Trivy operator flag insecure not working - failed to verify certificate: x509 #2212
Comments
I have the same error, but I am testing with the main branch because I saw a commit that fixes the behavior of the insecure flag, can you help @chen-keinan ?
This issue is stale because it has been labeled with inactivity.
News?
would be very helpful for us
Same error here. Could you please give us an update to this issue?
Same here
I do encounter this error message using the default value for the Trivy Operator. I also get it when running the EDIT: but I only encounter the "no compliance commands found" error, not the one about the certificate.
@afdesk can you take a look?
yes, sure. I'll take a look at this issue.
What steps did you take and what happened:
I'm using trivy operator behind a proxy that has its own certificate and needs to run with the insecure flag in order to download the policy bundles ignoring the SSL check. I tried the flag policiesBundle.insecure: "true" and it is not working.
Also, the trivy operator is not generating any vulnerability report:
However, trivy operator pod and trivy server are both running and the trivy server successfully downloads the db
What did you expect to happen:
I expected it to ignore the SSL check when downloading the policy bundles and create a vulnerability report for each pod, but instead it didn't.
Anything else you would like to add:
Environment variables from trivy-operator pod:
BB_ASH_VERSION='1.36.1'
CONTROLLER_CACHE_SYNC_TIMEOUT='5m'
FUNCNAME=''
HISTFILE='/home/trivyoperator/.ash_history'
HOME='/home/trivyoperator'
HOSTNAME='trivy-operator-67dddb6db-765tx'
HTTPS_PROXY='http://obfuscated:obfuscated'
HTTP_PROXY='http://obfuscated:obfuscated'
IFS='
'
KUBERNETES_PORT='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP='tcp://10.43.0.1:443'
KUBERNETES_PORT_443_TCP_ADDR='10.43.0.1'
KUBERNETES_PORT_443_TCP_PORT='443'
KUBERNETES_PORT_443_TCP_PROTO='tcp'
KUBERNETES_SERVICE_HOST='10.43.0.1'
KUBERNETES_SERVICE_PORT='443'
KUBERNETES_SERVICE_PORT_HTTPS='443'
LINENO=''
NO_PROXY='obfuscated'
OLDPWD='/'
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS='true'
OPERATOR_BATCH_DELETE_DELAY='10s'
OPERATOR_BATCH_DELETE_LIMIT='10'
OPERATOR_BUILT_IN_TRIVY_SERVER='true'
OPERATOR_CACHE_REPORT_TTL='120h'
OPERATOR_CLUSTER_COMPLIANCE_ENABLED='true'
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED='false'
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT='1'
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT='10'
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED='true'
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_EXCLUDE_NAMESPACES=''
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED='true'
OPERATOR_HEALTH_PROBE_BIND_ADDRESS=':9090'
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_LOG_DEV_MODE='false'
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT='false'
OPERATOR_METRICS_BIND_ADDRESS=':8080'
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED='false'
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED='false'
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED='false'
OPERATOR_METRICS_FINDINGS_ENABLED='true'
OPERATOR_METRICS_IMAGE_INFO_ENABLED='false'
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED='false'
OPERATOR_METRICS_VULN_ID_ENABLED='false'
OPERATOR_NAMESPACE='trivy-system'
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES='{}'
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED='true'
OPERATOR_SBOM_GENERATION_ENABLED='true'
OPERATOR_SCANNER_REPORT_TTL='1h'
OPERATOR_SCAN_JOB_RETRY_AFTER='30s'
OPERATOR_SCAN_JOB_TIMEOUT='5m'
OPERATOR_SCAN_JOB_TTL=''
OPERATOR_SEND_DELETED_REPORTS='false'
OPERATOR_SERVICE_ACCOUNT='trivy-operator'
OPERATOR_TARGET_NAMESPACES=''
OPERATOR_TARGET_WORKLOADS='pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job'
OPERATOR_VULNERABILITY_SCANNER_ENABLED='true'
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS='true'
OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS=''
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT='30s'
OPERATOR_WEBHOOK_BROADCAST_URL=''
OPTIND='1'
PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
PPID='0'
PS1='\w $ '
PS2='> '
PS4='+ '
PWD='/home/trivyoperator'
SHLVL='1'
TERM='xterm'
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION='10h'
TRIVY_SERVICE_PORT='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP='tcp://10.43.109.224:4954'
TRIVY_SERVICE_PORT_4954_TCP_ADDR='10.43.109.224'
TRIVY_SERVICE_PORT_4954_TCP_PORT='4954'
TRIVY_SERVICE_PORT_4954_TCP_PROTO='tcp'
TRIVY_SERVICE_SERVICE_HOST='10.43.109.224'
TRIVY_SERVICE_SERVICE_PORT='4954'
TRIVY_SERVICE_SERVICE_PORT_TRIVY_HTTP='4954'
Logs:
{"level":"error","ts":"2024-08-01T18:53:34Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* Get "https://ghcr.io/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/configauditreport/controller.(*NodeReconciler).SetupWithManager.(*NodeReconciler).reconcileNodes.func5\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/configauditreport/controller/node.go:169\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/reconcile/reconcile.go:113\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}
{"level":"error","ts":"2024-08-01T18:53:34Z","msg":"Reconciler error","controller":"node","controllerGroup":"","controllerKind":"Node","Node":{"name":"rhel1"},"namespace":"","name":"rhel1","reconcileID":"176498a2-1a4d-4767-a975-a44f49779732","error":"creating job: no compliance commands found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222"}
Environment:
trivy-operator version: 0.22.0
kubectl version: -
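The "x509: certificate signed by unknown authority" error in the log above is what Go's TLS client returns when the server certificate chains to a CA that is not in the client's trust store, which is exactly what an intercepting proxy that re-signs traffic with its own CA produces. The program below is an added example, not trivy-operator code: it builds a throwaway proxy-style CA and a server certificate in memory, serves HTTPS on loopback, and runs the same request with three client trust settings, so you can see the failing case, the fix that keeps verification on (trusting that CA), and what an insecure flag actually does (InsecureSkipVerify, which accepts any certificate at all). The helper names issue, fetch, Run and Outcome, and every certificate, are constructed for this example.

```go
// Added example (not trivy-operator code); every certificate here is constructed in memory.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Outcome classifies one client attempt against the TLS server.
type Outcome string

const (
	OK               Outcome = "ok"
	UnknownAuthority Outcome = "x509: certificate signed by unknown authority"
)

// issue generates a P-256 key and a certificate from tmpl signed by parent;
// a nil parentKey means self-signed. It stands in for the proxy's own PKI.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// fetch performs one GET with the given client TLS config and classifies the result.
func fetch(url string, cfg *tls.Config) Outcome {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		var ua x509.UnknownAuthorityError // errors.As unwraps it from the *url.Error
		if errors.As(err, &ua) {
			return UnknownAuthority
		}
		return Outcome(err.Error())
	}
	resp.Body.Close()
	return OK
}

// Run serves HTTPS with a leaf certificate chained to the constructed "proxy CA" and
// tries three client trust settings, in order: a trust store that lacks the CA (the
// operator's situation), the same store with the CA added, and InsecureSkipVerify.
func Run() ([3]Outcome, error) {
	var out [3]Outcome
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Proxy CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return out, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "127.0.0.1"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, leafKey, err := issue(leafTmpl, ca, caKey)
	if err != nil {
		return out, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	withCA := x509.NewCertPool()
	withCA.AddCert(ca)
	out[0] = fetch(srv.URL, &tls.Config{RootCAs: x509.NewCertPool()}) // trust store without the proxy CA
	out[1] = fetch(srv.URL, &tls.Config{RootCAs: withCA})
	out[2] = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true}) // accepts any certificate, forged ones included
	return out, nil
}

func main() {
	fmt.Println(Run()) // [x509: certificate signed by unknown authority ok ok] <nil>
}
```

The first outcome is the operator's log line; the second is the outcome you get once the proxy's CA is in the trust store the Go runtime reads (on Linux that is the container's system CA bundle), with verification still on. The third is what an insecure flag buys: the download succeeds, but so would one from anything that presents a certificate, which is why trusting the specific proxy CA is the setting to prefer for a policy-bundle download path.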