giantswarm / starboard-exporter

A standalone exporter for vulnerability reports and other CRs created by Trivy Operator (formerly Starboard).
Apache License 2.0

"ensure CRDs are installed first" while installing via HELM Chart #338

Closed dj-wasabi closed 7 months ago

dj-wasabi commented 8 months ago

Hi,

I am trying to install the exporter, but I think I am doing something wrong because I get an error:

$ helm repo add aqua https://aquasecurity.github.io/helm-charts/
$ helm repo add giantswarm https://giantswarm.github.io/giantswarm-catalog
$ helm repo update
$ helm install trivy-operator oci://ghcr.io/aquasecurity/helm-charts/trivy-operator \
   --namespace trivy-system \
   --create-namespace \
   --version 0.21.3

$ helm upgrade -i starboard-exporter --namespace trivy-system  giantswarm/starboard-exporter

Release "starboard-exporter" does not exist. Installing it now.
Error: unable to build kubernetes objects from release manifest: resource mapping not found for name: "starboard-exporter-psp" namespace: "" from "": no matches for kind "PodSecurityPolicy" in version "policy/v1beta1"
ensure CRDs are installed first

Trivy is installed:

$ kubectl get all -n trivy-system
NAME                                            READY   STATUS    RESTARTS      AGE
pod/scan-vulnerabilityreport-7877b49d8c-s8lts   3/3     Running   0             36s
pod/trivy-operator-7cc7457867-gwwt7             1/1     Running   1 (45s ago)   5m51s

NAME                     TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/trivy-operator   ClusterIP   None         <none>        80/TCP    5m51s

NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/trivy-operator   1/1     1            1           5m51s

NAME                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/trivy-operator-7cc7457867   1         1         1       5m51s

NAME                                            COMPLETIONS   DURATION   AGE
job.batch/scan-vulnerabilityreport-7877b49d8c   0/1           36s        36s

$ kubectl get crds | grep -i aquasecurity
clustercompliancereports.aquasecurity.github.io        2024-04-03T17:48:51Z
clusterconfigauditreports.aquasecurity.github.io       2024-04-03T17:48:51Z
clusterinfraassessmentreports.aquasecurity.github.io   2024-04-03T17:48:51Z
clusterrbacassessmentreports.aquasecurity.github.io    2024-04-03T17:48:51Z
clustersbomreports.aquasecurity.github.io              2024-04-03T17:48:51Z
clustervulnerabilityreports.aquasecurity.github.io     2024-04-03T17:48:51Z
configauditreports.aquasecurity.github.io              2024-04-03T17:48:51Z
exposedsecretreports.aquasecurity.github.io            2024-04-03T17:48:51Z
infraassessmentreports.aquasecurity.github.io          2024-04-03T17:48:51Z
rbacassessmentreports.aquasecurity.github.io           2024-04-03T17:48:51Z
sbomreports.aquasecurity.github.io                     2024-04-03T17:48:51Z
vulnerabilityreports.aquasecurity.github.io            2024-04-03T17:48:51Z

Can you please help me with what is missing right now?

Thank you!

stone-z commented 7 months ago

Hey @dj-wasabi, I think you just need to disable the PSP that ships in our Helm chart.

You can do this by setting the global.podSecurityStandards.enforced value to true here.

Our app is currently a bit unusual because it is supporting some PSP migration logic for our customers, but we will eventually make your situation (no PSPs / newer k8s versions) the default, as it should be.

stone-z commented 7 months ago

Closing this so I can take it off my todo list :smile: but do let me know if I can help further
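
The fix described in the reply above, as an added example that is not part of the original thread or the project's own code: PodSecurityPolicy was removed from Kubernetes in v1.25, so this script passes the `global.podSecurityStandards.enforced=true` override only when the cluster no longer serves that resource. The function names, the `apply` argument and the sample listings are assumptions made for the example.

```shell
#!/bin/sh
# Added example: decide whether the starboard-exporter chart's PSP must be
# disabled, based on what the API server actually serves.

# Constructed sample listings, in the format printed by
#   kubectl api-resources --api-group=policy -o name
SAMPLE_NO_PSP='poddisruptionbudgets.policy'
SAMPLE_WITH_PSP='poddisruptionbudgets.policy
podsecuritypolicies.policy'

# Reads an api-resources listing on stdin.
# Exit status 0 if the cluster still serves PodSecurityPolicy.
psp_served() {
    grep -qx 'podsecuritypolicies\.policy'
}

# Reads an api-resources listing on stdin and prints the extra helm
# arguments: the override from the thread when PSP is not served,
# nothing (chart defaults) when it is.
chart_psp_override() {
    if psp_served; then
        :
    else
        echo '--set global.podSecurityStandards.enforced=true'
    fi
}

# Only touch the cluster when called as: ./install-exporter.sh apply
if [ "${1:-}" = "apply" ]; then
    # Stop if the API server cannot be queried, instead of guessing.
    resources=$(kubectl api-resources --api-group=policy -o name) || exit 1
    extra=$(printf '%s\n' "$resources" | chart_psp_override)
    # $extra is intentionally unquoted: it is empty or exactly two words.
    helm upgrade -i starboard-exporter --namespace trivy-system \
        giantswarm/starboard-exporter $extra
fi
```

Run without arguments the script does nothing; with `apply` it queries the current kubectl context and installs the release into `trivy-system`, as in the original commands.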