
CIS Benchmark k8s-cis-1.23 is empty

[Open] Halogenmake opened this issue 1 year ago • 3 comments

What steps did you take and what happened: I’m using the latest version of Trivy Operator, 0.22. All components are functioning as expected, but the k8s-cis-1.23 report is not being generated. Meanwhile, the k8s-pss-baseline-0.1 report is generated without issues.

What did you expect to happen:

Anything else you would like to add: The configuration file for the modified settings is as follows:

---
trivy:
  command: filesystem

trivyOperator:
  scanJobPodTemplateContainerSecurityContext:
    # For filesystem scanning, Trivy needs to run as the root user
    runAsUser: 0
  scanJobNodeSelector:
    node.kubernetes.io/role: worker

nodeSelector:
  node.kubernetes.io/role: worker

compliance:
  reportType: all

operator:
  scanJobsConcurrentLimit: 5
  scannerReportTTL: "120h"

nodeCollector:
  tolerations:
    - key: ***/control-plane
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: engineering
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: s***a
      operator: "Equal"
      effect: NoSchedule

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.22
  • Kubernetes version (use kubectl version): v1.30.4+rke2r1

Halogenmake avatar Oct 15 '24 15:10 Halogenmake

Can confirm the issue. Observed during the installation of the trivy-operator-polr-adapter.

kubectl logs -f trivy-operator-polr-adapter-5f647d56b9-5k9jk
kind.go] "if kind is a CRD, it should be installed before calling Start" err="no matches for kind \"CISKubeBenchReport\" in version \"aquasecurity.github.io/v1alpha1\"" logger="controller-runtime.source.EventHandler" kind="CISKubeBenchReport.aquasecurity.github.io"

elaurensx avatar Oct 16 '24 11:10 elaurensx

Additional information: I use Helm chart version 0.24.1.

Halogenmake avatar Oct 16 '24 12:10 Halogenmake

More details: I have multiple Kubernetes clusters, and on some clusters, the report is generated correctly, while on others, it isn’t. The cluster versions, Helm chart versions, and application versions are all the same.

Meanwhile, on the clusters where the report is not generated, the ClusterComplianceReport:k8s-cis-1.23 resource exists, but it lacks a status section—only the spec section is present.

Halogenmake avatar Oct 16 '24 14:10 Halogenmake
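As an added example (not part of this issue thread and not trivy-operator's own code), here is a small Python check that reads the output of `kubectl get clustercompliancereports.aquasecurity.github.io -A -o json` and separates reports whose status the operator populated from those that only carry a spec, which is the symptom described above. The field paths `.status.summary.failCount` and `.status.summary.passCount` are assumed from the CRD's FAIL/PASS printer columns; the sample list embedded below is constructed and its counts are made up.

```python
"""Triage trivy-operator ClusterComplianceReports by whether .status was written.

Usage:
  kubectl get clustercompliancereports.aquasecurity.github.io -A -o json | python3 triage_reports.py
  python3 triage_reports.py                      # runs against the constructed sample
"""
import json
import sys
from typing import Any, Optional

# Constructed sample shaped like `kubectl ... -o json`. Only the fields this
# check reads are included; the fail/pass numbers are invented for the example.
SAMPLE_LIST_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-cis-1.23"},
            "spec": {"compliance": {"id": "k8s-cis-1.23"}},
            # No "status" key at all: the symptom reported in the issue.
        },
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-nsa-1.0"},
            "spec": {"compliance": {"id": "k8s-nsa-1.0"}},
            "status": {},  # status exists but no summary counts yet
        },
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-pss-baseline-0.1"},
            "spec": {"compliance": {"id": "k8s-pss-baseline-0.1"}},
            "status": {"summary": {"failCount": 3, "passCount": 8}},
        },
    ],
})


def report_state(item: dict) -> tuple:
    """Return (name, state, failCount, passCount) for one report.

    state is one of:
      "missing-status" - the operator never wrote .status
      "no-summary"     - .status is present but has no summary counts
      "ok"             - summary counts are present
    Field paths under .status are an assumption taken from the CRD printer columns.
    """
    name = item.get("metadata", {}).get("name", "<unnamed>")
    status: Any = item.get("status")
    if not isinstance(status, dict):
        return name, "missing-status", None, None
    summary = status.get("summary")
    if not isinstance(summary, dict) or "failCount" not in summary:
        return name, "no-summary", None, None
    fail: Optional[int] = int(summary.get("failCount", 0))
    passed: Optional[int] = int(summary.get("passCount", 0))
    return name, "ok", fail, passed


def triage(list_json: str) -> dict:
    """Parse a kubectl JSON List (or a single resource) and bucket reports by state."""
    doc = json.loads(list_json)
    items = [doc] if doc.get("kind") == "ClusterComplianceReport" else doc.get("items", [])
    buckets: dict = {"ok": [], "no-summary": [], "missing-status": []}
    for item in items:
        name, state, fail, passed = report_state(item)
        buckets[state].append((name, fail, passed) if state == "ok" else name)
    return buckets


def render(buckets: dict) -> str:
    """Format the buckets as a small table plus a list of reports needing attention."""
    lines = [f"{'NAME':<26}{'FAIL':>6}{'PASS':>6}"]
    for name, fail, passed in buckets["ok"]:
        lines.append(f"{name:<26}{fail:>6}{passed:>6}")
    for state in ("no-summary", "missing-status"):
        for name in buckets[state]:
            lines.append(f"{name:<26}  [{state}]")
    return "\n".join(lines)


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else (
        sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_JSON)
    result = triage(raw)
    print(render(result))
    # Non-zero exit if any report never received a status, so this can gate a health check.
    sys.exit(1 if result["missing-status"] else 0)
```

Reports in the `missing-status` bucket are the ones worth comparing against the operator logs and the issue links later in this thread; a `no-summary` report may simply not have been reconciled yet.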

@Halogenmake and @elaurensx do you still have this issue with the latest release and the latest helm chart?

simar7 avatar Jan 16 '25 23:01 simar7

@Halogenmake and @elaurensx, thanks for the report and sorry for the long response time from my side.

First of all, as @simar7 said, could you check the latest version of trivy-operator, v0.23.0 (Helm chart v0.25.0)?

Also, I see a similar issue here: #2178, https://github.com/aquasecurity/trivy-operator/issues/2178#issuecomment-2217271599, #2179; there are some reasons there. But if it's not your case, please feel free to update this ticket, and I'll try to investigate it.

thanks!

afdesk avatar Jan 20 '25 04:01 afdesk

@simar7 and @afdesk Updated to the latest version and can confirm that the report is being generated.

$ k get clustercompliancereports.aquasecurity.github.io -A -o wide
NAME                     AGE    FAIL   PASS
k8s-cis-1.23             3h1m   15     101
k8s-nsa-1.0              3h1m   12     15
k8s-pss-baseline-0.1     3h1m   3      8
k8s-pss-restricted-0.1   3h1m   3      14

Thank you very much for the follow-up.

elaurensx avatar Jan 20 '25 19:01 elaurensx

thanks for the confirmation, @elaurensx!

simar7 avatar Jan 21 '25 05:01 simar7