devopstales / trivy-operator

Kubernetes Operator based on the open-source container vulnerability scanner Trivy.
https://devopstales.github.io/trivy-operator/
Apache License 2.0

set timeout value to more than 5 min #43

Closed AmaniBenAoun closed 9 months ago

AmaniBenAoun commented 11 months ago

Hey 👋

We're using your Trivy-operator alongside DefectDojo to scan our cluster. Particularly, we're using the namespaceScanner. Both are installed via Helm and we're using the latest version. It was working fine when I added the trivy-scan: "true" label to a couple of namespaces, but when I added it to multiple namespaces it seems that the scan needs more than 5 min (which is the default value) to finish, and therefore it fails after some time with the error:

kopf._cogs.clients.w [ERROR ] Request attempt #1/9 failed; will retry: GET https://*.*.*.*:443/apis/trivy-operator.devopstales.io/v1/namespace-scanners?watch=true&resourceVersion=2006420349 -> ServerDisconnectedError('Server disconnected')

Is there a way to override the default value of the timeout as in the duration to wait for scan completion?

Also, I see this error in the logs occasionally:

    [ERROR   ] [security-scanning/trivy-operator-main-config] Handler 'create_fn' failed with an exception. Will retry.
    Traceback (most recent call last):
      File "/usr/local/lib/python3.8/site-packages/kopf/_core/actions/execution.py", line 279, in execute_handler_once
        result = await invoke_handler(
      File "/usr/local/lib/python3.8/site-packages/kopf/_core/actions/execution.py", line 374, in invoke_handler
        result = await invocation.invoke(
      File "/usr/local/lib/python3.8/site-packages/kopf/_core/actions/invocation.py", line 116, in invoke
        result = await fn(**kwargs)  # type: ignore
      File "/trivy-operator.py", line 416, in create_fn
        pull_secret_decoder(tmp3, tagged_ns)
      File "/trivy-operator.py", line 238, in pull_secret_decoder
        secret_data = secret.data['.dockerconfigjson']
    KeyError: '.dockerconfigjson'

thanks 🙏
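The KeyError in the traceback above fires because the operator indexes `secret.data['.dockerconfigjson']` unconditionally, so any imagePullSecret that is not of type `kubernetes.io/dockerconfigjson` (a legacy `kubernetes.io/dockercfg` secret, or an Opaque secret that someone listed as a pull secret) raises and the whole handler is retried. The following is an added example, not code from the trivy-operator project: a tolerant decoder that handles both Docker secret formats, decodes `auth` fields that carry only the base64 `user:password` pair, and skips anything else instead of crashing. The sample secrets are constructed inline to mirror the `.data` field of a `V1Secret` as the Kubernetes Python client returns it (base64-encoded values); the function and variable names are this example's own.

```python
import base64
import json

# Constructed sample data (not from a real cluster): a dockerconfigjson payload
# with one registry entry, as `kubectl create secret docker-registry` produces it.
_DOCKERCONFIGJSON = {
    "auths": {
        "registry.example.com": {
            "username": "ci-bot",
            "password": "s3cr3t",
            "auth": base64.b64encode(b"ci-bot:s3cr3t").decode(),
        },
        # Entry with only the combined "auth" field, as some tools write it.
        "mirror.example.net": {
            "auth": base64.b64encode(b"puller:pull-pass").decode(),
        },
    }
}


def _b64(obj) -> str:
    """Serialize a dict to JSON and base64-encode it, as Secret.data stores it."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Three secrets that could all be referenced as imagePullSecrets in a namespace.
SAMPLE_SECRETS = {
    "modern": {  # the only shape the original pull_secret_decoder accepted
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": _b64(_DOCKERCONFIGJSON)},
    },
    "legacy": {  # kubernetes.io/dockercfg: registries are the top-level keys
        "type": "kubernetes.io/dockercfg",
        "data": {".dockercfg": _b64(_DOCKERCONFIGJSON["auths"])},
    },
    "opaque": {  # not a registry credential at all; must be skipped, not crash
        "type": "Opaque",
        "data": {"token": base64.b64encode(b"not-a-docker-config").decode()},
    },
}


def decode_pull_secret(secret: dict):
    """Return {registry: (username, password)} for a Docker registry secret.

    Returns None when the secret carries neither `.dockerconfigjson` nor
    `.dockercfg`, so callers can skip it instead of raising KeyError.
    """
    data = secret.get("data") or {}
    if ".dockerconfigjson" in data:
        cfg = json.loads(base64.b64decode(data[".dockerconfigjson"]))
        auths = cfg.get("auths", {})
    elif ".dockercfg" in data:
        auths = json.loads(base64.b64decode(data[".dockercfg"]))
    else:
        return None

    creds = {}
    for registry, entry in auths.items():
        user, password = entry.get("username"), entry.get("password")
        if (user is None or password is None) and entry.get("auth"):
            # "auth" is base64("user:password"); the password may contain ':'
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        if user and password:
            creds[registry] = (user, password)
    return creds


def collect_registry_credentials(secrets: dict) -> dict:
    """Merge credentials from every pull secret in a namespace, ignoring
    non-registry secrets. Later secrets win on registry name collisions."""
    merged = {}
    skipped = []
    for name, secret in secrets.items():
        creds = decode_pull_secret(secret)
        if creds is None:
            skipped.append(name)  # would be a log line in the operator
            continue
        merged.update(creds)
    return {"credentials": merged, "skipped": skipped}


if __name__ == "__main__":
    result = collect_registry_credentials(SAMPLE_SECRETS)
    for registry, (user, _) in result["credentials"].items():
        print(f"{registry}: user={user}")
    print("skipped non-registry secrets:", result["skipped"])
```

The registry credentials end up in memory only long enough to hand them to the scanner; if the operator logs the skipped secret names (as the example records them), make sure it never logs the decoded passwords.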

devopstales commented 11 months ago

Hi @AmaniBenAoun

Thanks for your ticket. First I will start with the second problem, which is a duplicate of the #42 ticket. It seems I didn't fix this in the latest 2.5 image. But for the first error I need more information. What Trivy operator image version do you use? What is the content of the NamespaceScanner object? Can you try to run the operator with DEBUG log level and upload the logs here?

AmaniBenAoun commented 11 months ago

hi!

Thanks for the reply. The versions we're using are version 2.5.0 for the trivy operator (this one here) and for DefectDojo we're using version 1.6.93 (this one here).

Also, I was able to confirm that the errors were because of the timeout duration, which is set to 5 min by default. When I reduced the number of namespaces to be scanned, I no longer had the errors and the operator was able to finish the scan in that time period with no problem. My solution for this was to create multiple NamespaceScanner objects, each of them with a different selector, so I can assign different namespaces to them. That fixed the errors and now everything runs as expected. Thanks again!

devopstales commented 9 months ago

In the NamespaceScanner object you can change the timeout period. For a bigger cluster the default 5 minutes is of course not enough.