
Trivy operator exception unexpected result: empty message instead of removing the check #1742

@thommeo


What steps did you take and what happened:

Adding exception as OPA policy results in empty messages in reports instead of removing the checks.

Related to aquasecurity/trivy#5679

I have a lot of false positives from KSV116, which requires adding spec.securityContext to ConfigMaps, NetworkPolicies and other resources to which a security context is not applicable.

In an attempt to eliminate those false positives, I tried to add an exception for this rule in the Helm chart. Here is the values.yaml:

  trivyOperator:
    policiesConfig: |
      policy.ksv116_exclude_resources.kinds: "*"
      policy.ksv116_exclude_resources.rego: |
        # ref: https://github.com/aquasecurity/trivy-policies/blob/main/checks/kubernetes/general/runs_with_a_root_primary_or_supplementary_GID.rego
        package builtin.kubernetes.KSV116

        # Exclude resource kinds from KSV116
        exception[rules] {
          resource_kinds := {
            "NetworkPolicy",
            "ConfigMap",
            "Service",
            "ReplicaSet",
          }
          resource_kinds[input.kind]
          rules := [""]
        }

It works fine locally. Tested as described here, it works as expected: using the above Rego file removes the false positives.

When running with trivy-operator in a live Kubernetes cluster, it re-creates the policies with only one difference: it clears the message from the report.

Before

apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2024-01-04T15:25:46Z"
  generation: 1
  labels:
    plugin-config-hash: 58fd957545
    resource-spec-hash: 9b5cdd74f
    trivy-operator.resource.kind: NetworkPolicy
    trivy-operator.resource.name: allow-any
    trivy-operator.resource.namespace: <...>
  name: networkpolicy-<...>
  namespace: <...>
  ownerReferences:
  - apiVersion: networking.k8s.io/v1
    blockOwnerDeletion: false
    controller: true
    kind: NetworkPolicy
    name: allow-any
    uid: de6f00ab-a5cf-4b3e-83ce-c09cc82b18dc
  resourceVersion: "11500641"
  uid: 3c43d1e9-fe2c-4b4b-994e-b444a4c7f7a0
report:
  checks:
  - category: Kubernetes Security Check
    checkID: KSV116
    description: According to pod security standard 'Non-root groups', containers
      should be forbidden from running with a root primary or supplementary GID.
    messages:
    - networkpolicy allow-any in <...> namespace should set spec.securityContext.runAsGroup,
      spec.securityContext.supplementalGroups[*] and spec.securityContext.fsGroup
      to integer greater than 0
    severity: LOW
    success: false
    title: Runs with a root primary or supplementary GID
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.18.0
  summary:
    criticalCount: 0
    highCount: 0
    lowCount: 1
    mediumCount: 0

After

apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2024-01-04T15:34:48Z"
  generation: 1
  labels:
    plugin-config-hash: 565d547fbc
    resource-spec-hash: 56766fc755
    trivy-operator.resource.kind: NetworkPolicy
    trivy-operator.resource.name: allow-any
    trivy-operator.resource.namespace: <...>
  name: allow-any
  namespace: <...>
  ownerReferences:
  - apiVersion: networking.k8s.io/v1
    blockOwnerDeletion: false
    controller: true
    kind: NetworkPolicy
    name: <...>
    uid: 6ab4da63-543c-4616-90a3-5a04a7f60d23
  resourceVersion: "11505030"
  uid: a4bbcbde-2627-428e-80f4-2e64ce331432
report:
  checks:
  - category: Kubernetes Security Check # <<<<<<<<<<<<<<<<<<<<<<<< Expected: not to have this check at all
    checkID: KSV116
    description: According to pod security standard 'Non-root groups', containers
      should be forbidden from running with a root primary or supplementary GID.
    messages:
    - "" # <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Message is empty
    severity: LOW
    success: false
    title: Runs with a root primary or supplementary GID
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.18.0
  summary:
    criticalCount: 0
    highCount: 0
    lowCount: 1
    mediumCount: 0
  updateTimestamp: "2024-01-04T15:34:48Z"

What did you expect to happen:

The check should be missing in reports and metrics.

Environment:

  • Trivy-Operator version "Version":"0.18.0", "Commit":"c73d65dca31483e6c7b8edcd5e386b3f4bf6d0f2"
  • Kubernetes version (use kubectl version): v1.27.6
  • Helm chart version 0.20.0
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): macos 14.2.1
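Added example (not code from the issue, from trivy-operator or from Trivy): a Python script that scans exported ConfigAuditReport objects for the behaviour described above, a check that is still recorded as failed but whose only message is an empty string, so the effect of a policiesConfig exception can be verified cluster-wide rather than by reading reports one at a time. The label keys are the ones visible in the reports quoted in the issue; the sample data embedded in the script is constructed to mirror them, and the function names are my own.

```python
"""Find checks that an OPA exception neutralised but did not remove.

Input is the JSON produced by `kubectl get configauditreports -A -o json`.
A check is "neutralised" when success is false and every message is empty,
which is the symptom reported in this issue (a removed check would be absent
from the report and from the severity counts).
"""
import json
import sys
from collections import Counter

# Label keys as they appear on trivy-operator ConfigAuditReport objects.
KIND_LABEL = "trivy-operator.resource.kind"
NAME_LABEL = "trivy-operator.resource.name"
NS_LABEL = "trivy-operator.resource.namespace"

# Constructed sample mirroring the "After" report in the issue; not real cluster output.
SAMPLE_REPORTS = {
    "items": [
        {   # exception applied: message blanked, but the check is still a failure
            "metadata": {"labels": {NS_LABEL: "team-a", KIND_LABEL: "NetworkPolicy",
                                    NAME_LABEL: "allow-any"}},
            "report": {"checks": [
                {"checkID": "KSV116", "severity": "LOW", "success": False, "messages": [""]},
            ]},
        },
        {   # a genuine finding on a Pod plus a passing check; neither must be flagged
            "metadata": {"labels": {NS_LABEL: "team-a", KIND_LABEL: "Pod", NAME_LABEL: "web"}},
            "report": {"checks": [
                {"checkID": "KSV116", "severity": "LOW", "success": False,
                 "messages": ["pod web in team-a namespace should set "
                              "spec.securityContext.runAsGroup to integer greater than 0"]},
                {"checkID": "KSV001", "severity": "MEDIUM", "success": True, "messages": []},
            ]},
        },
    ]
}


def is_neutralised(check):
    """True when a check still counts as a failure but carries no message text.

    A failed check with no messages at all is also flagged, since a real Trivy
    failure always explains itself.
    """
    if check.get("success", False):
        return False
    messages = check.get("messages") or []
    return all(m.strip() == "" for m in messages)


def find_neutralised_checks(report_list):
    """Return (namespace, kind, name, checkID, severity) for each neutralised check."""
    findings = []
    for report in report_list.get("items", []):
        labels = report.get("metadata", {}).get("labels", {})
        for check in report.get("report", {}).get("checks", []):
            if is_neutralised(check):
                findings.append((labels.get(NS_LABEL, ""), labels.get(KIND_LABEL, ""),
                                 labels.get(NAME_LABEL, ""), check.get("checkID", ""),
                                 check.get("severity", "")))
    return findings


def count_by_check_and_kind(findings):
    """Aggregate as (checkID, kind) -> count: these are the failures that still
    inflate the report summary and the operator's metrics."""
    return Counter((check_id, kind) for _, kind, _, check_id, _ in findings)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_REPORTS
    findings = find_neutralised_checks(data)
    for ns, kind, name, check_id, sev in findings:
        print(f"{ns}/{kind}/{name}: {check_id} ({sev}) failed with an empty message")
    for (check_id, kind), n in sorted(count_by_check_and_kind(findings).items()):
        print(f"{check_id} on {kind}: {n} report(s) still counted as failures")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a live export with `kubectl get configauditreports -A -o json > reports.json` followed by `python3 <script> reports.json` (file names are an assumption); a non-zero exit means at least one excluded check is still present with a blank message, and the per-kind counts show which exclusions never reached the summary counts.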

Labels

  • kind/feature: Categorizes issue or PR as related to a new feature.
  • priority/backlog: Higher priority than priority/awaiting-more-evidence.
  • target/kubernetes: Issues relating to kubernetes cluster scanning.