# fleet
Hey folks, wondering if I could get some help with a fleet bundle drift/patch issue. More info in 🧵
fleet.yaml:

```yaml
defaultNamespace: trivy-system

helm:
  repo: https://aquasecurity.github.io/helm-charts/
  chart: trivy-operator
  releaseName: trivy-operator
  version: 0.28.0
  takeOwnership: true
  maxHistory: 1
  valuesFiles:
    - values.yaml

diff:
  comparePatches:
    - apiVersion: aquasecurity.github.io/v1alpha1
      kind: ClusterComplianceReport
      name: k8s-cis-1.23
      operations:
        - op: ignore
          path: /metadata/labels/
```
actual object metadata:

```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
  annotations:
    meta.helm.sh/release-name: trivy-operator
    meta.helm.sh/release-namespace: trivy-system
    objectset.rio.cattle.io/id: default-security-provisioning-trivy-operator-cattle-fleet-582c7
  creationTimestamp: "2025-05-13T18:02:16Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.26.0
    objectset.rio.cattle.io/hash: 3b55c5549853375c4769c24cb26b8b08b447c4c9
  name: k8s-cis-1.23
  resourceVersion: "1463923146"
  uid: d5539fa3-1485-4842-8bc8-02e95b4e061e
```
bundle patch spec:

```yaml
spec:
  correctDrift:
    enabled: true
  defaultNamespace: trivy-system
  diff:
    comparePatches:
      - apiVersion: aquasecurity.github.io/v1alpha1
        kind: ClusterComplianceReport
        name: k8s-cis-1.23
        operations:
          - op: ignore
            path: /metadata/labels/
```
bundle modified status:

```yaml
summary:
    desiredReady: 1
    modified: 1
    nonReadyResources:
      - bundleState: Modified
        modifiedStatus:
          - apiVersion: aquasecurity.github.io/v1alpha1
            kind: ClusterComplianceReport
            name: k8s-cis-1.23
            patch: '{"metadata":{"labels":{"app.kubernetes.io/managed-by":"kubectl"}}}'
          - apiVersion: aquasecurity.github.io/v1alpha1
            kind: ClusterComplianceReport
            name: k8s-nsa-1.0
            patch: '{"metadata":{"labels":{"app.kubernetes.io/managed-by":"kubectl"}}}'
          - apiVersion: aquasecurity.github.io/v1alpha1
            kind: ClusterComplianceReport
            name: k8s-pss-baseline-0.1
            patch: '{"metadata":{"labels":{"app.kubernetes.io/managed-by":"kubectl"}}}'
          - apiVersion: aquasecurity.github.io/v1alpha1
            kind: ClusterComplianceReport
            name: k8s-pss-restricted-0.1
            patch: '{"metadata":{"labels":{"app.kubernetes.io/managed-by":"kubectl"}}}'
        name: fleet-local/local
    ready: 0
```
I am not sure why `diff.comparePatches` is not working to correct the modifications for the bundle.
Any advice welcome, thank you in advance 🙂
I have tried:

- `path: /metadata/labels`
- `path: /metadata/labels/`
- `path: /metadata/labels/app.kubernetes.io/managed-by`
- `path: /metadata/labels/app.kubernetes.io~1managed-by`
- `path: /metadata/labels/app.kubernetes.io\managed-by`
I would have expected the following to work:

```yaml
diff:
  comparePatches:
    - apiVersion: aquasecurity.github.io/v1alpha1
      kind: ClusterComplianceReport
      name: k8s-cis-1.23
      operations:
        - {"op":"ignore"}
    - apiVersion: aquasecurity.github.io/v1alpha1
      kind: ClusterComplianceReport
      name: k8s-nsa-1.0
      operations:
        - {"op":"ignore"}
    - apiVersion: aquasecurity.github.io/v1alpha1
      kind: ClusterComplianceReport
      name: k8s-pss-baseline-0.1
      operations:
        - {"op":"ignore"}
    - apiVersion: aquasecurity.github.io/v1alpha1
      kind: ClusterComplianceReport
      name: k8s-pss-restricted-0.1
      operations:
        - {"op":"ignore"}
    - apiVersion: aquasecurity.github.io/v1alpha1
      kind: ClusterComplianceReport
      name: eks-cis-1.4
      operations:
        - {"op":"ignore"}
```
Fixed, just had to resolve other fleet issues with different bundles before this one would resolve.
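The list of `path` variants tried above is a good place to check how a JSON Pointer (RFC 6901) actually resolves, because the label key `app.kubernetes.io/managed-by` contains a `/`, which in a pointer must be written `~1`, and a trailing `/` as in `/metadata/labels/` addresses the empty-string key under `labels` rather than the `labels` map itself. The script below is an added illustration, not code from this thread or from Fleet itself: it models an `ignore` operation as removing the pointer target from both the desired and the live object before comparing, and then reports the remaining drift. Whether Fleet's drift comparison implements `ignore` exactly this way is an assumption; the desired/live objects are constructed to mirror the `managed-by: Helm` vs `kubectl` label drift reported in the bundle status above.

```python
"""Model of RFC 6901 pointer resolution for drift 'ignore' operations.

Added illustration (not Fleet's implementation): an ignore path is removed
from both the desired and the live object, and whatever still differs is
reported as drift. Sample objects below are constructed for the demo.
"""
import copy


def parse_pointer(pointer: str) -> list[str]:
    """Split an RFC 6901 JSON Pointer into reference tokens.

    Unescapes '~1' -> '/' and '~0' -> '~' per token. An empty pointer
    addresses the whole document; a trailing '/' yields an empty token.
    """
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"pointer must start with '/': {pointer!r}")
    return [tok.replace("~1", "/").replace("~0", "~") for tok in pointer[1:].split("/")]


def escape_token(token: str) -> str:
    """Inverse of the per-token unescaping used in parse_pointer."""
    return token.replace("~", "~0").replace("/", "~1")


def remove_pointer(obj: dict, pointer: str) -> dict:
    """Return a deep copy of obj with the value at pointer removed.

    Missing intermediate keys make the removal a no-op, which is exactly
    why a mis-escaped pointer silently fails to ignore anything.
    """
    result = copy.deepcopy(obj)
    tokens = parse_pointer(pointer)
    if not tokens:
        return {}
    node = result
    for tok in tokens[:-1]:
        if not isinstance(node, dict) or tok not in node:
            return result
        node = node[tok]
    if isinstance(node, dict):
        node.pop(tokens[-1], None)
    return result


def _diff(desired, actual, prefix: str):
    """Yield (pointer, desired_value, actual_value) for differing leaves."""
    if isinstance(desired, dict) and isinstance(actual, dict):
        for key in set(desired) | set(actual):
            yield from _diff(desired.get(key), actual.get(key), f"{prefix}/{escape_token(key)}")
    elif desired != actual:
        yield (prefix, desired, actual)


def drift_after_ignores(desired: dict, actual: dict, ignore_paths: list[str]) -> list[tuple]:
    """Apply each ignore path to both objects, then return the sorted remaining drift."""
    for path in ignore_paths:
        desired = remove_pointer(desired, path)
        actual = remove_pointer(actual, path)
    return sorted(_diff(desired, actual, ""))


# Constructed sample: the chart-rendered object vs. the live object whose
# managed-by label was changed to "kubectl", as in the bundle status above.
DESIRED = {
    "apiVersion": "aquasecurity.github.io/v1alpha1",
    "kind": "ClusterComplianceReport",
    "metadata": {
        "name": "k8s-cis-1.23",
        "labels": {"app.kubernetes.io/name": "trivy-operator", "app.kubernetes.io/managed-by": "Helm"},
    },
}
ACTUAL = copy.deepcopy(DESIRED)
ACTUAL["metadata"]["labels"]["app.kubernetes.io/managed-by"] = "kubectl"

if __name__ == "__main__":
    for path in ["/metadata/labels",
                 "/metadata/labels/",
                 "/metadata/labels/app.kubernetes.io/managed-by",
                 "/metadata/labels/app.kubernetes.io~1managed-by"]:
        print(f"{path!r:55} tokens={parse_pointer(path)}")
        print(f"{'':55} remaining drift={drift_after_ignores(DESIRED, ACTUAL, [path])}")
```

Running the demo shows that only `/metadata/labels` (drops the whole map) and `/metadata/labels/app.kubernetes.io~1managed-by` (drops the single escaped key) leave no drift; the unescaped form resolves to a nested key `app.kubernetes.io` → `managed-by` that does not exist, and the trailing-slash form removes the empty-string key, so both leave the `managed-by` difference in place.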