K8s cluster scan with NoSchedule toleration specified fails because tolerationSeconds is set #5349

Closed
2 tasks done
chen-keinan opened this issue Oct 8, 2023 Discussed in #5346 · 0 comments · Fixed by #5562
Discussed in #5346

Originally posted by gnadaban October 6, 2023

Description

Hello. I'm trying to do cluster scanning where some nodes have a CriticalAddonsOnly taint with NoSchedule effect.

```
# trivy k8s -f table --tolerations "key1=CriticalAddonsOnly:NoSchedule" --ignore-unfixed --report all cluster
2023-10-06T13:30:53.735-0400    FATAL   get k8s artifacts with node info error: running node-collector job: Job.batch "node-collector-7d758c9878" is invalid: spec.template.spec.tolerations[0].effect: Invalid value: "NoSchedule": effect must be 'NoExecute' when `tolerationSeconds` is set
```

It appears that the toleration seconds is always set here even though it should not be for NoSchedule effects.

Desired Behavior

The scanning of nodes with tolerated taints should successfully complete.

Actual Behavior

Failing due to error.

Reproduction Steps

1. Create a cluster with some nodes that have CriticalAddonsOnly:NoSchedule taints
2. Run `trivy k8s -f table --tolerations "key1=CriticalAddonsOnly:NoSchedule" --ignore-unfixed --report all cluster`

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

```
2023-10-06T13:36:30.328-0400    DEBUG   Severities: ["MEDIUM" "HIGH" "CRITICAL"]
2023-10-06T13:36:30.329-0400    DEBUG   Ignore statuses {"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-10-06T13:36:38.614-0400    FATAL   get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:34
  - running node-collector job: Job.batch "node-collector-7d758c9878" is invalid: spec.template.spec.tolerations[0].effect: Invalid value: "NoSchedule": effect must be 'NoExecute' when `tolerationSeconds` is set
```

Operating System

macOS Ventura 13.6

Version

```
Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-06 12:21:25.448657861 +0000 UTC
  NextUpdate: 2023-10-06 18:21:25.448657461 +0000 UTC
  DownloadedAt: 2023-10-06 15:01:43.985294 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-05 00:54:53.57111501 +0000 UTC
  NextUpdate: 2023-10-08 00:54:53.57111451 +0000 UTC
  DownloadedAt: 2023-10-05 15:03:53.68674 +0000 UTC
Policy Bundle:
  Digest: sha256:24b38cdf646f0e5becf55a709ae9a3c4e819a348c28990cec0b6aabe4637d8b1
  DownloadedAt: 2023-10-06 15:01:44.795995 +0000 UTC
```

Checklist

chen-keinan added the kind/bug (Categorizes issue or PR as related to a bug) and target/kubernetes (Issues relating to kubernetes cluster scanning) labels Oct 8, 2023
chen-keinan self-assigned this Oct 8, 2023
chen-keinan added this to the v0.47.1 milestone Nov 13, 2023
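
The rule behind the error reported above, as an added Go example that is not part of the issue and is not Trivy's own code: a toleration may carry `tolerationSeconds` only when its effect is `NoExecute`. The local `Toleration` type, `ParseToleration`, and the 3600-second value are assumptions made for illustration; the option format is taken from the command in the report.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Toleration is a local stand-in (assumption) for the pod toleration fields involved.
type Toleration struct {
	Key, Value, Effect string
	TolerationSeconds  *int64 // nil means the field is not set
}

// Validate applies the rule quoted in the API server error in the report.
func (t Toleration) Validate() error {
	if t.TolerationSeconds != nil && t.Effect != "NoExecute" {
		return errors.New("effect must be 'NoExecute' when `tolerationSeconds` is set")
	}
	return nil
}

// ParseToleration (hypothetical helper) reads "key=value:effect" and attaches
// the eviction delay only for NoExecute, leaving it unset for other effects.
func ParseToleration(opt string, seconds int64) (Toleration, error) {
	i := strings.LastIndex(opt, ":")
	if i < 0 {
		return Toleration{}, fmt.Errorf("toleration %q has no effect", opt)
	}
	t := Toleration{Effect: opt[i+1:]}
	t.Key, t.Value, _ = strings.Cut(opt[:i], "=")
	switch t.Effect {
	case "NoExecute":
		t.TolerationSeconds = &seconds
	case "NoSchedule", "PreferNoSchedule":
		// scheduling-only effects: tolerationSeconds must stay nil
	default:
		return Toleration{}, fmt.Errorf("unknown effect %q", t.Effect)
	}
	return t, t.Validate()
}

func main() {
	secs := int64(3600) // constructed sample value
	bad := Toleration{Key: "key1", Value: "CriticalAddonsOnly", Effect: "NoSchedule", TolerationSeconds: &secs}
	fmt.Println("always-set seconds:", bad.Validate())
	good, err := ParseToleration("key1=CriticalAddonsOnly:NoSchedule", secs)
	fmt.Println("effect-aware parse:", good.Effect, good.TolerationSeconds == nil, err)
}
```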