Description
I have installed trivy-operator (both v0.23.0 and v21.4) on an OpenShift cluster (cluster version: 4.17.9).
All pods are in running state and I am getting the vulnerability report and other reports except configauditreport. I tried to check the logs but could not find any particular issues.
I suspect there is some issue with the CRDs installed (not able to attach the yaml).
PFB
```
C:\Users>oc get pods -o wide -n trivy-system
NAME                                        READY   STATUS      RESTARTS   AGE     IP              NODE   NOMINATED NODE   READINESS GATES
node-collector-6c4b84cbbf-5lc24             0/1     Completed   0          3d      10.131.6.42
scan-vulnerabilityreport-5995b59d86-brmmb   3/3     Running     0          18s     10.131.12.211
scan-vulnerabilityreport-689458bf4d-62k8w   0/1     Running     0          7s      10.130.49.204
scan-vulnerabilityreport-69b8567c4b-qjx8m   0/3     Running     0          8s      10.131.79.70
trivy-operator-9fb88dbfc-qkg6q              1/1     Running     0          2d23h   10.131.12.77

$ oc get configauditreports -A
No resources found
```
**What did you expect to happen:** Trivy operator should publish configauditreport

Environment:

- Trivy-Operator version (use `trivy-operator version`): v0.23.0 and v0.21.4 (I tried both)
- Kubernetes version (use `kubectl version`): openshift 4.17.9
- OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): ubuntu 22
I am adding the CRD yaml here as I was not able to attach the yaml directly:
clusterconfigauditreports.aquasecurity.github.io:

```yaml
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: clusterconfigauditreports.aquasecurity.github.io
  uid: 67eb3e7f-3b65-4c50-82b2-9a3313a68518
  resourceVersion: '2427179094'
  generation: 1
  creationTimestamp: '2025-01-17T08:15:19Z'
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  managedFields:
    - manager: kube-apiserver
      operation: Update
      apiVersion: apiextensions.k8s.io/v1
      time: '2025-01-17T08:15:19Z'
spec:
  group: aquasecurity.github.io
  names:
    plural: clusterconfigauditreports
    singular: clusterconfigauditreport
    shortNames:
      - clusterconfigaudit
    kind: ClusterConfigAuditReport
    listKind: ClusterConfigAuditReportList
  scope: Cluster
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport resource.
          type: object
          required:
            - report
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            report:
              type: object
              required:
                - checks
              properties:
                checks:
                  description: Checks provides results of conducting audit steps.
                  type: array
                  items:
                    description: Check provides the result of conducting a single audit step.
                    type: object
                    required:
                      - checkID
                      - severity
                      - success
                    properties:
                      success:
                        type: boolean
                      checkID:
                        type: string
                      remediation:
                        description: Remediation provides description or links to external resources to remediate failing check.
                        type: string
                      messages:
                        type: array
                        items:
                          type: string
                      scope:
                        description: Scope indicates the section of config that was audited.
                        type: object
                        required:
                          - type
                          - value
                        properties:
                          type:
                            description: 'Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath.'
                            type: string
                          value:
                            description: 'Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression'
                            type: string
                      title:
                        type: string
                      description:
                        type: string
                      severity:
                        description: Severity level of a vulnerability or a configuration audit check.
                        type: string
                      category:
                        type: string
                scanner:
                  description: Scanner is the spec for a scanner generating a security assessment report.
                  type: object
                  required:
                    - name
                    - vendor
                    - version
                  properties:
                    name:
                      description: Name the name of the scanner.
                      type: string
                    vendor:
                      description: Vendor the name of the vendor providing the scanner.
                      type: string
                    version:
                      description: Version the version of the scanner.
                      type: string
                summary:
                  description: ConfigAuditSummary counts failed checks by severity.
                  type: object
                  required:
                    - criticalCount
                    - highCount
                    - lowCount
                    - mediumCount
                  properties:
                    criticalCount:
                      description: CriticalCount is the number of failed checks with critical severity.
                      type: integer
                    highCount:
                      description: HighCount is the number of failed checks with high severity.
                      type: integer
                    lowCount:
                      description: LowCount is the number of failed check with low severity.
                      type: integer
                    mediumCount:
                      description: MediumCount is the number of failed checks with medium severity.
                      type: integer
                updateTimestamp:
                  type: string
                  format: date-time
          x-kubernetes-preserve-unknown-fields: true
      subresources: {}
      additionalPrinterColumns:
        - name: Scanner
          type: string
          description: The name of the config audit scanner
          jsonPath: .report.scanner.name
        - name: Age
          type: date
          description: The age of the report
          jsonPath: .metadata.creationTimestamp
        - name: Critical
          type: integer
          description: The number of failed checks with critical severity
          priority: 1
          jsonPath: .report.summary.criticalCount
        - name: High
          type: integer
          description: The number of failed checks with high severity
          priority: 1
          jsonPath: .report.summary.highCount
        - name: Medium
          type: integer
          description: The number of failed checks with medium severity
          priority: 1
          jsonPath: .report.summary.mediumCount
        - name: Low
          type: integer
          description: The number of failed checks with low severity
          priority: 1
          jsonPath: .report.summary.lowCount
  conversion:
    strategy: None
status:
  conditions:
    - type: NamesAccepted
      status: 'True'
      lastTransitionTime: '2025-01-17T08:15:19Z'
      reason: NoConflicts
      message: no conflicts found
    - type: Established
      status: 'True'
      lastTransitionTime: '2025-01-17T08:15:19Z'
      reason: InitialNamesAccepted
      message: the initial names have been accepted
  acceptedNames:
    plural: clusterconfigauditreports
    singular: clusterconfigauditreport
    shortNames:
      - clusterconfigaudit
    kind: ClusterConfigAuditReport
    listKind: ClusterConfigAuditReportList
  storedVersions:
    - v1alpha1
```
clustercompliancereports.aquasecurity.github.io:

```yaml
kind: CustomResourceDefinition
apiVersion: apiextensions.k8s.io/v1
metadata:
  name: clustercompliancereports.aquasecurity.github.io
  uid: 73b40d5e-6288-42da-a404-e284ac906270
  resourceVersion: '2427179079'
  generation: 1
  creationTimestamp: '2025-01-17T08:15:19Z'
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
spec:
  group: aquasecurity.github.io
  names:
    plural: clustercompliancereports
    singular: clustercompliancereport
    shortNames:
      - compliance
    kind: ClusterComplianceReport
    listKind: ClusterComplianceReportList
  scope: Cluster
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          description: ClusterComplianceReport is a specification for the ClusterComplianceReport resource.
          type: object
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: ReportSpec represent the compliance specification
              type: object
              required:
                - compliance
                - cron
                - reportType
              properties:
                compliance:
                  type: object
                  required:
                    - controls
                    - description
                    - id
                    - relatedResources
                    - title
                    - version
                  properties:
                    controls:
                      description: Control represent the cps controls data and mapping checks
                      type: array
                      items:
                        description: Control represent the cps controls data and mapping checks
                        type: object
                        required:
                          - id
                          - name
                          - severity
                        properties:
                          checks:
                            type: array
                            items:
                              description: SpecCheck represent the scanner who perform the control check
                              type: object
                              required:
                                - id
                              properties:
                                id:
                                  description: id define the check id as produced by scanner
                                  type: string
                          defaultStatus:
                            description: define the default value for check status in case resource not found
                            type: string
                            enum:
                              - PASS
                              - WARN
                              - FAIL
                          description:
                            type: string
                          id:
                            description: id define the control check id
                            type: string
                          name:
                            type: string
                          severity:
                            description: define the severity of the control
                            type: string
                            enum:
                              - CRITICAL
                              - HIGH
                              - MEDIUM
                              - LOW
                              - UNKNOWN
                    description:
                      type: string
                    id:
                      type: string
                    relatedResources:
                      type: array
                      items:
                        type: string
                    title:
                      type: string
                    version:
                      type: string
                cron:
                  description: cron define the intervals for report generation
                  type: string
                  pattern: '^(((([*]{1}){1})|((*/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([*]{1}){1})|((*/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([*]{1}){1})|((*/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([*]{1}){1})|((*/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([*]{1}){1})|((*/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$'
                reportType:
                  type: string
                  enum:
                    - summary
                    - all
            status:
              type: object
              required:
                - updateTimestamp
              properties:
                detailReport:
                  description: ComplianceReport represents a kubernetes scan report
                  type: object
                  properties:
                    description:
                      type: string
                    id:
                      type: string
                    relatedVersion:
                      type: array
                      items:
                        type: string
                    results:
                      type: array
                      items:
                        type: object
                        required:
                          - checks
                        properties:
                          checks:
                            type: array
                            items:
                              description: ComplianceCheck provides the result of conducting a single compliance step.
                              type: object
                              required:
                                - checkID
                                - severity
                                - success
                              properties:
                                success:
                                  type: boolean
                                checkID:
                                  type: string
                                remediation:
                                  description: Remediation provides description or links to external resources to remediate failing check.
                                  type: string
                                messages:
                                  type: array
                                  items:
                                    type: string
                                target:
                                  type: string
                                title:
                                  type: string
                                description:
                                  type: string
                                severity:
                                  description: Severity level of a vulnerability or a configuration audit check.
                                  type: string
                                category:
                                  type: string
                          description:
                            type: string
                          id:
                            type: string
                          name:
                            type: string
                          severity:
                            type: string
                          status:
                            type: string
                    title:
                      type: string
                    version:
                      type: string
                  x-kubernetes-preserve-unknown-fields: true
                summary:
                  type: object
                  properties:
                    failCount:
                      type: integer
                    passCount:
                      type: integer
                summaryReport:
                  description: SummaryReport represents a kubernetes scan report with consolidated findings
                  type: object
                  properties:
                    controlCheck:
                      type: array
                      items:
                        type: object
                        properties:
                          id:
                            type: string
                          name:
                            type: string
                          severity:
                            type: string
                          totalFail:
                            type: integer
                    id:
                      type: string
                    title:
                      type: string
                  x-kubernetes-preserve-unknown-fields: true
                updateTimestamp:
                  type: string
                  format: date-time
          x-kubernetes-preserve-unknown-fields: true
      subresources:
        status: {}
      additionalPrinterColumns:
        - name: Age
          type: date
          description: The age of the report
          jsonPath: .metadata.creationTimestamp
        - name: Fail
          type: integer
          description: The number of checks that failed
          priority: 1
          jsonPath: .status.summary.failCount
        - name: Pass
          type: integer
          description: The number of checks that passed
          priority: 1
          jsonPath: .status.summary.passCount
  conversion:
    strategy: None
status:
  conditions:
    - type: NamesAccepted
      status: 'True'
      lastTransitionTime: '2025-01-17T08:15:19Z'
      reason: NoConflicts
      message: no conflicts found
    - type: Established
      status: 'True'
      lastTransitionTime: '2025-01-17T08:15:19Z'
      reason: InitialNamesAccepted
      message: the initial names have been accepted
  acceptedNames:
    plural: clustercompliancereports
    singular: clustercompliancereport
    shortNames:
      - compliance
    kind: ClusterComplianceReport
    listKind: ClusterComplianceReportList
  storedVersions:
    - v1alpha1
```
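Added here as a diagnostic aid, not code from the issue reporter or the trivy-operator project: a small Python check that reads parsed `oc get crd -o json` output and reports which of the expected `aquasecurity.github.io` report CRDs are missing, not yet `Established`, or have no served version matching `storedVersions`, which is the first thing to verify when a report type never appears. The expected-CRD tuple (only the names mentioned in this issue) and the embedded sample, which deliberately leaves out the namespaced `configauditreports` CRD, are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

GROUP = "aquasecurity.github.io"
# CRDs to look for (assumption: those named in this issue; extend from the chart's crds/ dir).
EXPECTED = ("vulnerabilityreports", "configauditreports",
            "clusterconfigauditreports", "clustercompliancereports")

@dataclass
class CrdDiagnosis:
    missing: list = field(default_factory=list)           # CRD not installed at all
    not_established: list = field(default_factory=list)   # apiserver has not accepted it yet
    unserved_storage: list = field(default_factory=list)  # no served version matches storedVersions

def diagnose_crds(crd_list: dict, expected=EXPECTED) -> CrdDiagnosis:
    """Inspect parsed `oc get crd -o json` output for the trivy-operator report CRDs."""
    diag = CrdDiagnosis()
    by_plural = {}
    for crd in crd_list.get("items", []):
        spec = crd.get("spec", {})
        if spec.get("group") == GROUP:
            by_plural[spec["names"]["plural"]] = crd
    for plural in expected:
        name = f"{plural}.{GROUP}"
        crd = by_plural.get(plural)
        if crd is None:
            diag.missing.append(name)
            continue
        status = crd.get("status", {})
        conds = {c["type"]: c["status"] for c in status.get("conditions", [])}
        if conds.get("Established") != "True":
            diag.not_established.append(name)
        served = {v["name"] for v in crd["spec"].get("versions", []) if v.get("served")}
        if not served & set(status.get("storedVersions", [])):
            diag.unserved_storage.append(name)
    return diag

def sample_crd(plural, established="True", served=("v1alpha1",), stored=("v1alpha1",)):
    # Constructed minimal CRD in the shape of the objects pasted in the issue.
    return {
        "spec": {"group": GROUP, "names": {"plural": plural},
                 "versions": [{"name": v, "served": True, "storage": True} for v in served]},
        "status": {"conditions": [{"type": "Established", "status": established}],
                   "storedVersions": list(stored)},
    }

# Constructed sample: the two cluster-scoped CRDs from the issue plus vulnerabilityreports,
# with the namespaced configauditreports CRD deliberately left out.
SAMPLE = {"items": [sample_crd("vulnerabilityreports"), sample_crd("clusterconfigauditreports"),
                    sample_crd("clustercompliancereports")]}
```

On a real cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe `oc get crd -o json` into the script; an empty `missing` list together with `No resources found` points away from the CRDs and towards the operator's config-audit scanner settings or RBAC instead.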