broad-laptop-19151
01/19/2023, 6:41 PM

creamy-pencil-82913
01/19/2023, 7:02 PM
kubectl logs mirrors what’s in the actual log file.

broad-laptop-19151
01/19/2023, 7:05 PM

creamy-pencil-82913
01/19/2023, 7:31 PM

broad-laptop-19151
01/19/2023, 9:05 PM
2023-01-19T20:53:02.001262317Z stdout F {
2023-01-19T20:53:02.001265017Z stdout F "fixedVersion": "215-17+deb8u11",
2023-01-19T20:53:02.001267717Z stdout F "installedVersion": "215-17+deb8u4",
2023-01-19T20:53:02.001270417Z stdout F "pkgName": "systemd-sysv",
2023-01-19T20:53:02.001273117Z stdout F "primaryURL": "https://avd.aquasec.com/nvd/cve-2019-3815",
2023-01-19T20:53:02.001275917Z stdout F "severity": "LOW",
2023-01-19T20:53:02.001278717Z stdout F "title": "systemd: memory leak in journald-server.c introduced by fix for CVE-2018-16864",
2023-01-19T20:53:02.001281517Z stdout F "vulnerabilityID": "CVE-2019-3815"
2023-01-19T20:53:02.001284217Z stdout F },
2023-01-19T20:53:02.001287017Z stdout F {
2023-01-19T20:53:02.001289717Z stdout F "installedVersion": "215-17+deb8u4",
2023-01-19T20:53:02.001292517Z stdout F "pkgName": "systemd-sysv",
2023-01-19T20:53:02.001295217Z stdout F "primaryURL": "https://avd.aquasec.com/nvd/cve-2020-13529",
2023-01-19T20:53:02.001298017Z stdout F "severity": "LOW",
2023-01-19T20:53:02.001420918Z stdout P "title": "systemd: DHCP FORCERENEW authentication not implemented can cause a system running the DHCP client to hav
And the job pod completed successfully. 🤔 I wonder what is causing this... Any other suggestions?

creamy-pencil-82913
01/19/2023, 9:32 PM

broad-laptop-19151
01/19/2023, 9:36 PM

creamy-pencil-82913
01/19/2023, 9:37 PM
runtimeapi.LogTagPartial) in there
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kuberuntime/logs/logs.go#L125-L169
kubectl logs? That’s a pretty Rube Goldberg pipeline you’ve built there.

broad-laptop-19151
01/19/2023, 9:45 PM
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2023-01-19T21:26:32Z"
  generateName: deployment-vuln-app-app-eccf8-77bda-
  labels:
    app.kubernetes.io/managed-by: image-scanner
    app.kubernetes.io/name: trivy
    controller-uid: 281d6325-15bb-47cb-9213-cfb7eb69c7a5
    controller.statnett.no/namespace: kuttl-test-daring-goat
    controller.statnett.no/uid: 39a65615-de9c-4476-a882-97d76875eb5a
    job-name: deployment-vuln-app-app-eccf8-77bda
    workload.statnett.no/kind: Deployment
    workload.statnett.no/name: vuln-app
    workload.statnett.no/namespace: kuttl-test-daring-goat
  name: deployment-vuln-app-app-eccf8-77bda-tkh6c
  namespace: image-scanner-jobs
  ownerReferences:
  - apiVersion: batch/v1
    blockOwnerDeletion: true
    controller: true
    kind: Job
    name: deployment-vuln-app-app-eccf8-77bda
    uid: 281d6325-15bb-47cb-9213-cfb7eb69c7a5
  resourceVersion: "1486"
  uid: e265d033-d24f-49b0-84ca-4825fcf70758
spec:
  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - preference:
          matchFields:
          - key: metadata.name
            operator: In
            values:
            - k3d-image-scanner-server-0
        weight: 100
  automountServiceAccountToken: false
  containers:
  - args:
    - filesystem
    - /
    command:
    - /var/run/image-scanner/trivy
    env:
    - name: HOME
      value: /tmp
    - name: TRIVY_OFFLINE_SCAN
      value: "true"
    - name: TRIVY_SECURITY_CHECKS
      value: vuln
    - name: TRIVY_CACHE_DIR
      value: /tmp
    - name: TRIVY_SERVER
      value: http://trivy.image-scanner.svc.cluster.local
    - name: TRIVY_QUIET
      value: "true"
    - name: TRIVY_FORMAT
      value: template
    - name: TRIVY_TEMPLATE
      value: |
        {{- $vulns := list -}}
        {{- range . }}
        {{- range .Vulnerabilities -}}
        {{- $vuln := dict -}}
        {{- $_ := set $vuln "vulnerabilityID" .VulnerabilityID -}}
        {{- $_ := set $vuln "pkgName" .PkgName -}}
        {{- $_ := set $vuln "installedVersion" .InstalledVersion -}}
        {{- $_ := set $vuln "severity" .Severity -}}
        {{- if .PkgPath }}{{ $_ := set $vuln "pkgPath" .PkgPath }}{{ end -}}
        {{- if .FixedVersion }}{{ $_ := set $vuln "fixedVersion" .FixedVersion }}{{ end -}}
        {{- if .Title }}{{ $_ := set $vuln "title" .Title }}{{ end -}}
        {{- if .PrimaryURL }}{{ $_ := set $vuln "primaryURL" .PrimaryURL }}{{ end -}}
        {{- $vulns = append $vulns $vuln -}}
        {{- end -}}
        {{- end -}}
        {{- toPrettyJson $vulns }}
    - name: TRIVY_TIMEOUT
      value: 1h0m0s
    - name: TRIVY_SEVERITY
      value: MEDIUM,HIGH,CRITICAL
    image: docker.io/kennship/http-echo@sha256:144322e8e96be2be6675dcf6e3ee15697c5d052d14d240e8914871a2a83990af
    imagePullPolicy: IfNotPresent
    name: scan-image
    resources:
      limits:
        cpu: 500m
        memory: 500M
      requests:
        cpu: 100m
        memory: 100M
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - all
      privileged: false
      readOnlyRootFilesystem: true
      runAsUser: 0
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /var/run/image-scanner
      name: image-scanner
    - mountPath: /tmp
      name: tmp
    workingDir: /tmp
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  initContainers:
  - command:
    - cp
    - -v
    - /usr/local/bin/trivy
    - /var/run/image-scanner/trivy
    image: ghcr.io/aquasecurity/trivy:0.36.1
    imagePullPolicy: IfNotPresent
    name: trivy
    resources:
      limits:
        cpu: 50m
        memory: 200Mi
      requests:
        cpu: 10m
        memory: 50Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: FallbackToLogsOnError
    volumeMounts:
    - mountPath: /var/run/image-scanner
      name: image-scanner
  nodeName: k3d-image-scanner-server-0
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: OnFailure
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: image-scanner
  serviceAccountName: image-scanner
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - emptyDir: {}
    name: image-scanner
  - emptyDir: {}
    name: tmp
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2023-01-19T21:26:36Z"
    reason: PodCompleted
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2023-01-19T21:26:43Z"
    reason: PodCompleted
    status: "False"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2023-01-19T21:26:43Z"
    reason: PodCompleted
    status: "False"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2023-01-19T21:26:32Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://256860a1ab03d515ca56a7fb65b09b6aedba2cface02e66a824dec560a2e66bb
    image: sha256:c1c085fb330eea7d222e40bdf5ad0ea400e751285847ce2ae76889ee0d961c04
    imageID: docker.io/kennship/http-echo@sha256:144322e8e96be2be6675dcf6e3ee15697c5d052d14d240e8914871a2a83990af
    lastState: {}
    name: scan-image
    ready: false
    restartCount: 0
    started: false
    state:
      terminated:
        containerID: containerd://256860a1ab03d515ca56a7fb65b09b6aedba2cface02e66a824dec560a2e66bb
        exitCode: 0
        finishedAt: "2023-01-19T21:26:43Z"
        reason: Completed
        startedAt: "2023-01-19T21:26:36Z"
  hostIP: 172.18.0.2
  initContainerStatuses:
  - containerID: containerd://b6bb18aa1bb7f4d79ce2a4d200725531aed837f211451921583b5acaefa7ddb2
    image: ghcr.io/aquasecurity/trivy:0.36.1
    imageID: ghcr.io/aquasecurity/trivy@sha256:fcd4eddc8082be2d7c929cb07c989d62d2d50669513b8a0889116b40feab435f
    lastState: {}
    name: trivy
    ready: true
    restartCount: 0
    state:
      terminated:
        containerID: containerd://b6bb18aa1bb7f4d79ce2a4d200725531aed837f211451921583b5acaefa7ddb2
        exitCode: 0
        finishedAt: "2023-01-19T21:26:36Z"
        reason: Completed
        startedAt: "2023-01-19T21:26:33Z"
  phase: Succeeded
  podIP: 10.42.0.32
  podIPs:
  - ip: 10.42.0.32
  qosClass: Burstable
  startTime: "2023-01-19T21:26:32Z"
creamy-pencil-82913
01/19/2023, 9:54 PM

broad-laptop-19151
01/19/2023, 9:56 PM

creamy-pencil-82913
01/19/2023, 9:58 PM

broad-laptop-19151
01/19/2023, 9:58 PM

creamy-pencil-82913
01/19/2023, 9:59 PM

broad-laptop-19151
01/19/2023, 9:59 PM

creamy-pencil-82913
01/19/2023, 10:00 PM

broad-laptop-19151
01/19/2023, 10:01 PM

creamy-pencil-82913
01/19/2023, 10:01 PM

broad-laptop-19151
01/19/2023, 10:02 PM

creamy-pencil-82913
01/19/2023, 10:02 PM

broad-laptop-19151
01/19/2023, 10:02 PM

creamy-pencil-82913
01/19/2023, 10:05 PM

broad-laptop-19151
01/19/2023, 10:05 PM

creamy-pencil-82913
01/19/2023, 10:05 PM

broad-laptop-19151
01/19/2023, 10:05 PM

creamy-pencil-82913
01/19/2023, 10:07 PM

broad-laptop-19151
01/19/2023, 10:07 PM

creamy-pencil-82913
01/19/2023, 10:14 PM

broad-laptop-19151
01/19/2023, 10:15 PM

creamy-pencil-82913
01/19/2023, 10:17 PM

broad-laptop-19151
01/19/2023, 10:18 PM

creamy-pencil-82913
01/19/2023, 10:26 PM

broad-laptop-19151
01/19/2023, 10:27 PM

creamy-pencil-82913
01/19/2023, 10:28 PM
wget has POST upload support, you could probably use that.