No Failed CIS Reports or InfraAssessmentReports #2144

MWiedmer · 2024-06-17T07:31:27Z

MWiedmer
Jun 17, 2024

My issue is similar to No warnings or failed cis benchmarks #1306 but the workarounds (using default values, deleting all crd and reinstalling, etc) did not work for me.

The vulnerability scans work fine, however the operator does not generate any InfraAssessmentReport despite it being enabled in the config.

trivy-operator is being installed through helm (helm chart version 0.21.4). the resulting config-map is as follows

  CONTROLLER_CACHE_SYNC_TIMEOUT: 5m 
  OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true"
  OPERATOR_BATCH_DELETE_DELAY: 10s
  OPERATOR_BATCH_DELETE_LIMIT: "10"
  OPERATOR_BUILT_IN_TRIVY_SERVER: "false"
  OPERATOR_CACHE_REPORT_TTL: 120h
  OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "true"
  OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false"
  OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1"
  OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "4"
  OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true"
  OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
  OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true"
  OPERATOR_HEALTH_PROBE_BIND_ADDRESS: :9090
  OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "true"
  OPERATOR_LOG_DEV_MODE: "false"
  OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false"
  OPERATOR_METRICS_BIND_ADDRESS: :8080
  OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "true"
  OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "true"
  OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false"
  OPERATOR_METRICS_FINDINGS_ENABLED: "true"
  OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false"
  OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false"
  OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false"
  OPERATOR_METRICS_VULN_ID_ENABLED: "true"
  OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: '{}'
  OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true"
  OPERATOR_SBOM_GENERATION_ENABLED: "true"
  OPERATOR_SCAN_JOB_RETRY_AFTER: 30s
  OPERATOR_SCAN_JOB_TIMEOUT: 5m
  OPERATOR_SCAN_JOB_TTL: ""
  OPERATOR_SCANNER_REPORT_TTL: 24h
  OPERATOR_SEND_DELETED_REPORTS: "false"
  OPERATOR_VULNERABILITY_SCANNER_ENABLED: "true"
  OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
  OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: 30s
  OPERATOR_WEBHOOK_BROADCAST_URL: ""
  TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: 10h

when we check for InfraAssessmentReports we get nothing

$ kubectl get infraassessmentreports -A
No resources found

probably as a result of that, I don't have any failed checks in the cis report:
kubectl get clustercompliancereports cis -oyaml

   ...
    title: CIS Kubernetes Benchmarks v1.23
    version: "1.0"
  summary:
    passCount: 116
  updateTimestamp: "2024-06-17T07:00:00Z"

am I missing something?

Environment:
Trivy-Operator (HELM Chart version): 0.27.4
Kubernetes version: v1.27.5+vmware.1

Answered by chen-keinan

Jun 17, 2024

@MWiedmer can you please uninstall this version and re-install helm v0.23.3 there an important patch in this regards with latest release.
also delete all CRDs :

    kubectl delete crd vulnerabilityreports.aquasecurity.github.io
    kubectl delete crd exposedsecretreports.aquasecurity.github.io
    kubectl delete crd configauditreports.aquasecurity.github.io
    kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
    kubectl delete crd rbacassessmentreports.aquasecurity.github.io
    kubectl delete crd infraassessmentreports.aquasecurity.github.io
    kubectl delete crd clusterrbacassessmentreports.aquasecurity.github.io
    kubectl delete crd clustercompliancereports.aquas…

View full answer

chen-keinan · 2024-06-17T07:47:50Z

chen-keinan
Jun 17, 2024

@MWiedmer can you please uninstall this version and re-install helm v0.23.3 there an important patch in this regards with latest release.
also delete all CRDs :

    kubectl delete crd vulnerabilityreports.aquasecurity.github.io
    kubectl delete crd exposedsecretreports.aquasecurity.github.io
    kubectl delete crd configauditreports.aquasecurity.github.io
    kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
    kubectl delete crd rbacassessmentreports.aquasecurity.github.io
    kubectl delete crd infraassessmentreports.aquasecurity.github.io
    kubectl delete crd clusterrbacassessmentreports.aquasecurity.github.io
    kubectl delete crd clustercompliancereports.aquasecurity.github.io
    kubectl delete crd clusterinfraassessmentreports.aquasecurity.github.io
    kubectl delete crd sbomreports.aquasecurity.github.io
    kubectl delete crd clustersbomreports.aquasecurity.github.io
    kubectl delete crd clustervulnerabilityreports.aquasecurity.github.io

Install helm v0.23.3

1 reply

MWiedmer Jun 17, 2024
Author

thank you for your quick reply. It seems I made a mix up between helm chart version and app version (and a typo in the issue on top of that)
I had helm chart version 0.21.3 installed, instead of app version. I uninstalled all, deleted the CRD as suggested and reinstalled with helm chart version v0.23.03.

Now I get the expected compliance fails in the CIS Report.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No Failed CIS Reports or InfraAssessmentReports #2144

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

No Failed CIS Reports or InfraAssessmentReports #2144

MWiedmer Jun 17, 2024

Replies: 1 comment · 1 reply

chen-keinan Jun 17, 2024

MWiedmer Jun 17, 2024 Author

MWiedmer
Jun 17, 2024

Replies: 1 comment 1 reply

chen-keinan
Jun 17, 2024

MWiedmer Jun 17, 2024
Author