
profile-compaction: CollapseConfig CRD + projection overlay + user-managed lifecycle #325

Open
entlein wants to merge 2 commits into kubescape:main from k8sstormcenter:upstream-pr/sbob-crd-compaction

Conversation


@entlein entlein commented May 15, 2026

  • CollapseConfig CRD (v1beta1 with conversion, deepcopy, protobuf, openapi, generated clientset/informers/listers, etcd registration)
    lets cluster operators declare path-prefix policies that drive profile-compaction without code changes
  • applicationprofile_processor + containerprofile_processor consume the CollapseConfig provider to choose per-profile collapse strategies at admission time
  • pkg/registry/file/cleanup.go: cleanup loop skips user-managed resources (annotation-based marker, not labels —
    labels would silently miss every user-managed profile)
  • artifacts/collapseconfiguration-default-sample.yaml ships a sample CR

…naged lifecycle

Signed-off-by: entlein <einentlein@gmail.com>
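To make the two behaviours the PR body describes concrete, here is an added illustration written for this page. It is not the project's code, not the contents of the sample CR, and not its generated API: the CollapseEntry fields (PathPrefix, Strategy, Depth), the "*" placeholder used for collapsed components, and the kubescape.io/managed-by annotation key are all assumptions. It shows a longest-prefix policy lookup collapsing a profile's observed opens, and the annotation-based (not label-based) gate a cleanup loop would consult before touching a profile.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CollapseEntry is a hypothetical stand-in for one CollapseConfig spec entry.
// Field names are assumptions, not the project's real type.
type CollapseEntry struct {
	PathPrefix string // directory prefix the rule applies to; must end in "/"
	Strategy   string // "collapse" wildcards components below Depth; "keep" leaves paths verbatim
	Depth      int    // number of path components under PathPrefix preserved before the wildcard
}

// CollapseConfig mirrors the shape an operator would declare in the CR.
type CollapseConfig struct {
	Entries []CollapseEntry
}

// match returns the most specific (longest) entry whose prefix covers path,
// so a narrow rule such as /var/log/nginx/ wins over a broad /var/log/ rule.
func (c CollapseConfig) match(path string) (CollapseEntry, bool) {
	var best CollapseEntry
	found := false
	for _, e := range c.Entries {
		if strings.HasPrefix(path, e.PathPrefix) && (!found || len(e.PathPrefix) > len(best.PathPrefix)) {
			best, found = e, true
		}
	}
	return best, found
}

// CollapsePath rewrites one observed path according to the matching entry.
// Components beyond Depth are replaced by a single "*" placeholder (an assumed marker).
func CollapsePath(cfg CollapseConfig, path string) string {
	e, ok := cfg.match(path)
	if !ok || e.Strategy != "collapse" {
		return path
	}
	rest := strings.TrimPrefix(path, e.PathPrefix)
	parts := strings.Split(rest, "/")
	if len(parts) <= e.Depth {
		return path // already at or above the preserved depth, nothing to collapse
	}
	kept := append(parts[:e.Depth:e.Depth], "*")
	return e.PathPrefix + strings.Join(kept, "/")
}

// CollapseOpens applies the policy to a profile's observed opens and deduplicates
// the result, so thousands of per-build temp files become one entry.
func CollapseOpens(cfg CollapseConfig, opens []string) []string {
	seen := map[string]struct{}{}
	var out []string
	for _, p := range opens {
		c := CollapsePath(cfg, p)
		if _, dup := seen[c]; dup {
			continue
		}
		seen[c] = struct{}{}
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// UserManagedAnnotation is an assumed annotation key; the real marker lives in the PR's cleanup.go.
const UserManagedAnnotation = "kubescape.io/managed-by"

// IsUserManaged is the cleanup gate. It reads annotations, not labels: a label
// selector would never see a profile that a user hand-edited and annotated.
func IsUserManaged(annotations map[string]string) bool {
	return strings.EqualFold(annotations[UserManagedAnnotation], "user")
}

func main() {
	cfg := CollapseConfig{Entries: []CollapseEntry{
		{PathPrefix: "/tmp/", Strategy: "collapse", Depth: 0},
		{PathPrefix: "/var/log/", Strategy: "collapse", Depth: 1},
		{PathPrefix: "/etc/", Strategy: "keep"},
	}}
	// Constructed sample of opens, as a container profile might record them.
	opens := []string{
		"/tmp/build-8f3a/obj.o", "/tmp/build-91c2/obj.o", "/tmp/build-91c2/main.o",
		"/var/log/nginx/access.log", "/var/log/nginx/error.log", "/etc/passwd",
		"/usr/bin/python3",
	}
	for _, p := range CollapseOpens(cfg, opens) {
		fmt.Println(p)
	}
	fmt.Println("skip cleanup:", IsUserManaged(map[string]string{UserManagedAnnotation: "User"}))
}
```

Two details worth carrying into a real implementation: the longest-prefix rule makes operator intent predictable when entries overlap, and the "keep" strategy on /etc/ is the safety valve that stops a broad collapse rule from erasing the distinction between /etc/passwd and /etc/shadow in a profile that is later used for detection.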

coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@entlein has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 58 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5e3d6db7-720e-44d3-97ea-791515fd4eb3

📥 Commits

Reviewing files that changed from the base of the PR and between 2a689d8 and cd83527.

⛔ Files ignored due to path filters (17)
  • pkg/apis/softwarecomposition/v1beta1/generated.pb.go is excluded by !**/*.pb.go
  • pkg/apis/softwarecomposition/v1beta1/generated.protomessage.pb.go is excluded by !**/*.pb.go
  • pkg/generated/applyconfiguration/softwarecomposition/v1beta1/collapseconfigentry.go is excluded by !**/generated/**
  • pkg/generated/applyconfiguration/softwarecomposition/v1beta1/collapseconfiguration.go is excluded by !**/generated/**
  • pkg/generated/applyconfiguration/softwarecomposition/v1beta1/collapseconfigurationspec.go is excluded by !**/generated/**
  • pkg/generated/applyconfiguration/utils.go is excluded by !**/generated/**
  • pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1/collapseconfiguration.go is excluded by !**/generated/**
  • pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1/fake/fake_collapseconfiguration.go is excluded by !**/generated/**
  • pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1/fake/fake_softwarecomposition_client.go is excluded by !**/generated/**
  • pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1/generated_expansion.go is excluded by !**/generated/**
  • pkg/generated/clientset/versioned/typed/softwarecomposition/v1beta1/softwarecomposition_client.go is excluded by !**/generated/**
  • pkg/generated/informers/externalversions/generic.go is excluded by !**/generated/**
  • pkg/generated/informers/externalversions/softwarecomposition/v1beta1/collapseconfiguration.go is excluded by !**/generated/**
  • pkg/generated/informers/externalversions/softwarecomposition/v1beta1/interface.go is excluded by !**/generated/**
  • pkg/generated/listers/softwarecomposition/v1beta1/collapseconfiguration.go is excluded by !**/generated/**
  • pkg/generated/listers/softwarecomposition/v1beta1/expansion_generated.go is excluded by !**/generated/**
  • pkg/generated/openapi/zz_generated.openapi.go is excluded by !**/generated/**
📒 Files selected for processing (23)
  • artifacts/collapseconfiguration-default-sample.yaml
  • pkg/apis/softwarecomposition/collapse_types.go
  • pkg/apis/softwarecomposition/register.go
  • pkg/apis/softwarecomposition/v1beta1/collapse_types.go
  • pkg/apis/softwarecomposition/v1beta1/generated.proto
  • pkg/apis/softwarecomposition/v1beta1/register.go
  • pkg/apis/softwarecomposition/v1beta1/zz_generated.conversion.go
  • pkg/apis/softwarecomposition/v1beta1/zz_generated.deepcopy.go
  • pkg/apis/softwarecomposition/v1beta1/zz_generated.model_name.go
  • pkg/apis/softwarecomposition/zz_generated.deepcopy.go
  • pkg/apiserver/apiserver.go
  • pkg/registry/file/applicationprofile_processor.go
  • pkg/registry/file/applicationprofile_processor_collapse_provider_test.go
  • pkg/registry/file/applicationprofile_processor_test.go
  • pkg/registry/file/cleanup.go
  • pkg/registry/file/cleanup_test.go
  • pkg/registry/file/containerprofile_processor.go
  • pkg/registry/file/containerprofile_processor_collapse_provider_test.go
  • pkg/registry/file/dynamicpathdetector/collapse_config_from_crd.go
  • pkg/registry/file/dynamicpathdetector/tests/collapse_config_crd_test.go
  • pkg/registry/softwarecomposition/collapseconfiguration/etcd.go
  • pkg/registry/softwarecomposition/collapseconfiguration/strategy.go
  • pkg/registry/softwarecomposition/collapseconfiguration/strategy_test.go

… final state

Signed-off-by: entlein <einentlein@gmail.com>

entlein commented May 16, 2026

@coderabbitai review

Collective re-review request after applying your atomic-split advisory + rabbit-feedback fixes across the full SBOB upstream PR set. Each PR is now scoped to a single tier per your dependency map:

Tier 0 (opens):

Tier 2 (execs):

Tier 3 (network):

Tier 4 (tamper/sign):

Umbrellas:

Please confirm atomicity per your earlier advisory and flag any remaining cross-PR coupling we missed.


coderabbitai Bot commented May 16, 2026

🧩 Analysis chain

@entlein: Triggering a fresh full review of #325 now. I'll also pull lightweight metadata from the related PRs in your tier map to cross-check coupling.


🏁 Script executed:

#!/bin/bash
# Gather PR details for this PR and related storage PRs to check cross-PR coupling
echo "=== PR #325 ==="
gh pr view 325 --repo kubescape/storage --json title,body,files,baseRefName,headRefName 2>/dev/null | jq '{title,baseRefName,headRefName,files: [.files[].path]}'

echo ""
echo "=== PR #323 (Tier 0 - path-wildcards + CollapseConfig API) ==="
gh pr view 323 --repo kubescape/storage --json title,body,files,baseRefName,headRefName 2>/dev/null | jq '{title,baseRefName,headRefName,files: [.files[].path]}'

echo ""
echo "=== PR #322 (Tier 2 - CompareExecArgs) ==="
gh pr view 322 --repo kubescape/storage --json title,body,files,baseRefName,headRefName 2>/dev/null | jq '{title,baseRefName,headRefName,files: [.files[].path]}'

echo ""
echo "=== PR #324 (Tier 3 - networkmatch) ==="
gh pr view 324 --repo kubescape/storage --json title,body,files,baseRefName,headRefName 2>/dev/null | jq '{title,baseRefName,headRefName,files: [.files[].path]}'

echo ""
echo "=== PR #326 (Umbrella) ==="
gh pr view 326 --repo kubescape/storage --json title,body,files,baseRefName,headRefName 2>/dev/null | jq '{title,baseRefName,headRefName,files: [.files[].path]}'

Length of output: 193


🏁 Script executed:

#!/bin/bash
# Try alternate approach to fetch PR data
gh auth status 2>&1

echo "=== PR #325 files ==="
gh api repos/kubescape/storage/pulls/325/files 2>/dev/null | jq '.[].filename' 2>/dev/null || echo "failed"

echo "=== PR #323 files ==="
gh api repos/kubescape/storage/pulls/323/files 2>/dev/null | jq '.[].filename' 2>/dev/null || echo "failed"

echo "=== PR #322 files ==="
gh api repos/kubescape/storage/pulls/322/files 2>/dev/null | jq '.[].filename' 2>/dev/null || echo "failed"

echo "=== PR #324 files ==="
gh api repos/kubescape/storage/pulls/324/files 2>/dev/null | jq '.[].filename' 2>/dev/null || echo "failed"

echo "=== PR #326 files ==="
gh api repos/kubescape/storage/pulls/326/files 2>/dev/null | jq '.[].filename' 2>/dev/null || echo "failed"

echo "=== PR #325 base/head ==="
gh api repos/kubescape/storage/pulls/325 2>/dev/null | jq '{title: .title, base: .base.ref, head: .head.ref, state: .state}' 2>/dev/null || echo "failed"

Length of output: 208


@entlein: A full re-review of #325 has been kicked off above. Here is my atomicity confirmation and cross-PR coupling analysis based on the PR objectives and your tier map:


Atomicity Assessment — #325 (CollapseConfig CRD + Processors)

✅ Internally Atomic

The contents of #325 are well-scoped for a CRD introduction:

Component | Justification
CRD types + v1beta1 conversion | Core — inseparable
Generated deepcopy / protobuf / openapi | Codegen artifacts — must travel with the type definition
Generated clientset / informers / listers | Codegen artifacts — must travel with the type definition
etcd registration | Required to make the resource storable — inseparable from CRD introduction
applicationprofile_processor + containerprofile_processor | First consumer in this repo — reasonable to bundle here
pkg/registry/file/cleanup.go | Logically cohesive (user-managed lifecycle gate) but is a separable concern
artifacts/collapseconfiguration-default-sample.yaml | Low-risk, conventional to ship with the CRD

The only split worth flagging is that cleanup.go is a behavioral policy change independent of the CRD API surface. If you ever need to bisect a regression, that separation could help — but it is not a blocking concern.


Cross-PR Coupling Flags

🔴 Hard compile-time dependency: #325 → #323

applicationprofile_processor and containerprofile_processor in #325 import and call the CollapseConfig provider, whose Go types are introduced in #323. #325 cannot compile without #323's types in the target branch. This is your expected and correctly modeled Tier 0 → Tier 2 dependency.

Merge gate: #323 must be merged (or squashed per your advisory) before #325 can target main.

🟡 Same-tier ordering: #325 and #322

Both are Tier 2. If the processors in #325 reference exec-related types added by #322 (e.g., CompareExecArgs), you have an intra-tier ordering constraint. If the processors only depend on CollapseConfig (#323) and existing types, #322 and #325 are independently mergeable in any order after #323.

Recommend verifying: Do applicationprofile_processor or containerprofile_processor in #325 import anything from #322's CompareExecArgs surface? If yes, #322 must precede #325.

🟡 Cross-repo dependency: #325 → node-agent#808

The projection overlay in node-agent#808 presumably consumes the CollapseConfig CRD registered by #325. This is your expected Tier 2 → Tier 4 dependency. No action needed in #325 itself, but node-agent#808 cannot target a release that doesn't include #325.

✅ No coupling detected: #325 ↔ #324 (networkmatch)

The networkmatch package (Tier 3) operates on a distinct resource surface and shares no apparent file-level overlap with the CollapseConfig CRD or the exec processors.


Summary Table

#323 (Tier 0) ──► #325 (Tier 2) ──► node-agent#808 (Tier 4)
                      │
              possible order dep
                      │
                  #322 (Tier 2)

The tier structure is correct. The one item to double-check before merging #325 is whether its processors import any symbol from #322 — if so, serialize #322 before #325 within Tier 2.

✅ Actions performed

Full review triggered.
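One way to run the "do the processors import any symbol from #322" check the bot leaves open, as an added example written for this page rather than CodeRabbit's or the project's own tooling: a textual triage that intersects the exported names declared on one PR's added lines with the identifiers used on the other PR's added lines. The two diff fragments below are constructed for the example and do not reproduce the real contents of #322 or #325; in practice you would feed the function the output of gh pr diff 322 and gh pr diff 325.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed diff fragments standing in for "gh pr diff 322" and "gh pr diff 325".
// They are invented for this example and do not reproduce the real PRs.
const diffExecPR = `diff --git a/pkg/apis/softwarecomposition/types.go b/pkg/apis/softwarecomposition/types.go
+// CompareExecArgs controls whether exec arguments take part in profile matching.
+type CompareExecArgs bool
+
+func NewExecMatcher(cmp CompareExecArgs) *ExecMatcher {
`

const diffCollapsePR = `diff --git a/pkg/registry/file/applicationprofile_processor.go b/pkg/registry/file/applicationprofile_processor.go
+	provider := dynamicpathdetector.NewCollapseConfigProvider(client)
-	profile.Spec.Opens = opens
+	profile.Spec.Opens = provider.Collapse(opens)
`

// declRe captures an exported top-level Go name declared on an added ("+") line.
var declRe = regexp.MustCompile(`^\+\s*(?:type|func(?:\s*\([^)]*\))?|var|const)\s+([A-Z][A-Za-z0-9_]*)`)

// identRe tokenises identifiers on a line.
var identRe = regexp.MustCompile(`[A-Za-z_][A-Za-z0-9_]*`)

// addedLines returns the "+" lines of a unified diff, skipping "+++" file headers.
func addedLines(diff string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(diff))
	for sc.Scan() {
		l := sc.Text()
		if strings.HasPrefix(l, "+") && !strings.HasPrefix(l, "+++") {
			out = append(out, l)
		}
	}
	return out
}

// AddedDecls returns the exported names a PR introduces.
func AddedDecls(diff string) map[string]bool {
	decls := map[string]bool{}
	for _, l := range addedLines(diff) {
		if m := declRe.FindStringSubmatch(l); m != nil {
			decls[m[1]] = true
		}
	}
	return decls
}

// Coupling lists names that provider's added lines declare and consumer's added
// lines mention. A non-empty result means consumer cannot compile before provider merges.
func Coupling(provider, consumer string) []string {
	decls := AddedDecls(provider)
	hit := map[string]bool{}
	for _, l := range addedLines(consumer) {
		for _, id := range identRe.FindAllString(l, -1) {
			if decls[id] {
				hit[id] = true
			}
		}
	}
	var out []string
	for id := range hit {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("#325 symbols taken from #322:", Coupling(diffExecPR, diffCollapsePR))
	// Same consumer diff with one extra added line that reaches into the exec surface.
	coupled := diffCollapsePR + "+\tmatcher := NewExecMatcher(CompareExecArgs(true))\n"
	fmt.Println("if the processor used the exec surface:", Coupling(diffExecPR, coupled))
}
```

This is grep-level triage, not a type check: a symbol mentioned only in a comment on an added line counts as a hit, and uses that go through an alias, an embedded struct or an interface satisfied implicitly are missed. The authoritative answer is still to build #325 on a branch that contains only #323 and see whether it compiles.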
