Trivy Kubernetes Scan Error #5639

Susanta2000 · 2023-11-23T10:34:31Z

Susanta2000
Nov 23, 2023

Question

Hi there, I am doing trivy compliance scan in an EKS cluster. I am getting the following error for multiple times.
Command: trivy k8s cluster --compliance=k8s-nsa --report summary
Error: 2023-11-23T15:34:59.435+0530 FATAL get k8s artifacts with node info error: running node-collector job: runner received timeout
When I ran this by increasing timeout, also get another error.
Command: trivy k8s cluster --compliance=k8s-nsa --report summary --timeout 15m
Error: 2023-11-23T15:35:37.341+0530 FATAL get k8s artifacts with node info error: running node-collector job: jobs.batch "node-collector-5bb7b6797b" already exists.

I was trying same things in another account's EKS cluster, but get same errors.
Can anyone help me out?

Target

None

Scanner

None

Output Format

None

Mode

None

Operating System

Ubuntu

Version

Version: 0.45.0

Answered by chen-keinan

Nov 27, 2023

@Susanta2000 can you delete trivy-temp namespace and run again
kubectl delete namespace trivy-temp

View full answer

chen-keinan · 2023-11-27T06:34:22Z

chen-keinan
Nov 27, 2023

@Susanta2000 can you delete trivy-temp namespace and run again
kubectl delete namespace trivy-temp

15 replies

Sk3pper Feb 20, 2024

I have the same problem but i cannot understand what i have to use to work. What did you use?

itaysk Apr 9, 2024
Maintainer

@Sk3pper can you comment to the original message and provide the reproduction steps and debug output?

holgerson97 Aug 7, 2024

trivy k8s --report all --timeout 1h -d --skip-images

2024-08-07T14:07:03+02:00       DEBUG   Cache dir       dir="/Users/xxx/Library/Caches/trivy"
2024-08-07T14:07:03+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-07T14:07:03+02:00       DEBUG   Ignore statuses statuses=[]
2024-08-07T14:07:22+02:00       FATAL   Fatal error
  - get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:42
  - running node-collector job: jobs.batch "node-collector-58b9bf5bb8" already exists

No namespace, no job.

afdesk Aug 7, 2024
Maintainer

@holgerson97 thanks for the report.
I can reproduce your issue on the clean minikube.
In my case it happens when I break Trivy through ctrl+C
after some time it works again,

$ trivy k8s --report all --timeout 1h -d --skip-images
2024-08-07T18:42:30+06:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-07T18:42:30+06:00	DEBUG	Ignore statuses	statuses=[]
^C
$ trivy k8s --report all --timeout 1h -d --skip-images
2024-08-07T18:42:40+06:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-07T18:42:40+06:00	DEBUG	Ignore statuses	statuses=[]
2024-08-07T18:42:43+06:00	FATAL	Fatal error
  - get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        /home/runner/work/trivy/trivy/pkg/k8s/commands/cluster.go:42
  - running node-collector job: jobs.batch "node-collector-7868567fb6" already exists

afdesk Aug 7, 2024
Maintainer

trivy k8s --report all --timeout 1h -d --skip-images

No namespace, no job.

but I can see a job:

$ kubectl get jobs --all-namespaces
NAMESPACE    NAME                        COMPLETIONS   DURATION   AGE
trivy-temp   node-collector-7868567fb6   1/1           13s        14s

starcraft66 · 2024-09-23T21:46:57Z

starcraft66
Sep 23, 2024

I'm experiencing the same problem:

❯ trivy k8s --report --debug summary oidc@k8s-235-1
[... 5 minutes go by ...]
2024-09-23T17:26:23-04:00	FATAL	Fatal error	flag error: report flag error: unable to parse flag: invalid argument "--debug" for "--report" flag: must be one of ["all" "summary"]

Using the suggested: trivy k8s --timeout 1h --report summary oidc@k8s-235-1 just results in the same thing.

Both times I see this job created:

@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp                           
NAME                        STATUS    COMPLETIONS   DURATION   AGE
node-collector-7c5b64fc7f   Running   0/1           11s        11s
@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp
NAME                        STATUS    COMPLETIONS   DURATION   AGE
node-collector-7c5b64fc7f   Running   0/1           15s        15s
@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp
@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl logs -n trivy-temp job/node-collector-7c5b64fc7f
{"apiVersion":"v1","kind":"NodeInfo","metadata":{"creationTimestamp":"2024-09-23T21:37:42Z"},"type":"worker","info":{"certificateAuthoritiesFileOwnership":{"values":[]},"certificateAuthoritiesFilePermissions":{"values":[]},"kubeconfigFileExistsOwnership":{"values":[]},"kubeconfigFileExistsPermissions":{"values":[]},"kubeletAnonymousAuthArgumentSet":{"values":[]},"kubeletAuthorizationModeArgumentSet":{"values":[]},"kubeletClientCaFileArgumentSet":{"values":[]},"kubeletConfFileOwnership":{"values":[]},"kubeletConfFilePermissions":{"values":[]},"kubeletConfigYamlConfigurationFileOwnership":{"values":[]},"kubeletConfigYamlConfigurationFilePermission":{"values":[]},"kubeletEventQpsArgumentSet":{"values":[]},"kubeletHostnameOverrideArgumentSet":{"values":["sassaflash.235.tdude.co"]},"kubeletMakeIptablesUtilChainsArgumentSet":{"values":[]},"kubeletOnlyUseStrongCryptographic":{"values":[]},"kubeletProtectKernelDefaultsArgumentSet":{"values":[]},"kubeletReadOnlyPortArgumentSet":{"values":[]},"kubeletRotateCertificatesArgumentSet":{"values":[]},"kubeletRotateKubeletServerCertificateArgumentSet":{"values":[]},"kubeletServiceFileOwnership":{"values":[]},"kubeletServiceFilePermissions":{"values":[]},"kubeletStreamingConnectionIdleTimeoutArgumentSet":{"values":[]},"kubeletTlsCertFileTlsArgumentSet":{"values":[]},"kubeletTlsPrivateKeyFileArgumentSet":{"values":[]}}}%                                                                                                                                                  @Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp                           
NAME                        STATUS     COMPLETIONS   DURATION   AGE
node-collector-7c5b64fc7f   Complete   1/1           27s        28s

1 reply

afdesk Sep 24, 2024
Maintainer

as said @chen-keinan you can try to delete namespace.

$ kubectl delete namespace trivy-temp

which version of Trivy do you use?
and also what is oidc@k8s-235-1? is it a context?

yitzhaktal · 2024-11-17T19:53:01Z

yitzhaktal
Nov 17, 2024

Same issue, can't get results...

❯
❯ trivy k8s --severity=CRITICAL --report=summary

2024-11-17T21:51:16+02:00 FATAL Fatal error get k8s artifacts with node info error: running node-collector job: jobs.batch "node-collector-774d8bccc9" already exists

1 reply

afdesk Nov 18, 2024
Maintainer

thanks for the report!
did you try to remove a trivy temporary namespace?

$ kubectl delete namespace trivy-temp

ak2766 · 2024-12-04T00:38:06Z

ak2766
Dec 4, 2024

Same issue on a kind cluster.

Intent is to first test this on a KinD cluster running k8s version 1.31.2 before attempting it on my production cluster:

$ > k get nodes
NAME                    STATUS   ROLES           AGE     VERSION
cilium-control-plane    Ready    control-plane   3m46s   v1.31.2
cilium-control-plane2   Ready    control-plane   3m40s   v1.31.2
cilium-control-plane3   Ready    control-plane   3m34s   v1.31.2
cilium-worker           Ready    <none>          3m28s   v1.31.2
cilium-worker2          Ready    <none>          3m28s   v1.31.2
cilium-worker3          Ready    <none>          3m28s   v1.31.2

$ > cilium version
cilium-cli: v0.16.20 compiled with go1.23.2 on linux/amd64
cilium image (default): v1.16.3
cilium image (stable): v1.16.4
cilium image (running): 1.16.4

I'm running the following trivy version:

$ > ./trivy version
Version: 0.58.0
Check Bundle:
  Digest: sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059
  DownloadedAt: 2024-12-03 23:24:38.164420326 +0000 UTC

And finally, I'm attempting to run trivy using the following command:

$ > ./trivy k8s --report summary --timeout 1h -d --skip-images
2024-12-04T11:27:39+11:00	DEBUG	No plugins loaded
2024-12-04T11:27:39+11:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-04T11:27:39+11:00	DEBUG	Cache dir	dir="/home/akk/.cache/trivy"
2024-12-04T11:27:39+11:00	DEBUG	Cache dir	dir="/home/akk/.cache/trivy"
2024-12-04T11:27:39+11:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-04T11:27:39+11:00	DEBUG	Ignore statuses	statuses=[]
2024-12-04T11:32:44+11:00	FATAL	Fatal error
  - get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        /home/runner/work/trivy/trivy/pkg/k8s/commands/cluster.go:42
  - running node-collector job: job failed: DeadlineExceeded: Job was active longer than specified deadline

Any suggestions?

29 replies

afdesk Dec 12, 2024
Maintainer

Which version of trivy are you running?:

Trivy v0.58.0 too.

could you try to set up tolerations on your clusters?
something like it:

$  trivy k8s --report summary -d --tolerations node-role.kubernetes.io/control-plane="":NoSchedule

afdesk Dec 12, 2024
Maintainer

I've created a new issue to track it #8087

ak2766 Dec 13, 2024

Interestingly, on my PoC k8s cluster on AWS running k8s v1.30.4, the NoSchedule taint doesn't use control-plane but rather master - i.e.:

$ > k get nodes -l node-role.kubernetes.io/control-plane -o jsonpath="{range .items[*]}{.metadata.name}{': '}{.spec.taints}{'\n'}{end}"
node1: [{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"}]

However, even after changing the toleration, it still fails to complete a successful scan without --scanners vuln. However, this time it's to do with context deadline exceeded as shown below:

$ > ./trivy k8s --report summary -d --tolerations node-role.kubernetes.io/master="":NoSchedule
2024-12-12T21:31:38+11:00	DEBUG	No plugins loaded
2024-12-12T21:31:38+11:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-12T21:31:38+11:00	DEBUG	Cache dir	dir="/home/akk/.cache/trivy"
2024-12-12T21:31:38+11:00	DEBUG	Cache dir	dir="/home/akk/.cache/trivy"
2024-12-12T21:31:38+11:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-12T21:31:38+11:00	DEBUG	Ignore statuses	statuses=[]
2024-12-12T21:31:39+11:00	DEBUG	[misconfig] Failed to open the check metadata	err="open /home/akk/.cache/trivy/policy/metadata.json: no such file or directory"
2024-12-12T21:31:39+11:00	INFO	[misconfig] Need to update the built-in checks
2024-12-12T21:31:39+11:00	INFO	[misconfig] Downloading the built-in checks...
2024-12-12T21:31:39+11:00	DEBUG	[misconfig] Loading check bundle	repository="mirror.gcr.io/aquasec/trivy-checks:1"
160.80 KiB / 160.80 KiB [------------------------------------------------------------------------------------------------------------] 100.00% 2.15 MiB p/s 300ms
2024-12-12T21:31:41+11:00	DEBUG	[misconfig] Digest of the built-in checks	digest="sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059"
2024-12-12T21:33:35+11:00	INFO	Node scanning is enabled
2024-12-12T21:33:35+11:00	INFO	If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2024-12-12T21:33:35+11:00	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open /home/akk/.cache/trivy/db/metadata.json: no such file or directory"
2024-12-12T21:33:35+11:00	INFO	[vulndb] Need to update DB
2024-12-12T21:33:35+11:00	DEBUG	[vulndb] No metadata file
2024-12-12T21:33:35+11:00	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T21:33:35+11:00	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
57.31 MiB / 57.31 MiB [---------------------------------------------------------------------------------------------------------------] 100.00% 6.59 MiB p/s 8.9s
2024-12-12T21:33:45+11:00	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-12-12T21:33:45+11:00	DEBUG	Updating database metadata...
2024-12-12T21:33:45+11:00	DEBUG	DB info	schema=2 updated_at=2024-12-12T06:16:32.82899896Z next_update=2024-12-13T06:16:32.82899858Z downloaded_at=2024-12-12T10:33:45.537032958Z
2024-12-12T21:33:45+11:00	INFO	Scanning K8s...	K8s="[email protected]"
668.77 MiB / 668.77 MiB [------------------------------------------------------------------------------------------------------------] 100.00% 6.39 MiB p/s 1m45s
9 / 378 [--->_______________________________________________________________________________________________________________________________________] 2.38% 0 p/s
2024-12-12T21:37:16+11:00	FATAL	Fatal error
  - k8s scan error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run
        /home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:92
  - context deadline exceeded

afdesk Dec 16, 2024
Maintainer

Interestingly, on my PoC k8s cluster on AWS running k8s v1.30.4, the NoSchedule taint doesn't use control-plane but rather master - i.e.:

$ > k get nodes -l node-role.kubernetes.io/control-plane -o jsonpath="{range .items[*]}{.metadata.name}{': '}{.spec.taints}{'\n'}{end}"
node1: [{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"}]

However, even after changing the toleration, it still fails to complete a successful scan without --scanners vuln. However, this time it's to do with context deadline exceeded as shown below:

$ > ./trivy k8s --report summary -d --tolerations node-role.kubernetes.io/master="":NoSchedule
2024-12-12T21:31:38+11:00	DEBUG	No plugins loaded
2024-12-12T21:31:38+11:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-12T21:31:38+11:00	DEBUG	Cache dir	dir="/home/akk/.cache/trivy"
2024-12-12T21:31:38+11:00	DEBUG	Cache dir	dir="/home/akk/.cache/trivy"
2024-12-12T21:31:38+11:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-12T21:31:38+11:00	DEBUG	Ignore statuses	statuses=[]
2024-12-12T21:31:39+11:00	DEBUG	[misconfig] Failed to open the check metadata	err="open /home/akk/.cache/trivy/policy/metadata.json: no such file or directory"
2024-12-12T21:31:39+11:00	INFO	[misconfig] Need to update the built-in checks
2024-12-12T21:31:39+11:00	INFO	[misconfig] Downloading the built-in checks...
2024-12-12T21:31:39+11:00	DEBUG	[misconfig] Loading check bundle	repository="mirror.gcr.io/aquasec/trivy-checks:1"
160.80 KiB / 160.80 KiB [------------------------------------------------------------------------------------------------------------] 100.00% 2.15 MiB p/s 300ms
2024-12-12T21:31:41+11:00	DEBUG	[misconfig] Digest of the built-in checks	digest="sha256:f6901e03f486a48f47aa17a78d89d18e6c31ded82aff83ed19d0d73935a1a059"
2024-12-12T21:33:35+11:00	INFO	Node scanning is enabled
2024-12-12T21:33:35+11:00	INFO	If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2024-12-12T21:33:35+11:00	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open /home/akk/.cache/trivy/db/metadata.json: no such file or directory"
2024-12-12T21:33:35+11:00	INFO	[vulndb] Need to update DB
2024-12-12T21:33:35+11:00	DEBUG	[vulndb] No metadata file
2024-12-12T21:33:35+11:00	INFO	[vulndb] Downloading vulnerability DB...
2024-12-12T21:33:35+11:00	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
57.31 MiB / 57.31 MiB [---------------------------------------------------------------------------------------------------------------] 100.00% 6.59 MiB p/s 8.9s
2024-12-12T21:33:45+11:00	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-12-12T21:33:45+11:00	DEBUG	Updating database metadata...
2024-12-12T21:33:45+11:00	DEBUG	DB info	schema=2 updated_at=2024-12-12T06:16:32.82899896Z next_update=2024-12-13T06:16:32.82899858Z downloaded_at=2024-12-12T10:33:45.537032958Z
2024-12-12T21:33:45+11:00	INFO	Scanning K8s...	K8s="[email protected]"
668.77 MiB / 668.77 MiB [------------------------------------------------------------------------------------------------------------] 100.00% 6.39 MiB p/s 1m45s
9 / 378 [--->_______________________________________________________________________________________________________________________________________] 2.38% 0 p/s
2024-12-12T21:37:16+11:00	FATAL	Fatal error
  - k8s scan error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.(*runner).run
        /home/runner/work/trivy/trivy/pkg/k8s/commands/run.go:92
  - context deadline exceeded

it's definitely another issue on your side.
If I understand correctly you already fixed it by yourself )

ak2766 Dec 16, 2024

Yep. Turned out to be latency related. Works as advertised after adding the necessary tolerations.

That taints being master instead of control-plane might be related to the kubeadm config file i used.

Thanks for your patience.

john-funk · 2024-12-09T12:25:12Z

john-funk
Dec 9, 2024

I also ran into this issue due to a Taint on one of my nodes.
After checking for taints with

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{range .spec.taints[*]}{.key}{"="}{.value}{":"}{.effect}{"\n"}{end}{"\n"}{end}

and adding the listed taints to the trivy command like this:

trivy k8s --ignore-unfixed --tolerations KEY=VALUE:EFFECT --report=all --timeout=1h

THe scan ran through successfully.

2 replies

afdesk Dec 12, 2024
Maintainer

@john-funk thanks for the report
we should investigate this behavior

afdesk Dec 12, 2024
Maintainer

I've created an issue to track it #8087

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy Kubernetes Scan Error #5639

{{title}}

Replies: 5 comments 48 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Trivy Kubernetes Scan Error #5639

Question

Target

Scanner

Output Format

Mode

Operating System

Version

Replies: 5 comments · 48 replies

itaysk Apr 9, 2024 Maintainer

afdesk Aug 7, 2024 Maintainer

afdesk Aug 7, 2024 Maintainer

afdesk Sep 24, 2024 Maintainer

afdesk Nov 18, 2024 Maintainer

afdesk Dec 12, 2024 Maintainer

afdesk Dec 12, 2024 Maintainer

afdesk Dec 16, 2024 Maintainer

afdesk Dec 12, 2024 Maintainer

afdesk Dec 12, 2024 Maintainer

Replies: 5 comments 48 replies

itaysk Apr 9, 2024
Maintainer

afdesk Aug 7, 2024
Maintainer

afdesk Aug 7, 2024
Maintainer

afdesk Sep 24, 2024
Maintainer

afdesk Nov 18, 2024
Maintainer

afdesk Dec 12, 2024
Maintainer

afdesk Dec 12, 2024
Maintainer

afdesk Dec 16, 2024
Maintainer

afdesk Dec 12, 2024
Maintainer

afdesk Dec 12, 2024
Maintainer