0.54: kubernetes scanner requires role permissions

[jkroepke]

Description

I'm coming from #6653 however, since the discussion is closed, I have to create a new one

---

I'm running trivy 0.54.1 as developer with reduced permissions. I would like to scan all my workload once.

Trivy has the Kubernetes Role "view" which give trivy access to all workloads

Here is my command line call

trivy kubernetes --report=all \
            --disable-node-collector \
            --cache-dir /tmp/.trivycache/ \
            --no-progress \
            --ignore-unfixed \
            --exit-code 0 \
            --parallel 1 \
            --format table \
            --scanners vuln \
            --ignorefile /.trivyignore \
            --pkg-types os \
            --include-namespaces opsstack \
            -o "/scans/report.all.html" \
            --include-kinds deploy,sts,ds;

Trivy report that it can not access roles, however in --include-kinds deploy,sts,ds, there is no role defined. It also reports an error cannot list resource \"nodes\" in API group while disable-node-collector is set.

Desired Behavior

The trivy 0.50 behavior where I could set --components workload and everything works as expected.

Actual Behavior

2024-08-12T08:09:56Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"roles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:09:56Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=rolebindings - rolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"rolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:09:57Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterroles - clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:09:57Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterrolebindings - clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:09:58Z    ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=nodes - nodes is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2024-08-12T08:09:58Z    ERROR   Unable to list node resources   error="nodes is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
0 [_______________________________________________________________________________________________________________________________________________________________________________________________________________________] ?% ? p/s
~ $ 

To my surprise, trivy exit with exit code 0. The report is empty, but I there are vulnerabilities. (trivy 0.50 scan confirms this)

Reproduction Steps

1. Run a Kubernetes cluster with workload
2. Run the command in this report
...

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-08-12T08:25:42Z    DEBUG   Cache dir       dir="/tmp/.trivycache/"
2024-08-12T08:25:42Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-12T08:25:42Z    DEBUG   Ignore statuses statuses=[0 1 2 4 5 6 7]
2024-08-12T08:25:42Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=roles - roles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"roles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:25:43Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=rolebindings - rolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"rolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:25:44Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterroles - clusterroles.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"clusterroles\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:25:44Z    ERROR   Unable to list resources        error="failed listing resources for gvr: rbac.authorization.k8s.io/v1, Resource=clusterrolebindings - clusterrolebindings.rbac.authorization.k8s.io is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"clusterrolebindings\" in API group \"rbac.authorization.k8s.io\" at the cluster scope"
2024-08-12T08:25:44Z    ERROR   Unable to list resources        error="failed listing resources for gvr: /v1, Resource=nodes - nodes is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2024-08-12T08:25:44Z    ERROR   Unable to list node resources   error="nodes is forbidden: User \"system:serviceaccount:opsstack:opsstack-trivy\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
2024-08-12T08:25:44Z    DEBUG   DB update was skipped because the local DB is the latest
2024-08-12T08:25:44Z    DEBUG   DB info schema=2 updated_at=2024-08-12T06:11:34.28006316Z next_update=2024-08-12T12:11:34.28006289Z downloaded_at=2024-08-12T08:19:14.211071503Z
0 [_______________________________________________________________________________________________________________________________________________________________________________________________________________________] ?% ? p/s
~ $

Operating System

Linux

Version

0.54.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

@afdesk could you take a look?

[afdesk]

@jkroepke thanks for the report.
you're right, there is an issue with permissions, trying to resolve and/or describe it.

[jkroepke]

The current trivy version does not report any permission issues, but the list of vulnerabilities is empty. It says 0 issues, but scanning with full permissions reports issue as expected. Is that really expected? End-user may think, they are safe, like a static green light.

[jkroepke]

Did it just work? Or did you get vulnerabilities back? My list is always empty.

[jkroepke]

Do you think it's too many perms? thanks!

Are the RBAC permissions bound to a namespaces, with RoleBindings? Than, It's fine. On a cluster level via ClusterRoleBinding, it would be too much.

[afdesk]

I agree with you. and trying to use only Role (not ClusterRole).I'll update you about my results

[afdesk]

The current trivy version does not report any permission issues, but the list of vulnerabilities is empty. It says 0 issues, but scanning with full permissions reports issue as expected. Is that really expected? End-user may think, they are safe, like a static green light.

it's a bit strange. in my environments I can see the permission errors:

2024-09-30T13:38:53+06:00	ERROR	Unable to list resources	error="failed listing resources for gvr: apps/v1, Resource=deployments - deployments.apps is forbidden: User \"system:serviceaccount:rbac-test:user1\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope"