fix(kubescape): repair offline config.json mount so posture scans persist#2454
devantler wants to merge 1 commit into
Chart 1.40.2's `kubescapeOffline: enable` mounts the empty kubescape-volume
emptyDir directly at the file path /home/nonroot/.kubescape/config.json
(subPath config.json). kubelet auto-creates the non-existent subPath as a
directory, so config.json is a directory, not a file. The v4.0.9 scanner's
account-ID step then fails every scan ("open .../config.json: is a directory")
after generating results locally but before persisting them, so
workloadconfigurationscans have been frozen since 2026-06-27 and the
C-0030/C-0054/C-0260 ClusterSecurityException (which exempts the Cilium-based
network controls kubescape can't read) never applies — the compliance score is
stuck at 0.
Re-point the mount at the parent dir /home/nonroot/.kubescape via a
postRenderer (the fix already on the chart's unreleased main, which dropped the
offline conditional), so config.json becomes a real writable file co-existing
with the nested host-scanner.yaml mount. Keeps `kubescapeOffline: enable`
(KS_OFFLINE=true, no cloud submit) and the v4.0.9 exceptions-getter override
from #2316. Validated: kustomize renders the corrected mount with host-scanner
and the other five mounts intact; both cluster overlays build.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
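As an added example (not code from this PR or from the kubescape chart): a small Python check that flags the mount pattern the PR fixes, an emptyDir volume mounted with a subPath at a file-looking path, and rewrites it into the parent-directory mount the description calls for. The pod spec below is constructed from the mount paths in the PR text; the `FILE_SUFFIXES` heuristic and the function names are assumptions of this example.

```python
"""Lint a rendered pod spec for emptyDir+subPath file mounts (added example)."""
import copy
from pathlib import PurePosixPath

# Heuristic (assumed here): a mountPath with one of these suffixes is meant to be a file.
FILE_SUFFIXES = (".json", ".yaml", ".yml", ".toml", ".conf", ".env")


def find_phantom_file_mounts(pod_spec):
    """Return (container, mountPath) pairs where an emptyDir volume is mounted
    with a subPath at a file-looking path. kubelet creates a missing subPath as
    a directory, so the process finds a directory where it expects a file."""
    empty_dirs = {v["name"] for v in pod_spec.get("volumes", []) if "emptyDir" in v}
    findings = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] not in empty_dirs or "subPath" not in m:
                continue  # configMap/secret subPaths with an existing key are real files
            if PurePosixPath(m["mountPath"]).suffix.lower() in FILE_SUFFIXES:
                findings.append((c["name"], m["mountPath"]))
    return findings


def repoint_to_parent_dir(mount):
    """Rewrite a subPath file mount as a plain directory mount of the parent,
    the shape of the fix in this PR: the file is then created by the process
    as a regular, writable file inside the emptyDir."""
    fixed = {k: v for k, v in mount.items() if k != "subPath"}
    fixed["mountPath"] = str(PurePosixPath(mount["mountPath"]).parent)
    return fixed


def fixed_spec(pod_spec):
    """Return a copy of pod_spec with every flagged mount re-pointed."""
    out = copy.deepcopy(pod_spec)
    bad = set(find_phantom_file_mounts(out))
    for c in out.get("containers", []):
        c["volumeMounts"] = [repoint_to_parent_dir(m) if (c["name"], m["mountPath"]) in bad else m
                             for m in c.get("volumeMounts", [])]
    return out


# Constructed sample modelled on the chart 1.40.2 offline mount described above.
BROKEN_SPEC = {
    "volumes": [{"name": "kubescape-volume", "emptyDir": {}},
                {"name": "host-scanner-definition", "configMap": {"name": "host-scanner-definition"}}],
    "containers": [{"name": "kubescape", "volumeMounts": [
        {"name": "kubescape-volume", "mountPath": "/home/nonroot/.kubescape/config.json", "subPath": "config.json"},
        {"name": "host-scanner-definition", "mountPath": "/home/nonroot/.kubescape/host-scanner.yaml",
         "subPath": "host-scanner.yaml"}]}],
}
```

Run it against `kubectl get deploy -o json` output (the `.spec.template.spec` object) to catch the same trap in other charts before a scanner starts failing silently.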
Closing as a duplicate of #2443 (and of the already-closed mount-only attempts #2439 / #2444). I independently re-root-caused the C-0030 "0 of 16" false-positive to the frozen posture scanner and shipped a post-render fix for the broken The load-bearing fix is #2443's
Why: The Kubescape compliance dashboard has been stuck at 0 with a wave of false "network policy" failures (C-0030 Ingress and Egress blocked, plus C-0054/C-0260) since 2026-06-27. Root cause: the posture scanner has been silently failing to save its results on every scan, so the platform's existing cluster-wide exemption for those controls — we enforce network segmentation with CiliumNetworkPolicies, which Kubescape doesn't recognise as native NetworkPolicy — never actually gets applied to the live results.
What: Fixes the scanner's config-file mount (a chart 1.40.2 bug that only triggers in offline/air-gapped mode) so it can write its state and persist results again, restoring live compliance scoring and the C-0030/C-0054/C-0260 exemption. Keeps offline mode and the scanner version the exemption feature needs. Mirrors the fix already on the chart's unreleased upstream main; a temporary workaround to remove once a chart > 1.40.2 ships it.
Hotfix for broken posture scanning (no prior issue). Needs a direct merge after promotion (own PR — auto-merge is bot-only).