aquasecurity
VulnerabilityReports generation problem in multiPlatform clusters
What steps did you take and what happened:
We are using trivy-operator to scan our workloads in a multiplatform cluster. We have linux/arm64 and linux/amd64 nodes. Some of our applications are built multiplatform but some others are targeting just one or another. For those only built for linux/arm64 vulnerabilityReports are not being generated as trivy is trying to get the linux/amd64 image.
What did you expect to happen:
Trivy-operator being able to generate reports for all the images deployed in the cluster even if they are only built for one specifig platform
Anything else you would like to add:
We cannot use the --platform option because, as mentioned above, our clusters have images generated just for linux/arm64 and others only for linux/amd64
Environment:
- Trivy-Operator version (use
trivy-operator version): 0.31.0 - Kubernetes version (use
kubectl version): v1.31.11-eks-ace6451 - OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Graviton and amd64 instances
@guipal Thank you for your interest! This particular issue originates directly from Trivy’s design. Unfortunately, there’s no well-established solution for it at the moment. If you have any ideas or approaches in mind, please feel free to share them.
Thanks a lot!
Hello @afdesk . We finally opted to install the operator using the configFile option to provide the platform option. Nevertheless, although the command is using the --config /etc/trivy/trivy-config.yaml flag, the pod is not mounting any volume with the configFile provided. Any idea?
Hi @guipal thanks for the report
which version of trivy-operator do you use?
there was merged a fix for trivy config file - #2713, and it should work in the latest version now - v0.29.0
Hello and sorry for the late response.
After upgrading to the last versión we were able to use the config file.
Nevertheless, i would encourage to find a solution so the operator can analyze images in a multiplatform cluster.
Thank you!