
bug(k8s): Image scanned from "metadata:annotations:kubectl.kubernetes.io/last-applied-configuration" instead of "spec"

Open afdesk opened this issue 1 year ago • 10 comments

Description

Since #4786 (https://github.com/aquasecurity/trivy-kubernetes/pull/189), Trivy scans the last-applied configuration instead of the actual resource state.

Reason

For scans, Trivy prefers the info from an annotation. So if a customer mixes imperative and declarative styles, the result is a bit confusing.

https://github.com/aquasecurity/trivy-kubernetes/blob/b070991579cacd7634052dee2e250350d6e493e8/pkg/trivyk8s/trivyk8s.go#L208-L214

Note: the issue only happens if a resource is created with `kubectl apply`.

Solution

We can try to retrieve the version info in a more flexible way.

Reproduction Steps

1. Create a deployment:

   $ kubectl apply -f nginx-deployment.yaml

   nginx-deployment.yaml:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: nginx-deployment
     labels:
       app: nginx
       web: my-app
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: nginx
     template:
       metadata:
         labels:
           app: nginx
       spec:
         containers:
         - name: nginx
           image: nginx:1.14.1
           ports:
           - containerPort: 80
   ```

2. Update the image manually:

   $ kubectl set image deployment.apps/nginx-deployment nginx=nginx:1.15.0

3. Result:

   $ kubectl get deployment.apps/nginx-deployment -o yaml

   nginx-deployment details:

   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     annotations:
       deployment.kubernetes.io/revision: "3"
       kubectl.kubernetes.io/last-applied-configuration: |
         {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app":"nginx","web":"my-app"},"name":"nginx-deployment","namespace":"7551"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"nginx:1.14.1","name":"nginx","ports":[{"containerPort":80}]}]}}}}
     labels:
       app: nginx
       web: my-app
   spec:
     replicas: 1
     template:
       metadata:
         creationTimestamp: null
         labels:
           app: nginx
       spec:
         containers:
         - image: nginx:1.15.0
           name: nginx
           ports:
           - containerPort: 80
   ...
   ```

4. Trivy will scan `nginx:1.14.1` instead of `nginx:1.15.0`, which is what actually runs in the cluster.

Discussed in https://github.com/aquasecurity/trivy/discussions/7551

afdesk, Sep 23 '24 03:09
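The mismatch described in the reproduction steps can be checked for directly. The following is an added example, not code from Trivy or trivy-kubernetes: it reads a Deployment as returned by `kubectl get deployment ... -o json` (an assumed input format), extracts the container images from the live `spec` and from the `last-applied-configuration` annotation, and reports every container where the two disagree, i.e. where a scanner that trusts the annotation would scan a stale image. `Sample` is a constructed input that mirrors the issue's deployment after `kubectl set image`.

```go
package main

import "encoding/json"

// Minimal view of a Deployment; encoding/json matches keys case-insensitively,
// so no struct tags are needed for these fields.
type container struct{ Name, Image string }
type deployment struct {
	Metadata struct{ Annotations map[string]string }
	Spec     struct{ Template struct{ Spec struct{ Containers []container } } }
}

// images maps container name -> image for one deployment object.
func (d deployment) images() map[string]string {
	m := map[string]string{}
	for _, c := range d.Spec.Template.Spec.Containers {
		m[c.Name] = c.Image
	}
	return m
}

// ImageDrift returns, per container, "applied -> live" wherever the image in
// the live spec differs from the one recorded in the last-applied annotation.
// A resource without the annotation (e.g. created with kubectl create) has
// nothing stale to prefer, so the result is empty.
func ImageDrift(manifest []byte) (map[string]string, error) {
	var live, applied deployment
	if err := json.Unmarshal(manifest, &live); err != nil {
		return nil, err
	}
	drift := map[string]string{}
	raw, ok := live.Metadata.Annotations["kubectl.kubernetes.io/last-applied-configuration"]
	if !ok {
		return drift, nil
	}
	if err := json.Unmarshal([]byte(raw), &applied); err != nil {
		return nil, err // annotation present but not valid JSON
	}
	liveImgs := live.images()
	for name, old := range applied.images() {
		if cur, seen := liveImgs[name]; seen && cur != old {
			drift[name] = old + " -> " + cur
		}
	}
	return drift, nil
}

// Constructed sample: the issue's deployment after `kubectl set image`, as JSON.
const Sample = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"nginx-deployment","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"apps/v1\",\"kind\":\"Deployment\",\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.1\",\"name\":\"nginx\"}]}}}}"}},"spec":{"template":{"spec":{"containers":[{"image":"nginx:1.15.0","name":"nginx"}]}}}}`
```

Running `ImageDrift([]byte(Sample))` yields `map[nginx:nginx:1.14.1 -> nginx:1.15.0]`, the exact discrepancy the issue reports.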

I'd like to grab this one

michaeljsaenz, Oct 03 '24 19:10

@michaeljsaenz thanks! It'd be really nice!

afdesk, Oct 07 '24 09:10

please assign 👍🏽

michaeljsaenz, Oct 09 '24 16:10

Hi @michaeljsaenz! How is it going? Do you need any help? Thanks!

afdesk, Oct 29 '24 07:10

Hi @afdesk! Thanks for checking in. It's going well now; I had a little trouble with the tests due to this error, but I applied the workaround and all is well now (I wanted to confirm all tests pass before adding any changes 👍🏽).

  • I am currently working to add logic here in this package; please let me know if you have a recommendation or preference for where to add this.

Thank you!

michaeljsaenz, Oct 30 '24 05:10

@michaeljsaenz First, I'd like a detailed reason for https://github.com/aquasecurity/trivy-kubernetes/pull/189: why is it required for outdated-api when k8s converts resources? Maybe there is some documentation. Honestly, I haven't dug deep into it yet. Thanks!

afdesk, Oct 30 '24 05:10

Maybe this will help you: https://github.com/aquasecurity/trivy/issues/4784

afdesk, Oct 30 '24 05:10

We see similar behaviour, but for findings such as `'securityContext.readOnlyRootFilesystem' should be set to true` (AVD-KSV-0014).

I've fixed a number of these findings, but they still show on the Trivy report because the old configuration details are in the last-applied-configuration field.

phr3nzii, Dec 10 '24 16:12

Hi @michaeljsaenz, are there any updates here?

afdesk, Feb 03 '25 12:02

@phr3nzii Thanks for the report! I will try to fix it before the next release.

afdesk, Feb 03 '25 12:02