0.51: kubernetes scanner requires role permissions #6692

Closed
1 of 2 tasks
chen-keinan opened this issue May 15, 2024 Discussed in #6653 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@chen-keinan (Contributor)

Discussed in #6653

Originally posted by jkroepke May 7, 2024

Description

I'm running trivy with a limited scope of permissions.

Before 0.51, I was running trivy with the following settings:

      trivy --quiet -q kubernetes --report=all \
        --components workload \
        --disable-node-collector \
        --cache-dir /tmp/.trivycache/ \
        --no-progress \
        --ignore-unfixed \
        --exit-code 0 \
        --slow \
        --format table \
        --scanners vuln \
        --ignorefile /.trivyignore \
        --vuln-type os \
        -n opsstack \
        -o "/scans/report.all.html" \
        deploy,sts,ds;

which works fine. After the upgrade, I'm using the following command:

      trivy kubernetes --report=all \
        --disable-node-collector \
        --cache-dir /tmp/.trivycache/ \
        --no-progress \
        --ignore-unfixed \
        --exit-code 0 \
        --slow \
        --format table \
        --scanners vuln \
        --ignorefile /.trivyignore \
        --vuln-type os \
        --include-namespaces opsstack \
        -o "/scans/report.all.html" \
        --include-kinds deploy,sts,ds;

I'm getting an error that trivy has no access to roles. However, trivy should not ask for roles.

Desired Behavior

Expect that trivy scans the workloads of deployments, statefulsets and daemonsets.

Actual Behavior

2024-05-07T15:49:56Z FATAL Fatal error get k8s artifacts error: failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:opsstack:opsstack-trivy" cannot list resource "roles" in API group "rbac.authorization.k8s.io" at the cluster scope

Reproduction Steps

1. Setup trivy using a context with namespace access only
2. Run the command above

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-05-07T15:51:34Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-07T15:51:34Z    DEBUG   Ignore statuses statuses=[0 1 2 4 5 6 7]
2024-05-07T15:51:40Z    FATAL   Fatal error
  - get k8s artifacts error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        /home/runner/work/trivy/trivy/pkg/k8s/commands/cluster.go:49
  - failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:opsstack:opsstack-trivy" cannot list resource "roles" in API group "rbac.authorization.k8s.io" at the cluster scope

Operating System

Linux

Version

Version: 0.51.1

Checklist

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning labels May 15, 2024
@chen-keinan chen-keinan self-assigned this May 15, 2024
@chen-keinan chen-keinan added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 15, 2024
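The FATAL line above says "at the cluster scope": the scanner issued a list of `roles` with no namespace, and a namespaced Role bound by a RoleBinding can never satisfy a cluster-scoped request, no matter which verbs it grants. The following is an added example, not trivy's code and not part of the issue. It models just the scoping rule of the Kubernetes RBAC authorizer and replays the two command lines against a constructed Role. The service account name and namespace are taken from the error; the Role, the bindings and the per-version request lists are constructed here, and the 0.51 request list (namespaced workload lists plus one cluster-scoped list of `rbac.authorization.k8s.io` roles) is an assumption reconstructed from the log, not a statement about trivy's internals.

```python
# Added example, not trivy's code: a minimal model of Kubernetes RBAC scoping that
# reproduces the "forbidden ... at the cluster scope" failure from the issue.
# Everything below (Role rules, bindings, request lists) is constructed; the 0.51
# request list is an assumption reconstructed from the FATAL message.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Binding:
    subject: str                # e.g. "system:serviceaccount:<ns>:<sa>"
    rules: Tuple[Rule, ...]     # rules of the referenced Role / ClusterRole
    namespace: Optional[str]    # RoleBinding namespace; None for a ClusterRoleBinding


# A request is (verb, api_group, resource, namespace). namespace=None is a
# cluster-scoped request, e.g. a list across all namespaces.
Request = Tuple[str, str, str, Optional[str]]


def _matches(allowed: Sequence[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def can_i(bindings, subject, verb, api_group, resource, namespace=None) -> bool:
    """Mirror the RBAC authorizer's scoping: a RoleBinding only authorizes requests
    inside its own namespace, so a cluster-scoped request (namespace=None) can be
    satisfied only by a ClusterRoleBinding, whatever rules the Role carries."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(_matches(r.api_groups, api_group) and _matches(r.resources, resource)
               and _matches(r.verbs, verb) for r in b.rules):
            return True
    return False


def first_denied(bindings, subject, requests) -> Optional[Request]:
    """Return the first request the subject cannot perform, or None if all pass."""
    for req in requests:
        if not can_i(bindings, subject, *req):
            return req
    return None


def forbidden_message(subject, verb, api_group, resource, namespace=None) -> str:
    """Render a denial the way the API server words it, for comparison with the log."""
    scope = "at the cluster scope" if namespace is None else f'in the namespace "{namespace}"'
    return (f'{resource}.{api_group} is forbidden: User "{subject}" cannot {verb} '
            f'resource "{resource}" in API group "{api_group}" {scope}')


SA = "system:serviceaccount:opsstack:opsstack-trivy"   # from the error message
NS = "opsstack"
WORKLOADS = ("deployments", "statefulsets", "daemonsets")

# Constructed: a namespaced Role bound in opsstack. It deliberately grants list on
# roles too, to show the failure is about scope, not a missing verb.
NAMESPACED_ONLY = (
    Binding(SA, (Rule(("apps",), WORKLOADS, ("list",)),
                 Rule(("rbac.authorization.k8s.io",), ("roles",), ("list",))), NS),
)
# Constructed: the cluster-wide workaround (a ClusterRoleBinding), which over-grants
# list on roles in every namespace.
CLUSTER_WIDE_ROLES = (
    Binding(SA, (Rule(("rbac.authorization.k8s.io",), ("roles",), ("list",)),), None),
)

# Assumed request pattern of `-n opsstack deploy,sts,ds` before 0.51: namespaced lists only.
REQUESTS_PRE_051: Tuple[Request, ...] = tuple(("list", "apps", r, NS) for r in WORKLOADS)
# Assumed request pattern of 0.51.1, reconstructed from the log: the same lists plus one
# cluster-scoped list of roles.
REQUESTS_051: Tuple[Request, ...] = REQUESTS_PRE_051 + (
    ("list", "rbac.authorization.k8s.io", "roles", None),)

if __name__ == "__main__":
    denied = first_denied(NAMESPACED_ONLY, SA, REQUESTS_051)
    print(forbidden_message(SA, *denied) if denied else "all requests allowed")
```

Run as-is, the script prints a line identical to the `roles.rbac.authorization.k8s.io is forbidden` text in the issue. The two ways out are visible in the model: the scanner keeps every list namespaced when `--include-namespaces` is set (no RBAC change needed), or the operator adds a ClusterRoleBinding, which grants the account read access to roles in every namespace and so defeats the point of the limited-scope setup.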
@chen-keinan (Contributor, Author)

fixed by #6707

@DmitriyLewen (Contributor)

Fixed by #7107
