
workloadconfigurationscans not Generating after Reinstalling #607

Open
AdonisOkpidi opened this issue Jan 30, 2025 · 24 comments
Assignees
Labels
bug Something isn't working

Comments

@AdonisOkpidi

AdonisOkpidi commented Jan 30, 2025

Overview

Reinstalled kubescape to ensure the reports are created/updated effectively when testing scheduled scanning. However, the kubescape pod log contains errors (air-gap only) and reports are not generating, with "no resources found" (air-gap and non-air-gap environments) when retrieving using `kubectl get workloadconfigurationscans -A`.

In AKS (air-gapped environment) the errors focus on failure to download policies and host scanner errors (no reports generated). In GKE, frameworks are pulled successfully and the host scanner is installed successfully. However, the reports are not generated.

AKS (Air Gapped Environment)

Failure to download policies and Host scanner

Using default frameworks scan logs

Image

AKS filtered framework scan logs

Image

GKE (non Air Gapped Environment)

Frameworks are pulled successfully and the host scanner is installed successfully. However, the reports are not generated: 'no resources found'.

Image

No Resources Found

Image

@AdonisOkpidi AdonisOkpidi added the bug Something isn't working label Jan 30, 2025
@AdonisOkpidi
Author

Hello @matthyx, can you help with this please.

Did anything change, as I can't access the policies in the air-gapped env? I have the KS_OFFLINE variable enabled as you instructed, but it seems to not download successfully since a reinstall?

For GKE the scans seem to work but reports are not generated?

@matthyx
Contributor

matthyx commented Jan 31, 2025

> Hello @matthyx, can you help with this please.
>
> Did anything change, as I can't access the policies in the air-gapped env? I have the KS_OFFLINE variable enabled as you instructed, but it seems to not download successfully since a reinstall?
>
> For GKE the scans seem to work but reports are not generated?

How did you reinstall kubescape-operator? Can you share the command used and/or the content of the ks-cloud-config ConfigMap?

@AdonisOkpidi
Author

I uninstalled then reinstalled using `helm upgrade --install kubescape Documents/Projects/dh/helm-charts/charts/kubescape-operator/ -n kubescape -f Documents/Projects/dh/helm-charts/charts/kubescape-operator/values.yaml`

ks-cloud-config

Image

@AdonisOkpidi
Author

Here is another example of the kubescape-scheduler log when a scheduled scan request is posted.

Image

@matthyx
Contributor

matthyx commented Jan 31, 2025

so this was broken in 1.25.3?
I think this is maybe the cause 3ef02bf

@AdonisOkpidi
Author

I think that's correct! I reverted to 1.25.0 and everything is back to normal now. The air-gapped environment is now pulling the policies and reports are generated, and the non-air-gap environment is now generating reports with `kubectl get workloadconfigurationscans -A`.

@matthyx
Contributor

matthyx commented Jan 31, 2025

ok thanks for checking, sorry for that mess, I will try to solve that next week

@AdonisOkpidi
Author

No worries at all. I appreciate you jumping in! :)

@matthyx
Contributor

matthyx commented Feb 3, 2025

@AdonisOkpidi I have just tried the latest helm on a kind cluster (not air gap):

```sh
helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.continuousScan=enable
```

After a few minutes I get some results:

```
kubectl get workloadconfigurationscans -A
NAMESPACE            NAME                                                    CREATED AT
local-path-storage   serviceaccount-default                                  2025-02-03T14:56:57Z
local-path-storage   serviceaccount-local-path-provisioner-service-account   2025-02-03T14:56:57Z
local-path-storage   configmap-local-path-config                             2025-02-03T14:56:57Z
local-path-storage   configmap-kube-root-ca.crt                              2025-02-03T14:56:58Z
local-path-storage   deployment-local-path-provisioner                       2025-02-03T14:56:59Z
```

@matthyx
Contributor

matthyx commented Feb 3, 2025

I am going to check air gapped soon...

@matthyx
Contributor

matthyx commented Feb 3, 2025

Indeed, seems like I have an issue:

```json
{"level":"error","ts":"2025-02-03T16:38:26Z","msg":"scanning failed","ID":"87c50ae7-4221-4858-a511-130f34456b1e","error":"failed to scan. reason: 'framework: security: framework from file not matching'"}
```

@AdonisOkpidi
Author

> @AdonisOkpidi I have just tried the latest helm on a kind cluster (not air gap):
>
> ```sh
> helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName=`kubectl config current-context` --set capabilities.continuousScan=enable
> ```
>
> After a few minutes I get some results:
>
> ```
> kubectl get workloadconfigurationscans -A
> NAMESPACE            NAME                                                    CREATED AT
> local-path-storage   serviceaccount-default                                  2025-02-03T14:56:57Z
> local-path-storage   serviceaccount-local-path-provisioner-service-account   2025-02-03T14:56:57Z
> local-path-storage   configmap-local-path-config                             2025-02-03T14:56:57Z
> local-path-storage   configmap-kube-root-ca.crt                              2025-02-03T14:56:58Z
> local-path-storage   deployment-local-path-provisioner                       2025-02-03T14:56:59Z
> ```

Interesting! Just to confirm, this was using 1.25.3?

@matthyx
Contributor

matthyx commented Feb 3, 2025 via email

@matthyx
Contributor

matthyx commented Feb 3, 2025

@AdonisOkpidi I think I've found what I missed in the chart... can you try to set KS_OFFLINE="true" in the deployment's env for kubescape?
If that works, I will prepare a proper capability in the next chart release.

@matthyx matthyx moved this to Triage in Kubescaping Feb 3, 2025
@AdonisOkpidi
Author

Non Air Gap Environment

This seems to work now in 1.25.4

Image

Image

I am getting errors scanning GCR images. Is the ACCOUNT_ID compulsory in this script when setting this up? https://hub.armosec.io/recipes/setup-gcp-iam-authorization-for-in-cluster-installation-of-kubescape-in-gke-1

@matthyx matthyx self-assigned this Feb 4, 2025
@matthyx matthyx moved this from Triage to High Priority in Kubescaping Feb 4, 2025
@matthyx
Contributor

matthyx commented Feb 4, 2025

> I am getting errors scanning GCR images. Is the ACCOUNT_ID compulsory in this script when setting this up? https://hub.armosec.io/recipes/setup-gcp-iam-authorization-for-in-cluster-installation-of-kubescape-in-gke-1

The script is stupid, you don't need to set the ACCOUNT_ID - just make sure you have the proper helm command at the end.

@AdonisOkpidi
Author

> I am getting errors scanning GCR images. Is the ACCOUNT_ID compulsory in this script when setting this up? https://hub.armosec.io/recipes/setup-gcp-iam-authorization-for-in-cluster-installation-of-kubescape-in-gke-1
>
> The script is stupid, you don't need to set the ACCOUNT_ID - just make sure you have the proper helm command at the end.

Thanks! I will give this a try and let you know if there are any issues.

@AdonisOkpidi
Author

AdonisOkpidi commented Feb 4, 2025

Air Gapped Environment

I have the KS_OFFLINE variable set to True in the kubescape pod using the 1.25.4 release, but it seems to be the same issue.

Image

Image

Bumped the kubescape version; same result.

Image

@matthyx
Contributor

matthyx commented Feb 4, 2025

@AdonisOkpidi can you check that you actually set these 2 parameters?

```sh
--set grypeOfflineDB.enabled=true --set grypeOfflineDB.image.tag=latest
```

@matthyx
Contributor

matthyx commented Feb 4, 2025

This is ninja scripting to enable the offline mode... I promise I will add soon a capability and some docs.

@AdonisOkpidi
Author

Enabling grypeOfflineDB and image.tag seems to do the trick :).

Question: seeing this worked in 1.25.0 in offline mode anyway, with grype.anchore.io and toolbox-data.anchore.io whitelisted, why is enabling it in this version necessary?

I have noticed that although this seems to work, some of the node-agents are crashing unusually, but the logs have no errors. I will look into it tomorrow and feed back any details.

@matthyx
Contributor

matthyx commented Feb 5, 2025

That's because of this condition that I've added:

```yaml
{{- if and .Values.grypeOfflineDB.enabled (eq .Values.grypeOfflineDB.image.tag "latest") }}
```

As I said, I will make an offline capability in the next release (which could happen today).

For node-agents, do you see OOMKills maybe?
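As an added example, not code from the kubescape project or from either participant in this thread, the POSIX shell script below checks the two offline settings the thread converges on against artifacts you can pull from a cluster: the `KS_OFFLINE` environment variable on the kubescape Deployment, and the `grypeOfflineDB.enabled` / `grypeOfflineDB.image.tag=latest` pair that the chart condition above requires before the offline grype DB is rendered. It also triages kubescape log lines for the `scanning failed` error quoted earlier. The Deployment excerpt, the flattened values list and all log lines other than the one quoted from the thread are constructed sample input, the image reference is a placeholder, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the kubescape project or this thread's participants):
# verify an air-gapped kubescape-operator install carries the offline settings
# discussed above, and triage kubescape log lines for scan failures.

# Constructed excerpt of a rendered kubescape Deployment, the shape you would get
# from `helm template` or `kubectl -n kubescape get deploy kubescape -o yaml`.
# The container image is a placeholder, not a real reference.
RENDERED_DEPLOYMENT=$(cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubescape
  namespace: kubescape
spec:
  template:
    spec:
      containers:
      - name: kubescape
        image: PLACEHOLDER_REGISTRY/kubescape:PLACEHOLDER_TAG
        env:
        - name: KS_OFFLINE
          value: "true"
EOF
)

# Constructed flattened values, as the two --set flags from the thread would produce.
HELM_VALUES=$(cat <<'EOF'
grypeOfflineDB.enabled=true
grypeOfflineDB.image.tag=latest
EOF
)

# Constructed log sample: the second line is the error quoted in the thread,
# the other two are made up so the filter has something to skip.
SAMPLE_LOGS=$(cat <<'EOF'
{"level":"info","ts":"2025-02-03T16:38:20Z","msg":"scan started","ID":"87c50ae7-4221-4858-a511-130f34456b1e"}
{"level":"error","ts":"2025-02-03T16:38:26Z","msg":"scanning failed","ID":"87c50ae7-4221-4858-a511-130f34456b1e","error":"failed to scan. reason: 'framework: security: framework from file not matching'"}
{"level":"error","ts":"2025-02-03T16:38:30Z","msg":"failed to post report","error":"connection refused"}
EOF
)

# Exit 0 if the kubescape container's env sets KS_OFFLINE to true, 1 otherwise.
# A two-state awk scan: remember the `- name: KS_OFFLINE` line, then inspect the
# `value:` line that follows it.
ks_offline_env_set() {
  printf '%s\n' "$1" | awk '
    /- name: *KS_OFFLINE *$/ { want = 1; next }
    want && /value:/         { if ($0 ~ /"?true"?/) found = 1; want = 0 }
    END                      { exit (found ? 0 : 1) }'
}

# Mirrors the chart condition quoted above:
#   and .Values.grypeOfflineDB.enabled (eq .Values.grypeOfflineDB.image.tag "latest")
# Exit 0 only when both hold, i.e. only then is the offline grype DB rendered.
grype_offline_db_active() {
  enabled=$(printf '%s\n' "$1" | sed -n 's/^grypeOfflineDB\.enabled=//p')
  tag=$(printf '%s\n' "$1" | sed -n 's/^grypeOfflineDB\.image\.tag=//p')
  [ "$enabled" = "true" ] && [ "$tag" = "latest" ]
}

# Number of error-level "scanning failed" entries in a kubescape log excerpt.
# grep -c exits 1 when the count is 0, so the status is normalised for callers.
count_scan_failures() {
  printf '%s\n' "$1" | grep -c '"level":"error".*"msg":"scanning failed"' || true
}

# The "error" field of each "scanning failed" entry, one per line.
scan_failure_reasons() {
  printf '%s\n' "$1" | sed -n 's/.*"msg":"scanning failed".*"error":"\([^"]*\)".*/\1/p'
}

# Human-readable summary of the three checks against the constructed inputs.
report() {
  if ks_offline_env_set "$RENDERED_DEPLOYMENT"; then
    echo "ok   kubescape Deployment sets KS_OFFLINE=true"
  else
    echo "FAIL kubescape Deployment does not set KS_OFFLINE=true"
  fi
  if grype_offline_db_active "$HELM_VALUES"; then
    echo "ok   grypeOfflineDB.enabled=true with image.tag=latest (offline DB rendered)"
  else
    echo "FAIL grypeOfflineDB.enabled and grypeOfflineDB.image.tag=latest must both be set"
  fi
  echo "scan failures in log: $(count_scan_failures "$SAMPLE_LOGS")"
  scan_failure_reasons "$SAMPLE_LOGS" | sed 's/^/  reason: /'
}

report
```

Against a live cluster the same functions take `helm template` or `kubectl get deploy -o yaml` output for the Deployment, `helm get values --all` flattened to `key=value` lines for the values, and `kubectl -n kubescape logs deploy/kubescape` for the log excerpt; the checks themselves do not change.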

@AdonisOkpidi
Author

Awesome! Looking forward to the update :)

That's correct. It is an OOMKill for the nodes! I have now increased the memory and this is resolved.

I am currently trying to authenticate with GKE and it seems the install is using parameters specific to kubescape/kubescape-cloud-operator (deprecated): https://hub.armosec.io/recipes/setup-gcp-iam-authorization-for-in-cluster-installation-of-kubescape-in-gke-1. I have added the service account created to

but it doesn't seem to make any difference with scans. I will test again tomorrow in case I am missing anything.

@matthyx
Contributor

matthyx commented Feb 5, 2025

I am not sure how the whole authentication works... help @dwertent !
In the meantime we have a new parameter in the latest chart:

```yaml
kubescapeOffline: disable
```
