Trivy operator flag insecure not working - failed to verify certificate: x509 #2212

Open
martinaragow opened this issue Aug 1, 2024 · 9 comments · May be fixed by #2228
kind/bug Categorizes issue or PR as related to a bug.
Comments

@martinaragow

What steps did you take and what happened:
I'm using trivy operator behind a proxy that has its own certificate and needs to run with the insecure flag in order to download the policy bundles ignoring the SSL check. I tried the flag policiesBundle.insecure: "true" and it is not working.

Also, the trivy operator is not generating any vulnerability report:

kubectl get vulnerabilityreports --all-namespaces -o wide
No resources found

However, the trivy operator pod and trivy server are both running and the trivy server successfully downloads the DB.

What did you expect to happen:
I expected to ignore the ssl check when downloading the policy bundles and create a vulnerability report for each pod but instead it didn't.

Anything else you would like to add:

Environment variables from trivy-operator pod:
BB_ASH_VERSION='1.36.1'
CONTROLLER_CACHE_SYNC_TIMEOUT='5m'
FUNCNAME=''
HISTFILE='/home/trivyoperator/.ash_history'
HOME='/home/trivyoperator'
HOSTNAME='trivy-operator-67dddb6db-765tx'
HTTPS_PROXY='http://obfuscated:obfuscated'
HTTP_PROXY='http://obfuscated:obfuscated'
IFS='
'
KUBERNETES_PORT='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP_ADDR='10.43.0.1'
KUBERNETES_PORT_443_TCP_PORT='443'
KUBERNETES_PORT_443_TCP_PROTO='tcp'
KUBERNETES_SERVICE_HOST='10.43.0.1'
KUBERNETES_SERVICE_PORT='443'
KUBERNETES_SERVICE_PORT_HTTPS='443'
LINENO=''
NO_PROXY='obfuscated'
OLDPWD='/'
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS='true'
OPERATOR_BATCH_DELETE_DELAY='10s'
OPERATOR_BATCH_DELETE_LIMIT='10'
OPERATOR_BUILT_IN_TRIVY_SERVER='true'
OPERATOR_CACHE_REPORT_TTL='120h'
OPERATOR_CLUSTER_COMPLIANCE_ENABLED='true'
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED='false'
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT='1'
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT='10'
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED='true'
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_EXCLUDE_NAMESPACES=''
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED='true'
OPERATOR_HEALTH_PROBE_BIND_ADDRESS=':9090'
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_LOG_DEV_MODE='false'
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT='false'
OPERATOR_METRICS_BIND_ADDRESS=':8080'
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED='false'
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED='false'
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED='false'
OPERATOR_METRICS_FINDINGS_ENABLED='true'
OPERATOR_METRICS_IMAGE_INFO_ENABLED='false'
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_VULN_ID_ENABLED='false'
OPERATOR_NAMESPACE='trivy-system'
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES='{}'
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_SBOM_GENERATION_ENABLED='true'
OPERATOR_SCANNER_REPORT_TTL='1h'
OPERATOR_SCAN_JOB_RETRY_AFTER='30s'
OPERATOR_SCAN_JOB_TIMEOUT='5m'
OPERATOR_SCAN_JOB_TTL=''
OPERATOR_SEND_DELETED_REPORTS='false'
OPERATOR_SERVICE_ACCOUNT='trivy-operator'
OPERATOR_TARGET_NAMESPACES=''
OPERATOR_TARGET_WORKLOADS='pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job'
OPERATOR_VULNERABILITY_SCANNER_ENABLED='true'
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS=''
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT='30s'
OPERATOR_WEBHOOK_BROADCAST_URL=''
OPTIND='1'
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
PPID='0'
PS1='\w $ '
PS2='> '
PS4='+ '
PWD='/home/trivyoperator'
SHLVL='1'
TERM='xterm'
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION='10h'
TRIVY_SERVICE_PORT='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP_ADDR='10.43.109.224'
TRIVY_SERVICE_PORT_4954_TCP_PORT='4954'
TRIVY_SERVICE_PORT_4954_TCP_PROTO='tcp'
TRIVY_SERVICE_SERVICE_HOST='10.43.109.224'
TRIVY_SERVICE_SERVICE_PORT='4954'
TRIVY_SERVICE_SERVICE_PORT_TRIVY_HTTP='4954'

Logs:
{"level":"error","ts":"2024-08-01T18:53:34Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* Get "https://ghcr.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(*NodeReconciler).SetupWithManager.(*NodeReconciler).reconcileNodes.func5\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/node.go:169\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}
{"level":"error","ts":"2024-08-01T18:53:34Z","msg":"Reconciler error","controller":"node","controllerGroup":"","controllerKind":"Node","Node":{"name":"rhel1"},"namespace":"","name":"rhel1","reconcileID":"176498a2-1a4d-4767-a975-a44f49779732","error":"creating job: no compliance commands found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.22.0
  • Kubernetes version (use kubectl version): -
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): redhat 8
@martinaragow martinaragow added the kind/bug Categorizes issue or PR as related to a bug. label Aug 1, 2024
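The x509 failure in the log above is the operator's TLS client rejecting a certificate whose issuer (here the proxy's own CA) is not in its trust store. As an added example, not code from this issue or from trivy-operator, the Go program below builds a constructed sample "proxy CA" and a ghcr.io leaf signed by it, reproduces "certificate signed by unknown authority" against an empty trust pool, and shows that adding the proxy CA as a trust anchor, rather than disabling verification, makes the same leaf verify.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// sign issues a certificate from tmpl; with parent == nil it is self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { parent, parentKey = tmpl, key }
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// BuildChain constructs a sample "proxy CA" (an assumption, not a real CA) and a ghcr.io leaf it signed.
func BuildChain() (ca, leaf *x509.Certificate) {
	now := time.Now()
	ca, caKey := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Proxy CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{"ghcr.io"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf
}
// VerifyAgainst validates leaf for ghcr.io using only roots as trust anchors: an empty pool yields "x509: certificate signed by unknown authority"; adding the proxy CA fixes it.
func VerifyAgainst(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "ghcr.io"})
	return err
}
// IsUnknownAuthority reports whether err is that specific x509 failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
```

In a cluster the equivalent is mounting the proxy's CA certificate into the operator's trust store so the bundle download verifies; the insecure flag only masks the error.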
@andyalamo

andyalamo commented Aug 1, 2024

I have the same error, but I am testing with the main branch because I saw a commit that fixes the behavior of the insecure flag. Can you help, @chen-keinan?

@tranthang2404 tranthang2404 linked a pull request Aug 14, 2024 that will close this issue

github-actions bot commented Oct 1, 2024

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 1, 2024
@andyalamo

News?

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 11, 2024
@teimyBr

teimyBr commented Oct 25, 2024

Would be very helpful for us.

@Doenerpapst

Same error here. Could you please give us an update on this issue?

@EsDmitrii

Same here

@yannispgs

yannispgs commented Nov 27, 2024

I do encounter this error message using the default value for the Trivy Operator. I also get it when running the trivy k8s command on my cluster, with the DB being successfully downloaded.

EDIT: but I only encounter the "no compliance commands found" error, not the one about the certificate.
{"level":"error","ts":"2024-11-27T15:54:12Z","msg":"Reconciler error","controller":"node","controllerGroup":"","controllerKind":"Node","Node":{"name":"<node_name>"},"namespace":"","name":"<node_name>","reconcileID":"b69bfb0a-8f5c-4ca3-86fc-89d25ca5f2d9","error":"creating job: no compliance commands found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:263\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:224"}

@simar7
Member

simar7 commented Nov 27, 2024

@afdesk can you take a look?

@afdesk
Contributor

afdesk commented Nov 28, 2024

> @afdesk can you take a look?

Yes, sure. I'll take a look at this issue.
It seems there are a few similar problems; I'll try to investigate them next week.

@simar7 simar7 added this to the v0.24.0 milestone Dec 4, 2024