Error encountered during Trivy scan of RKE2.

[chen-keinan]

Discussed in #6093

^{Originally posted by Hamzachelligue February 9, 2024}

Description

Dear all
I am using Trivy to generate a CIS benchmark report, but it is showing me errors related to the kube-apiserver pod, indicating that --anonymous-auth arguments should be false, even though they are present on the pods with the correct attribut.
Has anyone encountered this type of problem? Thank you in advance.

Desired Behavior

How to correct this problem?
there are many arguments with the same problem

Actual Behavior

The error message indicates the absence of an argument that is present.

Reproduction Steps

1.trivy k8s --namespace=kube-system --report=all  --compliance=k8s-cis pod

Target

Kubernetes

Scanner

Vulnerability

Output Format

Table

Mode

Client/Server

Debug Output

Pod/kube-apiserver-controlplane-1 (kubernetes)
==============================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 0 ()
 
MEDIUM: Ensure that the --anonymous-auth argument is set to false^M
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════^M
Disable anonymous requests to the API server.^M
^M
See https://avd.aquasec.com/misconfig/kcv0001^M
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────^M
Pod/kube-apiserver-controlplane-1:25-186^M
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────^M
  25 ┌         - args:^M
  26 │             - --admission-control-config-file=/etc/rancher/rke2/rke2-pss.yaml^M
  27 │             - --allow-privileged=true^M
  28 │             - --anonymous-auth=false^M
  29 │             - --api-audiences=https://kubernetes.default.svc.cluster.local,rke2^M
  30 │             - --authorization-mode=Node,RBAC^M
  31 │             - --bind-address=0.0.0.0^M
  32 │             - --cert-dir=/var/lib/rancher/rke2/server/tls/temporary-certs^M
  33 └             - --client-ca-file=/var/lib/rancher/rke2/server/tls/client-ca.crt^M
  ..   ^M

Operating System

linux

Version

0.49.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[imstevenxyz]

I am also experiencing this on a newly installed RKE2 cluster (v1.29.1+rke2r1) and trivy-0.49.1

[itaysk]

@chen-keinan is this still an issue?

[chen-keinan]

@chen-keinan is this still an issue?

I'll investigate and update

[chen-keinan]

fixed by this PR aquasecurity/trivy-checks#110