ROX-35681: Disables Orchestrator Scanning#21737
Open
iamkirkbater wants to merge 2 commits into
Open
Conversation
Here's what the `TestInertManager_ConsumerPathsSafe` test validates:
- GetAffectedClusters (GraphQL path) — The inert manager still queries the database and returns results correctly. This proves the GraphQL `envImpact` field won't break — it just returns whatever cluster CVE data exists in the DB.
- HandleClusterConnection (sensor pipeline path) — Calling it on the inert manager doesn't panic. The signal goes nowhere since `Start()` was never called.
- UpsertOrchestratorIntegration (enrichment path) — Returns a clear error ("does not exist") since no Clairify creator was registered. This path is already dead because Clairify integrations can't be created after ROX-35677.
- RemoveIntegration — Deleting from an empty scanners map is safe, no panic.
|
Skipping CI for Draft Pull Request. |
Contributor
🚀 Build Images ReadyImages are ready for commit 7b7c80b. To use with deploy scripts: export MAIN_IMAGE_TAG=4.12.x-477-g7b7c80be52 |
This was referenced Jul 14, 2026
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## kirk/ROX-35680-gracefully-handle-node-scanning-without-v2 #21737 +/- ##
=============================================================================================
+ Coverage 50.36% 50.39% +0.02%
=============================================================================================
Files 2847 2847
Lines 218416 218420 +4
=============================================================================================
+ Hits 110000 110066 +66
+ Misses 100407 100334 -73
- Partials 8009 8020 +11
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This disables Orchestrator scanner during ACS startup. Additionally adds tests to validate that existing paths still work as expected, with the orchestrator disabled, and do not create panics or otherwise blow up.
User-facing documentation
Testing and quality
Automated testing
How I validated my change
Baseline (flag enabled)
Check orchestrator scanning is running:
Expected: Log lines like:
Found N clusters to scan for orchestrator vulnerabilities.Successfully fetched N Kubernetes CVEsStart orchestrator-level vulnerability reconciliation(every 2 hours)Check cluster CVEs exist (UI): Navigate to Vulnerability Management > Cluster CVEs. Should show K8s/OpenShift/Istio CVEs if any exist for the cluster's versions.
Validation (flag disabled)
Check orchestrator scanning is disabled:
Expected: Single log line at startup:
Orchestrator scanning is disabled: no orchestrator scanners are integrated. No periodic reconciliation messages.Verify no new orchestrator CVE reconciliation:
Expected: No results. The periodic goroutine was never started.
Cluster CVEs page still loads (UI): Navigate to Vulnerability Management > Cluster CVEs. The page should load without errors. It may show stale data from before the flag was disabled, or be empty on a fresh deploy — but it should not error out.
PR Stack:
<-- you are here