Starboard failed to scan ECR images #1252

Open
JK-JIA opened this issue Aug 22, 2022 · 1 comment
Comments

JK-JIA commented Aug 22, 2022

I use starboard-operator to scan the images in the cluster for vulnerabilities, but when it encounters images in the ECR repository, the scan fails and reports an error.

I followed https://aquasecurity.github.io/starboard/v0.15.7/vulnerability-scanning/managed-registries/ for authorization.
Here is my starboard-operator ServiceAccount YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: starboard-operator
  namespace: starboard-system
  annotations:
    # IRSA: EKS injects AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE into pods that use this ServiceAccount
    eks.amazonaws.com/role-arn: arn:aws-cn:iam::516915001847:role/trivy-ecr-role
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.4"
    app.kubernetes.io/managed-by: kubectl

I'm using the Trivy client/server mode, because downloading the databases is very slow in China.
This is how it is set up:

trivy-server.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-server-deployment
  namespace: starboard-system
  labels:
    app: trivy-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: trivy-server
  template:
    metadata:
      labels:
        app: trivy-server
    spec:
      serviceAccountName: starboard-operator
      containers:
      - name: trivy-server
        image: docker.io/aquasec/trivy:0.25.2
        ports:
        - containerPort: 4954
        #command: ["trivy"]
        #args: ["server --listen 127.0.0.1:4954"]
        command: ["/bin/sh"]
        args: ["-c","trivy server --listen 0.0.0.0:4954"]
        #args: ["-c", "while true; do echo hello; sleep 10;done"]
        volumeMounts:
        - name: trivy-data
          mountPath: /root/.cache/trivy
          subPath: trivy
      volumes:
      - name: trivy-data
        persistentVolumeClaim:
          claimName: efs-trivy-cliam
---

apiVersion: v1
kind: Service
metadata:
  name: trivy-server
  namespace: starboard-system
spec:
  type: ClusterIP
  selector:
    app: trivy-server
  ports:
    - port: 4954
      targetPort: 4954

starboard-operator.yaml (excerpt)

apiVersion: v1
kind: ConfigMap
metadata:
  name: starboard-trivy-config
  namespace: starboard-system
  labels:
    app.kubernetes.io/name: starboard-operator
    app.kubernetes.io/instance: starboard-operator
    app.kubernetes.io/version: "0.15.4"
    app.kubernetes.io/managed-by: kubectl
data:
  trivy.imageRef: "docker.io/aquasec/trivy:0.25.2"
#  trivy.mode: "Standalone"
  trivy.mode: "ClientServer"
  trivy.serverURL: "http://trivy-server:4954"
  trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  trivy.timeout: "90m0s"
  trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
  trivy.resources.requests.cpu: 100m
  trivy.resources.requests.memory: 100M
  trivy.resources.limits.cpu: 1000m
  trivy.resources.limits.memory: 1000M

The following is the error log from starboard-operator:

{"level":"error","ts":1661158616.6022856,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-7c87d58f58","container":"jenkins-agent01","status.reason":"Error","status.message":"2022-08-22T08:56:55.119Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/jenkins-slave:v7): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* GET https://516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/v2/jenkins-slave/manifests/v7: unexpected status code 401 Unauthorized: Not Authorized\n\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":1661158617.44241,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-84d4d648c6","container":"nginx","status.reason":"Error","status.message":"2022-08-22T08:56:55.496Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/ixtra-frontend:3.3-rc-3): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* GET https://516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/v2/ixtra-frontend/manifests/3.3-rc-3: unexpected status code 401 Unauthorized: Not Authorized\n\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":1661158618.2136166,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-5fdc98694","container":"nginx","status.reason":"Error","status.message":"2022-08-22T08:56:55.142Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/ixtra-frontend:3.3-rc-3): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* GET https://516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/v2/ixtra-frontend/manifests/3.3-rc-3: unexpected status code 401 Unauthorized: Not Authorized\n\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":1661158619.0005393,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-5f58c95b49","container":"nginx","status.reason":"Error","status.message":"2022-08-22T08:56:55.952Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/ixtra-frontend:3.4.5): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* GET https://516915001847.dkr.ecr.cn-northwest-1.amazonaws.com.cn/v2/ixtra-frontend/manifests/3.4.5: unexpected status code 401 Unauthorized: Not Authorized\n\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":1661158622.0122895,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-fd959ddfb","container":"kubernetes-dashboard","status.reason":"Error","status.message":"2022-08-22T08:56:58.253Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (kubernetesui/dashboard:v2.5.1): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* GET https://index.docker.io/v2/kubernetesui/dashboard/manifests/sha256:6614c53fcdb9df9cb920c701c6a418e398be9b5ee147e5231ad6669fd2b76862: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":1661158622.4091635,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-6d459d7c7c","container":"dashboards","status.reason":"Error","status.message":"2022-08-22T08:56:58.310Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (docker.io/opensearchproject/opensearch-dashboards:2.0.0): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* GET https://index.docker.io/v2/opensearchproject/opensearch-dashboards/manifests/sha256:fda49bc2f3f3317d58d63fbcbcfb7ad1fcd7958dc528941511d2dcf2da078b72: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":1661158630.1363208,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-855dd745b7","container":"module-configmap-reloader","status.reason":"Error","status.message":"2022-08-22T08:56:58.145Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (jimmidyson/configmap-reload:v0.5.0): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* GET https://index.docker.io/v2/jimmidyson/configmap-reload/manifests/v0.5.0: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":1661158646.4274912,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-79667547d8","container":"kube-rbac-proxy","status.reason":"Error","status.message":"2022-08-22T08:57:25.281Z\t\u001b[31mFATAL\u001b[0m\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* Get \"https://gcr.io/v2/\": dial tcp 64.233.188.82:443: i/o timeout\n\n\n","stacktrace":"github.com/aquasecurity/starboard/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/starboard/starboard/pkg/vulnerabilityreport/controller.go:323\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"}
.......

Please help me; any reply will be helpful to me. Thank you 😀
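The log above mixes three unrelated failures: ECR answering 401 Unauthorized, Docker Hub answering TOOMANYREQUESTS, and gcr.io timing out. Trivy tries a Docker socket, then a Podman socket, then the remote registry, so inside a scan job (which has no container runtime) the first two bullets of each error are expected noise and only the last bullet names the cause. The script below is an added example, not Starboard or Trivy code: it parses operator log lines of this shape, classifies each scan job by the registry-side failure, and for every ECR 401 checks that the account and AWS partition of the registry host match the IRSA role ARN on the starboard-operator ServiceAccount (a `.amazonaws.com.cn` registry must pair with an `arn:aws-cn:` role, a point I infer from ARN partitions, not from anything Starboard documents). The sample lines are constructed from the shape of the log above with the account ID and image names replaced by placeholders; the field names `job`, `container` and `status.message` are the ones the operator actually emits.

```python
"""Triage Starboard scan-job failures from the operator's JSON log.

Added example, not Starboard or Trivy code. Each log line carries the scan
job's Trivy stderr in "status.message"; the last "* ..." bullet in it is the
remote-registry attempt and names the real cause of the failed scan.
"""
import json
import re
from collections import Counter
from typing import Optional

# Constructed sample lines: same shape as the operator log, with the AWS
# account ID and image names replaced by placeholders.
SAMPLE_LOG = r'''
{"level":"error","logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-aaaaaaaaaa","container":"jenkins-agent01","status.reason":"Error","status.message":"FATAL\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn/agent:v7): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found\n\t* GET https://123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn/v2/agent/manifests/v7: unexpected status code 401 Unauthorized: Not Authorized\n\n"}
{"level":"error","logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-bbbbbbbbbb","container":"nginx","status.reason":"Error","status.message":"FATAL\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn/frontend:3.4.5): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found\n\t* GET https://123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn/v2/frontend/manifests/3.4.5: unexpected status code 401 Unauthorized: Not Authorized\n\n"}
{"level":"error","logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-cccccccccc","container":"kubernetes-dashboard","status.reason":"Error","status.message":"FATAL\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (kubernetesui/dashboard:v2.5.1): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found\n\t* GET https://index.docker.io/v2/kubernetesui/dashboard/manifests/v2.5.1: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit\n\n"}
{"level":"error","logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"starboard-system/scan-vulnerabilityreport-dddddddddd","container":"kube-rbac-proxy","status.reason":"Error","status.message":"FATAL\tscan error: unable to initialize a scanner: unable to initialize the docker scanner: 3 errors occurred:\n\t* unable to inspect the image (gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found\n\t* Get \"https://gcr.io/v2/\": dial tcp 64.233.188.82:443: i/o timeout\n\n"}
'''

# First matching rule wins; the docker/podman socket bullets match nothing
# on purpose, because they are expected inside a scan job.
RULES = [
    ("registry-auth",       re.compile(r"unexpected status code (401|403)")),
    ("registry-rate-limit", re.compile(r"TOOMANYREQUESTS")),
    ("registry-network",    re.compile(r"(i/o timeout|connection refused|no such host)")),
]
ECR_HOST = re.compile(r"(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?")
ROLE_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/.+$")


def classify(message: str) -> str:
    """Map one scan job's Trivy stderr to a failure category."""
    for category, pattern in RULES:
        if pattern.search(message):
            return category
    return "unknown"


def ecr_host_info(text: str) -> Optional[dict]:
    """Account, region and partition of the first ECR host in text, if any.
    Partition is inferred from the host: '.amazonaws.com.cn' is aws-cn,
    'us-gov-*' regions are aws-us-gov, everything else is the aws partition."""
    m = ECR_HOST.search(text)
    if not m:
        return None
    account, region, cn_suffix = m.groups()
    if cn_suffix:
        partition = "aws-cn"
    elif region.startswith("us-gov-"):
        partition = "aws-us-gov"
    else:
        partition = "aws"
    return {"account": account, "region": region, "partition": partition}


def parse_log(text: str) -> list[dict]:
    """One record per JSON log line, keyed by scan job and container."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        message = entry.get("status.message", "")
        records.append({
            "job": entry.get("job"),
            "container": entry.get("container"),
            "category": classify(message),
            "ecr": ecr_host_info(message),
        })
    return records


def summarize(records: list[dict]) -> Counter:
    """Count scan jobs per failure category."""
    return Counter(r["category"] for r in records)


def check_irsa_consistency(records: list[dict], role_arn: str) -> list[str]:
    """For every ECR 401, compare the registry's account and partition with
    the IRSA role ARN annotated on the ServiceAccount. A mismatch here is a
    plain configuration error to fix before debugging IAM permissions."""
    m = ROLE_ARN.match(role_arn)
    if not m:
        return [f"role ARN does not look like an IAM role ARN: {role_arn}"]
    partition, account = m.groups()
    findings = []
    for r in records:
        if r["category"] != "registry-auth" or not r["ecr"]:
            continue
        if r["ecr"]["account"] != account:
            findings.append(f"{r['job']}: registry account {r['ecr']['account']} != role account {account}")
        if r["ecr"]["partition"] != partition:
            findings.append(f"{r['job']}: registry partition {r['ecr']['partition']} != role partition {partition}")
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(summarize(recs)))
    # Placeholder ARN, constructed to match the sample registry host.
    for finding in check_irsa_consistency(recs, "arn:aws-cn:iam::123456789012:role/trivy-ecr-role"):
        print("irsa:", finding)
```

Feed it the real operator log with `kubectl -n starboard-system logs deploy/starboard-operator | python3 triage.py` (after replacing `SAMPLE_LOG` with `sys.stdin.read()`); an empty list from `check_irsa_consistency` means the annotation at least points at the right account and partition, and the remaining 401 is an IAM or credential-injection question for the scan job pod rather than a typo in the manifest. The Docker Hub and gcr.io failures are a separate problem (rate limits and egress from the cn-northwest-1 cluster) and are not fixed by any ECR role.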

skymoore commented May 2, 2023

@JK-JIA for future reference, it's a good idea to redact the aws account id.
