k8s scanning fails in 0.47.0 #5528

Closed
2 tasks done
chen-keinan opened this issue Nov 7, 2023 Discussed in #5521 · 1 comment · Fixed by #5529
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@chen-keinan
Contributor

Discussed in #5521

Originally posted by michael-mader November 6, 2023

Description

The following command fails with trivy 0.47.0:

```bash
trivy -d k8s --context "my-context" -n default deployments/my-release
```

It fails with this output:

```
2023-11-06T11:12:28.630+0100    FATAL   k8s scan error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run
        /home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:95
  - failed to find node name
```

It is working in 0.46.1 and below. It is failing when using the trivy binary on macOS 14.1 and when running the 0.47.0 Docker image on Linux.

Desired Behavior

Runs until the end and only fails if there are vulnerabilities.

Actual Behavior

Fails:

```
2023-11-06T11:12:28.630+0100    FATAL   k8s scan error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run
        /home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:95
  - failed to find node name
```

Reproduction Steps

Run `trivy -d k8s --context "my-context" -n default deployments/my-release` with correct values for your deployment to scan.

Target

Kubernetes

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

```
/Users/user/Downloads/trivy_0.47.0_macOS-ARM64/trivy -d k8s --context "my-context" -n default --no-progress deployments/my-deployment
2023-11-06T11:16:36.451+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T11:16:36.452+0100    DEBUG   Ignore statuses {"statuses": null}
2023-11-06T11:16:38.362+0100    DEBUG   cache dir:  /Users/user/Library/Caches/trivy
2023-11-06T11:16:38.363+0100    DEBUG   DB update was skipped because the local DB is the latest
2023-11-06T11:16:38.363+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-11-06 06:17:59.317996254 +0000 UTC, NextUpdate: 2023-11-06 12:17:59.317995754 +0000 UTC, DownloadedAt: 2023-11-06 10:10:16.850618 +0000 UTC
1 / 1 [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 0 p/s
2023-11-06T11:16:41.552+0100    FATAL   k8s scan error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run
        /home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:95
  - failed to find node name
```


### Operating System

macOS 14.1

### Version

```bash
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-06 06:17:59.317996254 +0000 UTC
  NextUpdate: 2023-11-06 12:17:59.317995754 +0000 UTC
  DownloadedAt: 2023-11-06 10:10:16.850618 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-06 00:56:11.785628882 +0000 UTC
  NextUpdate: 2023-11-09 00:56:11.785628382 +0000 UTC
  DownloadedAt: 2023-11-06 10:10:50.304873 +0000 UTC
Policy Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2023-11-06 10:10:17.701092 +0000 UTC
```

Checklist

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning labels Nov 7, 2023
@chen-keinan chen-keinan added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Nov 7, 2023
@chen-keinan chen-keinan added this to the v0.47.1 milestone Nov 7, 2023
@jkroepke
Contributor

jkroepke commented Nov 7, 2023

rel: #5418

Seems like the new k8s core components scan isn't optional for now.

Defining `--components=workload` does not have any effect:

```
~ $ trivy --quiet -q kubernetes '--report=all' --components=workload --cache-dir /tmp/.trivycache/ --no-progress --ignore-unfixed --exit-code 0 --slow --format table --scanners vuln --ignorefile /.trivyignore --vuln-type os -n opsstack -o /scans/report.all.html deploy,sts,ds
2023-11-07T16:57:22.603Z        FATAL   nodes is forbidden: User "system:serviceaccount:opsstack:opsstack-trivy" cannot list resource "nodes" in API group "" at the cluster scope: Azure does not have opinion for this user.
```
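
The `nodes is forbidden` error in the comment above is an RBAC scope problem: nodes are cluster-scoped, so a grant bound inside a single namespace cannot authorize listing them, even if it names `nodes`. The following is an added example, not Trivy code and not part of the thread; `Rule`, `Binding`, `Allowed` and the sample bindings are a simplified, constructed model of RBAC evaluation, with only the service account name taken from the error message.

```go
package main

import "fmt"

// Rule and Binding are a simplified, constructed RBAC model (core API group only), not client-go types.
type Rule struct{ Resources, Verbs []string }

// Binding with Namespace == "" models a ClusterRoleBinding; otherwise a RoleBinding.
type Binding struct {
	Subject, Namespace string
	Rules              []Rule
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether subject may run verb on resource in namespace ns.
// ns == "" is a cluster-scope request, which is what listing nodes always is.
func Allowed(bs []Binding, subject, verb, resource, ns string) bool {
	for _, b := range bs {
		// A RoleBinding only authorizes requests inside its own namespace.
		if b.Subject != subject || (b.Namespace != "" && b.Namespace != ns) {
			continue
		}
		for _, r := range b.Rules {
			if has(r.Resources, resource) && has(r.Verbs, verb) {
				return true
			}
		}
	}
	return false
}

const sa = "system:serviceaccount:opsstack:opsstack-trivy" // subject from the error above

// Constructed bindings: a namespaced grant that names nodes, then the same plus a cluster-scoped read-only grant on nodes.
var readOnly = []string{"get", "list"}
var namespaced = []Binding{{sa, "opsstack", []Rule{{[]string{"pods", "nodes"}, readOnly}}}}
var withNodeReader = append(namespaced[:1:1], Binding{sa, "", []Rule{{[]string{"nodes"}, readOnly}}})

func main() {
	fmt.Println(Allowed(namespaced, sa, "list", "nodes", ""))     // nodes: denied
	fmt.Println(Allowed(withNodeReader, sa, "list", "nodes", "")) // nodes: allowed
}
```

In the model, the cluster-scoped grant covers `nodes` only, so the scanner account still has no access to workloads outside its own namespace.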
