What steps did you take and what happened:
I'm using trivy operator behind a proxy that has its own certificate and needs to run with the insecure flag in order to download the policy bundles ignoring the SSL check. I tried the flag policiesBundle.insecure: "true" and it is not working.
Also, the trivy operator is not generating any vulnerability report:
kubectl get vulnerabilityreports --all-namespaces -o wide
No resources found
However, trivy operator pod and trivy server are both running and the trivy server successfully downloads the db.
What did you expect to happen:
I expected to ignore the ssl check when downloading the policy bundles and create a vulnerability report for each pod but instead it didn't.
I have the same error, but I am testing with the main branch because I saw a commit that fixes the behavior of the insecure flag. Can you help, @chen-keinan?
Anything else you would like to add:
Environment variables from trivy-operator pod:
BB_ASH_VERSION='1.36.1'
CONTROLLER_CACHE_SYNC_TIMEOUT='5m'
FUNCNAME=''
HISTFILE='/home/trivyoperator/.ash_history'
HOME='/home/trivyoperator'
HOSTNAME='trivy-operator-67dddb6db-765tx'
HTTPS_PROXY='http://obfuscated:obfuscated'
HTTP_PROXY='http://obfuscated:obfuscated'
IFS='
'
KUBERNETES_PORT='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP_ADDR='10.43.0.1'
KUBERNETES_PORT_443_TCP_PORT='443'
KUBERNETES_PORT_443_TCP_PROTO='tcp'
KUBERNETES_SERVICE_HOST='10.43.0.1'
KUBERNETES_SERVICE_PORT='443'
KUBERNETES_SERVICE_PORT_HTTPS='443'
LINENO=''
NO_PROXY='obfuscated'
OLDPWD='/'
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS='true'
OPERATOR_BATCH_DELETE_DELAY='10s'
OPERATOR_BATCH_DELETE_LIMIT='10'
OPERATOR_BUILT_IN_TRIVY_SERVER='true'
OPERATOR_CACHE_REPORT_TTL='120h'
OPERATOR_CLUSTER_COMPLIANCE_ENABLED='true'
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED='false'
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT='1'
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT='10'
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED='true'
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_EXCLUDE_NAMESPACES=''
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED='true'
OPERATOR_HEALTH_PROBE_BIND_ADDRESS=':9090'
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_LOG_DEV_MODE='false'
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT='false'
OPERATOR_METRICS_BIND_ADDRESS=':8080'
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED='false'
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED='false'
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED='false'
OPERATOR_METRICS_FINDINGS_ENABLED='true'
OPERATOR_METRICS_IMAGE_INFO_ENABLED='false'
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_VULN_ID_ENABLED='false'
OPERATOR_NAMESPACE='trivy-system'
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES='{}'
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_SBOM_GENERATION_ENABLED='true'
OPERATOR_SCANNER_REPORT_TTL='1h'
OPERATOR_SCAN_JOB_RETRY_AFTER='30s'
OPERATOR_SCAN_JOB_TIMEOUT='5m'
OPERATOR_SCAN_JOB_TTL=''
OPERATOR_SEND_DELETED_REPORTS='false'
OPERATOR_SERVICE_ACCOUNT='trivy-operator'
OPERATOR_TARGET_NAMESPACES=''
OPERATOR_TARGET_WORKLOADS='pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job'
OPERATOR_VULNERABILITY_SCANNER_ENABLED='true'
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS=''
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT='30s'
OPERATOR_WEBHOOK_BROADCAST_URL=''
OPTIND='1'
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
PPID='0'
PS1='\w $ '
PS2='> '
PS4='+ '
PWD='/home/trivyoperator'
SHLVL='1'
TERM='xterm'
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION='10h'
TRIVY_SERVICE_PORT='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP_ADDR='10.43.109.224'
TRIVY_SERVICE_PORT_4954_TCP_PORT='4954'
TRIVY_SERVICE_PORT_4954_TCP_PROTO='tcp'
TRIVY_SERVICE_SERVICE_HOST='10.43.109.224'
TRIVY_SERVICE_SERVICE_PORT='4954'
TRIVY_SERVICE_SERVICE_PORT_TRIVY_HTTP='4954'
Logs:
{"level":"error","ts":"2024-08-01T18:53:34Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* Get "https://ghcr.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(*NodeReconciler).SetupWithManager.(*NodeReconciler).reconcileNodes.func5\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/node.go:169\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}
{"level":"error","ts":"2024-08-01T18:53:34Z","msg":"Reconciler error","controller":"node","controllerGroup":"","controllerKind":"Node","Node":{"name":"rhel1"},"namespace":"","name":"rhel1","reconcileID":"176498a2-1a4d-4767-a975-a44f49779732","error":"creating job: no compliance commands found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}
Environment:
trivy-operator version: 0.22.0
kubectl version: -
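The `x509: certificate signed by unknown authority` error in the log above can be reproduced offline. This is an added example, not code from the issue or from trivy-operator: a local `httptest` TLS server stands in for the TLS-intercepting proxy, and `fetch` and `probe` are hypothetical names. It compares a client whose trust store lacks the proxy CA, one that trusts the proxy CA, and one with verification disabled.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetch performs one GET with the given TLS settings and returns the error, if any.
// The transport sets no Proxy, so HTTPS_PROXY in the environment is not consulted.
func fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// probe returns the outcome of the same request under three trust configurations.
func probe() (untrustedErr, trustedErr, insecureErr error) {
	// Constructed stand-in for the proxy: a server presenting a certificate
	// that no public CA has signed.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "{}")
	}))
	defer srv.Close()

	// 1. Trust store without the proxy CA (an empty pool stands in for it).
	untrustedErr = fetch(srv.URL, &tls.Config{RootCAs: x509.NewCertPool()})

	// 2. Proxy CA added to the trust store: verification stays on and passes.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	trustedErr = fetch(srv.URL, &tls.Config{RootCAs: pool})

	// 3. Verification off: the request passes, but so would any certificate.
	insecureErr = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	return
}

func main() {
	u, t, i := probe()
	fmt.Println("proxy CA not trusted:", u)
	fmt.Println("proxy CA trusted:    ", t)
	fmt.Println("verification off:    ", i)
}
```

Cases 2 and 3 both let the download through, but only case 2 still rejects a certificate from an unexpected issuer.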