fix(kubescape): anchor the remaining literal CSE name matchers #2479

Merged
devantler merged 1 commit into main from claude/kubescape-anchor-cse-matchers on Jul 4, 2026

Conversation

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why

Kubescape matches security-exception resource names as unanchored regexes, so a literal like flux-operator can silently suppress findings on future RBAC objects whose names merely contain it — quietly widening an exception's blast radius.

What

Anchors the last 10 literal matchers (in the exec-into-container and wildcard-RBAC exceptions) with ^…$, matching what the Headlamp mirror already does. Same fix CodeRabbit flagged as Major on the secret-reader exception in #2442; no behaviour change for the intended matches.

Related to #2441.

🤖 Generated with Claude Code

Kubescape matches ClusterSecurityException resource names as unanchored
regexes; exec-into-container-rbac and wildcard-rbac carried the last 10
unanchored literals (secret-reader-rbac is fixed on its own PR). The
Headlamp mirror ConfigMap was anchored all along.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
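As an added example (not the repository's or Kubescape's own code), a small Go model of the widening the PR describes: an exception's name matcher is evaluated with Go's regexp.MatchString, which is unanchored, so the literal flux-operator also exempts a later look-alike binding while ^flux-operator$ does not. The object inventory and the simplified kind/namespace comparison are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// rbacObject is a constructed stand-in for the fields an exception entry
// is matched against; this is example code, not Kubescape's own types.
type rbacObject struct {
	Kind      string
	Namespace string
	Name      string
}

// exceptionSuppresses reports whether one match.resources[] entry would
// silence a finding on obj. The name is treated as a regex and checked with
// regexp.MatchString, which only requires the pattern to occur somewhere in
// the name unless the pattern itself carries ^ and $ (assumed model).
func exceptionSuppresses(kind, namespace, namePattern string, obj rbacObject) (bool, error) {
	if kind != "" && kind != obj.Kind {
		return false, nil
	}
	if namespace != "" && namespace != obj.Namespace {
		return false, nil
	}
	return regexp.MatchString(namePattern, obj.Name)
}

// suppressedNames lists the names in objs that a name pattern exempts, so the
// blast radius of a literal matcher can be compared with its anchored form.
func suppressedNames(kind, namespace, namePattern string, objs []rbacObject) ([]string, error) {
	var hits []string
	for _, o := range objs {
		ok, err := exceptionSuppresses(kind, namespace, namePattern, o)
		if err != nil {
			return nil, err
		}
		if ok {
			hits = append(hits, o.Name)
		}
	}
	return hits, nil
}

func main() {
	// Constructed inventory: the intended binding plus a later look-alike.
	objs := []rbacObject{
		{"ClusterRoleBinding", "", "flux-operator"},
		{"ClusterRoleBinding", "", "flux-operator-debug"},
		{"ClusterRoleBinding", "", "velero-server"},
	}
	for _, p := range []string{"flux-operator", "^flux-operator$"} {
		hits, _ := suppressedNames("ClusterRoleBinding", "", p, objs)
		fmt.Printf("%-16s suppresses %v\n", p, hits)
	}
}
```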
@coderabbitai

coderabbitai Bot commented Jul 4, 2026


Review Change Stack

📝 Walkthrough

Walkthrough

Compact metadata: This PR modifies two Kubescape ClusterSecurityException YAML manifests, converting match.resources[].name values from literal strings to anchored regex patterns (^...$) for RBAC bindings tied to Velero, CloudNativePG, and Flux components.

Changes

| File | Change Summary |
| --- | --- |
| exec-into-container-rbac.yaml | Changed name match values for C-0002 exception (Velero, CloudNativePG, Flux RoleBinding/Role/ClusterRoleBinding entries) from literal names to anchored regex patterns |
| wildcard-rbac.yaml | Changed name match values for C-0187 exception (cluster-reconciler-flux-system, flux-operator, velero-server) from literal names to anchored regex patterns |

Sequence Diagram(s)

Not applicable — this change is a configuration-only update to regex match patterns and does not involve a code execution flow.

Related issues: No related issues linked in the provided information.

Related PRs: No related PRs linked in the provided information.

Suggested labels: kubernetes, security, configuration

Suggested reviewers: No specific reviewer information available.

Poem:
A rabbit hopped through YAML fields,
Where literal names once stood as shields,
Now anchored regex, tight and true,
Guards each binding, old and new,
Velero, Flux, and CNPG too—
Matched precisely, through and through. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title clearly describes the main change: anchoring the remaining literal Kubescape CSE name matchers. |
| Description check | ✅ Passed | The description is directly related to the changeset and accurately summarizes the Kubescape matcher anchoring update. |

Comment @coderabbitai help to get the list of available commands.

@devantler devantler marked this pull request as ready for review July 4, 2026 21:49
@devantler devantler added this pull request to the merge queue Jul 4, 2026
Merged via the queue into main with commit 362cfec Jul 4, 2026
15 checks passed
@devantler devantler deleted the claude/kubescape-anchor-cse-matchers branch July 4, 2026 22:14
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 4, 2026
@botantler-1

botantler-1 Bot commented Jul 4, 2026

Contributor

🎉 This PR is included in version 1.98.5 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 4, 2026