
Refine CVE check in check script for k8s version policy

Open piobig2871 opened this issue 1 year ago • 5 comments

piobig2871, Oct 11 '24 09:10

Initial code pushed to git; the rest will be upcoming after tests.

piobig2871, Oct 11 '24 10:10

Sorry, I went ahead and marked this as draft, and I changed the title as well to give context.

mbuechse, Oct 16 '24 12:10

Hi @mbuechse and @piobig2871, as requested in the Container Call, I just tried that script but got some weird results:

./k8s_version_policy.py -k /tmp/kubeconfig
WARNING: The EOL data in k8s-eol-data.yml isn't up-to-date.
INFO: Initiating scan on the Kubernetes cluster specified by kubeconfig at /tmp/kubeconfig
            with context .
            Fetching cluster information and verifying access.
INFO: Scanning image: /
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: t
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: m
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: p
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: /
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: k
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: u
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: b
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: e
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: c
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: o
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: n
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: f
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: i
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: g
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Checking cluster specified by default context in /tmp/kubeconfig.
ERROR: The K8s cluster version 1.29.9 of cluster 'cs-cluster-admin@cs-cluster' is outdated according to the standard.
version-policy-check: FAIL

It looks like it loops over the path to the kubeconfig and uses every character as an image to scan. Yes, I'm aware that trivy is not found, and I also tried with it installed, but the output is the same, just noisier:

./k8s_version_policy.py -k /tmp/kubeconfig
WARNING: The EOL data in k8s-eol-data.yml isn't up-to-date.
INFO: Initiating scan on the Kubernetes cluster specified by kubeconfig at /tmp/kubeconfig
            with context .
            Fetching cluster information and verifying access.
INFO: Scanning image: /
ERROR: Trivy scan failed: 2024-11-07T11:07:03+01:00	INFO	Need to update DB
2024-11-07T11:07:03+01:00	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-11-07T11:07:05+01:00	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: database download error: OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 522.404µs, allowed: 44000/minute
INFO: Scanning image: t
ERROR: Trivy scan failed: 2024-11-07T11:07:05+01:00	INFO	Need to update DB
2024-11-07T11:07:05+01:00	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-11-07T11:07:20+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:20+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:20+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:20+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:20+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: t
INFO: Scanning image: m
ERROR: Trivy scan failed: 2024-11-07T11:07:20+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:20+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:20+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:20+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:20+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: m
INFO: Scanning image: p
ERROR: Trivy scan failed: 2024-11-07T11:07:20+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:20+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:20+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:20+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:20+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: p
INFO: Scanning image: /
ERROR: Trivy scan failed: 2024-11-07T11:07:20+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:20+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:20+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:20+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:20+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: /
INFO: Scanning image: k
ERROR: Trivy scan failed: 2024-11-07T11:07:21+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:21+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:21+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:21+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:21+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: k
INFO: Scanning image: u
ERROR: Trivy scan failed: 2024-11-07T11:07:21+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:21+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:21+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:21+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:21+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: u
INFO: Scanning image: b
ERROR: Trivy scan failed: 2024-11-07T11:07:21+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:21+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:21+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:21+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:21+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: b
INFO: Scanning image: e
ERROR: Trivy scan failed: 2024-11-07T11:07:22+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:22+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:22+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:22+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:22+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: e
INFO: Scanning image: c
ERROR: Trivy scan failed: 2024-11-07T11:07:22+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:22+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:22+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:22+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:22+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: c
INFO: Scanning image: o
ERROR: Trivy scan failed: 2024-11-07T11:07:22+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:22+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:22+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:22+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:22+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: o
INFO: Scanning image: n
ERROR: Trivy scan failed: 2024-11-07T11:07:22+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:22+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:22+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:22+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:22+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: n
INFO: Scanning image: f
ERROR: Trivy scan failed: 2024-11-07T11:07:23+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:23+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:23+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:23+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:23+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: f
INFO: Scanning image: i
ERROR: Trivy scan failed: 2024-11-07T11:07:23+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:23+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:23+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:23+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:23+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: i
INFO: Scanning image: g
ERROR: Trivy scan failed: 2024-11-07T11:07:23+01:00	INFO	Vulnerability scanning is enabled
2024-11-07T11:07:23+01:00	INFO	Secret scanning is enabled
2024-11-07T11:07:23+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-07T11:07:23+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-11-07T11:07:23+01:00	FATAL	Fatal error	image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: failed to parse the image name: could not parse reference: g
INFO: Checking cluster specified by default context in /tmp/kubeconfig.
ERROR: The K8s cluster version 1.29.9 of cluster 'cs-cluster-admin@cs-cluster' is outdated according to the standard.
version-policy-check: FAIL

jschoone, Nov 07 '24 10:11

Hi @jschoone, there was a problem with one argument; I have fixed the issue.

piobig2871, Nov 08 '24 07:11

> Hi @jschoone, there was a problem with one argument; I have fixed the issue.

Hi @piobig2871, looks good now!

./k8s_version_policy.py --kubeconfig /tmp/kubeconfig
....
version-policy-check: PASS

I'd just recommend checking for trivy before it starts, to prevent all this output:

./k8s_version_policy.py -k /tmp/kubeconfig
WARNING: The EOL data in k8s-eol-data.yml isn't up-to-date.
INFO: Initiating scan on the Kubernetes cluster specified by kubeconfig at /tmp/kubeconfig
            with context .
            Fetching cluster information and verifying access.
INFO: Scanning image: registry.k8s.io/kube-apiserver:v1.29.10
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/metrics-server/metrics-server:v0.7.2
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/sig-storage/csi-attacher:v4.4.2
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/sig-storage/csi-snapshotter:v6.3.2
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.29.1
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/coredns/coredns:v1.11.1
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/kube-controller-manager:v1.29.10
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.29.1
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/etcd:3.5.15-0
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: quay.io/cilium/cilium:v1.16.3@sha256:62d2a09bbef840a46099ac4c69421c90f84f28d018d479749049011329aa7f28
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/kube-scheduler:v1.29.10
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: quay.io/cilium/cilium-envoy:v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd@sha256:42614a44e508f70d03a04470df5f61e3cffd22462471a0be0544cf116f2c50ba
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.2
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/sig-storage/livenessprobe:v2.11.0
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: quay.io/cilium/operator-generic:v1.16.3@sha256:6e2925ef47a1c76e183c48f95d4ce0d34a1e5e848252f910476c3e11ce1ec94b
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/kube-proxy:v1.29.10
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Scanning image: registry.k8s.io/sig-storage/csi-resizer:v1.9.2
ERROR: Error running Trivy scan: [Errno 2] No such file or directory: 'trivy'
INFO: Checking cluster specified by default context in /tmp/kubeconfig.
INFO: The K8s cluster version 1.29.10 of cluster 'scs-cluster-129-admin@scs-cluster-129' is still in the recency time window.
version-policy-check: FAIL

jschoone, Nov 19 '24 15:11
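The two problems raised in this thread, the loop that received a string and scanned it one character at a time, and the per-image `trivy` errors that a single up-front check would have prevented, are shown below in an added example. This is not the project's `k8s_version_policy.py`; the function names, the injectable `scanner` parameter, and the sample pod list and trivy report are this example's own constructions. The trivy invocation (`trivy image --quiet --format json --scanners vuln IMAGE`) and the `Results[].Vulnerabilities[].Severity` shape of its JSON output are real trivy behaviour; the placeholder vulnerability IDs in the sample report are not real CVEs.

```python
"""Added example, not the project's k8s_version_policy.py: collect image
references from pod objects (guarding against the string-iteration bug
seen in the thread), check for the trivy binary once before scanning,
and evaluate a severity threshold over trivy's JSON output."""
import json
import shutil
import subprocess
import sys
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample, shaped like `kubectl get pods -A -o json`["items"].
SAMPLE_PODS = [
    {"spec": {"containers": [{"image": "registry.k8s.io/kube-apiserver:v1.29.10"}]}},
    {"spec": {"initContainers": [{"image": "registry.k8s.io/etcd:3.5.15-0"}],
              "containers": [{"image": "registry.k8s.io/coredns/coredns:v1.11.1"},
                             {"image": "registry.k8s.io/kube-apiserver:v1.29.10"}]}},
]

# Constructed sample in the shape of `trivy image --format json` output.
# The IDs are placeholders, not real vulnerability identifiers.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "example (alpine)",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-1", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-2", "Severity": "CRITICAL"},
         ]},
        {"Target": "usr/bin/example", "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-3", "Severity": "HIGH"}]},
        {"Target": "empty-layer", "Vulnerabilities": None},
    ]
}


def require_tool(name: str = "trivy") -> str:
    """Fail fast with one clear message instead of one ENOENT per image."""
    path = shutil.which(name)
    if path is None:
        raise RuntimeError(f"'{name}' not found in PATH; install it before scanning images")
    return path


def collect_images(pods: Iterable[dict]) -> List[str]:
    """Unique image references from pod objects, in first-seen order.

    A bare string is rejected: iterating one yields single characters,
    which is exactly the "/", "t", "m", "p" ... scan targets in the thread."""
    if isinstance(pods, str):
        raise TypeError("expected an iterable of pod objects, got a str")
    seen: Dict[str, None] = {}
    for pod in pods:
        spec = pod.get("spec", {})
        for section in ("initContainers", "containers"):
            for container in spec.get(section, []):
                seen.setdefault(container["image"], None)
    return list(seen)


def trivy_command(image: str, trivy: str = "trivy") -> List[str]:
    """Argument vector for a quiet, JSON, vulnerability-only scan of one image."""
    if not image or any(c.isspace() for c in image):
        raise ValueError(f"not a valid image reference: {image!r}")
    return [trivy, "image", "--quiet", "--format", "json", "--scanners", "vuln", image]


def scan_image(image: str, trivy: str = "trivy", timeout: int = 600) -> dict:
    """Run trivy on one image and return its parsed JSON report."""
    proc = subprocess.run(trivy_command(image, trivy), capture_output=True,
                          text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError(f"trivy failed for {image}: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def summarize(report: dict) -> Counter:
    """Count findings per severity; tolerates targets with no findings (None)."""
    counts: Counter = Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def scan_cluster_images(pods: Iterable[dict], scanner: Callable[[str], dict] = scan_image,
                        fail_at: str = "CRITICAL") -> Tuple[bool, Dict[str, Counter]]:
    """Scan each unique image once; fail if any finding is at or above fail_at.
    `scanner` is injectable so the policy logic runs without trivy installed."""
    threshold = SEVERITY_ORDER.index(fail_at)
    per_image: Dict[str, Counter] = {}
    passed = True
    for image in collect_images(pods):
        counts = summarize(scanner(image))
        per_image[image] = counts
        if any(SEVERITY_ORDER.index(s) >= threshold for s in counts if s in SEVERITY_ORDER):
            passed = False
    return passed, per_image


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 scan_images.py
    require_tool("trivy")  # one check up front, before any image is touched
    ok, results = scan_cluster_images(json.load(sys.stdin)["items"])
    for ref, counts in results.items():
        print(ref, dict(counts))
    print("image-scan:", "PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

The `isinstance(pods, str)` guard is cheap insurance against the argument mix-up the thread describes: a string is iterable in Python, so without it the code silently "works" and produces nonsense targets. Checking `shutil.which` once at startup turns seventeen identical `[Errno 2]` lines into a single actionable error, and the injectable `scanner` lets the threshold logic be unit-tested offline.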