Fix trivy-operator scanJobs, in order to generate vulnerability reports.

What does this MR do and why?

This MR addresses #2122 (closed), where no vulnerabilityreports were being generated by the trivy-operator unit. The cause is that the scanJobs created by trivy-operator did not set the securityContext fields required by the "restricted" Pod Security Standard enforced on the namespace, so the job-controller could not create the scan pods at all, as the job events show:

Warning  FailedCreate  13s   job-controller  Error creating: pods "scan-vulnerabilityreport-56cbf5658f-45k62" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or containers "44b7c680-2948-4765-aa7b-731b72d59963", "run-script" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "44b7c680-2948-4765-aa7b-731b72d59963", "run-script" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Warning  FailedCreate  12s   job-controller  Error creating: pods "scan-vulnerabilityreport-56cbf5658f-h6ppk" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or containers "44b7c680-2948-4765-aa7b-731b72d59963", "run-script" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "44b7c680-2948-4765-aa7b-731b72d59963", "run-script" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

This MR fixes the scanJobs by setting the securityContext fields the restricted profile asks for (runAsNonRoot=true and a seccompProfile.type of RuntimeDefault or Localhost) at the container level rather than on the pod, which gives per-container control over the security settings. The admission message accepts either placement ("pod or containers"), but whichever is chosen has to cover every container of the scan pod, including init containers, since PodSecurity evaluates each one. The message lists every failing check, so the remaining restricted-profile requirements (allowPrivilegeEscalation=false, dropping all capabilities) were already met by the scan job template. With these fields in place the scan pods are admitted, the job runs to completion and the vulnerability reports are generated.
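To make the admission check behind the events above concrete, the following is an added example (not code from this MR, trivy-operator, Sylva or Kubernetes) that evaluates a pod template against the restricted-profile checks the way PodSecurity does, then applies the MR's container-level fix to a constructed stand-in for the rejected scan job template. The container names are taken from the event; the images, the placement of the UUID-named container as an init container and the securityContext values assumed to be present already are assumptions.

```python
"""Offline check of the Pod Security Standards "restricted" profile fields that
PodSecurity enforced against the scan job pods above.

Added example; not trivy-operator, Sylva or Kubernetes code. The pod template
is constructed to mirror the quoted job-controller events.
"""
from copy import deepcopy

ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")


def all_containers(pod):
    """Every container PodSecurity evaluates: init, regular and ephemeral."""
    spec = pod["spec"]
    return [c for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key, [])]


def restricted_violations(pod):
    """Return the restricted-profile checks this pod spec fails.

    runAsNonRoot, runAsUser and seccompProfile may be set at pod level and are
    inherited by containers (a container value overrides the pod value);
    allowPrivilegeEscalation and capabilities are container-only fields.
    """
    pod_sc = pod["spec"].get("securityContext", {})
    violations = []
    for c in all_containers(pod):
        name, sc = c["name"], c.get("securityContext", {})

        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot != true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"{name}: runAsUser=0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation != false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            violations.append(f"{name}: only NET_BIND_SERVICE may be added")
    return violations


_MISSING_FIELDS = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}


def with_container_security_context(pod):
    """The MR's approach: add the two missing fields to every container."""
    fixed = deepcopy(pod)
    for c in all_containers(fixed):
        c.setdefault("securityContext", {}).update(deepcopy(_MISSING_FIELDS))
    return fixed


def with_pod_security_context(pod):
    """The other placement the message accepts: set the fields once at pod level."""
    fixed = deepcopy(pod)
    fixed["spec"].setdefault("securityContext", {}).update(deepcopy(_MISSING_FIELDS))
    return fixed


# Constructed stand-in for the rejected scan job template. The event listed only
# runAsNonRoot and seccompProfile as failing, so the other restricted fields are
# assumed to have been present; images and the init-container slot are assumed too.
_ASSUMED_EXISTING_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "privileged": False,
    "readOnlyRootFilesystem": True,
}
REJECTED_SCAN_POD = {
    "spec": {
        "initContainers": [
            {"name": "44b7c680-2948-4765-aa7b-731b72d59963",
             "image": "example.invalid/trivy:latest",
             "securityContext": deepcopy(_ASSUMED_EXISTING_SC)},
        ],
        "containers": [
            {"name": "run-script",
             "image": "example.invalid/trivy:latest",
             "securityContext": deepcopy(_ASSUMED_EXISTING_SC)},
        ],
    }
}

if __name__ == "__main__":
    for v in restricted_violations(REJECTED_SCAN_POD):
        print("rejected:", v)
    print("container-level fix:", restricted_violations(with_container_security_context(REJECTED_SCAN_POD)))
    print("pod-level fix:", restricted_violations(with_pod_security_context(REJECTED_SCAN_POD)))
```

Run as a script it prints the four failing checks (two per container, matching the event) and an empty list for both fixes. Because container values override pod values, a container that later sets its own seccompProfile.type to Unconfined is rejected even with the pod-level form, which is a reason to prefer the explicit per-container setting the MR applies.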

Related reference(s)

Closes #2122 (closed)

Test coverage

This was tested on a CAPO environment, and vulnerabilityreports are being generated successfully:

 k get vulnerabilityreports -A
NAMESPACE                          NAME                                                              REPOSITORY                                                                                                     TAG                                                   SCANNER   AGE
calico-system                      replicaset-795dc8577f                                             rancher/mirrored-calico-kube-controllers                                                                       v3.29.0                                               Trivy     2h
calico-system                      replicaset-calico-typha-77ff9d7d98-calico-typha                   rancher/mirrored-calico-typha                                                                                  v3.29.0                                               Trivy     2h
capi-system                        replicaset-capi-controller-manager-68dcf7ddbd-manager             cluster-api/cluster-api-controller                                                                             v1.8.8                                                Trivy     2h
capo-system                        replicaset-capo-controller-manager-5f579f75d5-manager             capi-openstack/capi-openstack-controller                                                                       v0.11.4                                               Trivy     2h
cattle-fleet-local-system          statefulset-fleet-agent-fleet-agent                               rancher/fleet-agent                                                                                            v0.11.3                                               Trivy     2h
cattle-fleet-local-system          statefulset-fleet-agent-fleet-agent-clusterstatus                 rancher/fleet-agent                                                                                            v0.11.3                                               Trivy     2h
cattle-fleet-local-system          statefulset-fleet-agent-fleet-agent-register                      rancher/fleet-agent                                                                                            v0.11.3                                               Trivy     2h

CI configuration

Below you can choose test deployment variants to run in this MR's CI.


Legend:

Icon  Meaning              Available values
☁️    Infra Provider       capd, capo, capm3
🚀    Bootstrap Provider   kubeadm (alias kadm), rke2
🐧    Node OS              ubuntu, suse
🛠️    Deployment Options   light-deploy, dev-sources, ha, misc
🎬    Pipeline Scenarios   Available scenario list and description
  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu

  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse

  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu

  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu

  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse

  • ☁️ capo 🚀 rke2 🛠️ misc 🐧 suse

  • ☁️ capo 🚀 kadm 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 suse

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🛠️ misc 🐧 suse

  • ☁️ capm3 🚀 kadm 🐧 ubuntu

  • ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ misc,ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse

Global config for deployment pipelines

  • autorun pipelines
  • allow failure on pipelines

Notes:

  • Enabling autorun makes deployment pipelines run automatically, without human interaction.
  • Disabling allow failure makes deployment pipelines mandatory for pipeline success.
  • If both autorun and allow failure are disabled, deployment pipelines need manual triggering but block the pipeline until they pass.

Be aware: after a configuration change, the pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in the Pipelines tab) or push new code.

Edited by Dragos Gerea
