feat(kubescape-operator): add priorityClassName support for deployments#804

Closed
bl4ko wants to merge 2 commits into kubescape:main from bl4ko:feat/add-priorityclassname-deployments

Conversation

bl4ko (Contributor) commented Mar 25, 2026

Overview

Add optional priorityClassName support to all 5 Deployment workloads in the kubescape-operator chart:

  • kubescape
  • kubevuln
  • operator
  • prometheus-exporter
  • storage

The existing priorityClass configuration only applies to the node-agent DaemonSet (hardcoded to kubescape-critical). Deployments currently have no way to set a priorityClassName, which causes policy violations in clusters enforcing require-priorityclass policies (e.g., Kyverno PSS).

Follows the existing customScheduling fallback pattern used by nodeSelector, affinity, and tolerations:

  1. Per-component override: .Values.<component>.priorityClassName
  2. Global fallback: .Values.customScheduling.priorityClassName

How to Test

# Global for all deployments
customScheduling:
  priorityClassName: "my-priority-class"

# Or per-component override
kubescape:
  priorityClassName: "high-priority"

Then verify with:

helm template kubescape-operator charts/kubescape-operator -f values.yaml | grep -A1 priorityClassName

Related issues/PRs:

Summary by CodeRabbit

  • New Features

    • Added cluster-wide pod PriorityClass support for operator components and scheduled jobs, with both global and per-component configuration options.
    • Node-agent now respects a per-node-agent priority override and falls back to configured defaults when unset.
  • Chores

    • Updated operator image tag.
  • Tests

    • Added snapshot test covering priority-class scheduling scenarios.

coderabbitai (bot) commented Mar 25, 2026

📝 Walkthrough

Adds conditional rendering of priorityClassName to multiple Deployment, DaemonSet, and CronJob pod templates via a new Helm helper, exposes per-component and global priorityClassName values in values.yaml, changes node-agent priority selection ordering, and bumps operator.image.tag.

Changes

Cohort / File(s) and summary:

  • Helm helper & values (charts/kubescape-operator/templates/_helpers.tpl, charts/kubescape-operator/values.yaml): Introduce define "kubescape-operator.priorityClassName" helper (prefers component then global). Add many *.priorityClassName: "" values (including customScheduling.priorityClassName) and bump operator.image.tag to v0.2.133.
  • Deployments (charts/kubescape-operator/templates/kubescape/deployment.yaml, charts/kubescape-operator/templates/kubevuln/deployment.yaml, charts/kubescape-operator/templates/operator/deployment.yaml, charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml, charts/kubescape-operator/templates/storage/deployment.yaml, charts/kubescape-operator/templates/synchronizer/deployment.yaml): Insert conditional spec.template.spec.priorityClassName rendered via the helper (passes component-specific .Values.<component> and global: .Values.customScheduling).
  • CronJobs & schedulers (charts/kubescape-operator/templates/autoupdater/cronjob.yaml, charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml, charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml, charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml): Add helper include to render spec.jobTemplate.spec.template.spec.priorityClassName for CronJob pod templates using component + global values.
  • Node-agent template (charts/kubescape-operator/templates/node-agent/_node-agent.tpl): Adjust node-agent priority selection: prefer nodeAgent.priorityClassName if set; otherwise fall back to existing configurations.priorityClass.enabled behavior (legacy default), then customScheduling.priorityClassName.
  • Tests (charts/kubescape-operator/tests/snapshot_test.yaml): Append "priority class scheduling" snapshot test case covering global and component overrides; adjust trailing newlines in snapshot file.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble at charts, a helper I sow,
Component then global — down priority goes.
Pods hop to their places, neat labels in line,
Values set snugly, then I munch on a vine. 🥕

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Out of Scope Changes check (⚠️ Warning): One out-of-scope change detected: operator.image.tag was updated from v0.2.128 to v0.2.133 in values.yaml, unrelated to the priorityClassName feature scope. Resolution: Remove the operator.image.tag version bump (v0.2.128 → v0.2.133) from this PR as it is outside the priorityClassName feature scope. Commit it separately.
  • Linked Issues check (❓ Inconclusive): The PR implements configurable priorityClassName support across deployments and daemonsets, allowing compliance with PriorityClass policies [#322]. However, the PR does not assign specific PriorityClasses (system-node-critical/system-cluster-critical) as proposed in the issue. Resolution: Clarify whether the PR fully satisfies issue #322 or if default PriorityClass assignments are expected in a follow-up. The current implementation provides configurability but not hardcoded defaults as originally proposed.

✅ Passed checks (3 passed)

  • Description Check (✅ Passed): Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check (✅ Passed): The title clearly and concisely summarizes the primary change: adding priorityClassName support for deployments in the kubescape-operator Helm chart.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@bl4ko bl4ko force-pushed the feat/add-priorityclassname-deployments branch from 9fb6842 to 9f6052e Compare March 25, 2026 19:16
coderabbitai (bot) left a comment

🧹 Nitpick comments (1)
charts/kubescape-operator/templates/operator/deployment.yaml (1)

272-278: Consider centralizing this fallback into a shared helper template.

This logic is duplicated across multiple Deployment templates; extracting it once will reduce drift and simplify future changes.

♻️ Suggested refactor
+# templates/_helpers.tpl
+{{- define "kubescape-operator.priorityClassName" -}}
+{{- with .component.priorityClassName }}
+priorityClassName: {{ . | quote }}
+{{- else }}
+{{- with .global }}
+priorityClassName: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end -}}
-      {{- with .Values.operator.priorityClassName }}
-      priorityClassName: {{ . }}
-      {{- else }}
-      {{- with .Values.customScheduling.priorityClassName }}
-      priorityClassName: {{ . }}
-      {{- end }}
-      {{- end }}
+      {{- include "kubescape-operator.priorityClassName" (dict "component" .Values.operator "global" .Values.customScheduling.priorityClassName) | nindent 6 }}
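Review bot: the helper's two parameters have different shapes at the call site: `"component" .Values.operator` passes the whole component map (read as `.component.priorityClassName`), while `"global" .Values.customScheduling.priorityClassName` passes the scalar (read as `.global`). Passing the `customScheduling` map and reading `.global.priorityClassName` keeps both arguments parallel and makes a mistyped key at a call site render nothing instead of silently reading a different value. Note also that the helper emits the value through `| quote` whereas the inline block it replaces rendered `{{ . }}` bare; the quoted form is the one to keep for a user-supplied string, so every template that still carries an inline copy should be switched to the helper rather than left rendering bare.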
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/templates/operator/deployment.yaml` around lines
272 - 278, The priorityClassName fallback logic is duplicated; extract it into a
shared Helm helper (e.g., create a template named "kubescape.priorityClassName"
or similar) that checks .Values.operator.priorityClassName then falls back to
.Values.customScheduling.priorityClassName, and replace the inline blocks in
Deployment templates (where priorityClassName is currently set from
.Values.operator.priorityClassName / .Values.customScheduling.priorityClassName)
with a single call to that helper to centralize the behavior and avoid drift.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c2e52c46-4016-46cc-8a6c-eb7f33b8ebf8

📥 Commits

Reviewing files that changed from the base of the PR and between a1eab50 and 9fb6842.

📒 Files selected for processing (6)
  • charts/kubescape-operator/templates/kubescape/deployment.yaml
  • charts/kubescape-operator/templates/kubevuln/deployment.yaml
  • charts/kubescape-operator/templates/operator/deployment.yaml
  • charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml
  • charts/kubescape-operator/templates/storage/deployment.yaml
  • charts/kubescape-operator/values.yaml

Add optional priorityClassName to all 5 Deployment workloads (kubescape,
kubevuln, operator, prometheus-exporter, storage) using a shared helper
template with customScheduling fallback, consistent with the existing
nodeSelector/affinity/tolerations pattern.

Signed-off-by: bl4ko <gasperoblak@bl4ko.com>
@bl4ko bl4ko force-pushed the feat/add-priorityclassname-deployments branch from 9f6052e to 41e136f Compare March 25, 2026 19:24
@matthyx matthyx moved this to Needs Reviewer in KS PRs tracking Mar 31, 2026
coderabbitai (bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
charts/kubescape-operator/values.yaml (1)

329-329: Unrelated change: operator image tag bump.

The operator.image.tag bump from v0.2.128 to v0.2.133 appears unrelated to the priorityClassName feature. Consider splitting this into a separate commit or PR for clearer change tracking, or document the reason in the PR description.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/values.yaml` at line 329, The values.yaml change
unexpectedly bumps operator.image.tag from v0.2.128 to v0.2.133 which is
unrelated to the priorityClassName work; revert the operator.image.tag change in
charts/kubescape-operator/values.yaml (the operator.image.tag entry) so the PR
only contains the priorityClassName changes, or move just this tag bump into its
own commit/PR and document the reason in the commit message/PR description.
charts/kubescape-operator/tests/snapshot_test.yaml (1)

524-525: Use unmistakably dummy fixture keys to reduce secret-scan noise.

Lines 524–525 use UUID-like values for account and accessKey that secret scanners may flag. Consider using clearly synthetic placeholders (e.g., test-account-id, 00000000-0000-0000-0000-000000000000) instead, both here and at other test fixture locations throughout the file.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/tests/snapshot_test.yaml` around lines 524 - 525,
Replace the UUID-like secret-looking values used for the test fixture keys
account and accessKey in snapshot_test.yaml with unmistakably synthetic
placeholders (for example set account: test-account-id and accessKey:
00000000-0000-0000-0000-000000000000) to avoid secret-scan noise; update the
entries referenced by the keys account and accessKey in the snapshot data and
scan the rest of the file for other similar fixtures to replace with the same
clearly dummy placeholders.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0dd28b0a-2c6e-412d-9539-b5ec4acb6473

📥 Commits

Reviewing files that changed from the base of the PR and between 9f6052e and 4cdf536.

⛔ Files ignored due to path filters (1)
  • charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap is excluded by !**/*.snap
📒 Files selected for processing (14)
  • charts/kubescape-operator/templates/_helpers.tpl
  • charts/kubescape-operator/templates/autoupdater/cronjob.yaml
  • charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml
  • charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
  • charts/kubescape-operator/templates/kubescape/deployment.yaml
  • charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
  • charts/kubescape-operator/templates/kubevuln/deployment.yaml
  • charts/kubescape-operator/templates/node-agent/_node-agent.tpl
  • charts/kubescape-operator/templates/operator/deployment.yaml
  • charts/kubescape-operator/templates/prometheus-exporter/deployment.yaml
  • charts/kubescape-operator/templates/storage/deployment.yaml
  • charts/kubescape-operator/templates/synchronizer/deployment.yaml
  • charts/kubescape-operator/tests/snapshot_test.yaml
  • charts/kubescape-operator/values.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • charts/kubescape-operator/templates/operator/deployment.yaml
  • charts/kubescape-operator/templates/storage/deployment.yaml
  • charts/kubescape-operator/templates/kubevuln/deployment.yaml
  • charts/kubescape-operator/templates/kubescape/deployment.yaml

Comment on lines +530 to +535
capabilities:
configurationScan: enable
nodeScan: enable
vulnerabilityScan: enable
relevancy: enable
runtimeDetection: enable

⚠️ Potential issue | 🟡 Minor

Enable prometheusExporter in this scenario to actually cover the new deployment change.

Line 530’s capability set does not include prometheusExporter: enable, so this snapshot may skip rendering prometheus-exporter and miss validating the newly added priorityClassName path in that template.

✅ Suggested patch
       capabilities:
         configurationScan: enable
         nodeScan: enable
         vulnerabilityScan: enable
         relevancy: enable
         runtimeDetection: enable
+        prometheusExporter: enable
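Review bot: adding `prometheusExporter: enable` only exercises the new path if that is the capability key the prometheus-exporter template is gated on, and the hunk does not show that condition; confirm the key against the template before committing. Once the deployment renders, the regenerated `.snap` will pick it up, but that file is excluded from review by the `!**/*.snap` path filter noted in this run, so check the snapshot diff by hand for the prometheus-exporter pod template's `priorityClassName` line; a snapshot that silently omits the deployment would pass either way.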
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/tests/snapshot_test.yaml` around lines 530 - 535,
The snapshot’s capabilities block is missing prometheusExporter, so the
prometheus-exporter template (and its new priorityClassName path) won’t render;
update the capabilities map used in this test (the block containing
configurationScan/nodeScan/vulnerabilityScan/relevancy/runtimeDetection) to
include prometheusExporter: enable so the prometheus-exporter deployment is
rendered and the priorityClassName change is exercised.

…rage

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
@matthyx matthyx force-pushed the feat/add-priorityclassname-deployments branch from 4cdf536 to af43373 Compare April 2, 2026 08:42
coderabbitai (bot) left a comment

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 40e33dca-6cd3-423b-8c5a-059ac1ba3f8f

📥 Commits

Reviewing files that changed from the base of the PR and between 4cdf536 and af43373.

⛔ Files ignored due to path filters (1)
  • charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap is excluded by !**/*.snap
📒 Files selected for processing (8)
  • charts/kubescape-operator/templates/autoupdater/cronjob.yaml
  • charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml
  • charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
  • charts/kubescape-operator/templates/kubevuln-scheduler/cronjob.yaml
  • charts/kubescape-operator/templates/node-agent/_node-agent.tpl
  • charts/kubescape-operator/templates/synchronizer/deployment.yaml
  • charts/kubescape-operator/tests/snapshot_test.yaml
  • charts/kubescape-operator/values.yaml
✅ Files skipped from review due to trivial changes (2)
  • charts/kubescape-operator/templates/grype-offline-db/cronjob.yaml
  • charts/kubescape-operator/templates/kubescape-scheduler/cronjob.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • charts/kubescape-operator/tests/snapshot_test.yaml

Comment on lines +446 to +451
{{- if .Values.nodeAgent.priorityClassName }}
priorityClassName: {{ .Values.nodeAgent.priorityClassName }}
{{- else if .Values.configurations.priorityClass.enabled }}
priorityClassName: kubescape-critical
{{- else if .Values.customScheduling.priorityClassName }}
priorityClassName: {{ .Values.customScheduling.priorityClassName }}

⚠️ Potential issue | 🟠 Major

Global fallback is effectively masked for node-agent.

At Line 448, configurations.priorityClass.enabled takes precedence over customScheduling.priorityClassName, so global scheduling won’t apply to node-agent under default settings. This is inconsistent with the component→global fallback model used elsewhere.

💡 Suggested precedence fix
 {{- if .Values.nodeAgent.priorityClassName }}
 priorityClassName: {{ .Values.nodeAgent.priorityClassName }}
-{{- else if .Values.configurations.priorityClass.enabled }}
-priorityClassName: kubescape-critical
 {{- else if .Values.customScheduling.priorityClassName }}
 priorityClassName: {{ .Values.customScheduling.priorityClassName }}
+{{- else if .Values.configurations.priorityClass.enabled }}
+priorityClassName: kubescape-critical
 {{- end }}
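Review bot: with this order, `customScheduling.priorityClassName` replaces `kubescape-critical` on the DaemonSet whenever `configurations.priorityClass.enabled` is left at its default, which is the behaviour the comment asks for but also means a low global class demotes node-agent pods to something the scheduler preempts before other workloads; that trade-off deserves a comment beside the value in values.yaml. Separately, all three branches render the value bare (`priorityClassName: {{ .Values.nodeAgent.priorityClassName }}`), so a value such as `1e3` or `yes` would be emitted as a YAML number or boolean and rejected by the API server as a non-string; pipe each through `quote`, as the helper suggested earlier in this thread does.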
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/kubescape-operator/templates/node-agent/_node-agent.tpl` around lines
446 - 451, The current precedence in the node-agent template uses
.Values.configurations.priorityClass.enabled before
.Values.customScheduling.priorityClassName, which prevents the global fallback
(kubescape-critical) from being masked correctly; update the condition order in
the priorityClassName block so it checks .Values.nodeAgent.priorityClassName
first, then .Values.customScheduling.priorityClassName, and only then
.Values.configurations.priorityClass.enabled to emit "priorityClassName:
kubescape-critical" — adjust the conditional sequence around the
priorityClassName lines to reflect this corrected precedence.
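The component-then-global fallback described in the PR description and the node-agent precedence debated in the review comment above, modelled as an added Python example (not chart code and not the chart's own test). It renders the effective priorityClassName for the constructed values from the description's "How to Test" snippet under both node-agent orderings, then runs a pre-deploy check for the two failure modes that matter once the chart reaches a cluster: a workload that renders no class at all (denied by require-priorityclass policies) and one that names a PriorityClass that does not exist (rejected at pod creation). The workload names used as values keys, the values dict and the set of PriorityClasses present in the cluster are constructed assumptions.

```python
"""Model of the priorityClassName precedence this PR introduces, plus a
pre-deploy check over the rendered pod templates.

Added example, not chart code: the resolution order follows the PR's
templates and the reviewer's suggested reorder; the values dict, workload
names and PriorityClass names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Deployment workloads listed in the PR description. Using these names as
# values keys is an assumption made for this example.
COMPONENTS = ("kubescape", "kubevuln", "operator", "prometheus-exporter", "storage")
LEGACY_NODE_AGENT_CLASS = "kubescape-critical"  # hardcoded DaemonSet default
BUILTIN_CLASSES = {"system-node-critical", "system-cluster-critical"}


def resolve_priority_class(component: dict, global_scheduling: dict) -> Optional[str]:
    """Deployment/CronJob rule: the per-component value wins, then the global
    customScheduling value; an empty string renders nothing (None)."""
    return (component.get("priorityClassName")
            or global_scheduling.get("priorityClassName") or None)


def resolve_node_agent_priority_class(node_agent: dict, global_scheduling: dict,
                                      legacy_enabled: bool,
                                      global_before_legacy: bool = False) -> Optional[str]:
    """Node-agent rule. legacy_enabled mirrors configurations.priorityClass.enabled.
    global_before_legacy=False is the order in the PR (the legacy default masks
    the global value); True is the order the review suggested."""
    if node_agent.get("priorityClassName"):
        return node_agent["priorityClassName"]
    candidates = [LEGACY_NODE_AGENT_CLASS if legacy_enabled else None,
                  global_scheduling.get("priorityClassName")]
    if global_before_legacy:
        candidates.reverse()
    return next((c for c in candidates if c), None)


def render_all(values: dict, global_before_legacy: bool = False) -> Dict[str, Optional[str]]:
    """Return workload -> effective priorityClassName, as helm template would emit."""
    glob = values.get("customScheduling", {})
    rendered = {c: resolve_priority_class(values.get(c, {}), glob) for c in COMPONENTS}
    legacy = values.get("configurations", {}).get("priorityClass", {}).get("enabled", False)
    rendered["node-agent"] = resolve_node_agent_priority_class(
        values.get("nodeAgent", {}), glob, legacy, global_before_legacy)
    return rendered


@dataclass
class Finding:
    workload: str
    problem: str


def check_rendered_workloads(rendered: Dict[str, Optional[str]],
                             cluster_classes: set,
                             require_class: bool = True) -> List[Finding]:
    """Flag a pod template with no priorityClassName (denied by require-priorityclass
    policies) and one naming a PriorityClass absent from the cluster (rejected by the
    Priority admission plugin when the pod is created). Built-in system-* classes
    always exist."""
    findings: List[Finding] = []
    for workload, name in rendered.items():
        if name is None:
            if require_class:
                findings.append(Finding(workload, "no priorityClassName rendered"))
        elif name not in cluster_classes and name not in BUILTIN_CLASSES:
            findings.append(Finding(workload, f"PriorityClass {name!r} does not exist"))
    return findings


if __name__ == "__main__":
    # Constructed values matching the PR's "How to Test" snippet, with the
    # legacy node-agent switch on so the masking is visible.
    values = {
        "customScheduling": {"priorityClassName": "my-priority-class"},
        "kubescape": {"priorityClassName": "high-priority"},
        "configurations": {"priorityClass": {"enabled": True}},
    }
    for order in (False, True):
        print("global before legacy:", order, "->", render_all(values, global_before_legacy=order))
    # Constructed set of PriorityClasses that exist in the target cluster.
    for f in check_rendered_workloads(render_all(values), {"kubescape-critical", "my-priority-class"}):
        print(f"{f.workload}: {f.problem}")
```

Running the module shows node-agent landing on kubescape-critical under the PR's order and on my-priority-class under the suggested order, and the checker flagging kubescape because high-priority is not among the constructed cluster classes. Feeding the checker the output of the `helm template ... | grep -A1 priorityClassName` command from the description, together with `kubectl get priorityclass`, turns the description's manual check into a gate that fails before a pod is ever rejected.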

matthyx (Contributor) commented Apr 2, 2026

superseded by #809

@matthyx matthyx closed this Apr 2, 2026
@matthyx matthyx moved this from Needs Reviewer to To Archive in KS PRs tracking Apr 14, 2026

Development

Successfully merging this pull request may close these issues.

Use PriorityClass