Skip to content

ROX-35681: Disables Orchestrator Scanning#21737

Open
iamkirkbater wants to merge 2 commits into
kirk/ROX-35680-gracefully-handle-node-scanning-without-v2from
kirk/ROX-35681-disable-orchestrator-scanning
Open

ROX-35681: Disables Orchestrator Scanning#21737
iamkirkbater wants to merge 2 commits into
kirk/ROX-35680-gracefully-handle-node-scanning-without-v2from
kirk/ROX-35681-disable-orchestrator-scanning

Conversation

@iamkirkbater

@iamkirkbater iamkirkbater commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description

This disables Orchestrator scanner during ACS startup. Additionally adds tests to validate that existing paths still work as expected, with the orchestrator disabled, and do not create panics or otherwise blow up.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Baseline (flag enabled)

  1. Check orchestrator scanning is running:

    kubectl -n stackrox logs deploy/central | grep -i "orchestrator"

    Expected: Log lines like:

    • Found N clusters to scan for orchestrator vulnerabilities.
    • Successfully fetched N Kubernetes CVEs
    • Start orchestrator-level vulnerability reconciliation (every 2 hours)
  2. Check cluster CVEs exist (UI): Navigate to Vulnerability Management > Cluster CVEs. Should show K8s/OpenShift/Istio CVEs if any exist for the cluster's versions.

Validation (flag disabled)

  1. Check orchestrator scanning is disabled:

    kubectl -n stackrox logs deploy/central | grep -i "orchestrator"

    Expected: Single log line at startup: Orchestrator scanning is disabled: no orchestrator scanners are integrated. No periodic reconciliation messages.

  2. Verify no new orchestrator CVE reconciliation:

    kubectl -n stackrox logs deploy/central | grep "Start orchestrator-level vulnerability reconciliation"

    Expected: No results. The periodic goroutine was never started.

  3. Cluster CVEs page still loads (UI): Navigate to Vulnerability Management > Cluster CVEs. The page should load without errors. It may show stale data from before the flag was disabled, or be empty on a fresh deploy — but it should not error out.


PR Stack:

Here's what the `TestInertManager_ConsumerPathsSafe` test validates:

- GetAffectedClusters (GraphQL path) — The inert manager still queries the database and returns results correctly. This proves the GraphQL `envImpact` field won't break — it just returns whatever cluster CVE data exists in the DB.
- HandleClusterConnection (sensor pipeline path) — Calling it on the inert manager doesn't panic. The signal goes nowhere since `Start()` was never called.
- UpsertOrchestratorIntegration (enrichment path) — Returns a clear error ("does not exist") since no Clairify creator was registered. This path is already dead because Clairify integrations can't be created after ROX-35677.
- RemoveIntegration — Deleting from an empty scanners map is safe, no panic.
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Build Images Ready

Images are ready for commit 7b7c80b. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.12.x-477-g7b7c80be52

@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.39%. Comparing base (25a86bd) to head (7b7c80b).

Additional details and impacted files
@@                                      Coverage Diff                                      @@
##           kirk/ROX-35680-gracefully-handle-node-scanning-without-v2   #21737      +/-   ##
=============================================================================================
+ Coverage                                                      50.36%   50.39%   +0.02%     
=============================================================================================
  Files                                                           2847     2847              
  Lines                                                         218416   218420       +4     
=============================================================================================
+ Hits                                                          110000   110066      +66     
+ Misses                                                        100407   100334      -73     
- Partials                                                        8009     8020      +11     
Flag Coverage Δ
go-unit-tests 50.39% <100.00%> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@iamkirkbater iamkirkbater marked this pull request as ready for review July 14, 2026 20:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant