fjogeleit / trivy-operator-polr-adapter

Creates PolicyReports based on the different Trivy Operator CRDs like VulnerabilityReports
MIT License
56 stars 7 forks

No Trivy Operator ClusterComplianceReport #97

Closed 02fa closed 1 year ago

02fa commented 1 year ago

Dear @fjogeleit and Dear @caruccio,

I am a big admirer of your project, thank you for taking care of the original architectural overlooks in trivy-operator!

I seem to be missing any ClusterComplianceReport data. Although trivy-operator-polr-adapter is aware of these reports' existence, it comes up with zero readings.

kubectl get cpolr trivy-compliance-cpolr-cis trivy-compliance-cpolr-nsa trivy-compliance-cpolr-pss-baseline trivy-compliance-cpolr-pss-restricted
NAME                                    PASS   FAIL   WARN   ERROR   SKIP   AGE
trivy-compliance-cpolr-cis              0      0      0      0       0      43m
trivy-compliance-cpolr-nsa              0      0      0      0       0      43m
trivy-compliance-cpolr-pss-baseline     0      0      0      0       0      43m
trivy-compliance-cpolr-pss-restricted   0      0      0      0       0      43m

Trivy own view appears to be more meaningful.

kubectl get clustercompliancereports cis -oyaml | grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO' | sort | uniq -c
     19     severity: CRITICAL
     50     severity: HIGH
     23     severity: LOW
     24     severity: MEDIUM

kubectl get clustercompliancereports nsa -oyaml | grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO' | sort | uniq -c
      8     severity: CRITICAL
      5     severity: HIGH
      3     severity: LOW
     11     severity: MEDIUM

kubectl get clustercompliancereports pss-baseline -oyaml | grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO' | sort | uniq -c
      5     severity: HIGH
      6     severity: MEDIUM

kubectl get clustercompliancereports pss-restricted -oyaml | grep -E 'HIGH|MEDIUM|CRITICAL|LOW|INFO' | sort | uniq -c
      5     severity: HIGH
      4     severity: LOW
      8     severity: MEDIUM

I appreciate this isn't a support forum, but what direction shall I be digging in, please? Have I missed anything?

Or could it be that ClusterComplianceReport is somewhat unintended use of trivy-operator? My final destination is to combine multi-cluster data into Grafana Loki. This could be, of course, a duplicate effort of what armo/kubescape is doing for report aggregation. Reporting is a paid feature though.

Best regards, Wang Wei

trivy-operator configuration

helm install trivy-operator aqua/trivy-operator \
    --namespace trivy-system \
    --create-namespace \
    --version 0.13.0 \
    --set='trivy.ignoreUnfixed=true' \
    --set='trivy.command=filesystem' \
    --set='trivyOperator.scanJobPodTemplateContainerSecurityContext.runAsUser=0'

trivy-operator-polr-adapter configuration (no policy-reporter is present on the cluster)

helm install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter \
    -ntrivy-adapter --create-namespace \
    --set='crds.install=true' \
    --set='adapters.complianceReports.enabled=true' \
    --set='adapters.rbacAssessmentReports.enabled=true' \
    --set='adapters.exposedSecretReports.enabled=true' \
    --set='adapters.infraAssessmentReports.enabled=true' \
    --set='adapters.clusterInfraAssessmentReports.enabled=true'

fjogeleit commented 1 year ago

Hey, sorry, this is not well documented, but you need compliance reports in detailed mode to have all the required information for the mapping.

see

https://github.com/fjogeleit/trivy-operator-polr-adapter#clustercompliancereport

https://github.com/fjogeleit/trivy-operator-polr-adapter/blob/main/CHANGELOG.md#030

and

https://aquasecurity.github.io/trivy-operator/v0.13.0/settings/ Compliance.ReportType

oussemos commented 4 months ago

Hello, sorry to comment on this old thread. I am facing this same issue even with reportType: all

If you have any idea how to debug it, thank you!

Here is my config:

helm upgrade --install trivy-operator aqua/trivy-operator \
    --namespace trivy-system \
    --create-namespace \
    --version 0.23.2 \
    --set operator.builtInTrivyServer=true \
    --set operator.exposedSecretScannerEnabled=false \
    --set operator.rbacAssessmentScannerEnabled=false \
    --set operator.configAuditScannerEnabled=false \
    --set trivy.severity="CRITICAL\,HIGH\,MEDIUM" \
    --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/trivy-operator-role" \
    --set trivyOperator.skipInitContainers=true \
    --set trivyOperator.scanJobPodTemplateContainerSecurityContext.runAsUser=0 \
    --set trivy.command=filesystem \
    -f ./trivy-values.yaml

I have reportType: all in trivy-values.yaml

helm upgrade --install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-system \
--version 0.8.0 \
--set adapters.complianceReports.enabled=true \
--set adapters.clusterVulnerabilityReports.enabled=true

╰─$ k describe ClusterComplianceReport cis | grep Report
Kind:         ClusterComplianceReport
  Report Type:  all

╰─$ k describe clusterpolicyreports trivy-compliance-cpolr-cis
Name:         trivy-compliance-cpolr-cis
Namespace:    
Labels:       app.kubernetes.io/created-by=trivy-operator-polr-adapter
              app.kubernetes.io/managed-by=trivy-operator-polr-adapter
              trivy-operator.source=ClusterComplianceReport
Annotations:  <none>
API Version:  wgpolicyk8s.io/v1beta1
Kind:         ClusterPolicyReport
Metadata:
  Creation Timestamp:  2024-06-06T16:40:39Z
  Generation:          1
  Owner References:
    API Version:     aquasecurity.github.io/v1alpha1
    Kind:            ClusterComplianceReport
    Name:            cis
    UID:             724bc3a7-608c-489e-ac4c-313a89a02333
  Resource Version:  1135212852
  UID:               50188682-40e9-40df-a901-9a4a0872ab48
Summary:
  Error:  0
  Fail:   0
  Pass:   0
  Skip:   0
  Warn:   0
Events:   <none>

fjogeleit commented 4 months ago

Hi, I will take a look but your example doesn’t show any event it could map.

oussemos commented 4 months ago

Hi @fjogeleit, I used this config and now I can see ClusterComplianceReport in Policy Reporter UI

Not sure if clusterInfraAssessmentReports and configAuditReports helped, or if it just took time for the operator to process. I will probably delete everything and try again just to confirm. Thanks anyway @fjogeleit for creating this project and for being willing to support!

helm upgrade --install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-system \
--version 0.8.0 \
--set adapters.complianceReports.enabled=true \
--set adapters.clusterVulnerabilityReports.enabled=true \
--set adapters.clusterInfraAssessmentReports.enabled=true \
--set adapters.configAuditReports.enabled=true

oussemos commented 4 months ago

It's also interesting that all results have Result: pass and Severity: info

╰─$ k get clusterpolicyreports -A
NAME                                    PASS   FAIL   WARN   ERROR   SKIP   AGE
trivy-compliance-cpolr-cis              116    0      0      0       0      3h3m
trivy-compliance-cpolr-nsa              27     0      0      0       0      5h2m
trivy-compliance-cpolr-pss-baseline     11     0      0      0       0      5h2m
trivy-compliance-cpolr-pss-restricted   17     0      0      0       0      5h2m

When checking the ClusterComplianceReports, they have more accurate information.

fjogeleit commented 4 months ago

What do you mean exactly?

Results in a ComplianceReport are successful or not -> pass / fail

oussemos commented 4 months ago

My problem is similar to https://github.com/aquasecurity/trivy-operator/issues/1306

So nothing to do with trivy-operator-polr-adapter.

Although there are CRITICAL and HIGH in the ComplianceReport, the summary is showing all of them as pass.

  Summary:
    Pass Count:      116
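The two symptoms in this thread (an all-zero ClusterPolicyReport when the compliance report is in summary mode, and CRITICAL/HIGH controls that still show up as pass once it is in detailed mode) both follow from how a ClusterComplianceReport is mapped onto the wgpolicyk8s.io result model. The Go program below is an added example written for this page, not code from trivy-operator-polr-adapter: it models only the fields a mapping needs, reads two constructed sample reports (one with `reportType: summary`, one with `reportType: all`) and produces the PASS/FAIL/SKIP counts that `kubectl get cpolr` prints. The struct field names (`detailReport`, `results`, `checks`, `checkID`, `success`, ...) are my reading of the operator's v1alpha1 CRD and are an assumption, as are the function and type names (`Convert`, `PolicyResult`, `Summary`) and the rule that a control with no checks becomes `skip`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of a trivy-operator ClusterComplianceReport (aquasecurity.github.io/v1alpha1).
// Field names are an assumption based on the operator's CRD; only what the mapping needs is modelled.
type ComplianceCheck struct {
	CheckID  string   `json:"checkID"`
	Target   string   `json:"target"`
	Messages []string `json:"messages"`
	Success  bool     `json:"success"`
}

type ControlResult struct {
	ID       string            `json:"id"`
	Name     string            `json:"name"`
	Severity string            `json:"severity"` // severity of the control itself, not of a finding
	Checks   []ComplianceCheck `json:"checks"`
}

type ComplianceReport struct {
	Spec   struct{ ReportType string `json:"reportType"` } `json:"spec"` // "summary" or "all"
	Status struct {
		// detailReport is only populated when spec.reportType is "all".
		DetailReport *struct{ Results []ControlResult `json:"results"` } `json:"detailReport"`
	} `json:"status"`
}

// Subset of a wgpolicyk8s.io ClusterPolicyReport; Summary is what `kubectl get cpolr` shows.
type PolicyResult struct {
	Policy, Rule, Resource string
	Result                 string // pass, fail, warn, error, skip
	Severity               string // critical, high, medium, low, info
	Message                string
}

type Summary struct{ Pass, Fail, Warn, Error, Skip int }

type ClusterPolicyReport struct {
	Summary Summary
	Results []PolicyResult
}

// Convert maps one ClusterComplianceReport (JSON) to a ClusterPolicyReport.
func Convert(raw []byte) (ClusterPolicyReport, error) {
	var ccr ComplianceReport
	var out ClusterPolicyReport
	if err := json.Unmarshal(raw, &ccr); err != nil {
		return out, err
	}
	// Summary mode carries only per-control counts and no per-check data,
	// so there is nothing to map: the policy report stays at all zeros.
	if ccr.Spec.ReportType != "all" || ccr.Status.DetailReport == nil {
		return out, nil
	}
	for _, ctl := range ccr.Status.DetailReport.Results {
		sev := strings.ToLower(ctl.Severity)
		if sev == "" {
			sev = "info"
		}
		if len(ctl.Checks) == 0 { // my choice for controls the scanner produced no checks for
			out.Results = append(out.Results, PolicyResult{Policy: ctl.ID, Result: "skip", Severity: sev, Message: ctl.Name})
			out.Summary.Skip++
			continue
		}
		for _, c := range ctl.Checks {
			// pass/fail is the check outcome; severity is carried through unchanged,
			// so a CRITICAL control whose check succeeded is reported as "pass".
			res := "pass"
			if c.Success {
				out.Summary.Pass++
			} else {
				res = "fail"
				out.Summary.Fail++
			}
			out.Results = append(out.Results, PolicyResult{Policy: ctl.ID, Rule: c.CheckID, Resource: c.Target,
				Result: res, Severity: sev, Message: strings.Join(c.Messages, "; ")})
		}
	}
	return out, nil
}

// Constructed sample reports (not real scanner output); control and check IDs are placeholders.
const SummarySample = `{"spec":{"reportType":"summary"},"status":{"summary":{"passCount":2,"failCount":1},
 "summaryReport":{"controlCheck":[{"id":"1.1","severity":"CRITICAL","totalFail":0}]}}}`

const DetailedSample = `{"spec":{"reportType":"all"},"status":{"summary":{"passCount":2,"failCount":1},
 "detailReport":{"results":[
  {"id":"1.1","name":"one passing check","severity":"CRITICAL",
   "checks":[{"checkID":"check-a","target":"kube-apiserver","messages":[],"success":true}]},
  {"id":"1.2","name":"checked on two nodes","severity":"HIGH",
   "checks":[{"checkID":"check-b","target":"node-1","messages":["mode 0644"],"success":true},
             {"checkID":"check-b","target":"node-2","messages":["mode 0666"],"success":false}]},
  {"id":"1.3","name":"no checks produced","severity":"MEDIUM","checks":[]}]}}}`

func main() {
	for _, s := range []string{SummarySample, DetailedSample} {
		r, err := Convert([]byte(s))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d results, summary %+v\n", len(r.Results), r.Summary)
	}
}
```

Running it prints zero results for the summary-mode sample and four results for the detailed one, with the CRITICAL control counted under PASS because its check succeeded. The practical check when the cpolr columns are all zero is therefore `kubectl get clustercompliancereport <name> -o jsonpath='{.spec.reportType}'` followed by whether `.status.detailReport` is present at all, before suspecting the adapter.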