trivy-operator
Problem with scanning locally created images on Docker Desktop with WSL 2
What steps did you take and what happened:
I installed trivy operator v0.1.0 on my local Kubernetes cluster hosted by Docker Desktop on Windows with WSL 2 enabled.
While it works fine for workloads using images from the internet, e.g. an ingress deployment with image: docker.io/bitnami/nginx-ingress-controller:1.2.0-debian-10-r0, it logs errors for images built locally, e.g. a deployment with image: my-company/my-application:latest.
The mentioned image was built locally using the docker build command.
Here's the error (formatted by me to separate errors):
{"level":"error","ts":1657198162.1443658,"logger":"reconciler.vulnerabilityreport","msg":"Scan job container","job":"trivy-system/scan-vulnerabilityreport-685fbf4b94","container":"my-application-container","status.reason":"Error",
"status.message":"2022-07-07T12:49:12.562Z\t\u001b[31mFATAL\u001b[0m\timage scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
1) unable to inspect the image (my-company/my-application:latest): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
2) unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
3) containerd socket not found: /run/containerd/containerd.sock
4) GET https://index.docker.io/v2/my-company/my-application/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:my-company/my-application Type:repository]]\n\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller.go:363\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:234"}
I thought it had problems because of the Docker Desktop with WSL 2 setup, but the following command works fine:
docker run --rm -v //var/run/docker.sock:/var/run/docker.sock -v c:\Users\UserName\trivy:/root/.cache/ \
aquasec/trivy:0.29.2 image my-company/my-application:latest
What did you expect to happen:
I hoped that if communication with docker engine works when using the docker run option, it would also work in the operator when using Docker Desktop on Windows. Any ideas?
Environment:
- Trivy-Operator version (use trivy-operator version): docker.io/aquasec/trivy-operator:0.1.0
- Kubernetes version (use kubectl version): Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:58:47Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"windows/amd64"} Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"clean", BuildDate:"2022-05-24T12:18:48Z", GoVersion:"go1.18.2", Compiler:"gc", Platform:"linux/amd64"}
- OS: Windows 10.0.19044 N/A Build 19044
@nosalan thank you for reporting this issue, we will take a look at it.
I suggest fs scanning (doesn't pull the image) as a workaround in the meantime.
You'll need to add this param trivy.command: filesystem to the trivy-operator-trivy-config ConfigMap.
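The following is an added triage helper, not code from the trivy-operator project or from anyone in this thread. It parses the operator's JSON log line shown above, splits the multi-error block Trivy prints when it cannot find any source for an image, classifies each cause (runtime socket unreachable vs. registry pull denied), and, when all four appear together, returns the JSON merge patch for the trivy.command: filesystem workaround suggested above, plus the kubectl command that would apply it to the trivy-operator-trivy-config ConfigMap. The sample log line is a shortened, constructed copy of the one in the report (stacktrace dropped); the namespace is taken from the job name in that line. The cause labels and the helper function names are this example's own.

```python
"""Triage helper for trivy-operator scan-job failures (added example, not project code)."""
import json
import re

# Constructed sample: shortened copy of the operator log line from the issue (stacktrace dropped).
SAMPLE_LOG_LINE = json.dumps({
    "level": "error",
    "logger": "reconciler.vulnerabilityreport",
    "msg": "Scan job container",
    "job": "trivy-system/scan-vulnerabilityreport-685fbf4b94",
    "container": "my-application-container",
    "status.reason": "Error",
    "status.message": (
        "2022-07-07T12:49:12.562Z\t\x1b[31mFATAL\x1b[0m\timage scan error: scan error: "
        "unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:\n"
        "\t* unable to inspect the image (my-company/my-application:latest): Cannot connect to the "
        "Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n"
        "\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: "
        "no such file or directory\n"
        "\t* containerd socket not found: /run/containerd/containerd.sock\n"
        "\t* GET https://index.docker.io/v2/my-company/my-application/manifests/latest: "
        "UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:my-company/my-application "
        "Type:repository]]\n\n\n"
    ),
})

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")            # colour codes around FATAL
# Trivy lists the errors as "\t* ..." lines; the reporter renumbered them as "1) ...", so accept both.
ERROR_ITEM_RE = re.compile(r"^\s*(?:\d+\)|\*)\s*", re.MULTILINE)

# Cause labels are this example's own; the patterns are the messages quoted in the issue.
CAUSES = [
    ("docker-socket-unreachable", re.compile(r"Cannot connect to the Docker daemon")),
    ("podman-socket-missing", re.compile(r"no podman socket found")),
    ("containerd-socket-missing", re.compile(r"containerd socket not found")),
    ("registry-auth-required", re.compile(r"UNAUTHORIZED|authentication required")),
]

# All four together means: no container runtime socket inside the scan-job pod, and the
# registry refused the pull. A locally built image produces exactly this; so does an image
# in a private registry without credentials, where registry credentials are the right fix.
LOCAL_IMAGE_SIGNATURE = {label for label, _ in CAUSES}


def split_scan_errors(status_message):
    """Return the individual error strings from Trivy's 'N errors occurred:' block."""
    text = ANSI_RE.sub("", status_message)
    header = re.search(r"(\d+) errors? occurred:\s*", text)
    if not header:
        return [text.strip()]
    body = text[header.end():]
    return [item.strip() for item in ERROR_ITEM_RE.split(body) if item.strip()]


def classify(error_text):
    for label, pattern in CAUSES:
        if pattern.search(error_text):
            return label
    return "unknown"


def triage_log_line(line):
    """Parse one operator JSON log line and classify every scan error it carries."""
    record = json.loads(line)
    errors = split_scan_errors(record.get("status.message", ""))
    return {
        "job": record.get("job"),
        "container": record.get("container"),
        "causes": [classify(e) for e in errors],
    }


def configmap_patch_for(triage):
    """JSON merge patch for the workaround from the thread, or None if the signature differs."""
    if set(triage["causes"]) != LOCAL_IMAGE_SIGNATURE:
        return None
    return {"data": {"trivy.command": "filesystem"}}


def kubectl_patch_command(namespace, patch):
    """Build the kubectl command that applies the merge patch to the operator's Trivy ConfigMap."""
    return ("kubectl -n %s patch configmap trivy-operator-trivy-config --type merge -p '%s'"
            % (namespace, json.dumps(patch)))


if __name__ == "__main__":
    result = triage_log_line(SAMPLE_LOG_LINE)
    print(json.dumps(result, indent=2))
    patch = configmap_patch_for(result)
    if patch:
        namespace = result["job"].split("/")[0]
        print(kubectl_patch_command(namespace, patch))
```

Run it against a real line with `kubectl -n trivy-system logs deploy/trivy-operator | grep '"Scan job container"'` piped in one line at a time; the helper only reads the log, and the printed kubectl command is left for a human to review and run, since the same four-error signature also appears for private-registry images where credentials, not filesystem mode, are the fix.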
Fixed, now supported with global secret.