Morgan Hoffman

Results 6 comments of Morgan Hoffman

```yaml
apiVersion: v1
data:
  compliance.failEntriesLimit: "10"
  configAuditReports.scanner: Trivy
  node.collector.imageRef: ghcr.io/aquasecurity/node-collector:0.1.1
  node.collector.nodeSelector: "true"
  nodeCollector.volumeMounts: '[{"mountPath":"/var/lib/etcd","name":"var-lib-etcd","readOnly":true},{"mountPath":"/var/lib/kubelet","name":"var-lib-kubelet","readOnly":true},{"mountPath":"/var/lib/kube-scheduler","name":"var-lib-kube-scheduler","readOnly":true},{"mountPath":"/var/lib/kube-controller-manager","name":"var-lib-kube-controller-manager","readOnly":true},{"mountPath":"/etc/systemd","name":"etc-systemd","readOnly":true},{"mountPath":"/lib/systemd/","name":"lib-systemd","readOnly":true},{"mountPath":"/etc/kubernetes","name":"etc-kubernetes","readOnly":true},{"mountPath":"/etc/cni/net.d/","name":"etc-cni-netd","readOnly":true}]'
  nodeCollector.volumes: '[{"hostPath":{"path":"/var/lib/etcd"},"name":"var-lib-etcd"},{"hostPath":{"path":"/var/lib/kubelet"},"name":"var-lib-kubelet"},{"hostPath":{"path":"/var/lib/kube-scheduler"},"name":"var-lib-kube-scheduler"},{"hostPath":{"path":"/var/lib/kube-controller-manager"},"name":"var-lib-kube-controller-manager"},{"hostPath":{"path":"/etc/systemd"},"name":"etc-systemd"},{"hostPath":{"path":"/lib/systemd"},"name":"lib-systemd"},{"hostPath":{"path":"/etc/kubernetes"},"name":"etc-kubernetes"},{"hostPath":{"path":"/etc/cni/net.d/"},"name":"etc-cni-netd"}]'
  report.recordFailedChecksOnly: "true"
  scanJob.annotations: platform-logging-droplogging=true
  scanJob.compressLogs: "true"
  scanJob.podTemplateContainerSecurityContext: '{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true}'
  scanJob.tolerations: '[{"effect":"NoSchedule","operator":"Exists"}]'
  trivy.serverURL: http://trivy-service.platform-trivy-operator:4954
  vulnerabilityReports.scanner: Trivy
kind:...
```

No, the issue is the configmap gets configured, but the spawned scanjobs do not have the annotation that is indicated in the configmap.

Spotted annotation where it was reported missing. Closing ticket.

Is there any kind of node that the pre-flight should not be running on in a k8s cluster?

> This issue has not seen any activity since it was marked stale. Closing.

Looks like this is an incorrect action. Commenting to keep open.

I was heavy-handed playing with my lab cluster and found that the kubelet cert didn't seem to be involved in any of the cert refreshes, unlike other certs. I eventually...