
--node-collector-namespace: Do not delete existing namespace #6558

Closed
chen-keinan opened this issue Apr 25, 2024 · Discussed in #6538 · 1 comment · Fixed by #6559
Labels: kind/bug (Categorizes issue or PR as related to a bug), priority/backlog (Higher priority than priority/awaiting-more-evidence), target/kubernetes (Issues relating to kubernetes cluster scanning)
Milestone: v0.51.0
Comments

chen-keinan (Contributor) wrote:

Discussed in #6538

Originally posted by codinux-gmbh April 22, 2024

Description

When using trivy kubernetes --node-collector-namespace <namespace> ..., then the namespace <namespace> gets deleted after the operation even if it's an existing namespace that contains resources.

That deleted almost our whole (for sake test) cluster.

(Scanning the whole cluster for misconfiguration ran into a timeout, so we decided to automatically scan namespace per namespace. But then jobs sometimes failed as the previous job in the trivy-temp namespace was still running, so we decided to run each job in the namespace to scan via --node-collector-namespace flag.)

The issue is in pkg/jobs/collector.go:

```go
func (jb *jobCollector) Cleanup(ctx context.Context) {
	jb.deleteTrivyNamespace(ctx) // TODO: check if namespace has been created by Trivy first; don't delete existing namespaces
}
```

Desired Behavior

First check if Trivy created that namespace before deleting it.

Actual Behavior

The namespace passed with --node-collector-namespace gets deleted regardless of whether Trivy created that namespace or whether it's an existing namespace that contains resources.

Reproduction Steps

Run a script, program etc. that does the following:

For each namespace in the cluster run:
`trivy kubernetes --node-collector-namespace <namespace> ...`, e.g. `--scanners misconfig`.

Except for the Kubernetes default namespaces (`kube-system` etc.), the cluster is wonderfully clean afterwards.

Target

Kubernetes

Scanner

None

Output Format

None

Mode

None

Debug Output

The output doesn't matter, the clean up behavior is the issue.

Operating System

Arch Linux, but also the OS doesn't matter

Version

`trivy --version` shows only:
`version: dev`

The version is:
`0.49.1-1`

But the issue still persists on current main branch.


@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning labels Apr 25, 2024
chen-keinan (Contributor, Author) wrote:

Add support for the case where the --node-collector-namespace flag is specified: do not delete the namespace.
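The ownership check the issue asks for, as an added Go example that is not trivy's own code: a hypothetical `namespaceAPI` interface with an in-memory fake stands in for the Kubernetes client, and `Cleanup` removes the namespace only when `Setup` recorded that it created it, so a pre-existing namespace passed via --node-collector-namespace survives while a trivy-created one is still cleaned up.

```go
package main

import "context"

// namespaceAPI is a hypothetical stand-in for the Kubernetes namespace client
// (constructed for this example, not trivy's real interface).
type namespaceAPI interface {
	Exists(ctx context.Context, name string) (bool, error)
	Create(ctx context.Context, name string) error
	Delete(ctx context.Context, name string) error
}

// fakeNamespaces is an in-memory cluster so the example runs offline.
type fakeNamespaces map[string]bool

func (f fakeNamespaces) Exists(_ context.Context, n string) (bool, error) { return f[n], nil }
func (f fakeNamespaces) Create(_ context.Context, n string) error        { f[n] = true; return nil }
func (f fakeNamespaces) Delete(_ context.Context, n string) error        { delete(f, n); return nil }

// jobCollector remembers whether it created the namespace itself.
type jobCollector struct {
	api       namespaceAPI
	namespace string
	created   bool // set only when Setup had to create the namespace
}

// Setup ensures the namespace exists and records ownership if it creates it.
func (jb *jobCollector) Setup(ctx context.Context) error {
	exists, err := jb.api.Exists(ctx, jb.namespace)
	if err != nil || exists {
		return err // a pre-existing namespace is not ours to remove
	}
	if err := jb.api.Create(ctx, jb.namespace); err != nil {
		return err
	}
	jb.created = true
	return nil
}

// Cleanup deletes the namespace only when this collector created it.
func (jb *jobCollector) Cleanup(ctx context.Context) error {
	if !jb.created {
		return nil
	}
	return jb.api.Delete(ctx, jb.namespace)
}

// scanNamespace runs one setup/cleanup cycle and reports whether ns still exists.
func scanNamespace(cluster fakeNamespaces, ns string) bool {
	ctx := context.Background()
	jb := &jobCollector{api: cluster, namespace: ns}
	_, _ = jb.Setup(ctx), jb.Cleanup(ctx)
	return cluster[ns]
}
```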

@chen-keinan chen-keinan added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Apr 25, 2024
@chen-keinan chen-keinan self-assigned this Apr 25, 2024
@chen-keinan chen-keinan added this to the v0.51.0 milestone Apr 26, 2024