Closed sheeeng closed 2 months ago
According to the documentation...
If you need to trigger another manual cleanup, you have to create a new ImageList or make changes to an existing one.
I have updated the existing ImageList using the following example.
cat <<EOF | kubectl apply -f -
apiVersion: eraser.sh/v1
kind: ImageList
metadata:
  name: imagelist
spec:
  images:
    - docker.io/library/alpine:3.7.3
EOF
But there is not a single Trivy string found in the logs after the ImageList is updated.
for pod in $(kubectl get pods --output json | jq --raw-output '.items[] | select(.metadata.name|contains("eraser")) | .metadata.name') ; do
  echo "$pod"
  kubectl logs "$pod" | grep --ignore-case trivy
done
$ kubectl describe configmap --namespace kube-system eraser-manager-config | grep --after-context=10 scanner:
scanner:
  enabled: true
  image:
    repo: mcr.microsoft.com/oss/eraser/eraser-trivy-scanner
    tag: v1.2.3
  request:
    mem: 500Mi
    cpu: 250m
  limit:
    mem: 2Gi
    # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
According to Trivy's documentation...
Scan reports are saved as VulnerabilityReport resources, which are owned by a Kubernetes controller.
$ kubectl get vulnerabilityreports.aquasecurity.github.io --all-namespaces
No resources found
@sheeeng Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.
Image Cleaner doesn't output a Trivy report, as Eraser doesn't have it. If you want to know the scanner results, you can check the scanner pod logs:
kubectl logs -n kube-system
Where can I get the Trivy reports from the Image Cleaner?
The documentation does not explain how we get those Trivy reports.