Skip to content

feat: add security resource defaults and nodepool#6

Merged
patrickleet merged 1 commit into
mainfrom
feat/security-resource-defaults-nodepool
May 25, 2026
Merged

feat: add security resource defaults and nodepool#6
patrickleet merged 1 commit into
mainfrom
feat/security-resource-defaults-nodepool

Conversation

@patrickleet

Copy link
Copy Markdown
Contributor

Summary:

  • Add explicit resource requests/limits for Trivy Operator, Falco, Falco sidekick/metacollector, and Kubescape components.
  • Add opt-in spec.nodePool support for a dedicated hops-security Karpenter NodePool; default remains disabled.
  • Cover resource defaults and nodepool placement in render tests and examples.

Verification:

  • make test: 19/19 passed.
  • hops config install --path xrs/stacks/k8s/security --context colima: completed, package healthy.
  • Colima SecurityStack/default pat-local: Synced=True Ready=True.
  • Colima Helm Releases trivy-operator, falco, kubescape: Synced=True Ready=True, state=deployed.
  • Target trivy-system/trivy-operator: 1/1 ready, requests cpu=50m memory=826Mi, limit memory=1Gi.
  • Target falco/falco DaemonSet: 10/10 ready, falco requests cpu=50m memory=826Mi limits cpu=1 memory=2Gi; falcoctl install/follow resources set.
  • Target falco/falco-falcosidekick: 2/2 ready, requests cpu=15m memory=100Mi, limits cpu=100m memory=256Mi.
  • Target falco/falco-k8s-metacollector: 1/1 ready, requests cpu=15m memory=100Mi, limits cpu=100m memory=256Mi.
  • Target kubescape/kubescape, operator, prometheus-exporter, storage: all 1/1 ready with explicit requests/limits matching this change.

NodePool note:

  • pat-local does not currently set spec.nodePool, so no hops-security NodePool exists or is active. The nodepool path is opt-in and covered by render tests.

@coderabbitai

coderabbitai Bot commented May 25, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@patrickleet, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 27 minutes and 37 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9651e7b4-e963-4290-8ce5-ebf819f6da2a

📥 Commits

Reviewing files that changed from the base of the PR and between cf712e4 and 47379fd.

📒 Files selected for processing (9)
  • Makefile
  • apis/securitystacks/definition.yaml
  • examples/securitystacks/nodepool.yaml
  • functions/render/000-state-init.yaml.gotmpl
  • functions/render/155-nodepool.yaml.gotmpl
  • functions/render/200-trivy.yaml.gotmpl
  • functions/render/210-falco.yaml.gotmpl
  • functions/render/220-kubescape.yaml.gotmpl
  • tests/test-render/main.k
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/security-resource-defaults-nodepool

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown

Published Crossplane Package

The following Crossplane package was published as part of this PR:

Package: ghcr.io/hops-ops/security-stack:pr-6-6f9e270b778569482d2680ab8817eb9879e30ffd

View Package

@patrickleet patrickleet merged commit 4f07ce7 into main May 25, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant