
Replace host sensor with node agent sensing#773

Merged
matthyx merged 2 commits into main from node-agent-replace-host-sensor
May 4, 2026

Conversation


@Bezbran Bezbran commented Dec 31, 2025

Overview

The host-scanner is a K8s daemonset which senses some basic stuff from a K8s node and exposes it in a K8s YAML-like format via HTTP handlers, and it is run by Kubescape only for the period of the Kubescape scanning process.
We want to merge host-scanner into node-agent and let the node-agent itself sense the stuff and send it to the K8s API server as new CRDs.
The motivation for this change is well explained in this slack thread

we're trying to reduce the footprint of KS helm chart so it will be easier to install.
In addition, the current implementation requires the host-scanner to open a port for KS to scrape the data, which is a security posture we want to avoid (privileged pod with open port - not so good).

How to Test

As usual

Related issues/PRs:

#773
kubescape/kubescape#1916
kubescape/node-agent#681

Summary by CodeRabbit

  • New Features

    • Node agent adds a configurable host sensor (enabled by default) with a 5m sampling interval.
    • New Kubernetes APIs (CRDs) expose host info: OS, kernel, open ports, CNI, kubelet/proxy, control plane and provider data.
  • Chores

    • Chart and app versions bumped; service image tags updated.
    • Legacy host-scanner daemon removed and related configuration keys eliminated; host filesystem mount introduced.
  • Documentation

    • README updated to clarify CRD placement and lifecycle.

@Bezbran Bezbran marked this pull request as draft December 31, 2025 19:10
@slashben slashben requested a review from matthyx January 1, 2026 06:14

slashben commented Jan 1, 2026

🥇 awesome @Bezbran

@Bezbran Bezbran self-assigned this Jan 1, 2026

@matthyx matthyx left a comment


almost LGTM, thanks @Bezbran !
can you follow https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator/tests#update for the unit test and check my comments?


Bezbran commented Jan 5, 2026

almost LGTM, thanks @Bezbran ! can you follow https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator/tests#update for the unit test and check my comments?

We are still missing the new version.
I think the order should be:

  1. have new node-agent
  2. have new KS
  3. have Helm chart with new version and changes above


coderabbitai Bot commented Jan 20, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Removes the standalone host-scanner DaemonSet and related assets; introduces nodeAgent hostSensor values and ConfigMap keys, multiple hostdata.kubescape.cloud CRD templates, and conditional RBAC rules; updates chart metadata, README, .helmignore, and values to consolidate host scanning into node-agent.

Changes

Cohort / File(s) Summary
Chart metadata & docs
charts/kubescape-operator/Chart.yaml, charts/kubescape-operator/README.md, charts/kubescape-operator/.helmignore
Bump chart/app version to 1.31.0, update README badge/content, and add templates/node-agent-crds/README.md to .helmignore.
Values & images
charts/kubescape-operator/values.yaml
Remove host-scanner values and blocks; add nodeAgent.config.hostSensor (enabled, interval), host-filesystem hostPath volume/volumeMount, and update component image tags.
Removed host-scanner asset
charts/kubescape-operator/assets/host-scanner-definition.yaml
Delete the host-scanner DaemonSet manifest and its Helm conditionals (container, probes, env, volumes, scheduling, OTEL instrumentation).
Templates: common/env annotations
charts/kubescape-operator/templates/_common.tpl, charts/kubescape-operator/templates/kubescape/deployment.yaml
Remove hostScanner checksum from checksums template; update Deployment pod annotation/env to reference .Values.nodeAgent.config.hostSensor.enabled.
RBAC additions
charts/kubescape-operator/templates/kubescape/clusterrole.yaml, charts/kubescape-operator/templates/node-agent/clusterrole.yaml
Add conditional RBAC blocks granting read (kubescape) and read/write (node-agent) verbs for hostdata.kubescape.cloud resources when nodeAgent.config.hostSensor.enabled is true.
Node-agent CRDs & docs
charts/kubescape-operator/templates/node-agent-crds/...
charts/kubescape-operator/templates/node-agent-crds/README.md
Add multiple CRD templates (OsReleaseFile, KernelVersion, LinuxSecurityHardeningStatus, OpenPortsList, LinuxKernelVariables, KubeletInfo, KubeProxyInfo, ControlPlaneInfo, CloudProviderInfo, CNIInfo) under group hostdata.kubescape.cloud, all gated by components.nodeAgent.enabled and .Values.nodeAgent.config.hostSensor.enabled, with OpenAPI v3 schemas (preserve unknown fields) and printer columns.
Node-agent config
charts/kubescape-operator/templates/node-agent/configmap.yaml
Insert hostSensorEnabled and hostSensorInterval into the node-agent ConfigMap JSON from Helm values.
Node-agent rules
charts/kubescape-operator/templates/node-agent/default-rules.yaml
Adjust detection rule tags and some rule states/ids (add context:kubernetes ordering and context:host where applicable; modify a few rule uniqueId/state/ports).

Sequence Diagram(s)

sequenceDiagram
  participant Helm as Helm (install/upgrade)
  participant Chart as kubescape-operator chart
  participant KubeAPI as Kubernetes API (CRDs & RBAC)
  participant NodeAgent as node-agent
  participant Kubescape as kubescape controller

  Helm->>Chart: render & apply (components.nodeAgent.enabled + hostSensor.enabled)
  Chart->>KubeAPI: create CRDs (hostdata.kubescape.cloud/*)
  Chart->>KubeAPI: apply RBAC for kubescape & node-agent
  KubeAPI-->>NodeAgent: RBAC allows create/watch/update of host CRs
  NodeAgent->>KubeAPI: create/update host data CRs (OsReleaseFile, OpenPortsList, ...)
  Kubescape->>KubeAPI: read/watch host CRs for processing

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • slashben

Poem

🐰 I nibbled a DaemonSet by the pale moonlight,
Now node-agent hums and keeps watch through the night.
Ten tiny CRDs line up in a row,
RBAC opens doors so the host-data can flow.
The rabbit applauds, carrot clutched just right. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Replace host sensor with node agent sensing' clearly and concisely summarizes the primary change: the migration of host sensor functionality from a separate host-scanner DaemonSet component into the node-agent. This is directly supported by the raw summary showing the removal of host-scanner and integration of host sensor capabilities into node-agent through new CRDs and configuration updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@Bezbran Bezbran marked this pull request as ready for review February 1, 2026 11:20

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@charts/kubescape-operator/values.yaml`:
- Around line 535-539: The chart defines a host-filesystem volume (name:
host-filesystem, hostPath: /) but it is not mounted; update
nodeAgent.volumeMounts to include a matching volumeMount (name: host-filesystem)
with the intended mountPath (e.g., mountPath: / or another appropriate path) and
any needed readOnly setting, or remove the host-filesystem volume block entirely
if it is unused; edit the nodeAgent.volumeMounts section and the host-filesystem
volume definition (the unique identifiers: nodeAgent.volumeMounts and
host-filesystem) so they are consistent.
🧹 Nitpick comments (3)
charts/kubescape-operator/templates/node-agent/clusterrole.yaml (1)

69-69: Nitpick: Extra blank line creates inconsistent spacing.

The blank line at 69 between the conditional block and the next rule is inconsistent with the formatting elsewhere in the file.

Suggested fix
   verbs: ["create", "get", "update", "patch", "list", "watch"]
 {{- end }}
-
 - apiGroups: ["kubescape.io"]
charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml (2)

30-36: Consider adding the Age printer column for consistency.

The osreleasefile-crd.yaml includes an Age column using .metadata.creationTimestamp, but this CRD only has Node and Last Sensed. Adding it would provide a consistent kubectl get experience across all hostdata CRDs.

Suggested addition
     - name: Last Sensed
       type: string
       jsonPath: .status.lastSensed
+    - name: Age
+      type: date
+      jsonPath: .metadata.creationTimestamp
 {{- end }}

6-8: Optional: Add controller-gen annotation for consistency.

The osreleasefile-crd.yaml includes a controller-gen.kubebuilder.io/version annotation in metadata. If this CRD is generated by controller-gen or you want to maintain consistency across all hostdata CRDs, consider adding it here as well.

Suggested addition
 metadata:
   name: cloudproviderinfos.hostdata.kubescape.cloud
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.1
 spec:
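Review bot: the `controller-gen.kubebuilder.io/version: v0.11.1` annotation added in this hunk asserts that cloudproviderinfo-crd.yaml was emitted by controller-gen at that version; if this CRD is a hand-written Helm template (the `{{- end }}` gating elsewhere in the file suggests it is), copying the annotation over from osreleasefile-crd.yaml is misleading rather than consistent. Either generate both CRDs with the same tooling, or drop the annotation from osreleasefile-crd.yaml instead, so that the annotation only appears where a regeneration workflow actually exists.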

@matthyx matthyx force-pushed the node-agent-replace-host-sensor branch from 691e0af to c07edfe Compare March 17, 2026 16:05

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
charts/kubescape-operator/values.yaml (1)

645-648: ⚠️ Potential issue | 🟡 Minor

host-filesystem is still orphaned/redundant.

At Lines 645-648, the added host-filesystem volume has no matching volumeMount, and root / is already exposed via the existing host volume/mount (/host). Please remove this block or mount it intentionally.

Proposed cleanup
-    - hostPath:
-        path: /
-        type: Directory
-      name: host-filesystem
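Review bot: removing the `host-filesystem` volume is the right call. An unmounted hostPath `/` volume has no consumer, yet it still enlarges what the privileged node-agent pod declares about the node root, and the same data is already reachable under the existing `/host` mount according to the comment above. While touching this block, confirm that the remaining `host` volumeMount is `readOnly: true`: sensing OS release, kernel and port data needs only read access, and a writable mount of the node root is a much larger blast radius than this PR requires.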
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/values.yaml` around lines 645 - 648, The new volume
block named "host-filesystem" (hostPath path: /) is orphaned—there is no
matching volumeMount and the root filesystem is already exposed via the existing
"host" volume/mount (mounted at /host); either delete the "host-filesystem"
volume block or, if you intended to use it, add a corresponding volumeMount that
uses name: "host-filesystem" in the container spec with the intended mountPath.
Locate the "host-filesystem" volume definition and remove it, or create a
volumeMount entry referencing "host-filesystem" (instead of duplicating root) to
resolve the redundancy.
🧹 Nitpick comments (2)
charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml (1)

1-38: Factor the hostdata CRD boilerplate into a shared helper.

This template has the same gate, version block, schema skeleton, and printer columns as the sibling hostdata CRDs in this PR. Keeping that structure duplicated across many files will drift the next time one of those common fields changes.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml`
around lines 1 - 38, This CRD duplicates boilerplate (the gate check using
.Values.nodeAgent.config.hostSensor.enabled, the apiVersion/kind
CustomResourceDefinition spec version block, openAPIV3Schema skeleton and
additionalPrinterColumns) used by other hostdata CRDs; extract that repeated
version/schema/printer-columns block into a shared helper template (e.g.,
_helpers.tpl) and replace the duplicated content in ControlPlaneInfo (the
current template that uses include "components" and the gate
.Values.nodeAgent.config.hostSensor.enabled) with a call to that helper, passing
any unique values (kind/name/plural/singular and jsonPath values like
.spec.nodeName and .status.lastSensed) so the CRD file becomes the minimal
wrapper that only supplies resource-specific identifiers while reusing the
shared boilerplate.
charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml (1)

22-55: Consider keeping this CRD as open as the sibling hostdata CRDs.

This is the only reviewed hostdata CRD with a closed spec/status schema. That makes OsReleaseFile much less tolerant of chart/node-agent skew: new fields from a newer agent will be pruned until the chart upgrades the CRD. If strict lockstep is not intentional, aligning this with the x-kubernetes-preserve-unknown-fields pattern used by the other hostdata CRDs will be safer.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml`
around lines 22 - 55, The OsReleaseFile CRD currently defines closed schemas for
spec and status (properties: content/nodeName and lastSensed/error), which will
prune unknown fields; to match the other hostdata CRDs and tolerate agent/chart
skew, make spec and status preserve unknown fields by adding
x-kubernetes-preserve-unknown-fields: true to the spec and status object schemas
(leave the existing properties like content, nodeName, lastSensed, error in
place so they’re still documented) so the OsReleaseFile CRD aligns with the
hostdata pattern and won’t drop extra fields from newer agents.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml`:
- Around line 2-3: The CRD rendering is currently gated by the host sensor flag
(.Values.nodeAgent.config.hostSensor.enabled) which can cause Helm to delete the
CRD when that runtime flag is disabled; update the template so the CRD is not
tied to hostSensor.enabled—only gate it by the broader node agent enablement
($components.nodeAgent.enabled) or render it unconditionally for cluster scope;
remove the inner if that checks .Values.nodeAgent.config.hostSensor.enabled
around the CRD (and mirror the same change for the other occurrence noted) so
CRD lifecycle is independent of the hostSensor runtime flag.


📥 Commits

Reviewing files that changed from the base of the PR and between 691e0af and c07edfe.

⛔ Files ignored due to path filters (1)
  • charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap is excluded by !**/*.snap
📒 Files selected for processing (20)
  • charts/kubescape-operator/.helmignore
  • charts/kubescape-operator/Chart.yaml
  • charts/kubescape-operator/README.md
  • charts/kubescape-operator/assets/host-scanner-definition.yaml
  • charts/kubescape-operator/templates/_common.tpl
  • charts/kubescape-operator/templates/kubescape/clusterrole.yaml
  • charts/kubescape-operator/templates/kubescape/deployment.yaml
  • charts/kubescape-operator/templates/node-agent-crds/README.md
  • charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/kubeletinfo-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/kubeproxyinfo-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/linuxkernelvariables-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/linuxsecurityhardening-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/openports-crd.yaml
  • charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml
  • charts/kubescape-operator/templates/node-agent/clusterrole.yaml
  • charts/kubescape-operator/values.yaml
💤 Files with no reviewable changes (2)
  • charts/kubescape-operator/templates/_common.tpl
  • charts/kubescape-operator/assets/host-scanner-definition.yaml
✅ Files skipped from review due to trivial changes (2)
  • charts/kubescape-operator/Chart.yaml
  • charts/kubescape-operator/templates/node-agent-crds/README.md
🚧 Files skipped from review as they are similar to previous changes (4)
  • charts/kubescape-operator/README.md
  • charts/kubescape-operator/.helmignore
  • charts/kubescape-operator/templates/kubescape/deployment.yaml
  • charts/kubescape-operator/templates/kubescape/clusterrole.yaml


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/kubescape-operator/templates/node-agent/configmap.yaml`:
- Around line 32-33: The JSON in the ConfigMap template renders
hostSensor.interval unquoted causing invalid JSON; update the template so both
"hostSensorEnabled" and "hostSensorInterval" use Helm's toJson filter (apply |
toJson to .Values.nodeAgent.config.hostSensor.enabled and to
.Values.nodeAgent.config.hostSensor.interval) so the values are properly
JSON-encoded (booleans and duration strings will be correctly quoted/formatted)
in the rendered config.

📥 Commits

Reviewing files that changed from the base of the PR and between c07edfe and f4307f9.

⛔ Files ignored due to path filters (1)
  • charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap is excluded by !**/*.snap
📒 Files selected for processing (1)
  • charts/kubescape-operator/templates/node-agent/configmap.yaml
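As an added illustration (not the chart's template or any project code), the following Go program reproduces the ConfigMap JSON defect raised in the review above: it renders a constructed template fragment shaped like the node-agent ConfigMap entry, once with the raw values interpolated and once through a `toJson` function that mirrors Helm's Sprig helper, and checks which rendering is valid JSON. The `hostSensor` struct and both template strings are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// hostSensor is a constructed stand-in for .Values.nodeAgent.config.hostSensor.
type hostSensor struct {
	Enabled  bool
	Interval string // a duration string such as "5m", as in the chart defaults
}

// toJson mirrors Helm's Sprig `toJson`: marshal the value to its JSON text form.
func toJson(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		return ""
	}
	return string(b)
}

// unquotedTmpl interpolates the raw values. The bool renders fine, but the
// duration string lands bare (5m) inside the JSON, which no parser accepts.
const unquotedTmpl = `{"hostSensorEnabled": {{ .Enabled }}, "hostSensorInterval": {{ .Interval }}}`

// toJsonTmpl passes both values through toJson, so the bool stays a bool and
// the duration becomes a properly quoted JSON string.
const toJsonTmpl = `{"hostSensorEnabled": {{ .Enabled | toJson }}, "hostSensorInterval": {{ .Interval | toJson }}}`

// render executes tmplText against v and returns the rendered ConfigMap payload.
func render(tmplText string, v hostSensor) (string, error) {
	t, err := template.New("cm").Funcs(template.FuncMap{"toJson": toJson}).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, v); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// validJSON reports whether a rendered payload would be accepted by a JSON parser,
// which is what the node-agent does when it reads its ConfigMap.
func validJSON(s string) bool { return json.Valid([]byte(s)) }

func main() {
	v := hostSensor{Enabled: true, Interval: "5m"}
	for _, c := range []struct{ name, tmpl string }{{"unquoted", unquotedTmpl}, {"toJson", toJsonTmpl}} {
		out, err := render(c.tmpl, v)
		if err != nil {
			fmt.Println(c.name, "render error:", err)
			continue
		}
		fmt.Printf("%-8s valid=%-5t %s\n", c.name, validJSON(out), out)
	}
}
```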

Bezbran and others added 2 commits May 4, 2026 15:22
Signed-off-by: Bezalel Brandwine <bez@softwine.net>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
@matthyx matthyx force-pushed the node-agent-replace-host-sensor branch from 17aac67 to b210759 Compare May 4, 2026 13:23
@matthyx matthyx merged commit aa4ccff into main May 4, 2026
6 of 9 checks passed
@matthyx matthyx deleted the node-agent-replace-host-sensor branch May 4, 2026 13:24
@matthyx matthyx moved this from WIP to To Archive in KS PRs tracking May 4, 2026