CIS Benchmark k8s-cis-1.23 is empty #2285

Open
Halogenmake opened this issue Oct 15, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

Halogenmake commented Oct 15, 2024

What steps did you take and what happened:
I’m using the latest version of Trivy Operator, 0.22. All components are functioning as expected, but the k8s-cis-1.23 report is not being generated. Meanwhile, the k8s-pss-baseline-0.1 report is generated without issues.

What did you expect to happen:

Anything else you would like to add:
The configuration file for the modified settings is as follows:

---
trivy:
  command: filesystem

trivyOperator:
  scanJobPodTemplateContainerSecurityContext:
    # For filesystem scanning, Trivy needs to run as the root user
    runAsUser: 0
  scanJobNodeSelector:
    node.kubernetes.io/role: worker

nodeSelector:
  node.kubernetes.io/role: worker

compliance:
  reportType: all

operator:
  scanJobsConcurrentLimit: 5
  scannerReportTTL: "120h"

nodeCollector:
  tolerations:
    - key: ***/control-plane
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: engineering
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: s***a
      operator: "Equal"
      effect: NoSchedule     

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.22
  • Kubernetes version (use kubectl version): v1.30.4+rke2r1
@Halogenmake Halogenmake added the kind/bug Categorizes issue or PR as related to a bug. label Oct 15, 2024
@elaurensx

Can confirm the issue. Observed during the installation of the trivy-operator-polr-adapter.

kubectl logs -f trivy-operator-polr-adapter-5f647d56b9-5k9jk
kind.go] "if kind is a CRD, it should be installed before calling Start" err="no matches for kind \"CISKubeBenchReport\" in version \"aquasecurity.github.io/v1alpha1\"" logger="controller-runtime.source.EventHandler" kind="CISKubeBenchReport.aquasecurity.github.io"

@Halogenmake
Author

Additional information: I use Helm chart version 0.24.1.

@Halogenmake
Author

More details: I have multiple Kubernetes clusters, and on some clusters, the report is generated correctly, while on others, it isn’t. The cluster versions, Helm chart versions, and application versions are all the same.

Meanwhile, on the clusters where the report is not generated, the ClusterComplianceReport:k8s-cis-1.23 resource exists, but it lacks a status section—only the spec section is present.
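
To find affected clusters quickly, the symptom described in this thread (a ClusterComplianceReport that has a spec but no status) can be checked from `kubectl` JSON output. The script below is an added example, not part of the issue or of Trivy Operator's code; it assumes the output of `kubectl get clustercompliancereports -o json` is piped in, and the sample data and the helper names `classify` and `unpopulated_reports` are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clustercompliancereports -o json`.
# The status contents are illustrative; only the presence of "status" is checked.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterComplianceReport",
         "metadata": {"name": "k8s-cis-1.23"},
         "spec": {"reportType": "all"}},                      # spec only, as in the issue
        {"kind": "ClusterComplianceReport",
         "metadata": {"name": "k8s-pss-baseline-0.1"},
         "spec": {"reportType": "all"},
         "status": {"summary": {"passCount": 10, "failCount": 1}}},
        {"kind": "ClusterComplianceReport",
         "metadata": {"name": "constructed-empty-status"},
         "spec": {"reportType": "all"},
         "status": {}},                                       # key present but empty
    ],
})


def classify(report):
    """Return 'no-status', 'empty-status' or 'populated' for one report object."""
    status = report.get("status")
    if status is None:
        return "no-status"
    if not status:
        return "empty-status"
    return "populated"


def unpopulated_reports(list_json):
    """Map report name -> state for every report whose status was never written."""
    doc = json.loads(list_json)
    items = doc["items"] if "items" in doc else [doc]  # accept a List or one object
    result = {}
    for item in items:
        if item.get("kind") != "ClusterComplianceReport":
            continue
        state = classify(item)
        if state != "populated":
            result[item["metadata"]["name"]] = state
    return result


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, state in sorted(unpopulated_reports(raw.strip() or SAMPLE).items()):
        print(f"{name}: {state}")
```

Running it against each cluster's context separates clusters where the compliance controller never wrote a status from those where the report is populated.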
