
The custom configuration audit policies are not working properly #2345

Open
33yan opened this issue Dec 4, 2024 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


33yan commented Dec 4, 2024

What steps did you take and what happened:

I followed the directions below and Trivy doesn't pick up my custom audit policy:
https://aquasecurity.github.io/trivy-operator/v0.23.0/tutorials/writing-custom-configuration-audit-policies/

I have also referred to this issue (#1677), but still cannot solve the problem.

When I kubectl apply the ConfigMap, Trivy can rescan all the pods, but for whatever reason it doesn't pick up my custom audit. Is there some trick that I'm missing?

Environment:

  • the trivy-operator install info:

helm upgrade --install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --version 0.23.0 \
  --set="trivy.command=filesystem" \
  --set="trivyOperator.scanJobPodTemplateContainerSecurityContext.runAsUser=0" \
  --set="operator.builtInTrivyServer=true" \
  --set="operator.sbomGenerationEnabled=false" \
  --set="trivy.externalRegoPoliciesEnabled=true" \
  --set="trivy.useBuiltinRegoPolicies=true" \
  --set="trivy.useEmbeddedRegoPolicies=false" \
  --set="targetNamespaces=test1" \
  --set="trivy.debug=true"  \
  --set="operator.logDevMode=true"

  • Kubernetes version (use kubectl version): (screenshot)

  • the ConfigMap info (screenshots, followed by the ConfigMap YAML):


apiVersion: v1
data:
  policy.rule1.kinds: '*'
  policy.rule1.rego: |
    package trivyoperator.policy.k8s.custom

    import data.lib.result
    import future.keywords.in
    import data.lib.kubernetes

    __rego_metadata__ := {
      "id": "rule1",
      "title": "rule1",
      "severity": "CRITICAL",
      "type": "Kubernetes Security Check",
      "description": "rule1",
      "recommended_actions": "rule1",
      "url": "https://kubernetes.io/docs/rule1",
    }

    recommended_labels := [
      "app.kubernetes.io/name",
      "app.kubernetes.io/version",
    ]

    deny[res] {
      provided := {label | input.metadata.labels[label]}
      required := {label | label := recommended_labels[_]}
      missing := required - provided
      count(missing) > 0
      msg := sprintf("You must provide labels: %v", [missing])
      res := {"msg": msg}
    }
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"policy.rule1.kinds":"*","policy.rule1.rego":"package
      trivyoperator.policy.k8s.custom\n\nimport data.lib.result\nimport
      future.keywords.in\nimport data.lib.kubernetes\n\n__rego_metadata__ :=
      {\n  \"id\": \"rule1\",\n  \"title\": \"rule1\",\n  \"severity\":
      \"CRITICAL\",\n  \"type\": \"Kubernetes Security Check\",\n 
      \"description\": \"rule1\",\n  \"recommended_actions\": \"rule1\",\n 
      \"url\": \"https://kubernetes.io/docs/rule1\",\n}\n\nrecommended_labels :=
      [\n  \"app.kubernetes.io/name\",\n 
      \"app.kubernetes.io/version\",\n]\n\ndeny[res] {\n  provided := {label |
      input.metadata.labels[label]}\n  required := {label | label :=
      recommended_labels[_]}\n  missing := required - provided\n  count(missing)
      \u003e 0\n  msg := sprintf(\"You must provide labels: %v\", [missing])\n 
      res := {\"msg\":
      msg}\n}\n"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"trivy-operator","app.kubernetes.io/managed-by":"kubectl","app.kubernetes.io/name":"trivy-operator","app.kubernetes.io/version":"0.23.0"},"name":"trivy-operator-policies-config","namespace":"trivy-system"}}
    meta.helm.sh/release-name: trivy-operator
    meta.helm.sh/release-namespace: trivy-system
  creationTimestamp: '2024-12-03T09:32:56Z'
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: kubectl
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.23.0
    helm.sh/chart: trivy-operator-0.25.0
  managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/instance: {}
            f:app.kubernetes.io/name: {}
            f:app.kubernetes.io/version: {}
            f:helm.sh/chart: {}
      manager: helm
      operation: Update
      time: '2024-12-03T09:58:25Z'
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:policy.rule1.kinds: {}
          f:policy.rule1.rego: {}
        f:metadata:
          f:annotations:
            f:kubectl.kubernetes.io/last-applied-configuration: {}
          f:labels:
            f:app.kubernetes.io/managed-by: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: '2024-12-04T06:12:33Z'
  name: trivy-operator-policies-config
  namespace: trivy-system
  resourceVersion: '1141024'
  uid: 7c301daf-d3b6-4f57-8a8b-17b3e76c9de1
33yan added the kind/bug label Dec 4, 2024
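Before suspecting the operator, it is worth checking the ConfigMap itself offline. The following is an added example, not code from the trivy-operator project or from the issue author: it lints the policy.<id>.kinds / policy.<id>.rego key pairs in the ConfigMap data and mirrors the posted Rego deny rule in Python so the expected findings for a few constructed resources can be seen without a cluster. Everything it assumes beyond the issue text is marked: the key-pair convention and the expectation that __rego_metadata__.id equals the <id> in the data key follow the tutorial's naming, and the reading of kinds as either "*" or a comma-separated list of resource kinds is an assumption. The Rego body is abridged from the issue, and the sample resources are constructed.

```python
"""Offline sanity check for a trivy-operator custom-policy ConfigMap (added example)."""
import re

# Package name used by the policy posted in the issue.
POLICY_PACKAGE = "trivyoperator.policy.k8s.custom"

# `data` section of the ConfigMap from the issue, abridged by hand (constructed sample).
CONFIGMAP_DATA = {
    "policy.rule1.kinds": "*",
    "policy.rule1.rego": """package trivyoperator.policy.k8s.custom

__rego_metadata__ := {
  "id": "rule1",
  "title": "rule1",
  "severity": "CRITICAL",
  "type": "Kubernetes Security Check",
}

recommended_labels := [
  "app.kubernetes.io/name",
  "app.kubernetes.io/version",
]

deny[res] {
  provided := {label | input.metadata.labels[label]}
  required := {label | label := recommended_labels[_]}
  missing := required - provided
  count(missing) > 0
  msg := sprintf("You must provide labels: %v", [missing])
  res := {"msg": msg}
}
""",
}

# Assumed key convention from the tutorial: policy.<id>.kinds and policy.<id>.rego.
KEY_RE = re.compile(r"^policy\.(?P<id>[^.]+)\.(?P<field>kinds|rego)$")
PACKAGE_RE = re.compile(r"^package\s+(\S+)", re.M)
META_ID_RE = re.compile(r'"id"\s*:\s*"([^"]+)"')
LABELS_RE = re.compile(r"recommended_labels\s*:=\s*\[(.*?)\]", re.S)


def lint_policy_keys(data):
    """Return a list of problems in the ConfigMap data; an empty list means it looks consistent."""
    problems = []
    fields_by_id = {}
    for key in data:
        m = KEY_RE.match(key)
        if m is None:
            problems.append(f"unexpected data key {key!r}")
            continue
        fields_by_id.setdefault(m["id"], set()).add(m["field"])
    for pid, fields in sorted(fields_by_id.items()):
        for field in ("kinds", "rego"):
            if field not in fields:
                problems.append(f"policy {pid!r}: missing key policy.{pid}.{field}")
        if "rego" not in fields:
            continue
        rego = data[f"policy.{pid}.rego"]
        pkg = PACKAGE_RE.search(rego)
        if pkg is None or pkg.group(1) != POLICY_PACKAGE:
            problems.append(f"policy {pid!r}: package is not {POLICY_PACKAGE}")
        meta_id = META_ID_RE.search(rego)
        if meta_id is None or meta_id.group(1) != pid:  # assumed: metadata id == key id
            problems.append(f"policy {pid!r}: __rego_metadata__.id does not match key id")
    return problems


def parse_recommended_labels(rego):
    """Pull the `recommended_labels` list out of the Rego source text."""
    m = LABELS_RE.search(rego)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def kinds_match(kinds, kind):
    """Assumption: `kinds` is "*" or a comma-separated list of resource kinds."""
    kinds = kinds.strip()
    return kinds == "*" or kind in {k.strip() for k in kinds.split(",")}


def deny(resource, recommended_labels):
    """Python mirror of the Rego deny rule: one message if any recommended label is missing."""
    labels = (resource.get("metadata") or {}).get("labels") or {}
    missing = sorted(set(recommended_labels) - set(labels))
    return [f"You must provide labels: {missing}"] if missing else []


def audit(resources, data):
    """Run every policy in the ConfigMap data against each resource; returns {name: [messages]}."""
    findings = {}
    for key, rego in data.items():
        m = KEY_RE.match(key)
        if m is None or m["field"] != "rego":
            continue
        kinds = data.get(f"policy.{m['id']}.kinds", "")
        labels = parse_recommended_labels(rego)
        for res in resources:
            if kinds_match(kinds, res.get("kind", "")):
                findings.setdefault(res["metadata"]["name"], []).extend(deny(res, labels))
    return findings


# Constructed sample workloads: one compliant, one missing the version label.
SAMPLE_RESOURCES = [
    {"kind": "Pod", "metadata": {"name": "good", "labels": {
        "app.kubernetes.io/name": "web", "app.kubernetes.io/version": "1.0"}}},
    {"kind": "Deployment", "metadata": {"name": "bad", "labels": {
        "app.kubernetes.io/name": "web"}}},
]

if __name__ == "__main__":
    print("lint:", lint_policy_keys(CONFIGMAP_DATA) or "ok")
    for name, msgs in audit(SAMPLE_RESOURCES, CONFIGMAP_DATA).items():
        print(name, msgs or "pass")
```

If the lint passes and the Python mirror flags the unlabeled resource, the policy logic and the ConfigMap key layout are not the problem, and the remaining suspects are on the operator side (which ConfigMap name and namespace it reads, and how the external-policy flags in the helm values interact), which this check cannot settle offline.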