K8s cluster scan with NoSchedule toleration specified fails because tolerationSeconds is set

[chen-keinan]

Discussed in #5346

^{Originally posted by gnadaban October 6, 2023}

Description

Hello. I'm trying to do cluster scanning where some nodes have a CriticalAddonsOnly taint with NoSchedule effect.

# trivy k8s -f table --tolerations "key1=CriticalAddonsOnly:NoSchedule" --ignore-unfixed --report all cluster
2023-10-06T13:30:53.735-0400    FATAL   get k8s artifacts with node info error: running node-collector job: Job.batch "node-collector-7d758c9878" is invalid: spec.template.spec.tolerations[0].effect: Invalid value: "NoSchedule": effect must be 'NoExecute' when `tolerationSeconds` is set

It appears that the toleration seconds is always set here even though it should not be for NoSchedule effects.

Desired Behavior

The scanning of nodes with tolerated taints should successfully complete.

Actual Behavior

Failing due to error.

Reproduction Steps

1.Create a cluster with some nodes that have CriticalAddonsOnly:NoSchedule taints
2. Run `trivy k8s -f table --tolerations "key1=CriticalAddonsOnly:NoSchedule" --ignore-unfixed --report all cluster`

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2023-10-06T13:36:30.328-0400    DEBUG   Severities: ["MEDIUM" "HIGH" "CRITICAL"]
2023-10-06T13:36:30.329-0400    DEBUG   Ignore statuses {"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-10-06T13:36:38.614-0400    FATAL   get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:34
  - running node-collector job: Job.batch "node-collector-7d758c9878" is invalid: spec.template.spec.tolerations[0].effect: Invalid value: "NoSchedule": effect must be 'NoExecute' when `tolerationSeconds` is set

Operating System

macOS Ventura 13.6

Version

Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-06 12:21:25.448657861 +0000 UTC
  NextUpdate: 2023-10-06 18:21:25.448657461 +0000 UTC
  DownloadedAt: 2023-10-06 15:01:43.985294 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-05 00:54:53.57111501 +0000 UTC
  NextUpdate: 2023-10-08 00:54:53.57111451 +0000 UTC
  DownloadedAt: 2023-10-05 15:03:53.68674 +0000 UTC
Policy Bundle:
  Digest: sha256:24b38cdf646f0e5becf55a709ae9a3c4e819a348c28990cec0b6aabe4637d8b1
  DownloadedAt: 2023-10-06 15:01:44.795995 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting