Closed 02fa closed 1 year ago
Hey, sorry this is not well documented, but you need compliance reports in detailed mode to have all required information for mapping.
see
https://github.com/fjogeleit/trivy-operator-polr-adapter#clustercompliancereport
https://github.com/fjogeleit/trivy-operator-polr-adapter/blob/main/CHANGELOG.md#030
and
https://aquasecurity.github.io/trivy-operator/v0.13.0/settings/ (Compliance.ReportType)
Hello, sorry to comment on this old thread. I am facing this same issue even with reportType: all
If you have any idea how to debug it, thank you!
Here is my config:
helm upgrade --install trivy-operator aqua/trivy-operator \
--namespace trivy-system \
--create-namespace \
--version 0.23.2 \
--set operator.builtInTrivyServer=true \
--set operator.exposedSecretScannerEnabled=false \
--set operator.rbacAssessmentScannerEnabled=false \
--set operator.configAuditScannerEnabled=false \
--set trivy.severity="CRITICAL\,HIGH\,MEDIUM" \
--set serviceAccount.annotations."eks\.amazonaws\.com/role-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:role/trivy-operator-role" \
--set trivyOperator.skipInitContainers=true \
--set trivyOperator.scanJobPodTemplateContainerSecurityContext.runAsUser=0 \
--set trivy.command=filesystem \
-f ./trivy-values.yaml
I have reportType: all in trivy-values.yaml
helm upgrade --install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-system \
--version 0.8.0 \
--set adapters.complianceReports.enabled=true \
--set adapters.clusterVulnerabilityReports.enabled=true
$ k describe ClusterComplianceReport cis | grep Report
Kind:          ClusterComplianceReport
  Report Type:  all

$ k describe clusterpolicyreports trivy-compliance-cpolr-cis
Name:         trivy-compliance-cpolr-cis
Namespace:
Labels:       app.kubernetes.io/created-by=trivy-operator-polr-adapter
              app.kubernetes.io/managed-by=trivy-operator-polr-adapter
              trivy-operator.source=ClusterComplianceReport
Annotations:  <none>
API Version:  wgpolicyk8s.io/v1beta1
Kind:         ClusterPolicyReport
Metadata:
  Creation Timestamp:  2024-06-06T16:40:39Z
  Generation:          1
  Owner References:
    API Version:  aquasecurity.github.io/v1alpha1
    Kind:         ClusterComplianceReport
    Name:         cis
    UID:          724bc3a7-608c-489e-ac4c-313a89a02333
  Resource Version:  1135212852
  UID:               50188682-40e9-40df-a901-9a4a0872ab48
Summary:
  Error:  0
  Fail:   0
  Pass:   0
  Skip:   0
  Warn:   0
Events:   <none>
Hi, I will take a look, but your example doesn't show any event it could map.
Hi @fjogeleit, I used this config and now I can see ClusterComplianceReport in Policy Reporter UI
Not sure if clusterInfraAssessmentReports and configAuditReports helped, or it just took time for the operator to process. I will probably delete everything and try again just to confirm. Thanks anyway @fjogeleit for creating this project and for being willing to support!
helm upgrade --install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-system \
--version 0.8.0 \
--set adapters.complianceReports.enabled=true \
--set adapters.clusterVulnerabilityReports.enabled=true \
--set adapters.clusterInfraAssessmentReports.enabled=true \
--set adapters.configAuditReports.enabled=true
It's also interesting that all results have Result: pass and Severity: info.

$ k get clusterpolicyreports -A
NAME                                    PASS   FAIL   WARN   ERROR   SKIP   AGE
trivy-compliance-cpolr-cis              116    0      0      0       0      3h3m
trivy-compliance-cpolr-nsa              27     0      0      0       0      5h2m
trivy-compliance-cpolr-pss-baseline     11     0      0      0       0      5h2m
trivy-compliance-cpolr-pss-restricted   17     0      0      0       0      5h2m
When checking the ClusterComplianceReports, they have more accurate information.
What do you mean exactly?
Results in a ComplianceReport are successful or not -> pass / fail
My problem is similar to https://github.com/aquasecurity/trivy-operator/issues/1306
So nothing to do with trivy-operator-polr-adapter.
Although there are CRITICAL and HIGH in the ComplianceReport, the summary is showing all of them as pass:

Summary:
  Pass Count:  116
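The two things this thread keeps circling back to are whether the ClusterComplianceReport was produced in detailed mode and whether its status.summary actually agrees with the per-check results. The following script is an added example (not code from trivy-operator or trivy-operator-polr-adapter, and not posted by anyone in the thread) that performs both checks on a dumped report. The field names it reads (spec.reportType, status.summary.passCount/failCount, status.detailReport.results[].checks[].success) follow the CRD as I understand it and are an assumption; the embedded sample report is constructed to reproduce the symptom above (summary says all pass while a HIGH control has a failing check).

```python
"""Sanity-check a trivy-operator ClusterComplianceReport dump.

Added example, not project code. Assumed CRD layout:
  spec.reportType                       "summary" | "all"
  status.summary.passCount / failCount  counts the operator computed
  status.detailReport.results[]         one entry per control, each with
      .id, .severity, .checks[] where each check has .checkID and .success
"""
import json
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample: reportType "all", summary claims 3 pass / 0 fail,
# but control 1.2.1 (HIGH) carries a failing check.
SAMPLE_REPORT = {
    "apiVersion": "aquasecurity.github.io/v1alpha1",
    "kind": "ClusterComplianceReport",
    "metadata": {"name": "cis"},
    "spec": {"compliance": {"id": "cis"}, "reportType": "all"},
    "status": {
        "summary": {"passCount": 3, "failCount": 0},
        "detailReport": {
            "id": "cis",
            "results": [
                {"id": "1.1.1", "name": "API server pod spec permissions",
                 "severity": "HIGH",
                 "checks": [{"checkID": "AVD-KCV-0048", "success": True}]},
                {"id": "1.2.1", "name": "Anonymous auth disabled",
                 "severity": "HIGH",
                 "checks": [{"checkID": "AVD-KCV-0001", "success": False,
                             "target": "kube-apiserver",
                             "messages": ["--anonymous-auth=false not set"]}]},
                {"id": "5.1.1", "name": "cluster-admin role usage",
                 "severity": "CRITICAL",
                 "checks": [{"checkID": "AVD-KSV-0111", "success": True}]},
            ],
        },
    },
}


def control_status(control):
    """FAIL if any check of the control failed, PASS if all succeeded,
    MISSING if the control has no checks at all (nothing scanned yet)."""
    checks = control.get("checks") or []
    if not checks:
        return "MISSING"
    return "FAIL" if any(not c.get("success", False) for c in checks) else "PASS"


def analyze(report):
    """Recompute pass/fail from the detailed results and compare with status.summary."""
    spec = report.get("spec", {})
    status = report.get("status", {})
    results = (status.get("detailReport") or {}).get("results") or []

    by_status = Counter()
    failed_by_severity = Counter()
    failing_controls = []
    for control in results:
        st = control_status(control)
        by_status[st] += 1
        if st == "FAIL":
            failed_by_severity[control.get("severity", "UNKNOWN")] += 1
            failing_controls.append(control["id"])

    summary = status.get("summary") or {}
    return {
        "report_type": spec.get("reportType", "summary"),
        "detailed": spec.get("reportType") == "all" and bool(results),
        "controls": dict(by_status),
        "failed_by_severity": dict(failed_by_severity),
        "failing_controls": failing_controls,
        "summary_pass": summary.get("passCount", 0),
        "summary_fail": summary.get("failCount", 0),
        "summary_matches_detail": (
            summary.get("failCount", 0) == by_status["FAIL"]
            and summary.get("passCount", 0) == by_status["PASS"]
        ),
    }


def findings(report):
    """Human-readable problems with the report; empty list means it looks sane."""
    a = analyze(report)
    out = []
    if a["report_type"] != "all":
        out.append("spec.reportType is %r; the adapter needs 'all' (detailed mode)"
                   % a["report_type"])
    elif not a["detailed"]:
        out.append("reportType is 'all' but status.detailReport has no results yet")
    if not a["summary_matches_detail"]:
        out.append("status.summary (pass=%d fail=%d) disagrees with detailReport (pass=%d fail=%d)"
                   % (a["summary_pass"], a["summary_fail"],
                      a["controls"].get("PASS", 0), a["controls"].get("FAIL", 0)))
    for sev in SEVERITIES:
        n = a["failed_by_severity"].get(sev, 0)
        if n:
            out.append("%d %s control(s) failing: %s"
                       % (n, sev, ", ".join(a["failing_controls"])))
    return out


if __name__ == "__main__":
    # Usage against a live cluster (path argument is a JSON dump):
    #   kubectl get clustercompliancereport cis -o json > cis.json
    #   python3 check_ccr.py cis.json
    # Without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for line in findings(report):
        print(line)
```

If the script reports that reportType is not "all", the adapter has nothing to map (the point made at the top of the thread); if it reports that status.summary disagrees with detailReport while the summary claims all pass, the problem is upstream in the compliance report itself rather than in the adapter, which is the situation described here.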
Dear @fjogeleit and Dear @caruccio,
I am a big admirer of your project, thank you for taking care of the original architectural oversights in trivy-operator!
I seem to be missing any ClusterComplianceReport data. Although trivy-operator-polr-adapter is aware of these reports' existence, it comes up with zero readings.
Trivy's own view appears to be more meaningful.
I appreciate this isn't a support forum, but what direction shall I be digging in, please? Have I missed anything?
Or could it be that ClusterComplianceReport is somewhat unintended use of trivy-operator? My final destination is to combine multi-cluster data into Grafana Loki. This could be, of course, a duplicate effort of what armo/kubescape is doing for report aggregation. Reporting is a paid feature though.
Best regards, Wang Wei
trivy-operator configuration
trivy-operator-polr-adapter configuration (no policy-reporter is present on the cluster)