fix(kubescape): repair offline config.json mount so posture scans persist #2454

Closed
devantler wants to merge 1 commit into main from claude/kubescape-offline-config-fix

Conversation

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why: The Kubescape compliance dashboard has been stuck at 0 with a wave of false "network policy" failures (C-0030 Ingress and Egress blocked, plus C-0054/C-0260) since 2026-06-27. Root cause: the posture scanner has been silently failing to save its results on every scan, so the platform's existing cluster-wide exemption for those controls — we enforce network segmentation with CiliumNetworkPolicies, which Kubescape doesn't recognise as native NetworkPolicy — never actually gets applied to the live results.

What: Fixes the scanner's config-file mount (a chart 1.40.2 bug that only triggers in offline/air-gapped mode) so it can write its state and persist results again, restoring live compliance scoring and the C-0030/C-0054/C-0260 exemption. Keeps offline mode and the scanner version the exemption feature needs. Mirrors the fix already on the chart's unreleased upstream main; a temporary workaround to remove once a chart > 1.40.2 ships it.

Hotfix for broken posture scanning (no prior issue). Needs a direct merge after promotion (own PR — auto-merge is bot-only).

…sist

Chart 1.40.2's `kubescapeOffline: enable` mounts the empty kubescape-volume
emptyDir directly at the file path /home/nonroot/.kubescape/config.json
(subPath config.json). kubelet auto-creates the non-existent subPath as a
directory, so config.json is a directory, not a file. The v4.0.9 scanner's
account-ID step then fails every scan ("open .../config.json: is a directory")
after generating results locally but before persisting them, so
workloadconfigurationscans have been frozen since 2026-06-27 and the
C-0030/C-0054/C-0260 ClusterSecurityException (which exempts the Cilium-based
network controls kubescape can't read) never applies — the compliance score is
stuck at 0.

Re-point the mount at the parent dir /home/nonroot/.kubescape via a
postRenderer (the fix already on the chart's unreleased main, which dropped the
offline conditional), so config.json becomes a real writable file co-existing
with the nested host-scanner.yaml mount. Keeps `kubescapeOffline: enable`
(KS_OFFLINE=true, no cloud submit) and the v4.0.9 exceptions-getter override
from #2316. Validated: kustomize renders the corrected mount with host-scanner
and the other five mounts intact; both cluster overlays build.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
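The subPath failure described in the commit message above, as an added example that is not code from this PR or the repository: a small Python lint that walks a pod spec in dict form (what `kubectl get -o json` or a kustomize render converted to JSON would give), flags emptyDir volumes mounted with a subPath at a file-looking mountPath (kubelet creates a missing subPath as a directory, so the "file" is born a directory), and re-points such a mount at its parent directory the way the postRenderer fix does. The sample pod spec, the `host-scanner-definition` volume name and the file-extension heuristic are assumptions of this example, not values from the chart.

```python
"""Lint container volumeMounts for the emptyDir + subPath-to-file pattern.

Added example (not code from this PR or the repository). When a volume is
mounted with a subPath that does not exist inside the volume, kubelet
creates that subPath as a directory. An emptyDir is empty at pod start, so
a mount like /home/nonroot/.kubescape/config.json with subPath config.json
yields a directory named config.json, and any later open-for-write fails
with "is a directory". The fix mirrored here mounts the parent directory
instead, without subPath, so the file can be created as a real file.
"""
import copy
import os


def empty_dir_volumes(pod_spec):
    """Names of volumes declared as emptyDir in a pod spec (dict form)."""
    return {v["name"] for v in pod_spec.get("volumes", []) if "emptyDir" in v}


def find_file_subpath_mounts(pod_spec):
    """Return (container name, mountPath) for each emptyDir mount that uses
    subPath at a mountPath whose last component looks like a file.

    The "looks like a file" heuristic (last path component has an extension)
    is an assumption of this example; a subPath naming a subdirectory of an
    emptyDir is legitimate and is not flagged.
    """
    empty = empty_dir_volumes(pod_spec)
    findings = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m.get("name") not in empty or "subPath" not in m:
                continue
            leaf = os.path.basename(m["mountPath"].rstrip("/"))
            if os.path.splitext(leaf)[1]:
                findings.append((c["name"], m["mountPath"]))
    return findings


def mount_parent_dir(mount):
    """Copy of a file-level mount re-pointed at its parent directory.

    Drops subPath so the emptyDir is mounted as a directory; the process can
    then create the file inside it as a normal writable file.
    """
    fixed = {k: v for k, v in mount.items() if k != "subPath"}
    fixed["mountPath"] = os.path.dirname(mount["mountPath"].rstrip("/"))
    return fixed


def repair_pod_spec(pod_spec):
    """Apply mount_parent_dir to every flagged mount; returns a new pod spec.

    Other mounts (for example a ConfigMap key mounted as a nested file under
    the same parent directory) are left untouched.
    """
    flagged = set(find_file_subpath_mounts(pod_spec))
    new = copy.deepcopy(pod_spec)
    for c in new.get("containers", []) + new.get("initContainers", []):
        c["volumeMounts"] = [
            mount_parent_dir(m) if (c["name"], m.get("mountPath")) in flagged else m
            for m in c.get("volumeMounts", [])
        ]
    return new


# Constructed sample pod spec modelled on the mount described in the PR text.
# The volume name "kubescape-volume" and the two file paths come from the PR;
# the "host-scanner-definition" ConfigMap volume name is made up for this example.
SAMPLE_POD_SPEC = {
    "volumes": [
        {"name": "kubescape-volume", "emptyDir": {}},
        {"name": "host-scanner-definition", "configMap": {"name": "host-scanner-definition"}},
    ],
    "containers": [{
        "name": "kubescape",
        "volumeMounts": [
            {"name": "kubescape-volume",
             "mountPath": "/home/nonroot/.kubescape/config.json",
             "subPath": "config.json"},
            {"name": "host-scanner-definition",
             "mountPath": "/home/nonroot/.kubescape/host-scanner.yaml",
             "subPath": "host-scanner.yaml"},
        ],
    }],
}


if __name__ == "__main__":
    for container, path in find_file_subpath_mounts(SAMPLE_POD_SPEC):
        print(f"{container}: emptyDir mounted at file path {path} via subPath "
              f"-> kubelet will create a directory there")
    fixed = repair_pod_spec(SAMPLE_POD_SPEC)
    print("after repair:", fixed["containers"][0]["volumeMounts"][0])
```

Run against the JSON form of a rendered Deployment's `spec.template.spec` to catch this pattern before it ships; the repaired mount keeps the nested `host-scanner.yaml` ConfigMap mount in place, which is the co-existence the commit message relies on.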
coderabbitai Bot commented Jul 4, 2026


Warning

Review limit reached

@devantler, you've reached your PR review limit, so we couldn't start this review.


Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f7b1554a-fb7d-4c70-9021-1e2842ed7ad4

📥 Commits

Reviewing files that changed from the base of the PR and between 32ce888 and 640d1a2.

📒 Files selected for processing (1)
  • k8s/bases/infrastructure/controllers/kubescape/helm-release.yaml

@devantler

Contributor Author

🤖 Generated by the Daily AI Assistant

Closing as a duplicate of #2443 (and of the already-closed mount-only attempts #2439 / #2444).

I independently re-root-caused the C-0030 "0 of 16" false-positive to the frozen posture scanner and shipped a post-render fix for the broken kubescapeOffline config.json mount — but the mount fix alone is insufficient, for the same reason #2439/#2444 were closed: KS_OFFLINE/offline mode does not set Submit=false, so the scheduled scan still submits to ARMO cloud and aborts with a 402 (no account) even once config.json is writable.

The load-bearing fix is #2443's keepLocal: true in the scheduler request → Submit=false → NewReportMock → config.json is never opened at all, so results persist. Full chain: #2316 (merged: v4.0.9 getter + scanner RBAC) → #2443 (keepLocal unfreeze) → #2452 (v4.0.10 so the getter lists the CRs at the right apiVersion). No new PR needed here.

Projects

Status: ✅ Done