Error when scanning a Kubernetes workload or ServiceAccount with an empty item in imagePullSecrets array

[matheusfm]

Description

Trivy fails when scanning a Kubernetes workload with an empty item in imagePullSecrets array:

  imagePullSecrets:
    - {}

Desired Behavior

I expect this object to be scanned without errors, ignoring the empty imagePullSecrets item.

Actual Behavior

Trivy fails with the following output:

2024-06-13T17:04:23-03:00	FATAL	Fatal error	get k8s artifacts with node info error: failed getting auth for gvr: /v1, Resource=pods - getting secret by name: default/: resource name may not be empty

Reproduction Steps

1. Create a kind cluster

kind create cluster

2. Create a pod with an empty item in imagePullSecrets array

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    role: nginx
spec:
  imagePullSecrets:
    - {}
  containers:
    - name: nginx
      image: nginx
EOF

3. Run trivy:

trivy k8s --report summary

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-06-13T17:04:22-03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-13T17:04:22-03:00	DEBUG	Ignore statuses	statuses=[]
2024-06-13T17:04:23-03:00	FATAL	Fatal error	get k8s artifacts with node info error: failed getting auth for gvr: /v1, Resource=pods - getting secret by name: default/: resource name may not be empty

Operating System

linux

Version

Version: 0.52.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-10 12:13:28.957657425 +0000 UTC
  NextUpdate: 2024-06-10 18:13:28.957657255 +0000 UTC
  DownloadedAt: 2024-06-10 13:43:20.101006187 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-06-10 01:05:31.416428614 +0000 UTC
  NextUpdate: 2024-06-13 01:05:31.416428444 +0000 UTC
  DownloadedAt: 2024-06-10 13:53:07.844808071 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[matheusfm]

The same error happens for an imagePullSecrets like that in a ServiceAccount.

To reproduce it, just replace the 2nd step to

cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
imagePullSecrets:
  - {}
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    role: nginx
spec:
  serviceAccountName: test
  containers:
    - name: nginx
      image: nginx
EOF

[matheusfm]

I've created a Pull Request to fix it: aquasecurity/trivy-kubernetes#362

[chen-keinan]

issue opened #7011