When performing a compliance scan on an EKS or a GKE Kubernetes cluster with the command
trivy k8s cluster --compliance k8s-cis --report summary --debug
there are PASS results for all checks related to the control plane and etcd, which are both managed by the cloud provider and not accessible to the user. The debug logs do not show anything about checks being skipped or ignored, and --report all does not include any of the above checks as they are considered PASSed.
Desired Behavior
Either some kind of warning or at least a - in place of the result of a check that is not possible to be performed.
Actual Behavior
The results are all PASS
Reproduction Steps
1. k8s cluster --compliance k8s-cis --report summary --debug on a cloud-provider Kubernetes cluster
Target
Kubernetes
Scanner
None
Output Format
None
Mode
Standalone
Debug Output
2024-01-27T19:26:37.494+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-27T19:26:37.494+0100 DEBUG Ignore statuses {"statuses": null}
2024-01-27T19:27:02.495+0100 DEBUG cache dir: /home/dev/.cache/trivy
2024-01-27T19:27:02.495+0100 DEBUG DB update was skipped because the local DB was downloaded during the last hour
2024-01-27T19:27:02.495+0100 DEBUG DB Schema: 2, UpdatedAt: 2024-01-27 12:12:07.911536862 +0000 UTC, NextUpdate: 2024-01-27 18:12:07.911536541 +0000 UTC, DownloadedAt: 2024-01-27 17:57:42.274257098 +0000 UTC
Discussed in #6012
Originally posted by kamieniarzk January 27, 2024
Operating System
Ubuntu 22.04
Version
Checklist
trivy image --reset
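The report above describes checks that show PASS although the scanner could not inspect the component. The following added example (not Trivy's code or report schema, and not part of the original post) shows one way that can happen and the three-state result the issue asks for. The control IDs, evidence layout and function names are constructed, and the empty-input cause is an assumption the issue does not confirm.

```python
# Added example: hypothetical evaluator, not Trivy's implementation.
from dataclasses import dataclass
from typing import Callable


@dataclass
class Control:
    id: str                        # constructed ID, not a real CIS number
    component: str                 # component whose settings the check needs
    check: Callable[[dict], bool]  # True when one collected config complies


# Constructed controls: two control-plane checks, one worker-node check.
CONTROLS = [
    Control("CP-1", "kube-apiserver", lambda c: c.get("anonymous-auth") == "false"),
    Control("ETCD-1", "etcd", lambda c: bool(c.get("cert-file")) and bool(c.get("key-file"))),
    Control("NODE-1", "kubelet", lambda c: c.get("anonymous-auth") == "false"),
]

# Constructed evidence from a managed cluster: the provider hides the
# API server and etcd, so only kubelet settings were collected.
MANAGED_EVIDENCE = {
    "kubelet": [{"anonymous-auth": "false"}, {"anonymous-auth": "true"}],
}


def evaluate_naive(control: Control, evidence: dict) -> str:
    # all() over an empty list is True, so "nothing collected" reads as PASS.
    items = evidence.get(control.component, [])
    return "PASS" if all(control.check(i) for i in items) else "FAIL"


def evaluate_tristate(control: Control, evidence: dict) -> str:
    items = evidence.get(control.component, [])
    if not items:
        return "-"  # the check could not be performed; claim nothing
    return "PASS" if all(control.check(i) for i in items) else "FAIL"


def summarize(evaluate, evidence: dict) -> dict:
    return {c.id: evaluate(c, evidence) for c in CONTROLS}


if __name__ == "__main__":
    for name, fn in (("naive", evaluate_naive), ("tristate", evaluate_tristate)):
        print(name, summarize(fn, MANAGED_EVIDENCE))
```

With the three-state evaluator, a compliance percentage should be computed over evaluated controls only, so unreachable components neither raise nor lower the score.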