kubescape · Bezbran · Dec 31, 2025 · Mar 17, 2026 · Mar 17, 2026 · coderabbitai
diff --git a/charts/kubescape-operator/.helmignore b/charts/kubescape-operator/.helmignore
@@ -1 +1,2 @@
 tests
+templates/node-agent-crds/README.md
diff --git a/charts/kubescape-operator/Chart.yaml b/charts/kubescape-operator/Chart.yaml
@@ -9,14 +9,14 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 1.30.5
+version: 1.31.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 
-appVersion: 1.30.5
+appVersion: 1.31.0
 
 maintainers:
 - name: Ben Hirschberg

diff --git a/charts/kubescape-operator/README.md b/charts/kubescape-operator/README.md
@@ -1,6 +1,6 @@
 # Kubescape Operator
 
-![Version: 1.30.5](https://img.shields.io/badge/Version-1.30.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.30.5](https://img.shields.io/badge/AppVersion-v1.30.5-informational?style=flat-square)
+![Version: 1.31.0](https://img.shields.io/badge/Version-1.31.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.31.0](https://img.shields.io/badge/AppVersion-v1.31.0-informational?style=flat-square)
 
 [Kubescape operator documentation](https://kubescape.io/docs/install-operator/)
 
@@ -153,8 +153,6 @@ However, we recommend that you give Kubescape no less than 500m CPU no matter th
 | operator.nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) |
 | operator.volumes | object | `[]` | Additional volumes for the web socket |
 | operator.volumeMounts | object | `[]` | Additional volumeMounts for the web socket |
-| hostScanner.volumes | object | `[]` | Additional volumes for the host scanner |
-| hostScanner.volumeMounts | object | `[]` | Additional volumeMounts for the host scanner |
 | awsIamRoleArn | string | `nil` | AWS IAM arn role |
 | cloudProviderMetadata.secretRef.name | string | `nil` | secret name to define values for the provider's metadata |
 | cloudProviderMetadata.cloudRegion | string or through `cloudProviderMetadata.secretRef.cloudRegionKey` if `cloudProviderMetadata.secretRef.name` is set | `nil` | cloud region |

diff --git a/charts/kubescape-operator/assets/host-scanner-definition.yaml b/charts/kubescape-operator/assets/host-scanner-definition.yaml
diff --git a/charts/kubescape-operator/templates/_common.tpl b/charts/kubescape-operator/templates/_common.tpl
@@ -7,7 +7,6 @@
 capabilitiesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "components-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }}
 cloudConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloudapi-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }}
 cloudSecret: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "cloud-secret.yaml" ) . | replace .Chart.AppVersion "" | sha256sum }}
-hostScannerConfig: {{ include (printf "%s/kubescape/host-scanner-definition-configmap.yaml" $.Template.BasePath ) . | replace .Chart.AppVersion "" | sha256sum }}
 matchingRulesConfig: {{ include (printf "%s/%s/%s" $.Template.BasePath $.Values.global.configMapsDirectory "matchingRules-configmap.yaml") . | replace .Chart.AppVersion "" | sha256sum }}
 nodeAgentConfig: {{ include (printf "%s/node-agent/configmap.yaml" $.Template.BasePath) . | replace .Chart.AppVersion "" | sha256sum }}
 operatorConfig: {{ include (printf "%s/operator/configmap.yaml" $.Template.BasePath) . | replace .Chart.AppVersion "" | sha256sum }}
@@ -50,8 +49,6 @@ submit: {{ $submit }}
 {{- $nodeScanEnabled := and (eq .Values.capabilities.nodeScan "enable") (not $configurations.backendStorageEnabled) }}
 {{- $configurationScanEnabled := and (eq .Values.capabilities.configurationScan "enable") (not $configurations.backendStorageEnabled) }}
 {{- $vulnerabilityScanEnabled := and (eq .Values.capabilities.vulnerabilityScan "enable") (not $configurations.backendStorageEnabled) }}
-hostScanner:
-  enabled: {{ $nodeScanEnabled }}
 kubescape:
   enabled: {{ $configurationScanEnabled }}
 kubescapeScheduler:

diff --git a/charts/kubescape-operator/templates/kubescape/clusterrole.yaml b/charts/kubescape-operator/templates/kubescape/clusterrole.yaml
@@ -86,4 +86,20 @@ rules:
 - apiGroups: ["kubescape.io"]
   resources: ["servicesscanresults"]
   verbs: ["get", "watch", "list"]
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+- apiGroups: ["hostdata.kubescape.cloud"]
+  resources:
+    - osreleasefiles
+    - kernelversions
+    - linuxsecurityhardeningstatuses
+    - openportslists
+    - linuxkernelvariables
+    - kubeletinfos
+    - kubeproxyinfos
+    - controlplaneinfos
+    - cloudproviderinfos
+    - cniinfos
+  verbs: ["get", "list", "watch"]
+{{- end }}
+
 {{ end }}
diff --git a/charts/kubescape-operator/templates/kubescape/deployment.yaml b/charts/kubescape-operator/templates/kubescape/deployment.yaml
@@ -29,7 +29,6 @@ spec:
       annotations:
         {{- include "kubescape-operator.annotations" (dict "Values" .Values) | nindent 8 }}
         {{- with .Values.kubescape.podAnnotations }}{{- toYaml . | nindent 8 }}{{- end }}
-        checksum/host-scanner-configmap: {{ $checksums.hostScannerConfig }}
         checksum/cloud-secret: {{ $checksums.cloudSecret }}
         checksum/cloud-config: {{ $checksums.cloudConfig }}
       {{- if ne .Values.global.proxySecretFile "" }}
@@ -153,7 +152,7 @@ spec:
         - name: KS_DEFAULT_CLOUD_CONFIGMAP_NAME
           value: {{ .Values.global.cloudConfig }}
         - name: KS_ENABLE_HOST_SCANNER
-          value: "{{ $components.hostScanner.enabled }}"
+          value: "{{ .Values.nodeAgent.config.hostSensor.enabled }}"
         - name: KS_SKIP_UPDATE_CHECK
           value: "{{ .Values.kubescape.skipUpdateCheck }}"
         - name: KS_HOST_SCAN_YAML

diff --git a/charts/kubescape-operator/templates/node-agent-crds/README.md b/charts/kubescape-operator/templates/node-agent-crds/README.md
@@ -0,0 +1,7 @@
+### CRDs location inside the chart tree
+These CRDs are placed in the `templates/` directory instead of the standard `crds/` directory to allow Helm to manage their full lifecycle. 
+This ensures they are updated during `helm upgrade` and removed during `helm uninstall`, supporting the evolving sensing capabilities of the node-agent.
+No need to install them before kubescape operator chart since they are about to be used only after node-agent is up and running.
+
+### tech debt
+1. move CRDs group from `kubescape.cloud` to `kubescape.io`
diff --git a/charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/cloudproviderinfo-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cloudproviderinfos.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: CloudProviderInfo
+    listKind: CloudProviderInfoList
+    plural: cloudproviderinfos
+    singular: cloudproviderinfo
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/cniinfo-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cniinfos.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: CNIInfo
+    listKind: CNIInfoList
+    plural: cniinfos
+    singular: cniinfo
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/controlplaneinfo-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: controlplaneinfos.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: ControlPlaneInfo
+    listKind: ControlPlaneInfoList
+    plural: controlplaneinfos
+    singular: controlplaneinfo
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}
diff --git a/charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml b/charts/kubescape-operator/templates/node-agent-crds/kernelversion-crd.yaml
@@ -0,0 +1,38 @@
+{{- $components := fromYaml (include "components" .) }}
+{{- if $components.nodeAgent.enabled }}
+{{- if .Values.nodeAgent.config.hostSensor.enabled }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: kernelversions.hostdata.kubescape.cloud
+spec:
+  group: hostdata.kubescape.cloud
+  names:
+    kind: KernelVersion
+    listKind: KernelVersionList
+    plural: kernelversions
+    singular: kernelversion
+  scope: Cluster
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+    additionalPrinterColumns:
+    - name: Node
+      type: string
+      jsonPath: .spec.nodeName
+    - name: Last Sensed
+      type: string
+      jsonPath: .status.lastSensed
+{{- end }}
+{{- end }}