aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

Trivy operator flag insecure not working - failed to verify certificate: x509 #2212

Open martinaragow opened 1 month ago

martinaragow commented 1 month ago

What steps did you take and what happened: I'm using trivy operator behind a proxy that has its own certificate and needs to run with the insecure flag in order to download the policy bundles, ignoring the SSL check. I tried the flag policiesBundle.insecure: "true" and it is not working.

Also, the trivy operator is not generating any vulnerability report:

kubectl get vulnerabilityreports --all-namespaces -o wide
No resources found

However, trivy operator pod and trivy server are both running and the trivy server succesfully downloads the db

(Two screenshots attached, taken 2024-08-01.)

What did you expect to happen: I expected it to ignore the SSL check when downloading the policy bundles and to create a vulnerability report for each pod, but instead it didn't.

Anything else you would like to add:

Environment variables from trivy-operator pod:

BB_ASH_VERSION='1.36.1'
CONTROLLER_CACHE_SYNC_TIMEOUT='5m'
FUNCNAME=''
HISTFILE='/home/trivyoperator/.ash_history'
HOME='/home/trivyoperator'
HOSTNAME='trivy-operator-67dddb6db-765tx'
HTTPS_PROXY='http://obfuscated:obfuscated'
HTTP_PROXY='http://obfuscated:obfuscated'
IFS=' '
KUBERNETES_PORT='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP_ADDR='10.43.0.1'
KUBERNETES_PORT_443_TCP_PORT='443'
KUBERNETES_PORT_443_TCP_PROTO='tcp'
KUBERNETES_SERVICE_HOST='10.43.0.1'
KUBERNETES_SERVICE_PORT='443'
KUBERNETES_SERVICE_PORT_HTTPS='443'
LINENO=''
NO_PROXY='obfuscated'
OLDPWD='/'
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS='true'
OPERATOR_BATCH_DELETE_DELAY='10s'
OPERATOR_BATCH_DELETE_LIMIT='10'
OPERATOR_BUILT_IN_TRIVY_SERVER='true'
OPERATOR_CACHE_REPORT_TTL='120h'
OPERATOR_CLUSTER_COMPLIANCE_ENABLED='true'
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED='false'
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT='1'
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT='10'
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED='true'
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_EXCLUDE_NAMESPACES=''
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED='true'
OPERATOR_HEALTH_PROBE_BIND_ADDRESS=':9090'
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_LOG_DEV_MODE='false'
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT='false'
OPERATOR_METRICS_BIND_ADDRESS=':8080'
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED='false'
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED='false'
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED='false'
OPERATOR_METRICS_FINDINGS_ENABLED='true'
OPERATOR_METRICS_IMAGE_INFO_ENABLED='false'
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_VULN_ID_ENABLED='false'
OPERATOR_NAMESPACE='trivy-system'
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES='{}'
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_SBOM_GENERATION_ENABLED='true'
OPERATOR_SCANNER_REPORT_TTL='1h'
OPERATOR_SCAN_JOB_RETRY_AFTER='30s'
OPERATOR_SCAN_JOB_TIMEOUT='5m'
OPERATOR_SCAN_JOB_TTL=''
OPERATOR_SEND_DELETED_REPORTS='false'
OPERATOR_SERVICE_ACCOUNT='trivy-operator'
OPERATOR_TARGET_NAMESPACES=''
OPERATOR_TARGET_WORKLOADS='pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job'
OPERATOR_VULNERABILITY_SCANNER_ENABLED='true'
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS=''
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT='30s'
OPERATOR_WEBHOOK_BROADCAST_URL=''
OPTIND='1'
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
PPID='0'
PS1='\w \$ '
PS2='> '
PS4='+ '
PWD='/home/trivyoperator'
SHLVL='1'
TERM='xterm'
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION='10h'
TRIVY_SERVICE_PORT='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP_ADDR='10.43.109.224'
TRIVY_SERVICE_PORT_4954_TCP_PORT='4954'
TRIVY_SERVICE_PORT_4954_TCP_PROTO='tcp'
TRIVY_SERVICE_SERVICE_HOST='10.43.109.224'
TRIVY_SERVICE_SERVICE_PORT='4954'
TRIVY_SERVICE_SERVICE_PORT_TRIVY_HTTP='4954'

Logs:

{"level":"error","ts":"2024-08-01T18:53:34Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t Get \"https://ghcr.io/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(NodeReconciler).SetupWithManager.(NodeReconciler).reconcileNodes.func5\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/node.go:169\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:222"}

{"level":"error","ts":"2024-08-01T18:53:34Z","msg":"Reconciler error","controller":"node","controllerGroup":"","controllerKind":"Node","Node":{"name":"rhel1"},"namespace":"","name":"rhel1","reconcileID":"176498a2-1a4d-4767-a975-a44f49779732","error":"creating job: no compliance commands found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.4/pkg/internal/controller/controller.go:222"}


Environment:

andyalamo commented 1 month ago

I have the same error, but I am testing with the main branch because I saw a commit that fixes the behavior of the insecure flag. Can you help, @chen-keinan?