Trivy Kubernetes Scan Error

[Susanta2000]

Question

Hi there, I am doing trivy compliance scan in an EKS cluster. I am getting the following error for multiple times.
Command: trivy k8s cluster --compliance=k8s-nsa --report summary
Error: 2023-11-23T15:34:59.435+0530 FATAL get k8s artifacts with node info error: running node-collector job: runner received timeout
When I ran this by increasing timeout, also get another error.
Command: trivy k8s cluster --compliance=k8s-nsa --report summary --timeout 15m
Error: 2023-11-23T15:35:37.341+0530 FATAL get k8s artifacts with node info error: running node-collector job: jobs.batch "node-collector-5bb7b6797b" already exists.

I was trying same things in another account's EKS cluster, but get same errors.
Can anyone help me out?

Target

None

Scanner

None

Output Format

None

Mode

None

Operating System

Ubuntu

Version

Version: 0.45.0

[chen-keinan]

@Susanta2000 can you delete trivy-temp namespace and run again
kubectl delete namespace trivy-temp

[Sk3pper]

I have the same problem but i cannot understand what i have to use to work. What did you use?

[itaysk]

@Sk3pper can you comment to the original message and provide the reproduction steps and debug output?

[holgerson97]

trivy k8s --report all --timeout 1h -d --skip-images

2024-08-07T14:07:03+02:00       DEBUG   Cache dir       dir="/Users/xxx/Library/Caches/trivy"
2024-08-07T14:07:03+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-07T14:07:03+02:00       DEBUG   Ignore statuses statuses=[]
2024-08-07T14:07:22+02:00       FATAL   Fatal error
  - get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        github.com/aquasecurity/trivy/pkg/k8s/commands/cluster.go:42
  - running node-collector job: jobs.batch "node-collector-58b9bf5bb8" already exists

No namespace, no job.

[afdesk]

@holgerson97 thanks for the report.
I can reproduce your issue on the clean minikube.
In my case it happens when I break Trivy through ctrl+C
after some time it works again,

$ trivy k8s --report all --timeout 1h -d --skip-images
2024-08-07T18:42:30+06:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-07T18:42:30+06:00	DEBUG	Ignore statuses	statuses=[]
^C
$ trivy k8s --report all --timeout 1h -d --skip-images
2024-08-07T18:42:40+06:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-07T18:42:40+06:00	DEBUG	Ignore statuses	statuses=[]
2024-08-07T18:42:43+06:00	FATAL	Fatal error
  - get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        /home/runner/work/trivy/trivy/pkg/k8s/commands/cluster.go:42
  - running node-collector job: jobs.batch "node-collector-7868567fb6" already exists

[afdesk]

trivy k8s --report all --timeout 1h -d --skip-images

No namespace, no job.

but I can see a job:

$ kubectl get jobs --all-namespaces
NAMESPACE    NAME                        COMPLETIONS   DURATION   AGE
trivy-temp   node-collector-7868567fb6   1/1           13s        14s

[starcraft66]

I'm experiencing the same problem:

❯ trivy k8s --report --debug summary oidc@k8s-235-1
[... 5 minutes go by ...]
2024-09-23T17:26:23-04:00	FATAL	Fatal error	flag error: report flag error: unable to parse flag: invalid argument "--debug" for "--report" flag: must be one of ["all" "summary"]

Using the suggested: trivy k8s --timeout 1h --report summary oidc@k8s-235-1 just results in the same thing.

Both times I see this job created:

@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp                           
NAME                        STATUS    COMPLETIONS   DURATION   AGE
node-collector-7c5b64fc7f   Running   0/1           11s        11s
@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp
NAME                        STATUS    COMPLETIONS   DURATION   AGE
node-collector-7c5b64fc7f   Running   0/1           15s        15s
@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp
@Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl logs -n trivy-temp job/node-collector-7c5b64fc7f
{"apiVersion":"v1","kind":"NodeInfo","metadata":{"creationTimestamp":"2024-09-23T21:37:42Z"},"type":"worker","info":{"certificateAuthoritiesFileOwnership":{"values":[]},"certificateAuthoritiesFilePermissions":{"values":[]},"kubeconfigFileExistsOwnership":{"values":[]},"kubeconfigFileExistsPermissions":{"values":[]},"kubeletAnonymousAuthArgumentSet":{"values":[]},"kubeletAuthorizationModeArgumentSet":{"values":[]},"kubeletClientCaFileArgumentSet":{"values":[]},"kubeletConfFileOwnership":{"values":[]},"kubeletConfFilePermissions":{"values":[]},"kubeletConfigYamlConfigurationFileOwnership":{"values":[]},"kubeletConfigYamlConfigurationFilePermission":{"values":[]},"kubeletEventQpsArgumentSet":{"values":[]},"kubeletHostnameOverrideArgumentSet":{"values":["sassaflash.235.tdude.co"]},"kubeletMakeIptablesUtilChainsArgumentSet":{"values":[]},"kubeletOnlyUseStrongCryptographic":{"values":[]},"kubeletProtectKernelDefaultsArgumentSet":{"values":[]},"kubeletReadOnlyPortArgumentSet":{"values":[]},"kubeletRotateCertificatesArgumentSet":{"values":[]},"kubeletRotateKubeletServerCertificateArgumentSet":{"values":[]},"kubeletServiceFileOwnership":{"values":[]},"kubeletServiceFilePermissions":{"values":[]},"kubeletStreamingConnectionIdleTimeoutArgumentSet":{"values":[]},"kubeletTlsCertFileTlsArgumentSet":{"values":[]},"kubeletTlsPrivateKeyFileArgumentSet":{"values":[]}}}%                                                                                                                                                  @Zecora:~/s/i/k/a/w/o/prod (master) [$!?⇡] ❯ kubectl get job -n trivy-temp                           
NAME                        STATUS     COMPLETIONS   DURATION   AGE
node-collector-7c5b64fc7f   Complete   1/1           27s        28s

[afdesk]

as said @chen-keinan you can try to delete namespace.

$ kubectl delete namespace trivy-temp

which version of Trivy do you use?
and also what is oidc@k8s-235-1? is it a context?