search

aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0
1.28k stars 211 forks source link

Trivy Operator is not compatible with Kubernetes v1.31.0 #2251

Open cnwaldron opened 2 months ago

cnwaldron commented 2 months ago

What steps did you take and what happened: We had a Kubernetes cluster that was recently updated to Kubernetes v1.31.0 and had Trivy Operator v0.22 already running. After the upgrade, I noticed that the vulnerability reports were not being created anymore. Then I looked at the namespace and saw the scan jobs were not being cleaned up but they were all successful. I looked at the trivy-operator log and saw reconcile error stating: "unrecognized scan job condition: SuccessCriteriaMet". I have checked the Kubernetes documents and found the Job Success Policy is in beta for v1.31.0 and turned on by default .(https://kubernetes.io/docs/concepts/workloads/controllers/job/#success-policy)

What did you expect to happen:

After a successful job is complete, trivy-operator will clean up the jobs and create the reports as usual.

Anything else you would like to add: To see new policy feature: https://kubernetes.io/docs/concepts/workloads/controllers/job/#success-policy The Job status conditions now have 2 conditions on a success: the first one is the SuccessCriteriaMet type and the second is the Complete type.

Environment:

FranAguiar commented 2 months ago

Hello, any idea when a patch will be released?

allanian commented 1 month ago

+1

amrap030 commented 1 month ago

+1

dpolpa commented 1 month ago

+1

Jhonnyzeroones commented 1 month ago

+1

inikolovski commented 1 month ago

+1

Prates23 commented 1 month ago

+1

Hacks4Snacks commented 1 month ago

I haven't seen a response on whether or not this project is going to continue being supported and I don't really plan on maintaining a long-term fork, but if anyone needs 1.31.0 to work in the near-term you can take a look at the changes I've made to get it working (reference: https://github.com/Hacks4Snacks/trivy-operator).

Jhonnyzeroones commented 1 month ago

@Hacks4Snacks Do you have an image registry that I can pull? I noticed that https://ghcr.io/Hacks4Snacks/trivy-operator was not operational. Have you published images for this or should I build my own trivy-operator image.

Hacks4Snacks commented 1 month ago

@Hacks4Snacks Do you have an image registry that I can pull? I noticed that https://ghcr.io/Hacks4Snacks/trivy-operator was not operational. Have you published images for this or should I build my own trivy-operator image.

@Jhonnyzeroones I am not publishing artifacts to an image registry, I recommend building your own image.

FranAguiar commented 1 month ago

@Hacks4Snacks can you submit a PR with the fix? Not sure if is an option

badgerspoke commented 3 weeks ago

I've had a crack at a PR which appears to be working in my clusters.

basdemirs commented 3 weeks ago

@Hacks4Snacks Do you have an image registry that I can pull? I noticed that https://ghcr.io/Hacks4Snacks/trivy-operator was not operational. Have you published images for this or should I build my own trivy-operator image.

@Jhonnyzeroones I am not publishing artifacts to an image registry, I recommend building your own image.

Thanks @Hacks4Snacks

Xeroxxx commented 2 weeks ago

Is this project abandoned? Even the paid version does not seem to support 1.31 as its based on trivy-operator 0.20.1

Kankarollo commented 1 week ago

Can we do something to bump @badgerspoke PR that it will be reviewed quicker? It's a good blocker for our use cases and we don't know if we should wait or apply our own solution.

itaysk commented 1 week ago

@afdesk can you PTAL?

simlecp commented 1 week ago

Hello,

We face the same issue on chart target 0.23.3 and 0.23.1,

Do you know when will the fix be applied ?

Best regards, SD.

afdesk commented 5 days ago

We face the same issue on chart target 0.23.3 and 0.23.1,

Do you know when will the fix be applied ?

Hello! We understand it's a critical issue and trying to fix ASAP. I hope it'll be resolved in a few days (on this week).

sorry for inconvenience!

Xeroxxx commented 1 day ago

Any update on this matter? 1.31 was released on August 13th.

badgerspoke commented 1 day ago

I think it's being reviewed but ironically they're being rate limited pulling the checks db from GH.. I've seen over 20 build attempts

afdesk commented 1 day ago

@badgerspoke you're right! all tests are failed now, so we can't merge PRs...

badgerspoke commented 1 day ago

Wow. When did that start, and what is being done about it?

afdesk commented 1 day ago

Wow. When did that start, and what is being done about it?

it started a few month ago, it's a known issue - Github rate limits for Trivy - https://github.com/aquasecurity/trivy/discussions/7699

0054 commented 9 hours ago

+1

grigory-bogush commented 8 hours ago

+1

lekks commented 8 hours ago

We need it too!

whatersoer commented 8 hours ago

+1

badunzo commented 8 hours ago

+1

mdnfiras commented 7 hours ago

+1

Nimdim commented 7 hours ago

+1

ArtRozhe commented 7 hours ago

+1

matt-tvg commented 6 hours ago

+1

CrashLoopBackOff-K8s commented 4 hours ago

+1, joining the chorus -- not to dogpile, but to hopefully get some more visibility for this one.

D0Ge3 commented 4 hours ago

+1