
feat(k8s): improve artifact selections for specific namespaces #8248


Merged (14 commits), Jan 29, 2025

Conversation

@afdesk (Contributor) commented Jan 15, 2025

Description

This PR improves selections of Kubernetes artifacts for users with limited credentials.
Now Trivy can receive resources only for included namespaces.

$ trivy k8s --report summary --kubeconfig myconfig mycontext --include-namespaces rbac-test

Before:

2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=deployments - deployments.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=pods - pods is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=replicasets - replicasets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"replicasets\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=replicationcontrollers - replicationcontrollers is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"replicationcontrollers\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=statefulsets - statefulsets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"statefulsets\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=daemonsets - daemonsets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"daemonsets\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: batch/v1, Resource=cronjobs - cronjobs.batch is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"cronjobs\" in API group \"batch\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: batch/v1, Resource=jobs - jobs.batch is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"jobs\" in API group \"batch\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=services - services is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"services\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=serviceaccounts - serviceaccounts is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=configmaps - configmaps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"configmaps\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"roles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=rolebindings - rolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"rolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: networking.k8s.io/v1, Resource=networkpolicies - networkpolicies.networking.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"networkpolicies\" in API group \"networking.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: networking.k8s.io/v1, Resource=ingresses - ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"ingresses\" in API group \"networking.k8s.io\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=resourcequotas - resourcequotas is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"resourcequotas\" in API group \"\" at the cluster scope"
2025-01-27T12:06:59+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=limitranges - limitranges is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"limitranges\" in API group \"\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterroles - clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterrolebindings - clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=nodes - nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list node resources   error="nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2025-01-27T12:07:00+06:00       INFO    Node scanning is enabled
2025-01-27T12:07:00+06:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-01-27T12:07:00+06:00       INFO    Scanning K8s... K8s="mycontext"
0 [________________________________________________________________________________________________________________________________________________________________________________________] ?% ? p/s
Summary Report for mycontext


Workload Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


RBAC Assessment
┌───────────┬──────────┬───────────────────┐
│ Namespace │ Resource │  RBAC Assessment  │
│           │          ├───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

After:

2025-01-27T12:17:11+06:00       INFO    Node scanning is enabled
2025-01-27T12:17:11+06:00       INFO    If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-01-27T12:17:11+06:00       INFO    Scanning K8s... K8s="mycontext"
5 / 5 [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s

Summary Report for mycontext


Workload Assessment
┌───────────┬───────────────────────┬──────────────────────┬────────────────────┬───────────────────┐
│ Namespace │       Resource        │   Vulnerabilities    │ Misconfigurations  │      Secrets      │
│           │                       ├───┬────┬────┬────┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│           │                       │ C │ H  │ M  │ L  │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├───────────┼───────────────────────┼───┼────┼────┼────┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ rbac-test │ Pod/my-multiimage-pod │ 2 │ 26 │ 77 │ 99 │ 1 │   │ 3 │ 8 │ 18 │   │   │   │   │   │   │
└───────────┴───────────────────────┴───┴────┴────┴────┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


Infra Assessment
┌───────────┬──────────┬───────────────────┬───────────────────┬───────────────────┐
│ Namespace │ Resource │  Vulnerabilities  │ Misconfigurations │      Secrets      │
│           │          ├───┬───┬───┬───┬───┼───┬───┬───┬───┬───┼───┬───┬───┬───┬───┤
│           │          │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN


RBAC Assessment
┌───────────┬───────────────────┬───────────────────┐
│ Namespace │     Resource      │  RBAC Assessment  │
│           │                   ├───┬───┬───┬───┬───┤
│           │                   │ C │ H │ M │ L │ U │
├───────────┼───────────────────┼───┼───┼───┼───┼───┤
│ rbac-test │ Role/limited-role │ 2 │   │   │   │   │
└───────────┴───────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Testing

A use case was added here (6e690b9) and the tests broke as expected.
After trivy-kubernetes was updated to the latest version (2859ad3), this test case now passes.

Documentation

The following parts were added:
[image]
[image]

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
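The "Before" log above is, read the other way round, a list of the namespaced resources a limited scanning user must be allowed to list. The script below is an added example, not code from this PR or from Trivy: it extracts the `<apiGroup> <resource>` pairs from log lines in that format, drops the kinds a namespaced Role can never grant (nodes, clusterroles, clusterrolebindings, the three cluster-scoped kinds that appear in the log), and prints a Role plus RoleBinding for one namespace so that `trivy k8s --include-namespaces <ns>` can run with a Role instead of a ClusterRole, as the PR enables. The verbs `get` and `list`, the Role name `trivy-scan` and the sample log lines are assumptions and constructed input, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or from Trivy itself.
# Derives the namespaced resources a limited Trivy user needs from the
# "Before" error log and prints a Role/RoleBinding that grants exactly those
# in one namespace. Assumptions (not stated on the page): verbs "get" and
# "list" are sufficient; Role/ServiceAccount names are placeholders.
set -eu

# Constructed sample: four lines in the format of the PR's "Before" log.
SAMPLE_LOG='2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=deployments - deployments.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=pods - pods is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
2025-01-27T12:06:58+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: apps/v1, Resource=replicasets - replicasets.apps is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"replicasets\" in API group \"apps\" at the cluster scope"
2025-01-27T12:07:00+06:00       ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=nodes - nodes is forbidden: User \"system:serviceaccount:default:limiteduser\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"'

# stdin: Trivy error log. stdout: one "<apiGroup> <resource>" pair per line;
# the core API group (empty string in the log) is written as "core".
forbidden_gvrs() {
  sed -n 's/.*cannot list resource \\"\([^\\]*\)\\" in API group \\"\([^\\]*\)\\".*/\2 \1/p' |
    sed 's/^ /core /'
}

# stdin: "<apiGroup> <resource>" pairs. Prints a Role for namespace $1 bound to
# ServiceAccount $2. Cluster-scoped kinds seen in the log (nodes, clusterroles,
# clusterrolebindings) are dropped: a namespaced Role cannot grant them, so
# those parts of the scan stay unavailable to a Role-only user.
role_manifest() {
  ns="$1"; sa="$2"
  awk -v ns="$ns" -v sa="$sa" '
    $2 == "nodes" || $2 == "clusterroles" || $2 == "clusterrolebindings" { next }
    {
      if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }   # keep first-seen group order
      res[$1] = res[$1] (res[$1] == "" ? "" : ", ") "\"" $2 "\""
    }
    END {
      print "apiVersion: rbac.authorization.k8s.io/v1"
      print "kind: Role"
      print "metadata:"
      print "  name: trivy-scan"
      print "  namespace: " ns
      print "rules:"
      for (i = 1; i <= n; i++) {
        g = (order[i] == "core") ? "" : order[i]
        printf "  - apiGroups: [\"%s\"]\n", g
        printf "    resources: [%s]\n", res[order[i]]
        print  "    verbs: [\"get\", \"list\"]"
      }
      print "---"
      print "apiVersion: rbac.authorization.k8s.io/v1"
      print "kind: RoleBinding"
      print "metadata:"
      print "  name: trivy-scan"
      print "  namespace: " ns
      print "subjects:"
      print "  - kind: ServiceAccount"
      print "    name: " sa
      print "    namespace: " ns
      print "roleRef:"
      print "  kind: Role"
      print "  name: trivy-scan"
      print "  apiGroup: rbac.authorization.k8s.io"
    }'
}

# Stand-alone run: manifest for the sample log, namespace rbac-test.
printf '%s\n' "$SAMPLE_LOG" | forbidden_gvrs | role_manifest rbac-test limiteduser
```

Feed the full "Before" log to `forbidden_gvrs` to get the complete namespaced set (deployments, pods, replicasets, replicationcontrollers, statefulsets, daemonsets, cronjobs, jobs, services, serviceaccounts, configmaps, roles, rolebindings, networkpolicies, ingresses, resourcequotas, limitranges). After `kubectl apply -f` of the output, `kubectl auth can-i list pods -n rbac-test --as=system:serviceaccount:rbac-test:limiteduser` confirms the grant before running the scan. Because nodes are among the dropped cluster-scoped kinds, a Role-only user still cannot list them; the INFO line in the log points to `--disable-node-collector` for that case.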


@simar7 (Member) commented Jan 20, 2025

Really strange this PR has no changes? 🫨 I wonder what happened.

@afdesk (Contributor, Author) commented Jan 21, 2025

Really strange this PR has no changes? 🫨 I wonder what happened.

It's a draft. I'm preparing test cases first, and then I'll update the docs and trivy-kubernetes.

@afdesk afdesk requested a review from simar7 January 24, 2025 12:41
# Conflicts:
#	go.mod
#	go.sum
@afdesk afdesk changed the title chore(k8s): improve artifact selections chore(k8s): improve artifact selections for specific namespaces Jan 27, 2025
@afdesk afdesk marked this pull request as ready for review January 27, 2025 06:20
@afdesk afdesk requested a review from knqyf263 as a code owner January 27, 2025 06:20
@afdesk (Contributor, Author) commented Jan 27, 2025

@simar7 @knqyf263
this PR is ready for your review
could you please take a look when you have time? thanks!

@knqyf263 (Collaborator) commented

@simar7 You are now also maintaining the K8s area, right? Should we update the code owners?

trivy/.github/CODEOWNERS

Lines 17 to 22 in cc66d6d

# Helm chart
helm/trivy/ @afdesk
# Kubernetes scanning
pkg/k8s/ @afdesk
docs/docs/target/kubernetes.md @afdesk

@simar7 (Member) commented Jan 28, 2025

@simar7 You are now also maintaining the K8s area, right? Should we update the code owners?

trivy/.github/CODEOWNERS

Lines 17 to 22 in cc66d6d

# Helm chart
helm/trivy/ @afdesk
# Kubernetes scanning
pkg/k8s/ @afdesk
docs/docs/target/kubernetes.md @afdesk

Yes, we should add myself to it.

@knqyf263 (Collaborator) commented

OK, done #8303

# Conflicts:
#	go.mod
#	go.sum
afdesk and others added 2 commits January 29, 2025 13:21

Co-authored-by: simar7 <[email protected]>

Co-authored-by: simar7 <[email protected]>
@afdesk (Contributor, Author) commented Jan 29, 2025

@knqyf263 do you mind if we merge this PR? thanks

@knqyf263 knqyf263 added this pull request to the merge queue Jan 29, 2025
@knqyf263 knqyf263 removed this pull request from the merge queue due to a manual request Jan 29, 2025
@knqyf263 (Collaborator) commented

@afdesk One comment: isn't it a feature enhancement or bug fix? We might want to update the PR title. It looks like an enhancement to me, but if you don't think so, please feel free to merge this.

@afdesk afdesk changed the title chore(k8s): improve artifact selections for specific namespaces feat(k8s): improve artifact selections for specific namespaces Jan 29, 2025
@afdesk (Contributor, Author) commented Jan 29, 2025

@knqyf263 thanks a lot! you're right!
Now we can use Role instead of ClusterRole for scanning, so it looks like a feature.
I'll add it to the release notes

@afdesk afdesk added this pull request to the merge queue Jan 29, 2025
Merged via the queue into aquasecurity:main with commit db9e57a Jan 29, 2025
18 checks passed
@afdesk afdesk deleted the chore/update-k8s branch January 29, 2025 08:34
@afdesk afdesk added this to the v0.59.0 milestone Jan 30, 2025
RingoDev pushed a commit to RingoDev/trivy that referenced this pull request Feb 26, 2025

…ecurity#8248)

Co-authored-by: simar7 <[email protected]>