Add SecurityException CRDs, RBAC, and riskAcceptance capability#817
Walkthrough: Adds two new Kubernetes CRDs (SecurityException, ClusterSecurityException), conditional RBAC rules to allow reading them, a Helm values flag to toggle the feature, and updates snapshot tests to enable the flag in selected scenarios.
Actionable comments posted: 3
🧹 Nitpick comments (1)
charts/kubescape-operator/values.yaml (1)
123-124: Clarify accepted values for riskAcceptance. Consider adding a short inline note on line 124 (e.g., `# enable|disable`) to make the expected value contract explicit for chart users.
Inline comments:
In `@charts/kubescape-operator/crds/cluster-security-exception.crd.yaml`:
- Around line 20-24: The CRD is missing a root-level required for the spec
object, allowing manifests to omit spec and bypass nested validation; update the
cluster-security-exception CRD schema by adding a required: ["spec"] entry
alongside the top-level properties so the spec object (which contains fields
like expiresAt, status, justification, and action) must be present and its
nested validations are enforced.
In `@charts/kubescape-operator/crds/security-exception.crd.yaml`:
- Around line 20-24: The CRD root schema allows objects without a spec; add a
required: [spec] entry at the root schema level (alongside the existing type:
object and properties:) so that the root object must include spec and therefore
triggers validation of the spec properties; update the top-level schema block in
security-exception.crd.yaml to include required: [spec].
In `@charts/kubescape-operator/templates/operator/clusterrole.yaml`:
- Around line 44-48: The snapshot test expectations are out of date because a
conditional RBAC block was added around .Values.capabilities.riskAcceptance ==
"enable" that grants apiGroups ["kubescape.io"] resources
["securityexceptions","clustersecurityexceptions"] with verbs
["get","list","watch"]; update the test fixtures/snapshots to include the new
rendered output when riskAcceptance is "enable" and also add or update the
disabled-case snapshot (when riskAcceptance is not "enable") so the CI snapshot
matcher reflects both states of the conditional rendering.
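The `required: [spec]` point above is easy to miss because every nested constraint in the CRD is correct and still never fires when `spec` is absent. The following Go program is an added illustration written for this review (it is neither the apiserver's validator nor code from the PR): it walks a constructed schema carrying the field names the comment mentions (expiresAt, status, justification, action; the enum values for action are hypothetical placeholders) against a manifest that omits `spec`, once without and once with the root-level `required` entry.

```go
package main

import (
	"fmt"
	"strings"
)

// Schema is the small subset of the CRD OpenAPI v3 vocabulary this example
// understands: objects with properties/required, and strings with an optional
// enum. Constructed for illustration; it is not the apiserver's validator.
type Schema struct {
	Type       string
	Properties map[string]*Schema
	Required   []string
	Enum       []string
}

// Validate checks obj against s and returns every violation as a
// "/path: message" string, in the spirit of apiserver error reporting.
func Validate(s *Schema, obj interface{}, path string) []string {
	var errs []string
	switch s.Type {
	case "object":
		m, ok := obj.(map[string]interface{})
		if !ok {
			return []string{path + ": expected object"}
		}
		// required is enforced at the level where it is declared: a required
		// list inside spec says nothing about whether spec itself exists.
		for _, r := range s.Required {
			if _, present := m[r]; !present {
				errs = append(errs, fmt.Sprintf("%s/%s: required field is missing", path, r))
			}
		}
		// Nested schemas only run for fields that are actually present.
		for name, sub := range s.Properties {
			if v, present := m[name]; present {
				errs = append(errs, Validate(sub, v, path+"/"+name)...)
			}
		}
	case "string":
		str, ok := obj.(string)
		if !ok {
			return []string{path + ": expected string"}
		}
		if len(s.Enum) > 0 && !contains(s.Enum, str) {
			errs = append(errs, fmt.Sprintf("%s: %q is not one of [%s]", path, str, strings.Join(s.Enum, ", ")))
		}
	}
	return errs
}

func contains(list []string, v string) bool {
	for _, item := range list {
		if item == v {
			return true
		}
	}
	return false
}

// RootSchema builds a CRD-style root schema whose spec carries the field
// names the review mentions. The enum values are hypothetical placeholders.
// requireSpec toggles the root-level `required: [spec]` entry.
func RootSchema(requireSpec bool) *Schema {
	spec := &Schema{
		Type:     "object",
		Required: []string{"justification", "action"},
		Properties: map[string]*Schema{
			"expiresAt":     {Type: "string"},
			"status":        {Type: "string"},
			"justification": {Type: "string"},
			"action":        {Type: "string", Enum: []string{"hypothetical-a", "hypothetical-b"}},
		},
	}
	root := &Schema{Type: "object", Properties: map[string]*Schema{"spec": spec}}
	if requireSpec {
		root.Required = []string{"spec"}
	}
	return root
}

// SpecLessManifest is a constructed object that omits spec entirely.
func SpecLessManifest() map[string]interface{} {
	return map[string]interface{}{
		"apiVersion": "kubescape.io/v1beta1",
		"kind":       "SecurityException",
		"metadata":   map[string]interface{}{"name": "constructed-example"},
	}
}

func main() {
	for _, requireSpec := range []bool{false, true} {
		errs := Validate(RootSchema(requireSpec), SpecLessManifest(), "")
		fmt.Printf("root required: [spec] = %-5v -> %d violation(s) %v\n", requireSpec, len(errs), errs)
	}
}
```

Without the root-level entry the spec-less manifest produces zero violations, because the `required` list inside `spec` is only consulted once a `spec` object exists; with it, the manifest is rejected at `/spec`, and a manifest that does carry a `spec` still gets the nested enum check.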
| {{- if eq .Values.capabilities.riskAcceptance "enable" }} | ||
| - apiGroups: ["kubescape.io"] | ||
| resources: ["securityexceptions", "clustersecurityexceptions"] | ||
| verbs: ["get", "list", "watch"] | ||
| {{- end }} |
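Review bot: the gate is an exact string comparison, so `riskAcceptance: disable`, `enabled`, or any other string silently renders no rule and no error, while a YAML boolean (`riskAcceptance: true`) makes `eq` fail at render time with an incompatible-types error; document the accepted values (enable|disable) next to the key and cover the disabled path in the snapshot fixtures, which is also where the current CI mismatch sits. The verbs stay at get/list/watch, the right read-only scope for components that only need to observe exceptions.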
Update snapshot fixtures for the new conditional RBAC rule.
CI is currently failing with a snapshot mismatch tied to this block. Please update the expected rendered output (including the disabled path) to unblock merge.
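To see what the conditional in the hunk actually does for different values, here is an added example of mine (not chart code and not part of this PR) that executes the same `if eq` with Go's text/template, the engine Helm builds on. The surrounding `pods` rule and the values tree are constructed for the demonstration; `Render` and `GrantsExceptionRead` are helper names chosen here.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// rbacTemplate carries the gated rule from the review hunk plus one
// constructed, always-present rule so the output is never empty. Helm's
// extra template functions are not needed for this snippet.
const rbacTemplate = `rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
{{- if eq .Values.capabilities.riskAcceptance "enable" }}
- apiGroups: ["kubescape.io"]
  resources: ["securityexceptions", "clustersecurityexceptions"]
  verbs: ["get", "list", "watch"]
{{- end }}
`

// Render executes the template with a values tree shaped like
// .Values.capabilities.riskAcceptance; the value is interface{} so that both
// a YAML string and a YAML boolean can be tried.
func Render(riskAcceptance interface{}) (string, error) {
	tmpl, err := template.New("clusterrole").Parse(rbacTemplate)
	if err != nil {
		return "", err
	}
	data := map[string]interface{}{
		"Values": map[string]interface{}{
			"capabilities": map[string]interface{}{"riskAcceptance": riskAcceptance},
		},
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// GrantsExceptionRead reports whether the rendered ClusterRole includes the
// SecurityException rule. A render error (e.g. eq on mismatched types) is
// surfaced rather than treated as "not granted".
func GrantsExceptionRead(riskAcceptance interface{}) (bool, error) {
	out, err := Render(riskAcceptance)
	if err != nil {
		return false, err
	}
	return strings.Contains(out, `resources: ["securityexceptions", "clustersecurityexceptions"]`), nil
}

func main() {
	for _, v := range []interface{}{"enable", "disable", "enabled", true} {
		granted, err := GrantsExceptionRead(v)
		if err != nil {
			fmt.Printf("riskAcceptance=%v -> render error: %v\n", v, err)
			continue
		}
		fmt.Printf("riskAcceptance=%v -> exception rule rendered: %v\n", v, granted)
	}
}
```

Only the exact string `enable` produces the rule; `disable` and a near-miss like `enabled` render nothing without complaint, and a boolean `true` makes `eq` return an incompatible-types error, which is why the chart's snapshot suite should pin both the enabled and the disabled rendering.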
matthyx left a comment:
Can you add a test case in charts/kubescape-operator/tests/snapshot_test.yaml where you enable this, probably in the "all capabilities" one?
| syncSBOM: disable | ||
|
|
||
| # ====== Risk acceptance ====== | ||
| riskAcceptance: enable |
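Review bot: `riskAcceptance: enable` ships the capability on by default while the kubevuln consumer is not in place yet, and the key carries no comment stating which values are accepted; since the templates compare against the literal string "enable", add a `# enable|disable` note here (matching the `syncSBOM: disable` convention above it) and consider defaulting to disable until the consumer lands.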
does it make sense to enable it now (without the new kubevuln)?
Good point — changed to disable by default. Will flip to enable when kubevuln ships.
🧹 Nitpick comments (1)
charts/kubescape-operator/tests/snapshot_test.yaml (1)
61-61: Consider one explicit disabled-path snapshot for resilience. You already validate the enabled path well; adding a dedicated case with capabilities.riskAcceptance: disable would make the negative-path assertion robust against future default-value changes.
Namespaced SecurityException and cluster-scoped ClusterSecurityException under kubescape.io/v1 with OpenAPI validation and enum constraints. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Ben <ben@armosec.io>
Default enabled. Grants kubevuln and operator get/list/watch on securityexceptions and clustersecurityexceptions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Ben <ben@armosec.io>
- Change API version from v1 to v1beta1 (new API, may evolve)
- Add status subresource to both CRDs (consistent with other CRDs)
- Add required: [spec] at root schema level
- Default riskAcceptance to disable (enable when kubevuln ships)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Ben <ben@armosec.io>
Add riskAcceptance: enable to all-capabilities test cases and update snapshots to include SecurityException RBAC rules. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Signed-off-by: Ben <ben@armosec.io> Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
Summary
- SecurityException (namespaced) and ClusterSecurityException (cluster-scoped) CRD YAMLs under kubescape.io/v1
- riskAcceptance: enable capability (default enabled)
- get/list/watch RBAC to kubevuln and operator clusterroles (gated on capability)

Part of NAUT-1258: GitOps-native risk acceptance via SecurityException CRDs.
Test plan
- helm template renders CRD rules in kubevuln/operator ClusterRoles
- helm template --set capabilities.riskAcceptance=disable omits CRD rules
- kubectl apply --dry-run=server on a test cluster

🤖 Generated with Claude Code