K8 report generation without namespace creation not possible

[nika-pr]

Description

I would like to analyse a GKE cluster where I was granted Kubernetes Engine Cluster Viewer and Kubernetes Engine Viewer on the project level.
When I try to run trivy k8s --report=summary cluster, I get the following error:

FATAL   get k8s artifacts with node info error: namespaces is forbidden: 
User "[...]" cannot create resource "namespaces" in API group "" at the cluster scope:
requires one of ["container.namespaces.create"] permission(s).

Why do I need namespace creation permissions for a report?

Desired Behavior

Successful report generation being possible without this permission or alternatively a WARN log that tells me the results are limited due to missing permissions, but a "limited" report being provided as output nonetheless.

Actual Behavior

FATAL report generation failure

Reproduction Steps

1. Have Kubernetes Engine Cluster Viewer and Kubernetes Engine Viewer roles on the project level
2. Have a GKE cluster in that project
3. Run trivy k8s --report summary cluster

Target

Kubernetes

Scanner

None

Output Format

None

Mode

None

Debug Output

2023-12-05T10:42:31.890+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-05T10:42:31.891+0100    DEBUG   Ignore statuses {"statuses": null}
2023-12-05T10:42:50.843+0100    FATAL   get k8s artifacts with node info error:
    github.com/aquasecurity/trivy/pkg/k8s/commands.clusterRun
        /home/runner/work/trivy/trivy/pkg/k8s/commands/cluster.go:38
  - namespaces is forbidden: User "[...]" cannot create resource "namespaces" in API group "" at the cluster scope: requires one of ["container.names
paces.create"] permission(s).

Operating System

Ubuntu 22.04.3 LTS

Version

0.48.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[itaysk]

Trivy does different types of analysis of Kubernetes clusters as covered here]. As part of the infra type of scan, Trivy will deploy a single-use job to extract meaningful information from the cluster. By default, Trivy will try to do the most comprehensive scan i.e scan all component types including infra. You can disable this "infra" scanning (and the job) by using the --components workload flag

[nika-pr]

How do I analyse RBAC? It's listed under components types but not available through the components flag.

[itaysk]

yes currently RBAC can't be individually controlled, it is only included if a complete scan is issued. We can probably improve this behavior @chen-keinan , and also the classification of infra and workloads, since workload does include non-intrusive infra scans at the moment.

[itaysk]

as a workaround I think you can do --components workload --scanners config which will disable the job but also the vulnerability scanner, so you will get RBAC scanning (among other misconfigurations). I'll open an issue to improve this experience, thanks for the feedback.

[itaysk]

#5745

[afdesk]

This discussion is outdated now.
The last Trivy should work with namespace credentions #7094 (reply in thread)