What steps did you take and what happened:
I've deployed trivy-operator on a cluster with k8s-digester.
k8s-digester is a mutating webhook; it resolves the tag and adds the digest to every Deployment, StatefulSet or Pod.
For example, the reference mirror.gcr.io/aquasec/trivy:0.58.0 will be replaced with:
mirror.gcr.io/aquasec/trivy:0.58.0@sha256:b88012e2a0a309d6a8a00463d4e63e5e513377fb74eccbc8f9b0f8f81940ebeb
https://github.com/google/k8s-digester
After deployment I found that most reports are produced without tags.
```
% kubectl get vulnerabilityreports.aquasecurity.github.io replicaset-vector-6479d4f44b-vector -n vector -o yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: VulnerabilityReport
metadata:
  annotations:
    trivy-operator.aquasecurity.github.io/report-ttl: 24h0m0s
  creationTimestamp: "2025-01-31T11:56:18Z"
  generation: 1
  labels:
    resource-spec-hash: 96d854ff9
    trivy-operator.container.name: vector
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: vector-6479d4f44b
    trivy-operator.resource.namespace: vector
  name: replicaset-vector-6479d4f44b-vector
  namespace: vector
  ownerReferences:
  - blockOwnerDeletion: false
    controller: true
    kind: ReplicaSet
    name: vector-6479d4f44b
    uid: 807c20a4-3e63-49fc-99ae-06a4263239e7
  resourceVersion: "173100373"
  uid: 66160640-83b4-43a8-86a4-e4be738ef6b0
report:
  artifact:
    digest: sha256:131485defae3fc07fa20cf9dda85bb3056e8d0d475a8aa387c6d6417eca0223b
    repository: timberio/vector
  os:
    family: debian
    name: "12.8"
  registry:
    server: index.docker.io
  scanner:
```
```
% kubectl get pod -n vector vector-6479d4f44b-ccrrz -o yaml | grep image
image: timberio/vector:0.43.1-distroless-libc@sha256:131485defae3fc07fa20cf9dda85bb3056e8d0d475a8aa387c6d6417eca0223b
imagePullPolicy: IfNotPresent
image: sha256:9f544504e5b7b1aa782b14cc84efe37a58fb225dc345a0bac4e4fea098fc9e37
imageID: docker.io/timberio/vector@sha256:131485defae3fc07fa20cf9dda85bb3056e8d0d475a8aa387c6d6417eca0223b
```
What did you expect to happen:
I expect to receive all reports with tags if tags were provided in deployments. (In this particular example the tag should be: 0.43.1-distroless-libc)
Environment:
- Trivy-Operator version (use `trivy-operator version`): v0.23.0
- Kubernetes version (use `kubectl version`): Client Version: v1.30.2; Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3; Server Version: v1.30.8-gke.1128000
- OS (macOS Sonoma 14.4.1 (23E224)):
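
Added example, not part of the original issue and not trivy-operator's own code: a minimal Go parser for the `repository:tag@digest` form that k8s-digester produces, showing that the tag can be kept alongside the digest. `ImageRef` and `ParseImageRef` are hypothetical names, and registry defaults such as index.docker.io are not applied.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is a hypothetical type for this example, not trivy-operator's own.
type ImageRef struct{ Registry, Repository, Tag, Digest string }

// ParseImageRef splits [registry/]repository[:tag][@digest] and keeps both
// the tag and the digest. Defaults such as index.docker.io are not applied.
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	name := ref
	// The digest, when present, follows the last '@' and has the form algo:hex.
	if i := strings.LastIndex(name, "@"); i >= 0 {
		out.Digest, name = name[i+1:], name[:i]
		if !strings.Contains(out.Digest, ":") {
			return out, fmt.Errorf("digest %q lacks an algorithm prefix", out.Digest)
		}
	}
	// A ':' after the last '/' separates the tag; before it, it is a registry port.
	if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		out.Tag, name = name[i+1:], name[:i]
	}
	if name == "" {
		return out, fmt.Errorf("empty repository in %q", ref)
	}
	// The first path component is a registry only if it looks like a host.
	if i := strings.Index(name, "/"); i > 0 {
		if host := name[:i]; strings.ContainsAny(host, ".:") || host == "localhost" {
			out.Registry, name = host, name[i+1:]
		}
	}
	out.Repository = name
	return out, nil
}

func main() {
	// Reference copied from the pod spec in the issue above.
	ref, err := ParseImageRef("timberio/vector:0.43.1-distroless-libc@sha256:131485defae3fc07fa20cf9dda85bb3056e8d0d475a8aa387c6d6417eca0223b")
	fmt.Printf("%+v err=%v\n", ref, err)
}
```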