feat(kubescape): first deploy operator and headlamp plugin #842

Draft. Smana wants to merge 1 commit into main from feat_kubescape.

Conversation

Smana (Owner) commented May 4, 2025

PR Type

Enhancement


Description

  • Add Kubescape Helm repository resource.

  • Introduce Kubescape operator HelmRelease config.

  • Integrate Kubescape base in cluster overlay.

  • Update Headlamp plugin initContainer deployment.


Changes walkthrough 📝

Relevant files

Configuration changes

  • helmrepo-kubescape.yaml (flux/sources/helmrepo-kubescape.yaml, +8/-0): Add Kubescape HelmRepository resource
    • Create HelmRepository for Kubescape.
    • Set namespace to security.
    • Configure interval and repository URL.

  • helmrelease.yaml (security/base/kubescape/helmrelease.yaml, +364/-0): Introduce Kubescape operator HelmRelease
    • Add HelmRelease spec for Kubescape operator.
    • Specify chart version and interval.
    • Configure scanning capabilities and persistence.
    • Define resources for components and operator.

  • kustomization.yaml (security/base/kubescape/kustomization.yaml, +5/-0): Add Kubescape base kustomization
    • Add Kustomization manifest for Kubescape base.
    • Reference the new helmrelease.yaml resource.

  • kustomization.yaml (security/mycluster-0/kustomization.yaml, +2/-1): Include Kubescape in cluster overlay
    • Insert Kubescape base into cluster overlay.
    • Adjust resource order in kustomization.

Enhancement

  • helmrelease.yaml (tooling/base/headlamp/helmrelease.yaml, +13/-6): Update Headlamp with Kubescape plugin
    • Add initContainer for Kubescape plugin.
    • Update headlamp-plugin image to latest.
    • Change plugins volume to emptyDir type.

    github-actions bot (Contributor) commented May 4, 2025

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Missing imagePullPolicy

    The newly added initContainer kubescape-plugin does not specify an imagePullPolicy, which may lead to inconsistent image versions being used. Consider adding imagePullPolicy: Always to the container spec.

    - command:
        - /bin/sh
        - "-c"
        - mkdir -p /build/plugins && cp -r /plugins/* /build/plugins/
      image: ghcr.io/kubebeam/kubescape-headlamp-plugin:latest
      name: kubescape-plugin
      volumeMounts:
        - mountPath: /build/plugins

    Ephemeral plugin data

    The headlamp-plugins volume is configured as an emptyDir, making plugin data ephemeral. If you need to persist plugins across pod restarts, consider using a PersistentVolumeClaim.

      - name: headlamp-plugins
        mountPath: /build/plugins
    volumes:
      - name: headlamp-plugins
        emptyDir: {}

    Placeholder resolution

    The clusterName is set to "${cluster_name}", which may not be rendered by Helm or Kustomize without proper templating. Ensure a mechanism is in place to inject the actual cluster name value.

    clusterName: "${cluster_name}"
    

    github-actions bot (Contributor) commented May 4, 2025

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category: Possible issue
    Suggestion: Fix CPU unit formatting

    Kubernetes CPU resource quantities must use valid units; the m suffix accepts only
    integer values. Update CPU values to millicores or decimal cores.

    security/base/kubescape/helmrelease.yaml [187-194]

     hostScanner:
       resources:
         limits:
    -      cpu: 0.4m
    +      cpu: 400m
           memory: 400Mi
         requests:
    -      cpu: 0.1m
    +      cpu: 100m
           memory: 200Mi
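    Review bot: the `+` lines change the magnitude by a factor of 1000 (0.4m is 0.0004 cores, 400m is 0.4 cores), so confirm with the author that 0.4 and 0.1 cores were the intended limits and requests before accepting; if so, `cpu: 0.4` / `cpu: 0.1` would also parse, but the millicore form is the less error-prone one. Since the walkthrough says the same file defines resources for the other components and the operator, check those CPU values for the same fractional-millicore pattern too.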
    Suggestion importance [1-10]: 8

    Why: The CPU resource units 0.4m and 0.1m are invalid because fractional millicores are not supported; changing them to 400m and 100m ensures the values parse correctly and reflect the intended capacity.

    Impact: Medium

    Category: Security
    Suggestion: Pin plugin image tag

    Avoid using the latest tag for mutable images; pin to a fixed version or digest to
    ensure reproducible and secure deployments.

    tooling/base/headlamp/helmrelease.yaml [40]

    -image: ghcr.io/headlamp-k8s/headlamp-plugin-flux:latest
    +image: ghcr.io/headlamp-k8s/headlamp-plugin-flux:v0.1.0-beta-2@sha256:c63dc4e10d7ddb95c966194b5e6fbe2012feb7f932bafa24692daed3cf6c248a
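    Review bot: the digest in the `+` line cannot be verified from this page, so confirm it is the digest the registry actually serves for the v0.1.0-beta-2 tag (for example with `crane digest` or `docker manifest inspect`) before applying it. The same finding applies to the new initContainer image `ghcr.io/kubebeam/kubescape-headlamp-plugin:latest` quoted in the reviewer guide above, which this suggestion does not cover; both images should be pinned the same way.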
    Suggestion importance [1-10]: 7

    Why: Using the latest tag leads to non-reproducible and potentially insecure deployments; pinning to a specific version or digest ensures consistency and traceability.

    Impact: Medium
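The two bot comments above raise three kinds of finding (CPU quantities finer than 1m, images not pinned to a digest, and an unresolved `${cluster_name}` placeholder). The following is an added example, not code from this repository or from PR-Agent: a small line-oriented lint that applies those three checks to a manifest and a simplified model of `${var}` / `${var:=default}` post-build substitution, so that the placeholder finding disappears once the variable is supplied. The manifest, the digest of all zeros and the `substitute` behaviour for unset variables are this example's own constructions, not Flux's or the repository's.

```python
"""Static checks for the three kinds of finding raised on this PR: CPU quantities
finer than 1m, container images that are not pinned, and unresolved ${...}
placeholders. Line-oriented on purpose so it needs no YAML library."""
import re

# Kubernetes quantity grammar, restricted to the CPU forms used in practice:
# plain cores ("0.4", "2") or millicores ("400m"). Other SI/binary suffixes are
# valid quantities in general but are not accepted for CPU here.
_CPU_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?|\.\d+)(?P<milli>m)?$")
# `${name}` or `${name:=default}` placeholders, the shape Flux post-build substitution uses.
_PLACEHOLDER_RE = re.compile(r"\$\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)(?::=(?P<default>[^}]*))?\}")
# `image:` or `- image:` lines with an optionally quoted reference.
_IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?(?P<ref>\S+?)['\"]?\s*$")


def cpu_millicores(value):
    """Return the CPU quantity as an integer number of millicores, or None when it
    is not a valid CPU quantity. Kubernetes allows no precision finer than 1m, so
    '0.4m' is rejected while '0.4' and '400m' both yield 400."""
    m = _CPU_RE.match(value.strip().strip("'\""))
    if not m:
        return None
    num = m.group("num")
    if m.group("milli"):
        return None if "." in num else int(num)  # fractional millicores are invalid
    whole, _, frac = num.partition(".")
    if len(frac) > 3:
        return None  # finer than 1m when expressed in cores
    return int(whole or "0") * 1000 + int((frac + "000")[:3])


def image_pinning(ref):
    """Classify an image reference as 'digest', 'tag', 'latest' or 'untagged'."""
    if "@sha256:" in ref:
        return "digest"
    last = ref.rsplit("/", 1)[-1]  # a registry host may carry ':port', so inspect only the last path element
    if ":" not in last:
        return "untagged"
    return "latest" if last.split(":", 1)[1] == "latest" else "tag"


def substitute(text, variables):
    """Simplified model (this example's own, not Flux's code) of ${var} / ${var:=default}
    substitution. A variable that is neither supplied nor defaulted is left untouched
    here so that lint_manifest can report it."""
    def repl(m):
        if m.group("name") in variables:
            return variables[m.group("name")]
        return m.group("default") if m.group("default") is not None else m.group(0)
    return _PLACEHOLDER_RE.sub(repl, text)


def lint_manifest(text):
    """Return a list of (line_number, message) findings for the manifest text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("cpu:"):
            value = stripped.split(":", 1)[1].strip()
            if cpu_millicores(value) is None:
                findings.append((n, f"invalid CPU quantity {value}: no precision finer than 1m is allowed"))
        img = _IMAGE_RE.match(line)
        if img and image_pinning(img.group("ref")) in ("latest", "untagged"):
            findings.append((n, f"image {img.group('ref')} is not pinned; use a tag plus @sha256 digest"))
        if _PLACEHOLDER_RE.search(line):
            findings.append((n, f"unresolved placeholder in: {stripped}"))
    return findings


# Constructed excerpt modelled on the snippets quoted in the bot comments; the
# all-zero digest is a placeholder, not a real image digest.
SAMPLE_MANIFEST = """\
# constructed excerpt, not the repository's file
hostScanner:
  resources:
    limits:
      cpu: 0.4m
      memory: 400Mi
    requests:
      cpu: 0.1m
      memory: 200Mi
clusterName: "${cluster_name}"
initContainers:
  - name: kubescape-plugin
    image: ghcr.io/kubebeam/kubescape-headlamp-plugin:latest
containers:
  - name: headlamp
    image: ghcr.io/example/headlamp-plugin:v0.1.0@sha256:""" + "0" * 64 + "\n"


if __name__ == "__main__":
    for n, msg in lint_manifest(SAMPLE_MANIFEST):
        print(f"line {n}: {msg}")
    print("after substitution:", lint_manifest(substitute(SAMPLE_MANIFEST, {"cluster_name": "mycluster-0"})))
```

Run stand-alone it reports the two CPU lines, the placeholder line and the `latest` initContainer image, and after supplying `cluster_name` only the first three remain; the digest-pinned container image produces no finding.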

    Smana force-pushed the feat_kubescape branch 10 times, most recently from 8f64a7e to 7152c2a on May 5, 2025 20:50
    Smana force-pushed the feat_kubescape branch from 7152c2a to 69c183e on May 5, 2025 20:52
    Smana (Owner, Author) commented Aug 15, 2025

    Currently paused, because it consumes a lot of resources.
