trivy-operator container 0.19.0 stop with: fatal error: stack overflow #1931

Closed
aandreev-akamai opened this issue Mar 20, 2024 · 13 comments · Fixed by #1949
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@aandreev-akamai

After updating the deployment from the latest helm-chart (0.21.0), the trivy-operator container starts to crash with exit code 2.

What I found in the container logs:

{"level":"info","ts":"2024-03-20T13:59:28Z","msg":"Starting workers","controller":"pod","controllerGroup":"","controllerKind":"Pod","worker count":1}
{"level":"info","ts":"2024-03-20T13:59:28Z","msg":"Starting workers","controller":"configmap","controllerGroup":"","controllerKind":"ConfigMap","worker count":1}
{"level":"info","ts":"2024-03-20T13:59:28Z","msg":"Starting workers","controller":"configmap","controllerGroup":"","controllerKind":"ConfigMap","worker count":1}
{"level":"info","ts":"2024-03-20T13:59:28Z","msg":"Starting workers","controller":"replicaset","controllerGroup":"apps","controllerKind":"ReplicaSet","worker count":1}
{"level":"info","ts":"2024-03-20T13:59:28Z","msg":"Starting workers","controller":"node","controllerGroup":"","controllerKind":"Node","worker count":1}
{"level":"info","ts":"2024-03-20T13:59:28Z","msg":"Starting workers","controller":"daemonset","controllerGroup":"apps","controllerKind":"DaemonSet","worker count":1}
{"level":"info","ts":"2024-03-20T13:59:28Z","msg":"Starting workers","controller":"configmap","controllerGroup":"","controllerKind":"ConfigMap","worker count":1}
I0320 13:59:29.335281       1 request.go:697] Waited for 1.005278845s due to client-side throttling, not priority and fairness, request: GET:https://10.0.0.1:443/api/v1/namespaces/trivy-operator/secrets/trivy-operator-trivy-config
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc0292007f0 stack=[0xc029200000, 0xc049200000]
fatal error: stack overflow

runtime stack:
runtime.throw({0x3c828ab?, 0x20?})
        /opt/hostedtoolcache/go/1.21.8/x64/src/runtime/panic.go:1077 +0x5c fp=0xc004237e18 sp=0xc004237de8 pc=0x43c1dc
runtime.newstack()
        /opt/hostedtoolcache/go/1.21.8/x64/src/runtime/stack.go:1107 +0x5ac fp=0xc004237fc8 sp=0xc004237e18 pc=0x4567ec
runtime.morestack()
        /opt/hostedtoolcache/go/1.21.8/x64/src/runtime/asm_amd64.s:593 +0x8f fp=0xc004237fd0 sp=0xc004237fc8 pc=0x4709cf

goroutine 1309 [running]:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0xc0021d2ed0?, 0xc0065de750, 0xc0491f98e0?, 0xc0491f98b0?, 0xc0491f9880?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:84 +0xbc5 fp=0xc029200800 sp=0xc0292007f8 pc=0x2e61ea5
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de820, 0xc02164cf30?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc029200cf0 sp=0xc029200800 pc=0x2e61b8c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de750, 0xc02164cf00?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc0292011e0 sp=0xc029200cf0 pc=0x2e61b8c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de820, 0xc02164ced0?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc0292016d0 sp=0xc0292011e0 pc=0x2e61b8c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de750, 0xc02164cea0?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc029201bc0 sp=0xc0292016d0 pc=0x2e61b8c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de820, 0xc02164ce70?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc0292020b0 sp=0xc029201bc0 pc=0x2e61b8c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de750, 0xc02164ce40?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc0292025a0 sp=0xc0292020b0 pc=0x2e61b8c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de820, 0xc02164ce10?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc029202a90 sp=0xc0292025a0 pc=0x2e61b8c

trivy-logs.gz

[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Kubernetes version (use kubectl version): Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.9", GitCommit:"d15213f69952c79b317e635abff6ff4ec81475f8", GitTreeState:"clean", BuildDate:"2023-12-22T00:13:26Z", GoVersion:"go1.20.12", Compiler:"gc", Platform:"linux/amd64"}
@aandreev-akamai aandreev-akamai added the kind/bug Categorizes issue or PR as related to a bug. label Mar 20, 2024
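
A triage aid for the trace in the report above, added here as an example and not code from trivy or trivy-operator: it keys each frame by function name plus the arguments the Go runtime printed without a trailing `?`, then reports the period at which the frames repeat. Treating the non-`?` argument as the component being marshalled is an assumption; under it, a repeat along one call stack means the same component is re-entered.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// First four frames of goroutine 1309 from the report (fp/sp/pc columns dropped).
const sampleTrace = `goroutine 1309 [running]:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0xc0021d2ed0?, 0xc0065de750, 0xc0491f98e0?, 0xc0491f98b0?, 0xc0491f9880?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:84 +0xbc5
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de820, 0xc02164cf30?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de750, 0xc02164cf00?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x364c160?, 0xc0065de820, 0xc02164ced0?, 0x24?, 0x0?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/trivy@v0.49.1/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac
`

// locRe matches the "file:line +0xoffset" line that follows each call line.
var locRe = regexp.MustCompile(`^\s+\S+:\d+ \+0x[0-9a-f]+`)

// frameKeys returns one key per frame: the function name plus every argument
// printed without a trailing "?" (the runtime marks possibly stale values with "?").
func frameKeys(trace string) []string {
	var keys []string
	lines := strings.Split(trace, "\n")
	for i := 0; i+1 < len(lines); i++ {
		call := strings.TrimSpace(lines[i])
		open := strings.LastIndex(call, "(")
		if open < 0 || !strings.HasSuffix(call, ")") || !locRe.MatchString(lines[i+1]) {
			continue // not a call line followed by its location line
		}
		key := call[:open]
		for _, a := range strings.Split(call[open+1:len(call)-1], ", ") {
			if a = strings.Trim(a, "{}"); a != "" && !strings.HasSuffix(a, "?") {
				key += " " + a
			}
		}
		keys = append(keys, key)
		i++ // skip the location line just consumed
	}
	return keys
}

// recursionPeriod returns the smallest p for which the keys repeat every p
// frames over the whole slice (at least two repetitions), or 0 if none does.
func recursionPeriod(keys []string) int {
	for p := 1; 2*p <= len(keys); p++ {
		repeats := true
		for i := 0; i+p < len(keys); i++ {
			if keys[i] != keys[i+p] {
				repeats = false
				break
			}
		}
		if repeats {
			return p
		}
	}
	return 0
}

func main() {
	keys := frameKeys(sampleTrace)
	p := recursionPeriod(keys)
	fmt.Printf("%d frames, repeat period %d\n", len(keys), p)
	for _, k := range keys[:p] {
		fmt.Println("  re-entered:", k)
	}
}
```

A period of 1 would indicate a call re-entering with the same argument; the period of 2 here corresponds to the two addresses that alternate through the visible frames.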
@chen-keinan
Collaborator

chen-keinan commented Mar 20, 2024

@aandreev-akamai release 0.19.0 has breaking changes, please follow the steps in the release notes

@aandreev-akamai
Author

aandreev-akamai commented Mar 20, 2024

@aandreev-akamai release 0.19.0 has breaking changes, please follow the steps in the release notes

I have done these steps... forgot to mention it.

@chen-keinan
Collaborator

@aandreev-akamai release 0.19.0 has breaking changes, please follow the steps in the release notes

I have done these steps... forgot to mention it.

Can you please share your configmaps?

@aandreev-akamai
Author

@aandreev-akamai release 0.19.0 has breaking changes, please follow the steps in the release notes

I have done these steps... forgot to mention it.

Can you please share your configmaps?

aandreev@krk-mp7ab ~ % kubectl -n trivy-operator get configmap trivy-operator-config -o yaml
apiVersion: v1
data:
  CONTROLLER_CACHE_SYNC_TIMEOUT: 5m
  OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true"
  OPERATOR_BATCH_DELETE_DELAY: 10s
  OPERATOR_BATCH_DELETE_LIMIT: "10"
  OPERATOR_BUILT_IN_TRIVY_SERVER: "false"
  OPERATOR_CACHE_REPORT_TTL: 120h
  OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "true"
  OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false"
  OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1"
  OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "3"
  OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true"
  OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
  OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true"
  OPERATOR_HEALTH_PROBE_BIND_ADDRESS: :9090
  OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "true"
  OPERATOR_LOG_DEV_MODE: "false"
  OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false"
  OPERATOR_METRICS_BIND_ADDRESS: :8080
  OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false"
  OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "false"
  OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false"
  OPERATOR_METRICS_FINDINGS_ENABLED: "true"
  OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false"
  OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false"
  OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false"
  OPERATOR_METRICS_VULN_ID_ENABLED: "true"
  OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: '{}'
  OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true"
  OPERATOR_SBOM_GENERATION_ENABLED: "true"
  OPERATOR_SCAN_JOB_RETRY_AFTER: 30s
  OPERATOR_SCAN_JOB_TIMEOUT: 5m
  OPERATOR_SCAN_JOB_TTL: ""
  OPERATOR_SCANNER_REPORT_TTL: 24h
  OPERATOR_SEND_DELETED_REPORTS: "false"
  OPERATOR_VULNERABILITY_SCANNER_ENABLED: "true"
  OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
  OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: 30s
  OPERATOR_WEBHOOK_BROADCAST_URL: ""
  TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: 10h
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"CONTROLLER_CACHE_SYNC_TIMEOUT":"5m","OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS":"true","OPERATOR_BATCH_DELETE_DELAY":"10s","OPERATOR_BATCH_DELETE_LIMIT":"10","OPERATOR_BUILT_IN_TRIVY_SERVER":"false","OPERATOR_CACHE_REPORT_TTL":"120h","OPERATOR_CLUSTER_COMPLIANCE_ENABLED":"true","OPERATOR_CLUSTER_SBOM_CACHE_ENABLED":"false","OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT":"1","OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT":"3","OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED":"true","OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS":"true","OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED":"true","OPERATOR_HEALTH_PROBE_BIND_ADDRESS":":9090","OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED":"true","OPERATOR_LOG_DEV_MODE":"false","OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT":"false","OPERATOR_METRICS_BIND_ADDRESS":":8080","OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED":"false","OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED":"false","OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED":"false","OPERATOR_METRICS_FINDINGS_ENABLED":"true","OPERATOR_METRICS_IMAGE_INFO_ENABLED":"false","OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED":"false","OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED":"false","OPERATOR_METRICS_VULN_ID_ENABLED":"true","OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES":"{}","OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED":"true","OPERATOR_SBOM_GENERATION_ENABLED":"true","OPERATOR_SCANNER_REPORT_TTL":"24h","OPERATOR_SCAN_JOB_RETRY_AFTER":"30s","OPERATOR_SCAN_JOB_TIMEOUT":"5m","OPERATOR_SCAN_JOB_TTL":"","OPERATOR_SEND_DELETED_REPORTS":"false","OPERATOR_VULNERABILITY_SCANNER_ENABLED":"true","OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS":"true","OPERATOR_WEBHOOK_BROADCAST_TIMEOUT":"30s","OPERATOR_WEBHOOK_BROADCAST_URL":"","TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION":"10h"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"trivy-operator","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"trivy-operator"
,"app.kubernetes.io/version":"0.19.0","argocd.argoproj.io/instance":"trivy-operator-dev-az","helm.sh/chart":"trivy-operator-0.21.0"},"name":"trivy-operator-config","namespace":"trivy-operator"}}
  creationTimestamp: "2024-03-18T17:43:40Z"
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.19.0
    argocd.argoproj.io/instance: trivy-operator-dev-az
    helm.sh/chart: trivy-operator-0.21.0
  name: trivy-operator-config
  namespace: trivy-operator
  resourceVersion: "208290389"
  uid: 583dbd17-56fb-4932-af4c-79a899225f6b

@aandreev-akamai
Author

aandreev@krk-mp7ab ~ % kubectl -n trivy-operator get configmap trivy-operator -o yaml
apiVersion: v1
data:
  compliance.failEntriesLimit: "10"
  configAuditReports.scanner: Trivy
  node.collector.imageRef: ghcr.io/aquasecurity/node-collector:0.1.2
  node.collector.nodeSelector: "true"
  nodeCollector.volumeMounts: '[{"mountPath":"/var/lib/etcd","name":"var-lib-etcd","readOnly":true},{"mountPath":"/var/lib/kubelet","name":"var-lib-kubelet","readOnly":true},{"mountPath":"/var/lib/kube-scheduler","name":"var-lib-kube-scheduler","readOnly":true},{"mountPath":"/var/lib/kube-controller-manager","name":"var-lib-kube-controller-manager","readOnly":true},{"mountPath":"/etc/systemd","name":"etc-systemd","readOnly":true},{"mountPath":"/lib/systemd/","name":"lib-systemd","readOnly":true},{"mountPath":"/etc/kubernetes","name":"etc-kubernetes","readOnly":true},{"mountPath":"/etc/cni/net.d/","name":"etc-cni-netd","readOnly":true}]'
  nodeCollector.volumes: '[{"hostPath":{"path":"/var/lib/etcd"},"name":"var-lib-etcd"},{"hostPath":{"path":"/var/lib/kubelet"},"name":"var-lib-kubelet"},{"hostPath":{"path":"/var/lib/kube-scheduler"},"name":"var-lib-kube-scheduler"},{"hostPath":{"path":"/var/lib/kube-controller-manager"},"name":"var-lib-kube-controller-manager"},{"hostPath":{"path":"/etc/systemd"},"name":"etc-systemd"},{"hostPath":{"path":"/lib/systemd"},"name":"lib-systemd"},{"hostPath":{"path":"/etc/kubernetes"},"name":"etc-kubernetes"},{"hostPath":{"path":"/etc/cni/net.d/"},"name":"etc-cni-netd"}]'
  policies.bundle.oci.ref: ghcr.io/aquasecurity/trivy-policies:0
  report.recordFailedChecksOnly: "true"
  scanJob.compressLogs: "true"
  scanJob.podTemplateContainerSecurityContext: '{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true}'
  scanJob.podTemplateLabels: azure.workload.identity/use=true,azure.workload.identity/inject-proxy-sidecar=true
  vulnerabilityReports.scanner: Trivy
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"compliance.failEntriesLimit":"10","configAuditReports.scanner":"Trivy","node.collector.imageRef":"ghcr.io/aquasecurity/node-collector:0.1.2","node.collector.nodeSelector":"true","nodeCollector.volumeMounts":"[{\"mountPath\":\"/var/lib/etcd\",\"name\":\"var-lib-etcd\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kubelet\",\"name\":\"var-lib-kubelet\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-scheduler\",\"name\":\"var-lib-kube-scheduler\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-controller-manager\",\"name\":\"var-lib-kube-controller-manager\",\"readOnly\":true},{\"mountPath\":\"/etc/systemd\",\"name\":\"etc-systemd\",\"readOnly\":true},{\"mountPath\":\"/lib/systemd/\",\"name\":\"lib-systemd\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"name\":\"etc-cni-netd\",\"readOnly\":true}]","nodeCollector.volumes":"[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/systemd\"},\"name\":\"etc-systemd\"},{\"hostPath\":{\"path\":\"/lib/systemd\"},\"name\":\"lib-systemd\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]","policies.bundle.oci.ref":"ghcr.io/aquasecurity/trivy-policies:0","report.recordFailedChecksOnly":"true","scanJob.compressLogs":"true","scanJob.podTemplateContainerSecurityContext":"{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}","scanJob.podTemplateLabels":"azure.workload.identity/use=true,azure.workload.identity/inject-proxy-
sidecar=true","vulnerabilityReports.scanner":"Trivy"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"trivy-operator","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"trivy-operator","app.kubernetes.io/version":"0.19.0","argocd.argoproj.io/instance":"trivy-operator-dev-az","helm.sh/chart":"trivy-operator-0.21.0"},"name":"trivy-operator","namespace":"trivy-operator"}}
  creationTimestamp: "2023-06-20T13:43:07Z"
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.19.0
    argocd.argoproj.io/instance: trivy-operator-dev-az
    helm.sh/chart: trivy-operator-0.21.0
  name: trivy-operator
  namespace: trivy-operator
  resourceVersion: "208290391"
  uid: 4e6e6a66-c09c-4344-a19b-02d16990e2c4

@chen-keinan
Collaborator

@aandreev-akamai can you please add the configmap of trivy, trivy-operator-trivy-config?

@aandreev-akamai
Author

trivy-operator-trivy-config

aandreev@krk-mp7ab ~ % kubectl -n trivy-operator get configmap trivy-operator-trivy-config -o yaml
apiVersion: v1
data:
  trivy.additionalVulnerabilityReportFields: ""
  trivy.command: image
  trivy.dbRepository: ghcr.io/aquasecurity/trivy-db
  trivy.dbRepositoryInsecure: "false"
  trivy.filesystemScanCacheDir: /var/trivyoperator/trivy-db
  trivy.imagePullPolicy: IfNotPresent
  trivy.imageScanCacheDir: /tmp/trivy/.cache
  trivy.includeDevDeps: "false"
  trivy.javaDbRepository: ghcr.io/aquasecurity/trivy-java-db
  trivy.mode: Standalone
  trivy.repository: ghcr.io/aquasecurity/trivy
  trivy.resources.limits.cpu: 500m
  trivy.resources.limits.memory: 1500M
  trivy.resources.requests.cpu: 100m
  trivy.resources.requests.memory: 100M
  trivy.sbomSources: ""
  trivy.severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  trivy.skipJavaDBUpdate: "false"
  trivy.slow: "true"
  trivy.supportedConfigAuditKinds: Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota
  trivy.tag: 0.49.1
  trivy.timeout: 5m0s
  trivy.useBuiltinRegoPolicies: "true"
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"trivy.additionalVulnerabilityReportFields":"","trivy.command":"image","trivy.dbRepository":"ghcr.io/aquasecurity/trivy-db","trivy.dbRepositoryInsecure":"false","trivy.filesystemScanCacheDir":"/var/trivyoperator/trivy-db","trivy.imagePullPolicy":"IfNotPresent","trivy.imageScanCacheDir":"/tmp/trivy/.cache","trivy.includeDevDeps":"false","trivy.javaDbRepository":"ghcr.io/aquasecurity/trivy-java-db","trivy.mode":"Standalone","trivy.repository":"ghcr.io/aquasecurity/trivy","trivy.resources.limits.cpu":"500m","trivy.resources.limits.memory":"1500M","trivy.resources.requests.cpu":"100m","trivy.resources.requests.memory":"100M","trivy.sbomSources":"","trivy.severity":"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL","trivy.skipJavaDBUpdate":"false","trivy.slow":"true","trivy.supportedConfigAuditKinds":"Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota","trivy.tag":"0.49.1","trivy.timeout":"5m0s","trivy.useBuiltinRegoPolicies":"true"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"trivy-operator","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"trivy-operator","app.kubernetes.io/version":"0.19.0","argocd.argoproj.io/instance":"trivy-operator-dev-az","helm.sh/chart":"trivy-operator-0.21.0"},"name":"trivy-operator-trivy-config","namespace":"trivy-operator"}}
  creationTimestamp: "2023-06-20T13:43:07Z"
  labels:
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/version: 0.19.0
    argocd.argoproj.io/instance: trivy-operator-dev-az
    helm.sh/chart: trivy-operator-0.21.0
  name: trivy-operator-trivy-config
  namespace: trivy-operator
  resourceVersion: "208301329"
  uid: c8dd61d4-325b-4028-8cdf-0c7b4ef1a2d6

@chen-keinan
Collaborator

chen-keinan commented Mar 20, 2024

@aandreev-akamai it looks like a bug in trivy. Does this happen when scanning a specific container? Is it something you can share so I'll be able to reproduce?

Btw: do you have more logs with context that you can share, maybe set debug mode?

@aandreev-akamai
Author

@aandreev-akamai it looks like a bug in trivy. Does this happen when scanning a specific container? Is it something you can share so I'll be able to reproduce?

Btw: do you have more logs with context that you can share, maybe set debug mode?

Not sure if it is directly related to a specific container...
I set debug mode.

trivy-logs2.gz

@aandreev-akamai
Author

About containers:

After a restart, a few scanner Jobs still exist each time.
These jobs are for scanning: jaegertracing/jaeger-operator:1.49.0 and docker.io/grafana/loki:2.9.4

But jaeger is only installed on the k8s cluster which has this issue.

I hope it will help...

@chen-keinan
Collaborator

About containers:

After a restart, a few scanner Jobs still exist each time. These jobs are for scanning: jaegertracing/jaeger-operator:1.49.0 and docker.io/grafana/loki:2.9.4

But jaeger is only installed on the k8s cluster which has this issue.

I hope it will help...

Thanks, got it to reproduce with image jaegertracing/jaeger-operator:1.49.0

@chen-keinan
Collaborator

@aandreev-akamai trivy issue aquasecurity/trivy#6360

@albertschwarzkopf

Seems that trivy-operator:0.19.1 (helm chart version 0.21.1) has the same issue:

2024/03/22 13:48:05 maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
{"level":"info","ts":"2024-03-22T13:48:06Z","logger":"main","msg":"Starting operator","buildInfo":{"Version":"0.19.1","Commit":"f652926cc222efe7377c44389c38432551f1f356","Date":"2024-03-20T14:39:14Z","Executable":""}}
{"level":"info","ts":"2024-03-22T13:48:06Z","logger":"operator","msg":"Resolved install mode","install mode":"AllNamespaces","operator namespace":"security-system","target namespaces":[],"exclude namespaces":"security-system","target workloads":["pod","replicaset","replicationcontroller","statefulset","daemonset","cronjob","job"]}
{"level":"info","ts":"2024-03-22T13:48:06Z","logger":"operator","msg":"Watching all namespaces"}
