EKS上的Trivy无法扫描任何图像
EKS上的Trivy无法扫描任何图像
提问于 2022-11-12 23:12:56
我正在尝试扫描部署在我的EKS集群上的所有映像,我正在为高安全性而设置(将部署到分类IL5环境)。Kubernetes v1.23,所有工作节点都运行在Bottlerocket上。
我预计图像将被扫描,并可在VulnerabilityReports光盘。
我成功地将Falco安装到集群中(使用容器)。但是,当部署正式的Helm图表(0.6.0-rc3)时,扫描漏洞容器会启动,然后立即出错。我在trivy-操作符部署上设置了这个环境变量:
- name: CONTAINER_RUNTIME_ENDPOINT
value: /run/containerd/containerd.sock用-debug运行的输出
{
"level": "error",
"ts": 1668286646.865245,
"logger": "reconciler.vulnerabilityreport",
"msg": "Scan job container",
"job": "trivy-system/scan-vulnerabilityreport-74f54b6cd",
"container": "discovery",
"status.reason": "Error",
"status.message": "2022-11-12T20:57:13.674Z\t\u001b[31mFATAL\u001b[0m\timage scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:\n\t* unable to inspect the image (023620263533.dkr.ecr.us-gov-east-1.amazonaws.com/docker.io/istio/pilot:1.15.2): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* containerd socket not found: /run/containerd/containerd.sock\n\t* GET https://023620263533.dkr.ecr.us-gov-east-1.amazonaws.com/v2/docker.io/istio/pilot/manifests/1.15.2: unexpected status code 401 Unauthorized: Not Authorized\n\n\n\n",
"stacktrace": "github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport.(*WorkloadController).processFailedScanJob\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller.go:551\ngithub.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport.(*WorkloadController).reconcileJobs.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller.go:376\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.13.1/pkg/reconcile/reconcile.go:102\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.13.1/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.13.1/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.13.1/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.13.1/pkg/internal/controller/controller.go:234"
}我确认bottlerocket使用容器,因为在我的Falco部署中指定了/run/containerd/containerd.sock。即使当我将它作为卷挂载到吊舱上并将CONTAINER_RUNTIME_ENDPOINT设置为此路径时,我也会得到相同的错误。
编辑i添加了以下安全上下文:
seLinuxOptions:
user: system_u
role: system_r
type: control_t
level: s0-s0:c0.c1023回答 1
Stack Overflow用户
回答已采纳
发布于 2022-11-15 20:11:16
最初,我将dockershim.sock从主机安装到pod,然后意识到这是不必要的,错误消息有点误导,这实际上是一个带有ECR问题的身份验证。此外,需要在pod级别而不是容器级别指定seLinux标志。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/74417278
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号