fix: add using include/exclude kinds and namespaces

[afdesk]

Problem

After v0.51.0 to successfully scan a Kubernetes cluster, Trivy must be executed under a role that has read permissions at the cluster scope.

If a user tries to run trivy k8s under a limited account there will be a lot of error message (ex here).

I can reproduce it for limiteduser with the role:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

trivy k8s --report summary --disable-node-collector --kubeconfig ./k8s/configs/limiteduser-kubeconfig --include-namespaces default --include-kinds pod 
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: apps/v1, Resource=deployments - deployments.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=pods - pods is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: apps/v1, Resource=replicasets - replicasets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"replicasets\" in API group \"apps\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=replicationcontrollers - replicationcontrollers is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"replicationcontrollers\" in API group \"\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: apps/v1, Resource=statefulsets - statefulsets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"statefulsets\" in API group \"apps\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: apps/v1, Resource=daemonsets - daemonsets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"daemonsets\" in API group \"apps\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: batch/v1, Resource=cronjobs - cronjobs.batch is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"cronjobs\" in API group \"batch\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: batch/v1, Resource=jobs - jobs.batch is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=services - services is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"services\" in API group \"\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=serviceaccounts - serviceaccounts is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=configmaps - configmaps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"configmaps\" in API group \"\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"roles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=rolebindings - rolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"rolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-27T00:25:22+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: networking.k8s.io/v1, Resource=networkpolicies - networkpolicies.networking.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"networkpolicies\" in API group \"networking.k8s.io\" at the cluster scope"
2024-08-27T00:25:23+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: networking.k8s.io/v1, Resource=ingresses - ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope"
2024-08-27T00:25:23+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=resourcequotas - resourcequotas is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"resourcequotas\" in API group \"\" at the cluster scope"
2024-08-27T00:25:23+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=limitranges - limitranges is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"limitranges\" in API group \"\" at the cluster scope"
2024-08-27T00:25:23+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterroles - clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-27T00:25:23+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterrolebindings - clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-27T00:25:24+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: /v1, Resource=nodes - nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2024-08-27T00:25:24+06:00	ERROR	Unable to list node resources	error="nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"

Reason

Trivy must be able to access information about all cluster resources, including pods, deployments etc.

trivy-kubernetes/pkg/trivyk8s/trivyk8s.go

Lines 174 to 187 in b070991

	for _, gvr := range grvs {
	dclient := c.getDynamicClient(gvr)
	resources, err := dclient.List(ctx, v1.ListOptions{})
	if err != nil {
	lerr := fmt.Errorf("failed listing resources for gvr: %v - %w", gvr, err)
	if errors.IsNotFound(err) || errors.IsForbidden(err) {
	slog.Error("Unable to list resources", "error", lerr)
	continue
	}
	return nil, lerr
	}

Flags include/exclude kinds and namespaces are used only for the result filter.

trivy-kubernetes/pkg/trivyk8s/trivyk8s.go

Lines 189 to 206 in b070991

	for _, resource := range resources.Items {
	if c.ignoreResource(resource) {
	continue
	}
	// if excludeOwned is enabled and the resource is owned by built-in workload, then we skip it
	if c.excludeOwned && c.hasOwner(resource) {
	continue
	}
	// filter resources by kind
	if FilterResources(c.includeKinds, c.excludeKinds, resource.GetKind()) {
	continue
	}
	// filter resources by namespace
	if FilterResources(c.includeNamespaces, c.excludeNamespaces, resource.GetNamespace()) {
	continue
	}

Solution

This PR suggests next solution:

1. Collect scannable resources based on --include-kinds/--exclude-kinds flags.
2. Collect scannable namespaces based on --include-namespaces/--exclude-namespaces flags. If the namespaces are not provided.
3. Run Trivy for resources under each namespace.
4. If resources and namespaces are not provided, Trivy will run as currently at the cluster scope".
5. For exclude-namespaces a user has to have a cluster role to receive all namespaces and filter excluded ones.

Result:

$ ./trivy k8s --report summary --disable-node-collector --kubeconfig ./k8s/configs/limiteduser-kubeconfig --include-namespaces default --include-kinds pod

1 / 1 [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 0 p/s

Summary Report for default


Workload Assessment
┌───────────┬────────────────────────────────────┬───────────────────────────────┬────────────────────┬───────────────────┐
│ Namespace │              Resource              │        Vulnerabilities        │ Misconfigurations  │      Secrets      │
│           │                                    ├─────┬──────┬──────┬──────┬────┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│           │                                    │  C  │  H   │  M   │  L   │ U  │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├───────────┼────────────────────────────────────┼─────┼──────┼──────┼──────┼────┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ default   │ Pod/my-web-deploy-6dbcdb8c54-kbptl │ 157 │ 1336 │ 3108 │ 1529 │ 85 │   │ 1 │ 4 │ 10 │   │   │   │   │   │   │
└───────────┴────────────────────────────────────┴─────┴──────┴──────┴──────┴────┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

[simar7]

FYI this might be related aquasecurity/trivy#7107

[afdesk]

FYI this might be related aquasecurity/trivy#7107

thanks. I saw it
this fix just skips the permission error: https://github.com/aquasecurity/trivy-kubernetes/pull/374/files

[itaysk]

Reason Trivy must be able to access information about all cluster resources

so today in order to run any scan, the user needs cluster permissions? if so, indeed sounds like a bug, since we should support the use case of scanning only specific namespaced workloads.

Flags include/exclude kinds and namespaces are used only for the result filter.

needless to say, when the user includes something, we should scan only that, and when they exclude something we should scan everything but this (we can discuss what "everything" means, if we want to never scan some resources).
In either case, Trivy should not error on not-included or excluded resources for any reason (including permissoins). Also the user is responsible for scoping the scan to something they have permissions to.
the steps you describe seem to align with this.

Then there is the question of if Trivy should error and fail when attempting to scan unauthorised resources. I think that for included resources it should - similar to how Trivy would fail for scanning unreachable container image. But for non-excluded resources, maybe it shouldn't fail (since the user isn't aware of everything), and just report it. If supporting this behavior is out of scope for this PR, it's fine I'm just documenting my thoughts.

[afdesk]

so today in order to run any scan, the user needs cluster permissions?

yes, after v0.51.0 there is no way to set up a specific namespace, so all request run at the cluster scope.
so all service account with any Role (not ClusterRole) receives nothing for every resources.

we can discuss what "everything" means, if we want to never scan some resources

right now, "everything" for resources means next namespaced items: Deployments, Pods, ReplicaSets, ReplicationControllers, StatefulSets, DaemonSets, CronJobs, Jobs, Services, ServiceAccounts, ConfigMaps, Roles, RoleBindings, NetworkPolicies, Ingresses, ResourceQuotas, LimitRanges.
and also cluster resources ClusterRoles, ClusterRoleBindings and Nodes.

so a user can exclude any kind of this list.

there is a problem for exclude namespaces. I found out only one way to do it: get all namespaces and exclude specified ones. but such request requires a cluster role again.

[itaysk]

after v0.51.0 there is no way to set up a specific namespace

do you mean there is no way to include a specific namespace? meaning to scan just a specific namespace?

there is a problem for exclude namespaces

do you mean there's a problem in our specific implementation, or a general problem supporting such behavior?

[afdesk]

after v0.51.0 there is no way to set up a specific namespace

do you mean there is no way to include a specific namespace? meaning to scan just a specific namespace?

yes, a user can't specify a specific namespace to scan now, --include-namespaces works only as a filter.

there is a problem for exclude namespaces

do you mean there's a problem in our specific implementation, or a general problem supporting such behavior?

it's a good question, I'll take a look at another implementation

[afdesk]

do you mean there's a problem in our specific implementation, or a general problem supporting such behavior?

my thought is next:
to exclude some namespace, we need to get a list of namespaces, butnamespaces isn't a namespaced resource, so we need a cluster role to get a namespaces list.
or I missed something

UPD: so it seems It's a general problem such behavior.
@simar7 @itaysk wdyt?

[itaysk]

I understand.. in order to exclude namespaces you need to know all available namespaces. can you please point me to the relevant piece of code where this happens?

[afdesk]

I understand.. in order to exclude namespaces you need to know all available namespaces. can you please point me to the relevant piece of code where this happens?

sure, in the current code:

trivy-kubernetes/pkg/trivyk8s/trivyk8s.go

Lines 189 to 206 in b2f739e

	for _, resource := range resources.Items {
	if c.ignoreResource(resource) {
	continue
	}
	// if excludeOwned is enabled and the resource is owned by built-in workload, then we skip it
	if c.excludeOwned && c.hasOwner(resource) {
	continue
	}
	// filter resources by kind
	if FilterResources(c.includeKinds, c.excludeKinds, resource.GetKind()) {
	continue
	}
	// filter resources by namespace
	if FilterResources(c.includeNamespaces, c.excludeNamespaces, resource.GetNamespace()) {
	continue
	}

[afdesk]

my suggestion:
https://github.com/afdesk/trivy-kubernetes/blob/3cee92f75e565d7ea68352319cd001a4bad720d1/pkg/trivyk8s/trivyk8s.go#L200-L215

[simar7]

my suggestion:
https://github.com/afdesk/trivy-kubernetes/blob/3cee92f75e565d7ea68352319cd001a4bad720d1/pkg/trivyk8s/trivyk8s.go#L200-L215

Wouldn't all namespaces be cluster level resources anyway? Maybe I don't understand this logic https://github.com/afdesk/trivy-kubernetes/blob/3cee92f75e565d7ea68352319cd001a4bad720d1/pkg/trivyk8s/trivyk8s.go#L542-L546

[afdesk]

my suggestion:
https://github.com/afdesk/trivy-kubernetes/blob/3cee92f75e565d7ea68352319cd001a4bad720d1/pkg/trivyk8s/trivyk8s.go#L200-L215

Wouldn't all namespaces be cluster level resources anyway? Maybe I don't understand this logic https://github.com/afdesk/trivy-kubernetes/blob/3cee92f75e565d7ea68352319cd001a4bad720d1/pkg/trivyk8s/trivyk8s.go#L542-L546

yes, you're right. a customer needs a cluster role to get all namespaces.

[itaysk]

I think there's no way around it, so let's just make the experience clear:

1. if the user uses include command, no need for elevated permissions
2. if the user uses exclude command, require only necessary permissions (e.g list namespaces)
3. document the required permissions
4. when failing for this reason, explain the cause and solution (e.g list namespaces permissions required when using the --exclude-namespaces flag)

[simar7]

To summarize,

1. If user doesn't ensure that they have enough permissions and tries to run Trivy operator, we should fail out and show to the user why we failed. It's the users responsibility to ensure proper permissions are obtained prior to scanning.
2. If a user has enough permissions to scan but only requests a subset of resources, in such case we should only scan the subset. I believe this is different from today's behaviour where we scan everything & filter.

I believe this PR addresses point 2, but we should address point 1 if we don't already.

[afdesk]

1. If user doesn't ensure that they have enough permissions and tries to run Trivy operator, we should fail out and show to the user why we failed. It's the users responsibility to ensure proper permissions are obtained prior to scanning.

I've added a specific log message if there is no permission to get a namespaces list:
https://github.com/afdesk/trivy-kubernetes/blob/fix/perms/pkg/trivyk8s/trivyk8s.go#L206-L210

For example, if a limited user tries to exclude kube-system namespace:

$ ./trivy k8s --report summary --kubeconfig myconfig --exclude-namespaces kube-system
2024-12-03T16:09:23+06:00       FATAL   Fatal error     get k8s artifacts with node info error: 'exclude namespaces' option requires a cluster role with permissions to list namespaces

If a customer uses a limited role without some permissions, there will be shown an error message.
For example, if list isn't grant for "rbac.authorization.k8s.io":

2024-12-03T15:48:57+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"roles\" in API group \"rbac.authorization.k8s.io\" in the namespace \"dev\""
2024-12-03T15:48:57+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=rolebindings - rolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"rolebindings\" in API group \"rbac.authorization.k8s.io\" in the namespace \"dev\""

[afdesk]

Just FYI.
I wrote some scripts for tests and auto-deploy https://github.com/afdesk/k8s-samples/tree/main/limited-user
It may be useful for integration tests in Trivy in the future.

[afdesk]

@simar7 PTAL, when you have time. thanks!

[simar7]

This function seems untested, can we add some tests?

[afdesk]

done 75fd906

[simar7]

This can occur if a user passes in --include-namespaces and they don't have cluster level permissions as well right?

[afdesk]

This can occur if a user passes in --include-namespaces and they don't have cluster level permissions as well right?

no, it can occur only if len(c.excludeNamespaces) != 0
also a cluster role isn't required for --include-namespaces

[simar7]

Can we add some tests for this too?

[afdesk]

I thought about it.
ListArtifacts consists from several functions, which already tested: c.initResourceList() and c.getNamespaces().

c.ListSpecificArtifacts(ctx) had no tests, and I suggest to do it in a separated PR. wdyt?

[simar7]

What do you mean by this comment?

[afdesk]

the comment was improved eed731d