feat: node-collector custom namespace support (#4407)

Signed-off-by: chenk <[email protected]>

Author: chen-keinan

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -27,63 +27,64 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
 ### Options
 
 ```
-  -A, --all-namespaces              fetch resources from all cluster namespaces
-      --cache-backend string        cache backend (e.g. redis://localhost:6379) (default "fs")
-      --cache-ttl duration          cache TTL when using redis as cache backend
-      --clear-cache                 clear image caches without scanning
-      --compliance string           compliance report to generate (k8s-nsa,k8s-cis, k8s-pss-baseline, k8s-pss-restricted)
-      --components strings          specify which components to scan (default [workload,infra])
-      --config-data strings         specify paths from which data for the Rego policies will be recursively loaded
-      --config-policy strings       specify paths to the Rego policy files directory, applying config files
-      --context string              specify a context to scan
-      --db-repository string        OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
-      --dependency-tree             [EXPERIMENTAL] show dependency origin tree of vulnerable packages
-      --download-db-only            download/update vulnerability database but don't run a scan
-      --download-java-db-only       download/update Java index database but don't run a scan
-      --exit-code int               specify exit code when any security issues are found
-      --file-patterns strings       specify config file patterns
-  -f, --format string               format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
-      --helm-set strings            specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-set-file strings       specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
-      --helm-set-string strings     specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --helm-values strings         specify paths to override the Helm values.yaml files
-  -h, --help                        help for kubernetes
-      --ignore-policy string        specify the Rego file path to evaluate each vulnerability
-      --ignore-unfixed              display only fixed vulnerabilities
-      --ignorefile string           specify .trivyignore file (default ".trivyignore")
-      --include-non-failures        include successes and exceptions, available with '--scanners config'
-      --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
-      --k8s-version string          specify k8s version to validate outdated api by it (example: 1.21.0)
-      --kubeconfig string           specify the kubeconfig file path to use
-      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
-  -n, --namespace string            specify a namespace to scan
-      --no-progress                 suppress progress bar
-      --offline-scan                do not issue API requests to identify dependencies
-  -o, --output string               output file name
-      --parallel int                number (between 1-20) of goroutines enabled for parallel scanning (default 5)
-      --policy-namespaces strings   Rego namespaces
-      --redis-ca string             redis ca file location, if using redis as cache backend
-      --redis-cert string           redis certificate file location, if using redis as cache backend
-      --redis-key string            redis key file location, if using redis as cache backend
-      --redis-tls                   enable redis TLS with public certificates, if using redis as cache backend
-      --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --report string               specify a report format for the output. (all,summary) (default "all")
-      --reset                       remove all caches and database
-      --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners string             comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
-      --secret-config string        specify a path to config file for secret scanning (default "trivy-secret.yaml")
-  -s, --severity string             severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
-      --skip-db-update              skip updating vulnerability database
-      --skip-dirs strings           specify the directories where the traversal is skipped
-      --skip-files strings          specify the file paths to skip traversal
-      --skip-java-db-update         skip updating Java index database
-      --skip-policy-update          skip fetching rego policy updates
-      --slow                        scan over time with lower CPU and memory utilization
-  -t, --template string             output template
-      --tf-vars strings             specify paths to override the Terraform tfvars files
-      --tolerations strings         specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
-      --trace                       enable more verbose trace output for custom queries
-      --vuln-type strings           comma-separated list of vulnerability types (os,library) (default [os,library])
+  -A, --all-namespaces                    fetch resources from all cluster namespaces
+      --cache-backend string              cache backend (e.g. redis://localhost:6379) (default "fs")
+      --cache-ttl duration                cache TTL when using redis as cache backend
+      --clear-cache                       clear image caches without scanning
+      --compliance string                 compliance report to generate (k8s-nsa,k8s-cis, k8s-pss-baseline, k8s-pss-restricted)
+      --components strings                specify which components to scan (default [workload,infra])
+      --config-data strings               specify paths from which data for the Rego policies will be recursively loaded
+      --config-policy strings             specify paths to the Rego policy files directory, applying config files
+      --context string                    specify a context to scan
+      --db-repository string              OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
+      --dependency-tree                   [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+      --download-db-only                  download/update vulnerability database but don't run a scan
+      --download-java-db-only             download/update Java index database but don't run a scan
+      --exit-code int                     specify exit code when any security issues are found
+      --file-patterns strings             specify config file patterns
+  -f, --format string                     format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default "table")
+      --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
+      --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
+      --helm-values strings               specify paths to override the Helm values.yaml files
+  -h, --help                              help for kubernetes
+      --ignore-policy string              specify the Rego file path to evaluate each vulnerability
+      --ignore-unfixed                    display only fixed vulnerabilities
+      --ignorefile string                 specify .trivyignore file (default ".trivyignore")
+      --include-non-failures              include successes and exceptions, available with '--scanners config'
+      --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
+      --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
+      --kubeconfig string                 specify the kubeconfig file path to use
+      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+  -n, --namespace string                  specify a namespace to scan
+      --no-progress                       suppress progress bar
+      --node-collector-namespace string   specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
+      --offline-scan                      do not issue API requests to identify dependencies
+  -o, --output string                     output file name
+      --parallel int                      number (between 1-20) of goroutines enabled for parallel scanning (default 5)
+      --policy-namespaces strings         Rego namespaces
+      --redis-ca string                   redis ca file location, if using redis as cache backend
+      --redis-cert string                 redis certificate file location, if using redis as cache backend
+      --redis-key string                  redis key file location, if using redis as cache backend
+      --redis-tls                         enable redis TLS with public certificates, if using redis as cache backend
+      --rekor-url string                  [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --report string                     specify a report format for the output. (all,summary) (default "all")
+      --reset                             remove all caches and database
+      --sbom-sources strings              [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners string                   comma-separated list of what security issues to detect (vuln,config,secret,license) (default "vuln,config,secret,rbac")
+      --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
+  -s, --severity string                   severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
+      --skip-db-update                    skip updating vulnerability database
+      --skip-dirs strings                 specify the directories where the traversal is skipped
+      --skip-files strings                specify the file paths to skip traversal
+      --skip-java-db-update               skip updating Java index database
+      --skip-policy-update                skip fetching rego policy updates
+      --slow                              scan over time with lower CPU and memory utilization
+  -t, --template string                   output template
+      --tf-vars strings                   specify paths to override the Terraform tfvars files
+      --tolerations strings               specify node-collector job tolerations (example: key1=value1:NoExecute,key2=value2:NoSchedule)
+      --trace                             enable more verbose trace output for custom queries
+      --vuln-type strings                 comma-separated list of vulnerability types (os,library) (default [os,library])
 ```
 
 ### Options inherited from parent commands

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230420095211-019a895da295
+	github.com/aquasecurity/trivy-kubernetes v0.5.2
 	github.com/aws/aws-sdk-go v1.44.245
 	github.com/aws/aws-sdk-go-v2 v1.18.0
 	github.com/aws/aws-sdk-go-v2/config v1.18.24

go.sum

@@ -345,8 +345,8 @@ github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c h1:mFMfHmb5G
 github.com/aquasecurity/trivy-db v0.0.0-20230515061101-378ab9ed302c/go.mod h1:s7x7CTxYeiFf6gPOakSsg4mCD93au4dbYplG4h0FGrs=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
-github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230420095211-019a895da295 h1:ZdQMyXrUTNhsjKMiGLNtwIpGkn0Aj7r6eRPzaJlDbYc=
-github.com/aquasecurity/trivy-kubernetes v0.4.1-0.20230420095211-019a895da295/go.mod h1:FPtS3hhfzykyaIiAIUg3vovniDP5loM9hHRa8W2+PuU=
+github.com/aquasecurity/trivy-kubernetes v0.5.2 h1:EOoEiNphSaypSrlyPSN1bCywPud0Sx+JYe6GZNfvIhU=
+github.com/aquasecurity/trivy-kubernetes v0.5.2/go.mod h1:uh1LZLfGnJLxnuYxlcrfCpcsKbwP6ETlmz+fW/HO148=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=

pkg/flag/kubernetes_flags.go

@@ -69,40 +69,49 @@ var (
 		Value:      false,
 		Usage:      "fetch resources from all cluster namespaces",
 	}
+	NodeCollectorNamespace = Flag{
+		Name:       "node-collector-namespace",
+		ConfigName: "node.collector.namespace",
+		Value:      "trivy-temp",
+		Usage:      "specify the namespace in which the node-collector job should be deployed",
+	}
 )
 
 type K8sFlagGroup struct {
-	ClusterContext *Flag
-	Namespace      *Flag
-	KubeConfig     *Flag
-	Components     *Flag
-	K8sVersion     *Flag
-	Parallel       *Flag
-	Tolerations    *Flag
-	AllNamespaces  *Flag
+	ClusterContext         *Flag
+	Namespace              *Flag
+	KubeConfig             *Flag
+	Components             *Flag
+	K8sVersion             *Flag
+	Parallel               *Flag
+	Tolerations            *Flag
+	AllNamespaces          *Flag
+	NodeCollectorNamespace *Flag
 }
 
 type K8sOptions struct {
-	ClusterContext string
-	Namespace      string
-	KubeConfig     string
-	Components     []string
-	K8sVersion     string
-	Parallel       int
-	Tolerations    []corev1.Toleration
-	AllNamespaces  bool
+	ClusterContext         string
+	Namespace              string
+	KubeConfig             string
+	Components             []string
+	K8sVersion             string
+	Parallel               int
+	Tolerations            []corev1.Toleration
+	AllNamespaces          bool
+	NodeCollectorNamespace string
 }
 
 func NewK8sFlagGroup() *K8sFlagGroup {
 	return &K8sFlagGroup{
-		ClusterContext: &ClusterContextFlag,
-		Namespace:      &K8sNamespaceFlag,
-		KubeConfig:     &KubeConfigFlag,
-		Components:     &ComponentsFlag,
-		K8sVersion:     &K8sVersionFlag,
-		Parallel:       &ParallelFlag,
-		Tolerations:    &TolerationsFlag,
-		AllNamespaces:  &AllNamespaces,
+		ClusterContext:         &ClusterContextFlag,
+		Namespace:              &K8sNamespaceFlag,
+		KubeConfig:             &KubeConfigFlag,
+		Components:             &ComponentsFlag,
+		K8sVersion:             &K8sVersionFlag,
+		Parallel:               &ParallelFlag,
+		Tolerations:            &TolerationsFlag,
+		AllNamespaces:          &AllNamespaces,
+		NodeCollectorNamespace: &NodeCollectorNamespace,
 	}
 }
 
@@ -120,6 +129,7 @@ func (f *K8sFlagGroup) Flags() []*Flag {
 		f.Parallel,
 		f.Tolerations,
 		f.AllNamespaces,
+		f.NodeCollectorNamespace,
 	}
 }
 
@@ -137,14 +147,15 @@ func (f *K8sFlagGroup) ToOptions() (K8sOptions, error) {
 		}
 	}
 	return K8sOptions{
-		ClusterContext: getString(f.ClusterContext),
-		Namespace:      getString(f.Namespace),
-		KubeConfig:     getString(f.KubeConfig),
-		Components:     getStringSlice(f.Components),
-		K8sVersion:     getString(f.K8sVersion),
-		Parallel:       parallel,
-		Tolerations:    tolerations,
-		AllNamespaces:  getBool(f.AllNamespaces),
+		ClusterContext:         getString(f.ClusterContext),
+		Namespace:              getString(f.Namespace),
+		KubeConfig:             getString(f.KubeConfig),
+		Components:             getStringSlice(f.Components),
+		K8sVersion:             getString(f.K8sVersion),
+		Parallel:               parallel,
+		Tolerations:            tolerations,
+		AllNamespaces:          getBool(f.AllNamespaces),
+		NodeCollectorNamespace: getString(f.NodeCollectorNamespace),
 	}, nil
 }
 

pkg/k8s/commands/cluster.go

@@ -22,7 +22,7 @@ func clusterRun(ctx context.Context, opts flag.Options, cluster k8s.Cluster) err
 	var artifacts []*artifacts.Artifact
 	var err error
 	if opts.Scanners.AnyEnabled(types.MisconfigScanner) && slices.Contains(opts.Components, "infra") {
-		artifacts, err = trivyk8s.New(cluster, log.Logger).ListArtifactAndNodeInfo(ctx, opts.Tolerations...)
+		artifacts, err = trivyk8s.New(cluster, log.Logger).ListArtifactAndNodeInfo(ctx, opts.NodeCollectorNamespace, opts.Tolerations...)
 		if err != nil {
 			return xerrors.Errorf("get k8s artifacts with node info error: %w", err)
 		}