Replace host sensor with node agent sensing

[Bezbran]

Overview

The host-scanner is a K8s daemonset which sensing some basic stuff from a K8s node and expose them in a K8s YAML-like format via HTTP handlers and it runs by Kubescape only for the period of Kubescape scanning process.
We want to merge host-scanner into node-agent and let the node-agent itself to sense the stuff and send it to K8s API server as new CRDs.
The motivation for this change is well explained in this slack thread

we're trying to reduce the footprint of KS helm chart so it will be easier to install.
In addition the current implementation requires the host-scanner to open a port for KS to scrape the data which is a security posture we want to avoid. (privileged pod with open port - not so good)

How to Test

As ususal

Related issues/PRs:

#773
kubescape/kubescape#1916
kubescape/node-agent#681

Summary by CodeRabbit

• New Features

  • Node agent adds a configurable host sensor (enabled by default) with a 5m sampling interval.
  • New Kubernetes APIs (CRDs) expose host info: OS, kernel, open ports, CNI, kubelet/proxy, control plane and provider data.

• Chores

  • Chart and app versions bumped; service image tags updated.
  • Legacy host-scanner daemon removed; host-monitoring config simplified and host filesystem mounting introduced.

[slashben]

🥇 awesome @Bezbran

[matthyx]

almost LGTM, thanks @Bezbran !
can you follow https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator/tests#update for the unit test and check my comments?

[Bezbran]

almost LGTM, thanks @Bezbran ! can you follow https://github.com/kubescape/helm-charts/tree/main/charts/kubescape-operator/tests#update for the unit test and check my comments?

We are still missing the new version.
I think the order should be:

1. have new node-agent
2. have new KS
3. have Helm chart with new version and changes above

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ddc8990a-ca20-4323-8c76-f9e4be4ef561

📥 Commits

Reviewing files that changed from the base of the PR and between f4307f9 and 050623a.

⛔ Files ignored due to path filters (1)

• charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap is excluded by !**/*.snap

📒 Files selected for processing (1)

• charts/kubescape-operator/templates/node-agent/configmap.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• charts/kubescape-operator/templates/node-agent/configmap.yaml

---

📝 Walkthrough

Walkthrough

Removes the standalone host-scanner DaemonSet and related Helm assets; adds nodeAgent hostSensor configuration, node-agent ConfigMap keys, multiple hostdata.kubescape.cloud CRD templates, and conditional RBAC rules; updates chart/version/docs and values to shift host scanning into node-agent.

Changes

Cohort / File(s)	Summary
Chart metadata & docs charts/kubescape-operator/Chart.yaml, charts/kubescape-operator/README.md, charts/kubescape-operator/.helmignore	Bump chart/app version to 1.31.0, update README badge/content, and add templates/node-agent-crds/README.md to .helmignore.
Values & images charts/kubescape-operator/values.yaml	Remove host-scanner values and related blocks; add nodeAgent.config.hostSensor (enabled, interval), host-filesystem hostPath volume/volumeMount, and update image tags.
Removed host-scanner asset charts/kubescape-operator/assets/host-scanner-definition.yaml	Delete entire host-scanner DaemonSet manifest and Helm conditionals (container, probes, env, volumes, scheduling, OTEL instrumentation).
Templates: common/env annotations charts/kubescape-operator/templates/_common.tpl, charts/kubescape-operator/templates/kubescape/deployment.yaml	Remove hostScanner checksum from checksums template; update Deployment pod annotation/env to reference .Values.nodeAgent.config.hostSensor.enabled.
RBAC additions charts/kubescape-operator/templates/kubescape/clusterrole.yaml, charts/kubescape-operator/templates/node-agent/clusterrole.yaml	Add conditional RBAC blocks granting read (kubescape) and read/write (node-agent) verbs for hostdata.kubescape.cloud resources when nodeAgent.config.hostSensor.enabled is true.
Node-agent CRDs & docs charts/kubescape-operator/templates/node-agent-crds/... charts/kubescape-operator/templates/node-agent-crds/README.md	Add multiple CRD templates (OsReleaseFile, KernelVersion, LinuxSecurityHardeningStatus, OpenPortsList, LinuxKernelVariables, KubeletInfo, KubeProxyInfo, ControlPlaneInfo, CloudProviderInfo, CNIInfo) under group hostdata.kubescape.cloud, all gated by components.nodeAgent.enabled and .Values.nodeAgent.config.hostSensor.enabled, with OpenAPI v3 schemas (preserve unknown fields) and printer columns.
Node-agent config charts/kubescape-operator/templates/node-agent/configmap.yaml	Insert hostSensorEnabled and hostSensorInterval into the node-agent ConfigMap JSON from Helm values.

Sequence Diagram(s)

sequenceDiagram
  participant Helm as Helm (install/upgrade)
  participant Chart as kubescape-operator chart
  participant KubeAPI as Kubernetes API (CRDs & RBAC)
  participant NodeAgent as node-agent
  participant Kubescape as kubescape controller

  Helm->>Chart: install/upgrade (components.nodeAgent.enabled + hostSensor.enabled)
  Chart->>KubeAPI: create CRDs (hostdata.kubescape.cloud/*)
  Chart->>KubeAPI: apply RBAC for kubescape & node-agent
  KubeAPI-->>NodeAgent: permissions allow create/watch of host CRs
  NodeAgent->>KubeAPI: create/update host data CRs (OsReleaseFile, OpenPortsList, ...)
  Kubescape->>KubeAPI: read/watch host CRs for processing
  Kubescape-->>KubeAPI: optionally create/patch resources using granted verbs

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• prepare new release #794 — Similar kubescape-operator chart changes (Chart.yaml, README, values) for release/version updates.

Suggested reviewers

• slashben

Poem

🐰 I munched a DaemonSet at dawn's first light,
Now node-agent hops softly through the night.
Ten tiny CRDs in tidy rows,
RBAC opens doors where host-data flows.
Hooray — the rabbit winks, carrot held tight. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Replace host sensor with node agent sensing' accurately and clearly describes the main objective of the PR: migrating host-scanner functionality into node-agent to sense node information via CRDs instead of a separate DaemonSet.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch node-agent-replace-host-sensor

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@charts/kubescape-operator/values.yaml`:
- Around line 535-539: The chart defines a host-filesystem volume (name:
host-filesystem, hostPath: /) but it is not mounted; update
nodeAgent.volumeMounts to include a matching volumeMount (name: host-filesystem)
with the intended mountPath (e.g., mountPath: / or another appropriate path) and
any needed readOnly setting, or remove the host-filesystem volume block entirely
if it is unused; edit the nodeAgent.volumeMounts section and the host-filesystem
volume definition (the unique identifiers: nodeAgent.volumeMounts and
host-filesystem) so they are consistent.

🧹 Nitpick comments (3)

charts/kubescape-operator/templates/node-agent/clusterrole.yaml (1)

69-69: Nitpick: Extra blank line creates inconsistent spacing.

The blank line at 69 between the conditional block and the next rule is inconsistent with the formatting elsewhere in the file.

Suggested fix

   verbs: ["create", "get", "update", "patch", "list", "watch"]
 {{- end }}
-
 - apiGroups: ["kubescape.io"]

charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml (2)

30-36: Consider adding the Age printer column for consistency.

The osreleasefile-crd.yaml includes an Age column using .metadata.creationTimestamp, but this CRD only has Node and Last Sensed. Adding it would provide a consistent kubectl get experience across all hostdata CRDs.

Suggested addition

     - name: Last Sensed
       type: string
       jsonPath: .status.lastSensed
+    - name: Age
+      type: date
+      jsonPath: .metadata.creationTimestamp
 {{- end }}

---

6-8: Optional: Add controller-gen annotation for consistency.

The osreleasefile-crd.yaml includes a controller-gen.kubebuilder.io/version annotation in metadata. If this CRD is generated by controller-gen or you want to maintain consistency across all hostdata CRDs, consider adding it here as well.

Suggested addition

 metadata:
   name: cloudproviderinfos.hostdata.kubescape.cloud
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.11.1
 spec:

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the kubescape-operator values file and explore the structure
find . -name "values.yaml" -path "*kubescape-operator*" | head -20

Repository: kubescape/helm-charts

Length of output: 104

---

🏁 Script executed:

#!/bin/bash
# Check file size and read the relevant sections
wc -l ./charts/kubescape-operator/values.yaml

Repository: kubescape/helm-charts

Length of output: 109

---

🏁 Script executed:

#!/bin/bash
# Read the hostSensor and host-filesystem sections
sed -n '530,545p' ./charts/kubescape-operator/values.yaml
echo "---"
sed -n '640,655p' ./charts/kubescape-operator/values.yaml

Repository: kubescape/helm-charts

Length of output: 813

---

🏁 Script executed:

#!/bin/bash
# Search for volumeMounts in values.yaml
rg -n "volumeMounts" ./charts/kubescape-operator/values.yaml -A 5

Repository: kubescape/helm-charts

Length of output: 2133

---

🏁 Script executed:

#!/bin/bash
# Read full nodeAgent volumeMounts and volumes sections
sed -n '570,610p' ./charts/kubescape-operator/values.yaml
echo "---VOLUMES---"
sed -n '635,660p' ./charts/kubescape-operator/values.yaml

Repository: kubescape/helm-charts

Length of output: 1751

---

🏁 Script executed:

#!/bin/bash
# Read the complete volumes section
sed -n '635,700p' ./charts/kubescape-operator/values.yaml

Repository: kubescape/helm-charts

Length of output: 2088

---

🏁 Script executed:

#!/bin/bash
# Search templates directory for references to host-filesystem, hostSensor, HOST_ROOT
find ./charts/kubescape-operator/templates -type f -name "*.yaml" -o -name "*.tpl" | head -20

Repository: kubescape/helm-charts

Length of output: 1401

---

🏁 Script executed:

#!/bin/bash
# Find node-agent templates
find ./charts/kubescape-operator/templates -type f -name "*node*" 
echo "---"
# Search for host-filesystem references in all templates
rg -l "host-filesystem" ./charts/kubescape-operator/templates/

Repository: kubescape/helm-charts

Length of output: 133

---

🏁 Script executed:

#!/bin/bash
# Read the node-agent template
wc -l ./charts/kubescape-operator/templates/node-agent/_node-agent.tpl
echo "---"
# Search for host-filesystem in the template
rg -n "host-filesystem|volumeMount" ./charts/kubescape-operator/templates/node-agent/_node-agent.tpl

Repository: kubescape/helm-charts

Length of output: 638

---

🏁 Script executed:

#!/bin/bash
# Read the template more carefully, focusing on volumes and volumeMounts
sed -n '120,230p' ./charts/kubescape-operator/templates/node-agent/_node-agent.tpl

Repository: kubescape/helm-charts

Length of output: 3405

---

🏁 Script executed:

#!/bin/bash
# Search for volumes definition in the template
rg -n "volumes:|^  volumes:" ./charts/kubescape-operator/templates/node-agent/_node-agent.tpl -A 15

Repository: kubescape/helm-charts

Length of output: 1002

---

🏁 Script executed:

#!/bin/bash
# Search for the node-agent.volumes definition
rg -n "define \"node-agent.volumes\"" ./charts/kubescape-operator/templates/node-agent/_node-agent.tpl -A 50

Repository: kubescape/helm-charts

Length of output: 1664

---

🏁 Script executed:

#!/bin/bash
# Search for HOST_ROOT and hostSensor environment variables in templates
rg -n "HOST_ROOT|hostSensor" ./charts/kubescape-operator/templates/node-agent/_node-agent.tpl -B 2 -A 2

Repository: kubescape/helm-charts

Length of output: 184

---

🏁 Script executed:

#!/bin/bash
# Look for where HOST_ROOT is documented or if it's mentioned alongside hostSensor
rg -n "hostSensor" ./charts/kubescape-operator/values.yaml -B 5 -A 5
echo "---"
# Search entire repo for HOST_ROOT usage
rg -n "HOST_ROOT" . --type yaml --type md | head -20

Repository: kubescape/helm-charts

Length of output: 408

---

🏁 Script executed:

#!/bin/bash
# Search all templates for references to host-filesystem
rg -r "host-filesystem" ./charts/kubescape-operator/templates/
echo "---"
# Check values for any reference to how hostSensor uses volumes
rg -n "hostSensor" ./charts/kubescape-operator/ -r

Repository: kubescape/helm-charts

Length of output: 499

---

🏁 Script executed:

#!/bin/bash
# Search all templates for references to host-filesystem
find ./charts/kubescape-operator -type f \( -name "*.yaml" -o -name "*.tpl" \) -exec rg "host-filesystem" {} +
echo "---"
# Check if host-filesystem appears in any meaningful context
rg "host-filesystem" ./charts/kubescape-operator/

Repository: kubescape/helm-charts

Length of output: 1167

---

Add volumeMount for the host-filesystem volume or remove it if unused.

The host-filesystem volume defined at lines 645-648 (hostPath at /) has no corresponding volumeMount in nodeAgent.volumeMounts (lines 577-610). This volume appears in test snapshots but is never actually mounted into the pod. Either add the missing volumeMount entry with the appropriate mountPath, or remove the unused volume definition to maintain consistency.

🤖 Prompt for AI Agents

In `@charts/kubescape-operator/values.yaml` around lines 535 - 539, The chart
defines a host-filesystem volume (name: host-filesystem, hostPath: /) but it is
not mounted; update nodeAgent.volumeMounts to include a matching volumeMount
(name: host-filesystem) with the intended mountPath (e.g., mountPath: / or
another appropriate path) and any needed readOnly setting, or remove the
host-filesystem volume block entirely if it is unused; edit the
nodeAgent.volumeMounts section and the host-filesystem volume definition (the
unique identifiers: nodeAgent.volumeMounts and host-filesystem) so they are
consistent.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

charts/kubescape-operator/values.yaml (1)

645-648: ⚠️ Potential issue | 🟡 Minor

host-filesystem is still orphaned/redundant.

At Lines 645-648, the added host-filesystem volume has no matching volumeMount, and root / is already exposed via the existing host volume/mount (/host). Please remove this block or mount it intentionally.

Proposed cleanup

-    - hostPath:
-        path: /
-        type: Directory
-      name: host-filesystem

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/values.yaml` around lines 645 - 648, The new volume
block named "host-filesystem" (hostPath path: /) is orphaned—there is no
matching volumeMount and the root filesystem is already exposed via the existing
"host" volume/mount (mounted at /host); either delete the "host-filesystem"
volume block or, if you intended to use it, add a corresponding volumeMount that
uses name: "host-filesystem" in the container spec with the intended mountPath.
Locate the "host-filesystem" volume definition and remove it, or create a
volumeMount entry referencing "host-filesystem" (instead of duplicating root) to
resolve the redundancy.

🧹 Nitpick comments (2)

charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml (1)

1-38: Factor the hostdata CRD boilerplate into a shared helper.

This template has the same gate, version block, schema skeleton, and printer columns as the sibling hostdata CRDs in this PR. Keeping that structure duplicated across many files will drift the next time one of those common fields changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml`
around lines 1 - 38, This CRD duplicates boilerplate (the gate check using
.Values.nodeAgent.config.hostSensor.enabled, the apiVersion/kind
CustomResourceDefinition spec version block, openAPIV3Schema skeleton and
additionalPrinterColumns) used by other hostdata CRDs; extract that repeated
version/schema/printer-columns block into a shared helper template (e.g.,
_helpers.tpl) and replace the duplicated content in ControlPlaneInfo (the
current template that uses include "components" and the gate
.Values.nodeAgent.config.hostSensor.enabled) with a call to that helper, passing
any unique values (kind/name/plural/singular and jsonPath values like
.spec.nodeName and .status.lastSensed) so the CRD file becomes the minimal
wrapper that only supplies resource-specific identifiers while reusing the
shared boilerplate.

charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml (1)

22-55: Consider keeping this CRD as open as the sibling hostdata CRDs.

This is the only reviewed hostdata CRD with a closed spec/status schema. That makes OsReleaseFile much less tolerant of chart/node-agent skew: new fields from a newer agent will be pruned until the chart upgrades the CRD. If strict lockstep is not intentional, aligning this with the x-kubernetes-preserve-unknown-fields pattern used by the other hostdata CRDs will be safer.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml`
around lines 22 - 55, The OsReleaseFile CRD currently defines closed schemas for
spec and status (properties: content/nodeName and lastSensed/error), which will
prune unknown fields; to match the other hostdata CRDs and tolerate agent/chart
skew, make spec and status preserve unknown fields by adding
x-kubernetes-preserve-unknown-fields: true to the spec and status object schemas
(leave the existing properties like content, nodeName, lastSensed, error in
place so they’re still documented) so the OsReleaseFile CRD aligns with the
hostdata pattern and won’t drop extra fields from newer agents.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml`:
- Around line 2-3: The CRD rendering is currently gated by the host sensor flag
(.Values.nodeAgent.config.hostSensor.enabled) which can cause Helm to delete the
CRD when that runtime flag is disabled; update the template so the CRD is not
tied to hostSensor.enabled—only gate it by the broader node agent enablement
($components.nodeAgent.enabled) or render it unconditionally for cluster scope;
remove the inner if that checks .Values.nodeAgent.config.hostSensor.enabled
around the CRD (and mirror the same change for the other occurrence noted) so
CRD lifecycle is independent of the hostSensor runtime flag.

---

Duplicate comments:
In `@charts/kubescape-operator/values.yaml`:
- Around line 645-648: The new volume block named "host-filesystem" (hostPath
path: /) is orphaned—there is no matching volumeMount and the root filesystem is
already exposed via the existing "host" volume/mount (mounted at /host); either
delete the "host-filesystem" volume block or, if you intended to use it, add a
corresponding volumeMount that uses name: "host-filesystem" in the container
spec with the intended mountPath. Locate the "host-filesystem" volume definition
and remove it, or create a volumeMount entry referencing "host-filesystem"
(instead of duplicating root) to resolve the redundancy.

---

Nitpick comments:
In
`@charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml`:
- Around line 1-38: This CRD duplicates boilerplate (the gate check using
.Values.nodeAgent.config.hostSensor.enabled, the apiVersion/kind
CustomResourceDefinition spec version block, openAPIV3Schema skeleton and
additionalPrinterColumns) used by other hostdata CRDs; extract that repeated
version/schema/printer-columns block into a shared helper template (e.g.,
_helpers.tpl) and replace the duplicated content in ControlPlaneInfo (the
current template that uses include "components" and the gate
.Values.nodeAgent.config.hostSensor.enabled) with a call to that helper, passing
any unique values (kind/name/plural/singular and jsonPath values like
.spec.nodeName and .status.lastSensed) so the CRD file becomes the minimal
wrapper that only supplies resource-specific identifiers while reusing the
shared boilerplate.

In `@charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml`:
- Around line 22-55: The OsReleaseFile CRD currently defines closed schemas for
spec and status (properties: content/nodeName and lastSensed/error), which will
prune unknown fields; to match the other hostdata CRDs and tolerate agent/chart
skew, make spec and status preserve unknown fields by adding
x-kubernetes-preserve-unknown-fields: true to the spec and status object schemas
(leave the existing properties like content, nodeName, lastSensed, error in
place so they’re still documented) so the OsReleaseFile CRD aligns with the
hostdata pattern and won’t drop extra fields from newer agents.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 58b39180-b444-4276-82cc-cc0330778ad9

📥 Commits

Reviewing files that changed from the base of the PR and between 691e0af and c07edfe.

⛔ Files ignored due to path filters (1)

• charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap is excluded by !**/*.snap

📒 Files selected for processing (20)

• charts/kubescape-operator/.helmignore
• charts/kubescape-operator/Chart.yaml
• charts/kubescape-operator/README.md
• charts/kubescape-operator/assets/host-scanner-definition.yaml
• charts/kubescape-operator/templates/_common.tpl
• charts/kubescape-operator/templates/kubescape/clusterrole.yaml
• charts/kubescape-operator/templates/kubescape/deployment.yaml
• charts/kubescape-operator/templates/node-agent-crds/README.md
• charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/kubeletinfo-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/kubeproxyinfo-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/linuxkernelvariables-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/linuxsecurityhardening-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/openports-crd.yaml
• charts/kubescape-operator/templates/node-agent-crds/osreleasefile-crd.yaml
• charts/kubescape-operator/templates/node-agent/clusterrole.yaml
• charts/kubescape-operator/values.yaml

💤 Files with no reviewable changes (2)

• charts/kubescape-operator/templates/_common.tpl
• charts/kubescape-operator/assets/host-scanner-definition.yaml

✅ Files skipped from review due to trivial changes (2)

• charts/kubescape-operator/Chart.yaml
• charts/kubescape-operator/templates/node-agent-crds/README.md

🚧 Files skipped from review as they are similar to previous changes (4)

• charts/kubescape-operator/README.md
• charts/kubescape-operator/.helmignore
• charts/kubescape-operator/templates/kubescape/deployment.yaml
• charts/kubescape-operator/templates/kubescape/clusterrole.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid tying CRD lifecycle to hostSensor.enabled.

At Line 3, disabling nodeAgent.config.hostSensor.enabled on upgrade will stop rendering this CRD, and Helm can delete it (and its stored objects). For cluster-scoped host data, this is a risky lifecycle coupling to a runtime flag.

Proposed change

 {{- $components := fromYaml (include "components" .) }}
 {{- if $components.nodeAgent.enabled }}
-{{- if .Values.nodeAgent.config.hostSensor.enabled }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: cniinfos.hostdata.kubescape.cloud
@@
-{{- end }}
 {{- end }}

Also applies to: 37-37

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml` around
lines 2 - 3, The CRD rendering is currently gated by the host sensor flag
(.Values.nodeAgent.config.hostSensor.enabled) which can cause Helm to delete the
CRD when that runtime flag is disabled; update the template so the CRD is not
tied to hostSensor.enabled—only gate it by the broader node agent enablement
($components.nodeAgent.enabled) or render it unconditionally for cluster scope;
remove the inner if that checks .Values.nodeAgent.config.hostSensor.enabled
around the CRD (and mirror the same change for the other occurrence noted) so
CRD lifecycle is independent of the hostSensor runtime flag.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/kubescape-operator/templates/node-agent/configmap.yaml`:
- Around line 32-33: The JSON in the ConfigMap template renders
hostSensor.interval unquoted causing invalid JSON; update the template so both
"hostSensorEnabled" and "hostSensorInterval" use Helm's toJson filter (apply |
toJson to .Values.nodeAgent.config.hostSensor.enabled and to
.Values.nodeAgent.config.hostSensor.interval) so the values are properly
JSON-encoded (booleans and duration strings will be correctly quoted/formatted)
in the rendered config.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7e914763-48bd-43cd-8eb5-8859ffbfe7f7

📥 Commits

Reviewing files that changed from the base of the PR and between c07edfe and f4307f9.

⛔ Files ignored due to path filters (1)

• charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap is excluded by !**/*.snap

📒 Files selected for processing (1)

• charts/kubescape-operator/templates/node-agent/configmap.yaml