aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

CIS Benchmark k8s-cis-1.23 is empty #2285

Open Halogenmake opened 5 days ago

Halogenmake commented 5 days ago

What steps did you take and what happened: I’m using the latest version of Trivy Operator, 0.22. All components are functioning as expected, but the k8s-cis-1.23 report is not being generated. Meanwhile, the k8s-pss-baseline-0.1 report is generated without issues.

What did you expect to happen:

Anything else you would like to add: The configuration file for the modified settings is as follows:

```yaml
---
trivy:
  command: filesystem

trivyOperator:
  scanJobPodTemplateContainerSecurityContext:
    # For filesystem scanning, Trivy needs to run as the root user
    runAsUser: 0
  scanJobNodeSelector:
    node.kubernetes.io/role: worker

nodeSelector:
  node.kubernetes.io/role: worker

compliance:
  reportType: all

operator:
  scanJobsConcurrentLimit: 5
  scannerReportTTL: "120h"

nodeCollector:
  tolerations:
    - key: ***/control-plane
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: engineering
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: s***a
      operator: "Equal"
      effect: NoSchedule
```

Environment:

elaurensx commented 4 days ago

Can confirm the issue. Observed during the installation of the trivy-operator-polr-adapter.

```
kubectl logs -f trivy-operator-polr-adapter-5f647d56b9-5k9jk
kind.go] "if kind is a CRD, it should be installed before calling Start" err="no matches for kind \"CISKubeBenchReport\" in version \"aquasecurity.github.io/v1alpha1\"" logger="controller-runtime.source.EventHandler" kind="CISKubeBenchReport.aquasecurity.github.io"
```

Halogenmake commented 4 days ago

Additional information: I use Helm chart version 0.24.1.

Halogenmake commented 4 days ago

More details: I have multiple Kubernetes clusters, and on some clusters, the report is generated correctly, while on others, it isn’t. The cluster versions, Helm chart versions, and application versions are all the same.

Meanwhile, on the clusters where the report is not generated, the ClusterComplianceReport:k8s-cis-1.23 resource exists, but it lacks a status section—only the spec section is present.
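One way to catch the symptom described in the last comment (a ClusterComplianceReport that carries a spec but no status) across a fleet of clusters is a small check over the JSON that `kubectl get clustercompliancereports -o json` prints. The script below is an added example, not code from the trivy-operator project or from the issue's participants. The embedded List is constructed so the check runs offline, and the `status.summary.passCount` / `status.summary.failCount` field names are assumed from the `aquasecurity.github.io/v1alpha1` schema; compare them against the CRD installed in your cluster.

```python
"""Flag ClusterComplianceReport objects whose status was never populated.

Added example; not code from the trivy-operator project. It consumes the
JSON that `kubectl get clustercompliancereports -o json` prints. A
constructed List is embedded so the check runs offline. Field names under
.status (summary.passCount / summary.failCount) are assumed from the
aquasecurity.github.io/v1alpha1 schema; verify against your cluster's CRD.
"""
import json
import sys
from typing import Dict


def report_state(item: Dict) -> str:
    """Classify one ClusterComplianceReport object.

    Returns 'ok' when .status carries a non-zero summary, 'empty-status' when
    a status exists but holds no results, and 'missing-status' when the object
    has only a spec (the symptom reported in the issue).
    """
    status = item.get("status")
    if not status:
        return "missing-status"
    summary = status.get("summary") or {}
    total = int(summary.get("passCount", 0)) + int(summary.get("failCount", 0))
    return "ok" if total > 0 else "empty-status"


def find_unpopulated(report_list: Dict) -> Dict[str, str]:
    """Map report name -> state for every report that is not 'ok'."""
    problems: Dict[str, str] = {}
    for item in report_list.get("items", []):
        state = report_state(item)
        if state != "ok":
            problems[item["metadata"]["name"]] = state
    return problems


# Constructed sample resembling `kubectl get clustercompliancereports -o json`
# on a cluster where the CIS report exists but was never reconciled. Names and
# counts are made up for the example.
SAMPLE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-pss-baseline-0.1"},
            "spec": {"compliance": {"id": "k8s-pss-baseline-0.1"}, "reportType": "all"},
            "status": {"summary": {"passCount": 12, "failCount": 3}},
        },
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-cis-1.23"},
            "spec": {"compliance": {"id": "k8s-cis-1.23"}, "reportType": "all"},
            # no "status" key at all: only the spec section is present
        },
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-nsa-1.0"},
            "spec": {"compliance": {"id": "k8s-nsa-1.0"}, "reportType": "all"},
            # status present but carrying no results
            "status": {"summary": {"passCount": 0, "failCount": 0}},
        },
    ],
}


def main() -> int:
    """Read a kubectl JSON List from stdin when piped, else use the sample.

    Exit code 1 when any report is unpopulated, so the script can serve as a
    post-install check or a periodic job in CI.
    """
    data = SAMPLE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    problems = find_unpopulated(data)
    for name, state in sorted(problems.items()):
        print(f"{name}: {state}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a live cluster with `kubectl get clustercompliancereports -o json | python3 check_compliance_reports.py`; a non-zero exit code flags clusters where, as in the issue, the resource exists but the operator has not written a status.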