-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to access private gcr images even have right service account defined to scanjob #1298
Comments
@saurabh21316 have you tried using global secrets (option 4 ) https://aquasecurity.github.io/trivy-operator/v0.14.1/tutorials/private-registries/ |
I have tried method 1st,4th and 5th but still no luck in 4th method, i used "us.gcr.io". :( The error we see now {"level":"error","ts":"2023-06-14T21:12:16Z","logger":"reconciler.scan job","msg":"Scan job container","job":"trivy-system/scan-vulnerabilityreport-788598479c","container":"dev-postgrest-crm-internal-ro","status.reason":"Error","status.message":"2023-06-14T21:12:12.792Z\t\u001b[31mFATAL\u001b[0m\tflag error: registry flag error: the length of usernames and passwords must match\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport/controller.(*ScanJobController).processFailedScanJob\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller/scanjob.go:265\ngithub.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport/controller.(*ScanJobController).reconcileJobs.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller/scanjob.go:79\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile/reconcile.go:103\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"} |
@saurabh21316 how you create the secret , it should be in form of :
Please also review this issue #1279 |
Thanks for your response @chen-keinan !! e.g 1.) echo -n "{ 2.) echo -n '{"auths":{"us.gcr.io":{"auth":"OUTPUT"}}}' | base64
|
@saurabh21316 it is not supported with gcp service account see issue #1095, currently only with with registry credential , user/password |
@chen-keinan thanks for the update. I tried the given GCR method as well on this link: apiVersion: v1 via adding annotation of gcp sa to default username (trivy-operator) created by helm and it didn't work either. Does it even work? Thanks |
Yes , we got the instruction from community how make it work in production. Why not to use user/password secret as suggested? |
I don't think there is an option to use user/password with gcr. Could you please share the instruction on how can I make service account work? @chen-keinan |
@saurabh21316 please confirm that following :
|
@chen-keinan As I said above this is exactly i did and it's not working. The same service account works when running using docker command locally. so iam service account has right permissions to access the gcr. docker run -it --rm -v /tmp:/tmp |
The only concern for me is the instruction given on the above page is For Config Connector, apply the IAMServiceAccount object for your selected service account.
|
@chen-keinan please let me know if you get a chance to look at this. |
FYI I got latest Helm chart ( Main steps according to doc eg. add serviceaccount, add policy-bindings for My
and then granting permissions on another project:
|
@petskratt Thanks or sharing , do you mind reviewing our docs for gcp and let me know if anything need to be amended. |
yeah, we have it running in different project as well(e.g. abc-project). did you get it working? @chen-keinan The service account I created have following roles under (abc-project) : So service account has right permissions as required and it looks like the procedure define here is broken. @petskratt would really appreciate if you can help on it as we have been stuck on it from last couple of weeks. |
@saurabh21316 the docs for gcp managed private registries has been contributed by community user who make it work same as @petskratt |
@chen-keinan I agree but as I said earlier, It seems like these crds don't exist anymore resource mapping not found for name: "trivy-operator" namespace: "trivy-system" from "gke-service-account-connector.yaml": no matches for kind "IAMServiceAccount" in version "iam.cnrm.cloud.google.com/v1beta1" here is the file: apiVersion: v1
|
This idea of using it workload identity with trivy operator is security concern for a security tool, In GCP diff projects hosts diff repos,even individual repo has granual level permission. The way it's going if you are running 50 application in a cluster, and if they belong to 50 diff repos then the access should be done for all these repo, giving this defies the basic principle of least privilege. |
@btwseeu78 I'm not objecting for adding support for workload identity as describe above. |
@chen-keinan workload identity is nice way to access repository,but it was meant to be secure but for platform teams who hosts multiple project its burden because we dont control how individual project acesss their repo, as trivy works as of now that it uses the credentials from workload its scanning, this works for me but only if supports all the methods, since serviceaccount is one of the go to method for pulling from google artifact registry its generally used by many and easier, workload identity is not bad but for platform team we can not control how projects want to authenticate. so i am wondering why the last issue was closed on this same topic, are we saying that serviceaccount in json will not be supported, thats diff problem since we require diff solution or finding way to fit it in. so the assurance tat we should wait or not should be at least available. |
@btwseeu78 are you referring to this issue #1095 , it was closed by |
@petskratt if you got it working when running trivy operator let's say in Project-A and then can access gcr image in Project-B then I must be doing something wrong. Going with the reply above as you said.
|
Ok I think I got it working guys.. The only piece was missing the below command since it was little confusing but eventually I see it's able to scan private gcr. will update it once it finishes scanning or I get into any error. gcloud iam service-accounts add-iam-policy-binding trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com Thanks for your support and continue response. |
@saurabh21316 thanks for the update , I would like to ask you the same, if all works , could you confirm if our gcr manages privare registry docs requires an update |
yes @chen-keinan imo, it's quite simple to get it working if instructions are updated because there is no need of connector and the CRD doesn't exist anymore. |
Happy to update the instructions if you like and we can go through it if require. |
To run the Trivy Operator in Project A while using Private Google Container Registry (GCR) in Project B, you need to follow these steps: 1.) Create an IAM service account in Project B with the necessary roles:
For example, it creates a service account named test-scanner@Project-B.iam.gserviceaccount.com with these roles assigned. 2.) Run the following command in the terminal, ensuring you are in Project B gcloud iam service-accounts add-iam-policy-binding test-scanner@Project-B.iam.gserviceaccount.com This command adds an IAM policy binding to the service account test-scanner@Project-B.iam.gserviceaccount.com with the role roles/iam.workloadIdentityUser and associates it with the service account trivy-system/trivy-operator in Project A and it's quite important to run this command otherwise it will not work. 3.) Update the custom-value.yaml file for the Trivy Operator before deploying it using Helm. trivyOperator: serviceAccount: Ensure you make these modifications to the custom-value.yaml file specific to the Trivy Operator before deploying it via Helm. By completing these steps, you will have created the necessary IAM service account, granted it the required roles, and configured the Trivy Operator with the appropriate service account annotation and settings for authentication and authorization between Project A and Project B. |
@chen-keinan i have just posted the fix that i did at my end however I am not sure if it requires when running in same project. please have a look. |
i would try to code it myslef, im am new to go i will try to fix the issue.if not i would request someone to pick it up. |
@chen-keinan @saurabh21316 just for the note to add, Workload identity is not a default enabled feature in GKE, This supposed be created preferred in times of node creation, else updating it is tricky for existing nodes. |
I have the imagePullSecrets set on the
|
It doesn't work @cdenneen therefore use the above method to access private gcr. |
I opened #1364 the issue is I need this to work globally vs just a particular namespace right? or should it just be:
all examples are for individual namespaces but if the operator spins all the images up in the
|
Sry I haven't able to put my efforts on this, so the problem here is tricky uses special argument when you use google application credentials, it's an argument where you provide file path to the command GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json. Now the way operator works currently does not support this argument it tries to convert it to docker auth which is not right for json creeds, we need a new volume mount when trivia docker auth finds a username == -json-key. And we also need to Mindy arts list that operator runs making username blank that should solve issues with private registry GCR and AR,popping the jobs or using workload identify can solve but only will work when your entire organisation pull from same private repository but for organisations who uses granular perm it's an headache as you will end up with hundreds of pull secrets append and managing @chen-keinan what your though I found the problem but not the time to fix it, maybe you can put your thought on this |
string{ |
@btwseeu78 thanks for update , I'll take e a look at it |
I am not the best or the brightest in terms of go but i tested my changes with private registry with json creds works just fine as i thought it should be. anybody wants to use this can test using : linuxarpan/trivy-test:v2 , @chen-keinan im not the best guy in terms go and overall dev i would let you handle the rest part. |
Thanks , Ill take a look |
This issue is stale because it has been labeled with inactivity. |
Hello Team,
I would really appreciate if someone can help to resolve the private gcr docker images issue.
ERROR:
{"level":"error","ts":"2023-06-08T16:35:25Z","logger":"reconciler.scan job","msg":"Scan job container","job":"trivy-system/scan-vulnerabilityreport-8644d5d6fc","container":"limit-processer","status.reason":"Error","status.message":"2023-06-08T16:35:21.135Z\t\u001b[31mFATAL\u001b[0m\timage scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:\n\t* unable to inspect the image (us.gcr.io/abc/xyz:28ddd33d77904d113a5451c): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?\n\t* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory\n\t* containerd socket not found: /run/containerd/containerd.sock\n\t* GET https://us.gcr.io/v2/abc/xyz/manifests/28ddd33d77904d113a5451c: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication\n\n\n","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport/controller.(*ScanJobController).processFailedScanJob\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller/scanjob.go:265\ngithub.com/aquasecurity/trivy-operator/pkg/vulnerabilityreport/controller.(*ScanJobController).reconcileJobs.func1\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/vulnerabilityreport/controller/scanjob.go:79\nsigs.k8s.io/controller-runtime/pkg/reconcile.Func.Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/reconcile/reconcile.go:103\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:118\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:314\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"}
Few things I tried when deploying via helm:
1.) Via apply GCP service account directly to trivy-operator instead of using default sa.
serviceAccountName: abcd123
serviceAccount: abcd123
2.) I also tried to define via helm:
---> privateRegistryScanSecretsNames: {"trivy-system": "trivy-scanner"}
3.) Via adding GCP SA annotation to trivy-operator SA Account.
None of them worked.
I can confirm the secrets works for gcr when i tested locally with docker run command as indicated on the below page.
https://aquasecurity.github.io/trivy/v0.25.4/docs/advanced/private-registries/gcr/
But if I directly run scan pod and add GOOGLE_APPLICATION_CREDENTIALS via env to container along with secret volume mount then it works but then I don't see an option to apply env/volume mount via helm to scan job (e.g configmap)
I would highly appreciate if someone can point me to right direction.
Thanks
The text was updated successfully, but these errors were encountered: