trivyOperator.scanJobAnnotations does not get applied to scanJobs
What steps did you take and what happened:
Set trivyOperator.scanJobAnnotations, which configured the configmap as below, but it does not apply to scanjobs:
scanJob.annotations: platform-logging-droplogging=true
What did you expect to happen:
Scanjobs have the annotation.
Anything else you would like to add:
Environment:
- Trivy-Operator version (use trivy-operator version): 0.18.5
@macintoshme can you please share your configuration (trivy-operator config maps)?
apiVersion: v1
data:
  compliance.failEntriesLimit: "10"
  configAuditReports.scanner: Trivy
  node.collector.imageRef: ghcr.io/aquasecurity/node-collector:0.1.1
  node.collector.nodeSelector: "true"
  nodeCollector.volumeMounts: '[{"mountPath":"/var/lib/etcd","name":"var-lib-etcd","readOnly":true},{"mountPath":"/var/lib/kubelet","name":"var-lib-kubelet","readOnly":true},{"mountPath":"/var/lib/kube-scheduler","name":"var-lib-kube-scheduler","readOnly":true},{"mountPath":"/var/lib/kube-controller-manager","name":"var-lib-kube-controller-manager","readOnly":true},{"mountPath":"/etc/systemd","name":"etc-systemd","readOnly":true},{"mountPath":"/lib/systemd/","name":"lib-systemd","readOnly":true},{"mountPath":"/etc/kubernetes","name":"etc-kubernetes","readOnly":true},{"mountPath":"/etc/cni/net.d/","name":"etc-cni-netd","readOnly":true}]'
  nodeCollector.volumes: '[{"hostPath":{"path":"/var/lib/etcd"},"name":"var-lib-etcd"},{"hostPath":{"path":"/var/lib/kubelet"},"name":"var-lib-kubelet"},{"hostPath":{"path":"/var/lib/kube-scheduler"},"name":"var-lib-kube-scheduler"},{"hostPath":{"path":"/var/lib/kube-controller-manager"},"name":"var-lib-kube-controller-manager"},{"hostPath":{"path":"/etc/systemd"},"name":"etc-systemd"},{"hostPath":{"path":"/lib/systemd"},"name":"lib-systemd"},{"hostPath":{"path":"/etc/kubernetes"},"name":"etc-kubernetes"},{"hostPath":{"path":"/etc/cni/net.d/"},"name":"etc-cni-netd"}]'
  report.recordFailedChecksOnly: "true"
  scanJob.annotations: platform-logging-droplogging=true
  scanJob.compressLogs: "true"
  scanJob.podTemplateContainerSecurityContext: '{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true}'
  scanJob.tolerations: '[{"effect":"NoSchedule","operator":"Exists"}]'
  trivy.serverURL: http://trivy-service.platform-trivy-operator:4954
  vulnerabilityReports.scanner: Trivy
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: platform-trivy-operator
    meta.helm.sh/release-namespace: platform-trivy-operator
  creationTimestamp: "2024-01-19T21:18:37Z"
  labels:
    app.kubernetes.io/instance: platform-trivy-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.18.5
    helm.sh/chart: trivy-operator-0.20.6
  name: trivy-operator
  namespace: platform-trivy-operator
  resourceVersion: "178146580"
  uid: bb07d380-7139-4dcb-a718-4d4fdcae57c8
@macintoshme is your issue similar to this: #1735?
No, the issue is the configmap gets configured, but the spawned scanjobs do not have the annotation that is indicated in the configmap.
Can you please share your values.yaml and one of the scan-job YAMLs?
kubectl get pods <pod name> -n trivy-system -o yaml
Spotted annotation where it was reported missing. Closing ticket.