fix(zelyo-policies): default all scanning surfaces to opt-in (#78)

mayurkr · claude · web-flow · commit cc1af16a841a · 2026-04-15T16:04:24.000+05:30
* fix(zelyo-policies): default all scanning surfaces to opt-in A fresh `helm install zelyo-policies` previously shipped a catch-all SecurityPolicy (empty namespaces = every pod in every namespace), a MonitoringPolicy with cluster-wide anomaly and log scanning, and two ClusterScans, all reconciling on hardcoded 5-minute intervals. On non-trivial clusters this produced a scan storm on install that could starve the operator and the API server. Flip `securityPolicies.enabled`, `clusterScans.enabled`, and `monitoring.enabled` to `false` by default. Also flip the catch-all `environments.default.enabled` so that even after users opt top-level scanning in, the cluster-wide policy stays off until they explicitly ask for it. Update NOTES.txt with concrete `helm upgrade --set` commands showing how to turn each surface on. No controller logic changes; the `schedule:` field on each CR still gets written through as today. Values comments updated to reflect the opt-in model. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix(zelyo-policies): use .Release.Name in NOTES.txt upgrade example Previously the example `helm upgrade` command hardcoded the release name `zelyo-policies`, which misled users who installed the chart under a different name. Switch to `{{ .Release.Name }}` so the printed command always matches the actual release. Addresses review feedback on PR #78. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/deploy/helm/zelyo-policies/templates/NOTES.txt b/deploy/helm/zelyo-policies/templates/NOTES.txt
@@ -57,6 +57,25 @@ Remediation:      {{ if .Values.remediation.enabled }}enabled (dryRun={{ .Values
 Verify:
   kubectl get securitypolicies,clusterscans,monitoringpolicies,costpolicies,cloudaccountconfigs,notificationchannels,gitopsrepositories,remediationpolicies -n {{ include "zelyo-policies.namespace" . }}
 
+{{- if and (not .Values.securityPolicies.enabled) (not .Values.clusterScans.enabled) (not .Values.monitoring.enabled) }}
+
+-------------------------------------------------------------
+Heads up — scanning is OFF by default
+-------------------------------------------------------------
+This chart ships opt-in to avoid a scan storm on first install. No
+SecurityPolicy, ClusterScan, or MonitoringPolicy CRs were created.
+
+Enable the surfaces you need, for example:
+
+  helm upgrade {{ .Release.Name }} ./zelyo-policies -n {{ include "zelyo-policies.namespace" . }} \
+    --set securityPolicies.enabled=true \
+    --set clusterScans.enabled=true
+
+The catch-all `default` SecurityPolicy (which targets every namespace)
+stays off unless you also pass:
+    --set securityPolicies.environments.default.enabled=true
+{{- end }}
+
 {{- if not .Values.monitoring.notificationChannels }}
 {{- if not .Values.notifications.channels }}
 
diff --git a/deploy/helm/zelyo-policies/values.yaml b/deploy/helm/zelyo-policies/values.yaml
@@ -4,14 +4,25 @@
 # This chart deploys production-ready security policies that cover all 56
 # scanners (8 Kubernetes + 48 cloud) provided by Zelyo Operator.
 #
-# Quick start:
-#   helm install zelyo-policies ./zelyo-policies -n zelyo-system
+# IMPORTANT — OPT-IN BY DEFAULT
+# All scanning is disabled out of the box so a fresh `helm install` never
+# hammers a cluster. Enable the surfaces you want explicitly:
+#
+#   helm install zelyo-policies ./zelyo-policies -n zelyo-system \
+#     --set securityPolicies.enabled=true \
+#     --set clusterScans.enabled=true
+#
+# Even when `securityPolicies.enabled=true`, the catch-all `default`
+# environment (which targets every namespace) stays off unless you also set
+# `--set securityPolicies.environments.default.enabled=true`.
 #
 # Override the security profile:
-#   helm install zelyo-policies ./zelyo-policies -n zelyo-system --set global.profile=strict
+#   helm install zelyo-policies ./zelyo-policies -n zelyo-system \
+#     --set securityPolicies.enabled=true --set global.profile=strict
 #
 # Enable SOC 2 + HIPAA compliance:
 #   helm install zelyo-policies ./zelyo-policies -n zelyo-system \
+#     --set clusterScans.enabled=true \
 #     --set compliance.presets.soc2=true --set compliance.presets.hipaa=true
 # ============================================================================
 
@@ -37,8 +48,10 @@ global:
 # ---------------------------------------------------------------------------
 # Creates SecurityPolicy CRs targeting namespaces by environment tier.
 # Each environment can override the global profile.
+#
+# Disabled by default. Enable with `--set securityPolicies.enabled=true`.
 securityPolicies:
-  enabled: true
+  enabled: false
 
   environments:
     # -- Production: strictest scanning, frequent schedule
@@ -61,9 +74,13 @@ securityPolicies:
       schedule: "0 */2 * * *"
       notificationChannels: []
 
-    # -- Default: catch-all for remaining namespaces
+    # -- Default: catch-all for remaining namespaces.
+    # Disabled by default even when `securityPolicies.enabled=true`: an empty
+    # namespaces list resolves to *every* pod in the cluster, which can
+    # overwhelm the operator on first install. Enable deliberately with
+    # `--set securityPolicies.environments.default.enabled=true`.
     default:
-      enabled: true
+      enabled: false
       profile: ""                  # Uses global.profile
       namespaces: []               # Empty = all namespaces
       excludeNamespaces:
@@ -93,8 +110,9 @@ securityPolicies:
 # ---------------------------------------------------------------------------
 # Cluster Scans — scheduled full-cluster security evaluations
 # ---------------------------------------------------------------------------
+# Disabled by default. Enable with `--set clusterScans.enabled=true`.
 clusterScans:
-  enabled: true
+  enabled: false
 
   # Nightly scan — runs all K8s scanners every night at 2 AM.
   nightly:
@@ -140,8 +158,12 @@ compliance:
 # ---------------------------------------------------------------------------
 # Monitoring Policy — real-time event watching and anomaly detection
 # ---------------------------------------------------------------------------
+# Disabled by default. A single MonitoringPolicy with empty targetNamespaces
+# observes every pod in the cluster on a 5-minute cycle and runs regex log
+# scanning + anomaly detection, which can be expensive on large clusters.
+# Enable with `--set monitoring.enabled=true`.
 monitoring:
-  enabled: true
+  enabled: false
 
   targetNamespaces: []             # Empty = all namespaces
   excludeNamespaces:
