to v4.0.10.

Changes

Batch workload security exceptions

Layer / File(s) / Summary
  • ClusterSecurityException for batch Job/CronJob probes
    Files: k8s/bases/infrastructure/cluster-security-exceptions/batch-workloads.yaml, k8s/bases/infrastructure/cluster-security-exceptions/kustomization.yaml
    Summary: New ClusterSecurityException resource ignores controls C-0018 and C-0056 for batch Job/CronJob kinds, added to the kustomization resources list.
  • Mirrored Headlamp exception policy
    Files: k8s/bases/infrastructure/controllers/kubescape/config-map-headlamp-exceptions.yaml
    Summary: Adds a batch-workloads exceptionPolicies entry mirroring the CRD exception, and revises header comments describing the ConfigMap as a Headlamp-only fallback and interim manual step.
  • Kubescape v4.0.10 scanner tag and RBAC/getter documentation
    Files: k8s/bases/infrastructure/controllers/kubescape/helm-release.yaml, k8s/bases/infrastructure/controllers/kubescape/cluster-role.yaml
    Summary: Bumps kubescape.image.tag from v4.0.9 to v4.0.10 and updates comments explaining CRD apiVersion/getter behavior and RBAC requirements for scanning exceptions.

Estimated code review effort: 2 (Simple) | ~12 minutes

Possibly related PRs

  • devantler-tech/platform#2316: Builds on prior work aligning Kubescape's CRD getter/version and RBAC to make ClusterSecurityException posture exceptions effective.
  • devantler-tech/platform#2320: Extends the existing pattern of mirroring ClusterSecurityException CRs into the Headlamp plugin ConfigMap.
🚥 Pre-merge checks: 5 passed
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Title check: ✅ Passed. The title accurately summarizes the main change: bumping Kubescape to v4.0.10 so exception CRs work offline.
  • Description check: ✅ Passed. The description matches the changeset, covering the scanner bump and the new batch-workload exception rule.

@devantler


@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@devantler devantler marked this pull request as ready for review July 4, 2026 14:35
@devantler devantler added this pull request to the merge queue Jul 4, 2026
Merged via the queue into main with commit 832e075 Jul 4, 2026
15 checks passed
@devantler devantler deleted the claude/kubescape-c0018-exceptions branch July 4, 2026 16:14
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 4, 2026
@botantler-1

botantler-1 Bot commented Jul 4, 2026


🎉 This PR is included in version 1.96.10 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 4, 2026
devantler added a commit that referenced this pull request Jul 4, 2026
Keep #2452's v4.0.10 scanner override and this branch's keepLocal
scheduler request-body — both layers of the posture fix are required.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>