feat(openprotection): publish active-rule open-protection union as ConfigMap

[matthyx]

What

Adds an open-protection watcher — the in-cluster producer side of rule-aware collapse protection (design B: active-CRD union). Stacked on #384.

The operator watches RuntimeRuleAlertBinding, resolves the rules each binding activates (by id/name/tags) against the versioned rule library (armosec/rulelibrary), computes the union of those rules' profileDataRequired.opens (armotypes.OpenMatchers), and publishes it as a single ConfigMap (key openProtection). The storage apiserver polls that ConfigMap and pins the matched sensitive prefixes to literal during profile collapse, so anomaly rules such as R0010 ("unexpected /etc/shadow access") keep working through profile generalisation.

Reader side (consumer): kubescape/storage PR #335.

Design

• Independent of the admission controller — runs its own dynamic watcher so protection works regardless of admission config. Gated by the new openProtectionConfigMapName config (empty = disabled).
• Debounced + idempotent — coalesces the initial LIST burst; canonical sorted/de-duplicated JSON; skips the write when unchanged (both in the watcher and the publisher, so no needless resourceVersion churn).
• Scoped, no over-pinning — no bindings ⇒ empty union; deleting the last binding that pinned a prefix drops it on the next reconcile.
• Resolving selectors in the library (not node-agent's rule engine) keeps the protected set scoped to actually-active rules.

Commits

1. chore(deps): pull in rulelibrary + bump node-agent/storage — MVS pulls node-agent v0.3.38→v0.3.98 and storage v0.0.239→v0.0.268 (rulelibrary's direct requires). Only API drift: a constant rename in k8s-interface's instanceidhandler helpers ({Kind,Name,Namespace}MetadataKey → Related{…}MetadataKey, same label strings).
2. feat(openprotection): publish active-rule open-protection union as ConfigMap — the openprotection package + main wiring + config gate.

Verification

• go build ./... — clean
• go vet ./... — clean
• go test ./openprotection/... ./config/... ./watcher/... — pass (selector extraction; union end-to-end against the embedded library R0010 → /etc/shadow; idempotence; empty/delete transitions; ConfigMap publisher create/update/skip-unchanged via fake clientset)

⚠️ Landing dependency

Depends on rulelibrary pkg/rules (armosec/rulelibrary#93), pinned here to its branch commit c246d47. Merge blocker: #93 must be merged and rulelibrary tagged with a release that contains pkg/rules, then this PR repins to that tag. Until then go mod tidy resolves rulelibrary to the older release tag (v0.0.71) that lacks the package — CI tidy will fail. Also merge #384 first (this is stacked on it).

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aac589cf-2e30-4790-b6ee-0be2ae3d72eb

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/open-protection-watcher

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}