Closed Pionerd closed 4 months ago
I can confirm that I just rolled out this new release on the AKS cluster and saw the exact errors mentioned by @Pionerd The new release is working fine on GKE clusters.
Same thing (rego_parse_error: unexpected minus token) with:
It seems related to configAuditScanner in my case, like in this other issue. With configAuditScannerEnabled: false, the operator logs are clean.
I still don't get any rbac/infra assessment through the operator, but it's working when I run 'trivy k8s' remotely with the trivy docker image. I don't know why yet, as both my remote machine and my nodes should be allowed to access the api-server.
I get the same error with the latest version: 0.21.3
2024-07-03T15:12:00Z ERROR Reconciler error {"controller": "service", "controllerGroup": "", "controllerKind": "Service", "Service": {"name":"aaa","namespace":"monitoring"}, "namespace": "monitoring", "name": "aaa-exporter", "reconcileID": "a8e87ab4-c0c2-474c-b0f6-0860a83e93d0", "error": "evaluating resource: failed to load rego policies from [externalPolicies]: 1 error occurred: externalPolicies/file_0.rego:1: rego_parse_error: unexpected minus token: expected number\n\t---\n\t ^"}
My configuration looks like this:
operator:
  privateRegistryScanSecretsNames: {"abc":"bcd"}
  logDevMode: true
  scanJobsConcurrentLimit: 10
  scanJobsRetryDelay: 30s
  scannerReportTTL: "10m"
  cacheReportTTL: "120h"
  sbomGenerationEnabled: false
  clusterSbomCacheEnabled: false
  configAuditScannerEnabled: true
  rbacAssessmentScannerEnabled: true
  infraAssessmentScannerEnabled: true
  clusterComplianceEnabled: true
  storageClassEnabled: true
  storageClassName: ""
  additionalVulnerabilityReportFields: ""
  metricsVulnIdEnabled: true
  metricsExposedSecretInfo: true
  metricsConfigAuditInfo: true
  metricsRbacAssessmentInfo: true
  metricsInfraAssessmentInfo: true
  metricsImageInfo: true
  metricsClusterComplianceInfo: true
serviceMonitor:
  enabled: true
  labels: {"abc":"bcd"}
trivy:
  severity: CRITICAL
  slow: true
  useBuiltinRegoPolicies: "true"
  useEmbeddedRegoPolicies: "false"
  debug: true
compliance:
  reportType: all
  cron: 0 */12 * * *
The vulnerability scans, exposed secrets and compliance reports run correctly
Infrastructure and RBAC assessment do not run
The trivy-operator pod keeps restarting - reason: Back-off
The reported error logs keep flooding the pod
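Added example (not from the thread or the trivy-operator project): a small triage script that parses the reconciler error line quoted above, pulls the policy path, line number and offending source line out of the "error" field, and groups failures by policy file, flagging the case shown here where line 1 of the loaded policy is a bare '---'. The regexes assume the zap-style log layout seen above; the first sample line is copied from the comment, the second is constructed.

```python
import json
import re
from typing import Optional

# zap-style operator log line: <timestamp> <LEVEL> <message> <json context>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*?)\s+(?P<ctx>\{.*\})$")
# "<path>.rego:<line>: rego_parse_error: <detail>" as embedded in the "error" field
REGO_ERR_RE = re.compile(r"(?P<path>\S+\.rego):(?P<line>\d+): (?P<code>rego_\w+_error): (?P<detail>[^\n]*)")

# Constructed sample: the first line is copied from the comment above, the second is a clean line.
SAMPLE_LINES = [
    r'2024-07-03T15:12:00Z ERROR Reconciler error {"controller": "service", "controllerGroup": "", "controllerKind": "Service", "Service": {"name":"aaa","namespace":"monitoring"}, "namespace": "monitoring", "name": "aaa-exporter", "reconcileID": "a8e87ab4-c0c2-474c-b0f6-0860a83e93d0", "error": "evaluating resource: failed to load rego policies from [externalPolicies]: 1 error occurred: externalPolicies/file_0.rego:1: rego_parse_error: unexpected minus token: expected number\n\t---\n\t ^"}',
    r'2024-07-03T15:12:01Z INFO Reconciling resource {"controllerKind": "Service", "namespace": "monitoring", "name": "aaa-exporter"}',
]

def parse_rego_error(line: str) -> Optional[dict]:
    """Structured view of an ERROR line whose error field carries a rego error; None otherwise."""
    m = LOG_RE.match(line)
    if not m or m.group("level") != "ERROR":
        return None
    ctx = json.loads(m.group("ctx"))
    err = ctx.get("error", "")
    rm = REGO_ERR_RE.search(err)
    if not rm:
        return None
    # OPA appends the offending source line and a caret line after "\n\t".
    tail = err.split("\n\t", 1)[1] if "\n\t" in err else ""
    return {
        "resource": f'{ctx.get("controllerKind")}/{ctx.get("namespace")}/{ctx.get("name")}',
        "policy": rm.group("path"),
        "line": int(rm.group("line")),
        "detail": rm.group("detail"),
        "source": tail.split("\n", 1)[0].strip(),
    }

def is_yaml_marker_policy(parsed: dict) -> bool:
    """True when the parser stopped on a bare '---' at line 1, i.e. the loaded policy
    text starts with a YAML document marker instead of a 'package' declaration."""
    return parsed["line"] == 1 and parsed["source"] == "---"

def triage(lines) -> dict:
    """Group parse errors by policy file: a broken policy shows up as one file failing
    for every reconciled resource rather than as many unrelated resource errors."""
    by_policy: dict = {}
    for p in filter(None, map(parse_rego_error, lines)):
        entry = by_policy.setdefault(p["policy"], {"resources": set(), "yaml_marker": False})
        entry["resources"].add(p["resource"])
        entry["yaml_marker"] |= is_yaml_marker_policy(p)
    return by_policy
```

Run triage() over the operator's log to see whether every resource fails on the same externalPolicies file, which points at the policy content rather than at the individual resources.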
What steps did you take and what happened:
On a fresh installation, I get logs flooded with errors like below, for all kinds of resources. I use exactly the same configuration as on other clusters, where I do not get this error. I tried the last 4 versions of the helm chart, but to no avail. Same goes for a full reinstall; I'm a bit at a loss here.
I do not have any customPolicies defined. ConfigAudits and RBACAssessments are not being generated, VulnerabilityReport and ExposedSecrets are.
What did you expect to happen:
Anything else you would like to add:
Environment:
trivy-operator version: tried multiple of the latest versions
kubectl version: AKS 1.29