When are Scans triggered in ClientServer Mode?

[kimdre]

Hi, I set the operator to use builtInTrivyServer: true.
After the deployment and startup of the trivy-operator and trivy-server pods nothing really happens. When or how do vulnerability scans for get triggered in this mode?

[kimdre]

@chen-keinan Could you please help me out here? Am I missing something? 😅

[kimdre]

Does not seem like that is the cause.
The operator still runs no image scans. The only thing it does it creates ConfigAuditReports, but the operator did this before aswell with targetNamespace set.

[chen-keinan]

have you tried to deploy a new resource to cluster , can you please share your configmaps ?

[kimdre]

I deployed a service with a new version but no scans were triggered.

These are the values I use:

targetNamespaces: "**redacted**,trivy-operator" # comma-separated list
excludeNamespaces: "" # comma-separated list

compliance:
  cron: "0 */6 * * *"

operator:
  builtInTrivyServer: true
  valuesFromSecret: proxy-secrets
  infraAssessmentScannerEnabled: false
  scanJobsConcurrentLimit: 1

trivy:
  slow: true
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  valuesFromSecret: proxy-secrets
  resources:
    requests:
      cpu: 100m
      memory: 100M
    limits:
      cpu: 500m
      memory: 500M
  server:
    resources:
      requests:
        cpu: 200m
        memory: 512M
      limits:
        cpu: 1
        memory: 1Gi
    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      privileged: false
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault

trivyOperator:
  scanJobPodTemplateContainerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    privileged: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  privileged: false
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

[chen-keinan]

you do not have vulnerabilities report at all ?

[kimdre]

Nope :/

[chen-keinan]

@kimdre I'm sure its related to configuration, as we have e2e testing with client/server mode.
can you please use the default, use simple local kind cluster and run helm install on it just to make sure you get scanning working.

helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --set="trivy.ignoreUnfixed=true" \
  --set="operator.builtInTrivyServer=true" \
  --version 0.24.1

[kimdre]

Yes that works locally.

I enabled the infraAssessmentScanner for a short while just to be sure if the operator can create jobs/pods for that and it worked. However still no jobs or pods for image scans. :(

[chen-keinan]

thanks for the update, I'm confused , did it worked locally? you got reports for all ?

[kimdre]

Yeah, the jobs and pods spin up like they should and create reports:

$ k get vulnerabilityreports.aquasecurity.github.io -A                                                            main
NAMESPACE      NAME                                                 REPOSITORY                           TAG                                        SCANNER   AGE
kube-system    daemonset-kube-proxy-kube-proxy                      kube-proxy                           v1.29.1                                    Trivy     26m
kube-system    pod-5cd55c86b                                        kube-controller-manager              v1.29.1                                    Trivy     25m
kube-system    pod-etcd-docker-desktop-etcd                         etcd                                 3.5.10-0                                   Trivy     25m
kube-system    pod-kube-apiserver-docker-desktop-kube-apiserver     kube-apiserver                       v1.29.1                                    Trivy     25m
kube-system    pod-kube-scheduler-docker-desktop-kube-scheduler     kube-scheduler                       v1.29.1                                    Trivy     26m
kube-system    pod-storage-provisioner-storage-provisioner          docker/desktop-storage-provisioner   v2.0                                       Trivy     26m
kube-system    pod-vpnkit-controller-vpnkit-controller              docker/desktop-vpnkit-controller     dc331cb22850be0cdd97c84a9cfecaf44a1afb6e   Trivy     26m
kube-system    replicaset-coredns-76f75df574-coredns                coredns/coredns                      v1.11.1                                    Trivy     26m
trivy-system   replicaset-trivy-operator-67dddb6db-trivy-operator   aquasecurity/trivy-operator          0.22.0                                     Trivy     10m
trivy-system   statefulset-trivy-server-trivy-server                aquasecurity/trivy                   0.53.0                                     Trivy     10m