Merged
126 changes: 126 additions & 0 deletions charts/kubescape-operator/crds/cluster-security-exception.crd.yaml
@@ -0,0 +1,126 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clustersecurityexceptions.kubescape.io
spec:
group: kubescape.io
names:
plural: clustersecurityexceptions
singular: clustersecurityexception
kind: ClusterSecurityException
shortNames:
- cse
scope: Cluster
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: ["spec"]
properties:
spec:
type: object
properties:
author:
type: string
reason:
type: string
expiresAt:
type: string
format: date-time
match:
type: object
properties:
namespaceSelector:
type: object
x-kubernetes-preserve-unknown-fields: true
objectSelector:
type: object
x-kubernetes-preserve-unknown-fields: true
resources:
type: array
items:
type: object
required:
- kind
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
images:
type: array
items:
type: string
vulnerabilities:
type: array
items:
type: object
required:
- vulnerability
- status
properties:
vulnerability:
type: object
required:
- id
properties:
id:
type: string
aliases:
type: array
items:
type: string
status:
type: string
enum:
- not_affected
- fixed
- under_investigation
justification:
type: string
enum:
- component_not_present
- vulnerable_code_not_present
- vulnerable_code_not_in_execute_path
- vulnerable_code_cannot_be_controlled_by_adversary
- inline_mitigations_already_exist
impactStatement:
type: string
expiredOnFix:
type: boolean
posture:
type: array
items:
type: object
required:
- controlID
- action
properties:
controlID:
type: string
frameworkName:
type: string
action:
type: string
enum:
- ignore
- alert_only
status:
type: object
additionalPrinterColumns:
- name: Reason
type: string
jsonPath: .spec.reason
- name: Expires
type: string
jsonPath: .spec.expiresAt
- name: Age
type: date
jsonPath: .metadata.creationTimestamp
subresources:
status: {}
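Review bot: the top-level `status` property (`status:` / `type: object` with neither `properties` nor `x-kubernetes-preserve-unknown-fields`) is a structural schema that prunes everything, so the `status: {}` subresource declared at the end of this hunk can never persist anything a controller writes there; either enumerate the status fields (for example `observedGeneration` and a conditions array) or add `x-kubernetes-preserve-unknown-fields: true` under `status`. Two smaller points in the same hunk: `expiresAt` is optional, so an exception created without it never expires, which is worth either requiring or stating in a field description; and nothing ties `justification` to `status: not_affected` the way the VEX vocabulary these enums mirror does, which an `x-kubernetes-validations` CEL rule on the `vulnerabilities` item could enforce.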
123 changes: 123 additions & 0 deletions charts/kubescape-operator/crds/security-exception.crd.yaml
@@ -0,0 +1,123 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: securityexceptions.kubescape.io
spec:
group: kubescape.io
names:
plural: securityexceptions
singular: securityexception
kind: SecurityException
shortNames:
- se
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: ["spec"]
properties:
spec:
type: object
properties:
author:
type: string
reason:
type: string
expiresAt:
type: string
format: date-time
match:
type: object
properties:
objectSelector:
type: object
x-kubernetes-preserve-unknown-fields: true
resources:
type: array
items:
type: object
required:
- kind
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
images:
type: array
items:
type: string
vulnerabilities:
type: array
items:
type: object
required:
- vulnerability
- status
properties:
vulnerability:
type: object
required:
- id
properties:
id:
type: string
aliases:
type: array
items:
type: string
status:
type: string
enum:
- not_affected
- fixed
- under_investigation
justification:
type: string
enum:
- component_not_present
- vulnerable_code_not_present
- vulnerable_code_not_in_execute_path
- vulnerable_code_cannot_be_controlled_by_adversary
- inline_mitigations_already_exist
impactStatement:
type: string
expiredOnFix:
type: boolean
posture:
type: array
items:
type: object
required:
- controlID
- action
properties:
controlID:
type: string
frameworkName:
type: string
action:
type: string
enum:
- ignore
- alert_only
status:
type: object
additionalPrinterColumns:
- name: Reason
type: string
jsonPath: .spec.reason
- name: Expires
type: string
jsonPath: .spec.expiresAt
- name: Age
type: date
jsonPath: .metadata.creationTimestamp
subresources:
status: {}
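Review bot: this schema repeats the cluster-scoped CRD in the previous file line for line apart from `namespaceSelector`, including the same `status:` / `type: object` block that structural pruning will empty out, so that fix belongs in both files; keeping the shared `vulnerabilities` and `posture` definitions in one generated source (or one template) would stop the two from drifting as fields are added. Also worth a line in the docs: with `scope: Namespaced`, anyone granted `create` on `securityexceptions` in a namespace can mark findings about that namespace's workloads `not_affected` or `ignore`, so that verb should be handed out as deliberately as the read-only rules later in this PR.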
5 changes: 5 additions & 0 deletions charts/kubescape-operator/templates/kubevuln/clusterrole.yaml
@@ -15,4 +15,9 @@ rules:
- apiGroups: ["spdx.softwarecomposition.kubescape.io"]
resources: ["containerprofiles"]
verbs: ["get", "watch", "list"]
{{- if eq .Values.capabilities.riskAcceptance "enable" }}
- apiGroups: ["kubescape.io"]
resources: ["securityexceptions", "clustersecurityexceptions"]
verbs: ["get", "list", "watch"]
{{- end }}
{{- end }}
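Review bot: `.Values.capabilities.riskAcceptance` is compared with `eq` against the string `"enable"`, but values.yaml is not in the visible diff; make sure it declares `capabilities.riskAcceptance` with a default (and that the chart README lists it), so the template does not depend on how `eq` treats a missing key and so the snapshot fixtures for this template can cover both the enabled and disabled renderings. The verbs are read-only, which is the right scope for a consumer of these objects; the only cosmetic point is that they are ordered `get, list, watch` here and `get, watch, list` in the neighbouring `containerprofiles` rule.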
5 changes: 5 additions & 0 deletions charts/kubescape-operator/templates/operator/clusterrole.yaml
@@ -41,4 +41,9 @@ rules:
- apiGroups: ["kubescape.io"]
resources: ["operatorcommands/status"]
verbs: ["get", "watch", "list", "update", "patch"]
{{- if eq .Values.capabilities.riskAcceptance "enable" }}
- apiGroups: ["kubescape.io"]
resources: ["securityexceptions", "clustersecurityexceptions"]
verbs: ["get", "list", "watch"]
{{- end }}
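Review bot: this rule is identical to the one added to `templates/kubevuln/clusterrole.yaml` in the same PR, condition included; a named template in `_helpers.tpl` that both clusterroles include would keep the two in sync if a verb or resource is added later. The snapshot update already flagged for this block should cover the rendered rule for both values of `capabilities.riskAcceptance`, since the disabled path renders nothing between the `operatorcommands/status` rule and the closing `{{- end }}`.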
Comment on lines +44 to +48
⚠️ Potential issue | 🟠 Major

Update snapshot fixtures for the new conditional RBAC rule.

CI is currently failing with a snapshot mismatch tied to this block. Please update the expected rendered output (including the disabled path) to unblock merge.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/templates/operator/clusterrole.yaml` around lines
44 - 48, The snapshot test expectations are out of date because a conditional
RBAC block was added around .Values.capabilities.riskAcceptance == "enable" that
grants apiGroups ["kubescape.io"] resources
["securityexceptions","clustersecurityexceptions"] with verbs
["get","list","watch"]; update the test fixtures/snapshots to include the new
rendered output when riskAcceptance is "enable" and also add or update the
disabled-case snapshot (when riskAcceptance is not "enable") so the CI snapshot
matcher reflects both states of the conditional rendering.

{{- end }}