
chore(k8s): improve artifact selections for specific namespaces #8248

Open: wants to merge 11 commits into base: main
Conversation

afdesk
Contributor

@afdesk afdesk commented Jan 15, 2025

Description

This PR improves selections of Kubernetes artifacts for users with limited credentials.
Now Trivy can receive resources only for included namespaces.

$ trivy k8s --report summary --kubeconfig myconfig mycontext --include-namespaces rbac-test

Before:

2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=deployments - deployments.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=pods - pods is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=replicasets - replicasets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"replicasets\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=replicationcontrollers - replicationcontrollers is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"replicationcontrollers\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=statefulsets - statefulsets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"statefulsets\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=daemonsets - daemonsets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"daemonsets\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: batch/v1, Resource=cronjobs - cronjobs.batch is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"cronjobs\" in API group \"batch\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: batch/v1, Resource=jobs - jobs.batch is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=services - services is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"services\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=serviceaccounts - serviceaccounts is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=configmaps - configmaps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"configmaps\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"roles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=rolebindings - rolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"rolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: networking.k8s.io/v1, Resource=networkpolicies - networkpolicies.networking.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"networkpolicies\" in API group \"networking.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: networking.k8s.io/v1, Resource=ingresses - ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=resourcequotas - resourcequotas is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"resourcequotas\" in API group \"\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=limitranges - limitranges is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"limitranges\" in API group \"\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterroles - clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterrolebindings - clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=nodes - nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list node resources   error="nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2025-01-27T12:07:00+06:00       INFO    Node scanning is enabled
2025-01-27T12:07:00+06:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-01-27T12:07:00+06:00       INFO    Scanning K8s... K8s="mycontext"
0 [________________________________________________________________________________________________________________________________________________________________________________________] ?% ? p/s
Summary Report for mycontext


Workload Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

RBAC Assessment
┌───────────┬──────────┬───────────────────┐
│ Namespace │ Resource │  RBAC Assessment  │
│           │          ├───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

After:

2025-01-27T12:17:11+06:00       INFO    Node scanning is enabled
2025-01-27T12:17:11+06:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-01-27T12:17:11+06:00       INFO    Scanning K8s... K8s="mycontext"
5 / 5 [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s

Summary Report for mycontext


Workload Assessment
┌───────────┬───────────────────────┬──────────────────────┬────────────────────┬───────────────────┐
│ Namespace │       Resource        │   Vulnerabilities    │ Misconfigurations  │      Secrets      │
│           │                       ├───┬────┬────┬────┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│           │                       │ C │ H  │ M  │ L  │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├───────────┼───────────────────────┼───┼────┼────┼────┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ rbac-test │ Pod/my-multiimage-pod │ 2 │ 26 │ 77 │ 99 │ 1 │   │ 3 │ 8 │ 18 │   │   │   │   │   │   │
└───────────┴───────────────────────┴───┴────┴────┴────┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


RBAC Assessment
┌───────────┬───────────────────┬───────────────────┐
│ Namespace │     Resource      │  RBAC Assessment  │
│           │                   ├───┬───┬───┬───┬───┤
│           │                   │ C │ H │ M │ L │ U │
├───────────┼───────────────────┼───┼───┼───┼───┼───┤
│ rbac-test │ Role/limited-role │ 2 │   │   │   │   │
└───────────┴───────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Testing

A use case was added here (6e690b9) and the tests were broken, as expected.
After trivy-kubernetes was updated to the latest version (2859ad3), this test case passes now.

Documentation

The following parts were added:
[image]
[image]

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
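
The "Before" output above shows the underlying problem: every list call is made at the cluster scope, so an identity that is only bound inside one namespace is denied for each resource. The following Python is an added example, not Trivy's or trivy-kubernetes' code. It parses denial lines of the shape shown above (the Kubernetes API server's RBAC denial message, as quoted in Trivy's `Unable to list resources` errors) and works out which denied list calls can be retried per included namespace and which cannot, because the resource itself is cluster-scoped (nodes, clusterroles, clusterrolebindings have no namespace). The sample log is a subset of the PR's lines plus one constructed namespaced denial; the `core` label for the empty API group, the function names and the hard-coded cluster-scoped set are this example's own.

```python
"""Work out what --include-namespaces can and cannot recover from a Trivy
k8s log full of "Unable to list resources" RBAC denials.

Added example, not Trivy's code. Assumes the denial text is the Kubernetes
API server's standard RBAC message, as seen in the PR's "Before" output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Resources from the PR's output that have no namespace. Listing them always
# needs cluster-wide permission, so narrowing to a namespace cannot help.
CLUSTER_SCOPED = {"nodes", "clusterroles", "clusterrolebindings"}

# Constructed sample: five lines taken from the PR's "Before" output plus one
# constructed line (secrets) showing the namespaced form of the same denial.
SAMPLE_LOG = r'''
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=deployments - deployments.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=pods - pods is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"roles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterroles - clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=nodes - nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=secrets - secrets is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"secrets\" in API group \"\" in the namespace \"kube-system\""
2025-01-27T12:07:00+06:00       INFO    Node scanning is enabled
'''

# group/version, resource and the RBAC denial; the last alternative captures
# either the cluster-scope form or the namespaced form of the message.
DENIAL_RE = re.compile(
    r'gvr: (?P<gv>[^,]*), Resource=(?P<resource>\S+) - .*?'
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "[^"]*" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


@dataclass(frozen=True)
class Denial:
    group: str                 # "" is the core API group
    version: str
    resource: str
    user: str
    verb: str
    namespace: Optional[str]   # None means the denied call was cluster-scoped

    @property
    def cluster_scoped_resource(self) -> bool:
        return self.resource in CLUSTER_SCOPED


def parse_denials(log: str) -> list[Denial]:
    """Extract one Denial per "Unable to list resources" line."""
    denials: list[Denial] = []
    for line in log.splitlines():
        if "Unable to list resources" not in line:
            continue
        # Trivy quotes the API server message inside error="...", so the inner
        # double quotes arrive escaped as \" ; undo that before matching.
        m = DENIAL_RE.search(line.replace('\\"', '"'))
        if not m:
            continue
        version = m.group("gv").rpartition("/")[2]   # "/v1" -> "v1", "apps/v1" -> "v1"
        denials.append(Denial(m.group("group"), version, m.group("resource"),
                              m.group("user"), m.group("verb"), m.group("namespace")))
    return denials


def plan_list_calls(denials: list[Denial], include_namespaces: set[str]):
    """Split cluster-scope denials into (a) per-namespace list calls that a
    namespace-bound identity can retry and (b) cluster-scoped resources that
    stay out of reach no matter which namespaces are included."""
    scoped: dict[str, list[str]] = {}
    unreachable: set[str] = set()
    for d in denials:
        if d.namespace is not None:
            continue  # already a namespaced call; nothing left to narrow
        key = f"{d.group or 'core'}/{d.version}/{d.resource}"
        if d.cluster_scoped_resource:
            unreachable.add(key)
        else:
            scoped[key] = sorted(include_namespaces)
    return scoped, sorted(unreachable)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    retry, blocked = plan_list_calls(found, {"rbac-test"})
    for gvr, namespaces in retry.items():
        print(f"list {gvr} in namespaces {namespaces}")
    for gvr in blocked:
        print(f"cannot narrow {gvr}: cluster-scoped resource, needs cluster-wide list")
```

Run against a saved Trivy log to see which denials a namespace-scoped scan removes. Cluster-scoped resources still need cluster-wide list permission, which matches the "After" report above containing only the namespaced Role/limited-role and no ClusterRole or Node rows.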

@simar7
Member

simar7 commented Jan 20, 2025

Really strange this PR has no changes? 🫨 I wonder what happened.

@afdesk
Contributor Author

afdesk commented Jan 21, 2025

Really strange this PR has no changes? 🫨 I wonder what happened.

It's a draft. I'm preparing test cases first, and then I will update the docs and trivy-kubernetes.

@afdesk afdesk requested a review from simar7 January 24, 2025 12:41
@afdesk afdesk changed the title chore(k8s): improve artifact selections chore(k8s): improve artifact selections for specific namespaces Jan 27, 2025
@afdesk afdesk marked this pull request as ready for review January 27, 2025 06:20
@afdesk afdesk requested a review from knqyf263 as a code owner January 27, 2025 06:20
@afdesk
Contributor Author

afdesk commented Jan 27, 2025

@simar7 @knqyf263
This PR is ready for your review.
Could you please take a look when you have time? Thanks!

@knqyf263
Collaborator

@simar7 You are now also maintaining the K8s area, right? Should we update the code owners?

trivy/.github/CODEOWNERS

Lines 17 to 22 in cc66d6d

# Helm chart
helm/trivy/ @afdesk
# Kubernetes scanning
pkg/k8s/ @afdesk
docs/docs/target/kubernetes.md @afdesk
