jfrog / kubexray

JFrog KubeXray scanner on Kubernetes
Apache License 2.0

Whitelisted namespaces are not honored #23

Closed seenu433 closed 5 years ago

seenu433 commented 5 years ago

The whitelisting is not honored, and no matter the order in which it's provided, it does not help. Xray version: Xray 2.3.3, Revision: 6b3b534

Also, the response from the API has issues and licenses as separate attributes:

```json
{"artifacts":[{........},"issues":[],"licenses":[{"name":"Unknown","full_name":"Unknown license","components":[........]}]}]}
```

But the code looks for security and license under issues. Is this due to a version mismatch?

Using the latest version of the kubexray Helm chart.

ankushchadha commented 5 years ago

Thanks, @seenu433 for reporting this issue. Can you share values.yaml file that includes whitelist information? Feel free to obfuscate values if certain details shouldn't be exposed.

Regarding the response from the API, is Xray's component information API being referred to, or the webhook payload?

seenu433 commented 5 years ago

Thanks @ankushchadha for the quick response. Below is the ConfigMap used:

```yaml
apiVersion: v1
data:
  config.yaml: |-
    unscanned:
      whitelistNamespaces: kube-system,kubexray,ns-cicd
      deployments: ignore
      statefulSets: ignore
    security:
      deployments: scaledown
      statefulSets: ignore
      whitelistNamespaces: kube-system,kubexray
    license:
      deployments: scaledown
      statefulSets: ignore
      whitelistNamespaces: kube-system,kubexray
kind: ConfigMap
```

Only the changes for the unscanned deployments and statefulSets are reflected. The whitelistNamespaces and license settings don't seem to be working.

A log of the sample activity:

```
time="2019-04-07T20:49:56Z" level=debug msg=HandlerImpl.ObjectCreated
time="2019-04-07T20:49:56Z" level=debug msg="Resource for pod nginx-ingress-controller-84sm2 is not stateful set nginx-ingress-controller: statefulsets.apps \"nginx-ingress-controller\" not found"
time="2019-04-07T20:49:56Z" level=debug msg="Resource for pod nginx-ingress-controller-84sm2 is not deployment nginx-ingress: deployments.apps \"nginx-ingress\" not found"
time="2019-04-07T20:49:56Z" level=debug msg="Pod: nginx-ingress-controller-84sm2 v.3494480 (Node: .., Running)"
time="2019-04-07T20:49:56Z" level=debug msg="Container: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.22.0, Digest: 47ef793dc8dfcbf73c9dee4abfb87afa3aa8554c35461635f6539c6cc5073b2c"
time="2019-04-07T20:49:56Z" level=debug msg="Checking sha ... with Xray ..."
time="2019-04-07T20:49:56Z" level=debug msg="404 response from componentIdsByChecksum, trying backup API instead"
time="2019-04-07T20:49:56Z" level=debug msg="Checking sha .. with Xray ..."
time="2019-04-07T20:49:56Z" level=debug msg="Xray does not recognize this sha"
time="2019-04-07T20:49:56Z" level=debug msg="Ignoring pod: nginx-ingress-controller-84sm2"
```

A network trace indicated that the first call in the above log is `api/v2/componentIdsByChecksum/...` and the second is `api/v2/summary/artifact`.

The first one lands in a 404 and the second one gives a response as below:

```json
{"artifacts":[{........},"issues":[],"licenses":[{"name":"Unknown","full_name":"Unknown license","components":[........]}]}]}
```

kubexray is installed through the latest Helm chart.

We do not have webhooks enabled yet.
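Editor's added example (Go, not kubexray's code and not part of either commenter's post): the decision a scanner has to make from the ConfigMap quoted above. It classifies a `summary/artifact` response, where `issues` and `licenses` are sibling arrays as the reporter observed, into a security or license finding, then applies the per-policy `whitelistNamespaces` list before choosing the deployment or statefulSet action. The struct names, the comma-split handling, treating an `Unknown` license as a license finding, and the JSON inputs are all assumptions constructed for the example; the config values are the ones from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy mirrors one section of the config.yaml posted above (unscanned,
// security, license): an action per workload kind plus a comma-separated
// namespace whitelist. Struct and field names are ours, not kubexray's.
type Policy struct {
	Deployments         string
	StatefulSets        string
	WhitelistNamespaces string
}

// Config groups the three policy sections.
type Config struct {
	Unscanned, Security, License Policy
}

// summary is a minimal model of the api/v2/summary/artifact response quoted
// in the thread: issues and licenses are sibling arrays under each artifact.
// Issue entries are kept raw because the page does not show their fields.
type summary struct {
	Artifacts []struct {
		Issues   []json.RawMessage `json:"issues"`
		Licenses []struct {
			Name     string `json:"name"`
			FullName string `json:"full_name"`
		} `json:"licenses"`
	} `json:"artifacts"`
}

// namespaceWhitelisted splits the comma-separated list and trims each entry,
// so "kube-system, kubexray" still matches "kubexray". Comparing the untrimmed
// entry would silently miss a namespace written with a space after the comma.
func namespaceWhitelisted(list, ns string) bool {
	for _, entry := range strings.Split(list, ",") {
		if strings.TrimSpace(entry) == ns {
			return true
		}
	}
	return false
}

// actionFor returns the policy's action for a workload kind, or "ignore" when
// the pod's namespace is on that policy's own whitelist.
func actionFor(p Policy, kind, ns string) string {
	if namespaceWhitelisted(p.WhitelistNamespaces, ns) {
		return "ignore"
	}
	switch kind {
	case "Deployment":
		return p.Deployments
	case "StatefulSet":
		return p.StatefulSets
	}
	return "ignore"
}

// Decide returns the policy that fired ("unscanned", "security", "license" or
// "clean") and the action. recognized=false models the "Xray does not
// recognize this sha" branch from the log; any issue is a security finding;
// an "Unknown" license is treated as a license finding (our assumption).
func Decide(cfg Config, raw []byte, recognized bool, kind, ns string) (string, string, error) {
	if !recognized {
		return "unscanned", actionFor(cfg.Unscanned, kind, ns), nil
	}
	var s summary
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", "", err
	}
	licenseFinding := false
	for _, a := range s.Artifacts {
		if len(a.Issues) > 0 {
			return "security", actionFor(cfg.Security, kind, ns), nil
		}
		for _, l := range a.Licenses {
			if l.Name == "Unknown" {
				licenseFinding = true
			}
		}
	}
	if licenseFinding {
		return "license", actionFor(cfg.License, kind, ns), nil
	}
	return "clean", "ignore", nil
}

// SampleConfig is the ConfigMap content from the thread as Go literals.
var SampleConfig = Config{
	Unscanned: Policy{"ignore", "ignore", "kube-system,kubexray,ns-cicd"},
	Security:  Policy{"scaledown", "ignore", "kube-system,kubexray"},
	License:   Policy{"scaledown", "ignore", "kube-system,kubexray"},
}

// Constructed responses shaped like the one quoted in the thread.
var (
	LicenseOnlyResponse = []byte(`{"artifacts":[{"issues":[],"licenses":[{"name":"Unknown","full_name":"Unknown license"}]}]}`)
	IssueResponse       = []byte(`{"artifacts":[{"issues":[{"constructed":true}],"licenses":[]}]}`)
)

func main() {
	for _, ns := range []string{"default", "kubexray"} {
		policy, action, err := Decide(SampleConfig, LicenseOnlyResponse, true, "Deployment", ns)
		fmt.Printf("ns=%s policy=%s action=%s err=%v\n", ns, policy, action, err)
	}
}
```

The point to check when a whitelist "is not honored" is that each policy section consults its own list (the `unscanned` list above contains `ns-cicd`, the `security` and `license` lists do not), and that entries survive a stray space after the comma; both are covered by the split-and-trim in `namespaceWhitelisted`.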

ankushchadha commented 5 years ago

api/v2/componentIdsByChecksum/ endpoint is not released yet, hence the other API is a fallback. Will follow up with the Xray team.

We reviewed the code and the whitelistNamespaces should work even for security and license policies. We will try to reproduce the issue. The sample file that we usually use is located at https://github.com/jfrog/charts/blob/master/stable/kubexray/values.yaml