support k8s version and lastAppliedResource #1345

Closed
chen-keinan opened this issue Jul 8, 2023 · 7 comments · Fixed by #1347
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@chen-keinan
Contributor

It is required to add support for a k8s version and lastAppliedResource annotation check to the outdated-api capabilities, to be able to detect converted resources.

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning labels Jul 8, 2023
@jkleinlercher

jkleinlercher commented Jul 10, 2023

Great @chen-keinan! Can you please help me with how I can run this analysis in trivy-operator to get the outdated APIs? I still don't understand it … sorry!

@chen-keinan
Contributor Author

@jkleinlercher Note: the fix has been merged to upstream but not yet released.
I'll cut an RC tomorrow.
The outdated-api finding will appear as a ConfigAuditReport, so once you run the operator with an outdated-api resource you can find it with the query:
kubectl get ConfigAuditReport <outdated-api resource report name> -n <outdated-api resource namespace>

@chen-keinan
Contributor Author

chen-keinan commented Jul 10, 2023

@jkleinlercher example:

apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2023-07-10T19:20:44Z"
  generation: 1
  labels:
    plugin-config-hash: 659b7b9c46
    resource-spec-hash: 55b58d8898
    trivy-operator.resource.kind: CronJob
    trivy-operator.resource.name: demo-deprecated-cron-job
    trivy-operator.resource.namespace: default
  name: cronjob-demo-deprecated-cron-job
  namespace: default
  ownerReferences:
  - apiVersion: batch/v1
    blockOwnerDeletion: false
    controller: true
    kind: CronJob
    name: demo-deprecated-cron-job
    uid: 27df88e2-48c2-421b-8428-67517df3251e
  resourceVersion: "1298"
  uid: 0c85d50b-e1ad-43f1-9a91-3708a5d3ad02
report:
  checks:
  - category: Kubernetes Security Check
    checkID: KSV030
    description: The RuntimeDefault/Localhost seccomp profile must be required, or
      allow specific additional profiles.
    messages:
    - Either Pod or Container should set 'securityContext.seccompProfile.type' to
      'RuntimeDefault'
    severity: LOW
    success: false
    title: Default Seccomp profile not set
  - category: Kubernetes Security Check
    checkID: KSV107
    description: 'apiVersion ''batch/v1beta1'' and kind ''CronJob'' has been deprecated
      on: ''v1.21'' and planned for removal on:''v1.25'''
    messages:
    - |-
      apiVersion 'batch/v1beta1' and kind ‘CronJob' should be replaced with the new API 'batch.v1.CronJob'
      See https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/api/batch/v1beta1/zz_generated.prerelease-lifecycle.go
    severity: LOW
    success: false
    title: Evaluate k8s deprecated and removed APIs
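
The KSV107 finding above is keyed on the apiVersion the operator is handed, while the issue asks for detecting resources the API server has already converted to a newer version. The following is an added example (not trivy-operator's own code) of the annotation-based check the issue describes: it assumes the "lastAppliedResource" annotation is the `kubectl.kubernetes.io/last-applied-configuration` annotation that `kubectl apply` writes, reads the originally applied apiVersion and kind from it, and evaluates them against a constructed deprecation table that holds only the batch/v1beta1 CronJob lifecycle quoted in the report, for a given cluster minor version.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Annotation written by `kubectl apply`. It preserves the apiVersion the user
// submitted even after the API server converts the object to its storage
// version (a batch/v1beta1 CronJob is served back as batch/v1), so a check on
// the served apiVersion alone misses converted resources.
const lastApplied = "kubectl.kubernetes.io/last-applied-configuration"

// lifecycle of one apiVersion/kind, expressed as Kubernetes 1.x minor versions.
// Constructed table containing only the entry reported by KSV107 above; it is
// not the operator's real policy data.
type lifecycle struct {
	deprecatedMinor, removedMinor int
	replacement                   string
}

var deprecated = map[string]lifecycle{
	"batch/v1beta1/CronJob": {21, 25, "batch.v1.CronJob"},
}

// CheckOutdatedAPI returns a KSV107-style message when the API recorded in the
// last-applied annotation is deprecated or removed at cluster minor version
// clusterMinor, or "" when the resource is fine or the annotation is absent.
func CheckOutdatedAPI(annotations map[string]string, clusterMinor int) string {
	raw, ok := annotations[lastApplied]
	if !ok {
		return "" // not applied with kubectl; no original apiVersion to compare
	}
	var applied struct {
		APIVersion string `json:"apiVersion"`
		Kind       string `json:"kind"`
	}
	if json.Unmarshal([]byte(raw), &applied) != nil {
		return "" // malformed annotation: the applied API cannot be determined
	}
	lc, known := deprecated[applied.APIVersion+"/"+applied.Kind]
	if !known || clusterMinor < lc.deprecatedMinor {
		return ""
	}
	state := "deprecated"
	if clusterMinor >= lc.removedMinor {
		state = "removed"
	}
	return fmt.Sprintf("apiVersion '%s' and kind '%s' is %s in v1.%d and should be replaced with '%s'",
		applied.APIVersion, applied.Kind, state, clusterMinor, lc.replacement)
}
```

Run against an object whose served apiVersion is already batch/v1, the check still reports the batch/v1beta1 the user applied, which is the converted-resource case the issue is about.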

@chen-keinan
Contributor Author

@jkleinlercher trivy-operator v0.15.0-rc is available

@jkleinlercher

I tried it today. CronJob is working but HorizontalPodAutoscaler is not working. I tested with https://github.com/suxess-it/deprecated-k8s-api-testcase/blob/main/hpa-deprecated.yaml.
trivy cli finds it with "trivy conf" but trivy-operator doesn't.

@chen-keinan
Contributor Author

@jkleinlercher trivy-operator does not reconcile HorizontalPodAutoscaler. Can you open an issue for it, and I'll add the ability to reconcile custom resources.

@jkleinlercher

@chen-keinan I created issue #1384. Thank you!
