Description
By design, Trivy k8s scans only targeted control plane components (Infra Assessment), which made sense for cluster-level scanning (without namespaces).
However, Trivy now supports scanning controllers that may be restricted to specific namespaces.
We should enhance the handling of such cases to ensure accurate and comprehensive scanning.
See below for details:
Without the --include-namespaces flag
➜ ingress-nightmare ~/repos/trivy/trivy.new k8s --scanners=vuln --report summary
2025-03-26T15:04:44-06:00 INFO Node scanning is enabled
2025-03-26T15:04:44-06:00 INFO If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-03-26T15:04:44-06:00 INFO Scanning K8s... K8s="kind-kind-cluster"
248 / 248 [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 22 p/s
Summary Report for kind-kind-cluster
Workload Assessment
┌────────────────────┬─────────────────────────────────────────────┬──────────────────────┐
│ Namespace │ Resource │ Vulnerabilities │
│ │ ├───┬────┬────┬────┬───┤
│ │ │ C │ H │ M │ L │ U │
├────────────────────┼─────────────────────────────────────────────┼───┼────┼────┼────┼───┤
│ projectcontour │ Job/contour-certgen-v1-30-1 │ │ │ 4 │ │ │
│ projectcontour │ Deployment/contour │ │ │ 4 │ │ │
│ projectcontour │ DaemonSet/envoy │ │ │ 25 │ 44 │ │
│ local-path-storage │ Deployment/local-path-provisioner │ 1 │ │ 17 │ 11 │ 2 │
│ ingress-nginx │ Job/ingress-nginx-admission-patch │ 1 │ 2 │ 9 │ │ 2 │
│ ingress-nginx │ Deployment/ingress-nginx-controller │ │ 11 │ 38 │ 7 │ 2 │
│ ingress-nginx │ ControlPlaneComponents/k8s.io/ingress-nginx │ 1 │ 4 │ 1 │ │ │
│ ingress-nginx │ Job/ingress-nginx-admission-create │ 1 │ 2 │ 9 │ │ 2 │
└────────────────────┴─────────────────────────────────────────────┴───┴────┴────┴────┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
Infra Assessment
┌─────────────┬────────────────────────────────────────────────────────┬─────────────────────┐
│ Namespace │ Resource │ Vulnerabilities │
│ │ ├───┬───┬────┬────┬───┤
│ │ │ C │ H │ M │ L │ U │
├─────────────┼────────────────────────────────────────────────────────┼───┼───┼────┼────┼───┤
│ kube-system │ Deployment/coredns │ 1 │ 2 │ 8 │ 1 │ 2 │
│ kube-system │ Pod/kube-apiserver-kind-cluster-control-plane │ 1 │ │ 8 │ │ │
│ kube-system │ Pod/kube-controller-manager-kind-cluster-control-plane │ 1 │ │ 8 │ │ │
│ kube-system │ Pod/kube-scheduler-kind-cluster-control-plane │ 1 │ │ 7 │ │ │
│ kube-system │ DaemonSet/kindnet │ │ 1 │ 20 │ 16 │ │
│ kube-system │ DaemonSet/kube-proxy │ 1 │ │ 9 │ 14 │ │
│ kube-system │ Pod/etcd-kind-cluster-control-plane │ 4 │ 4 │ 19 │ 4 │ │
│ │ Node/kind-cluster-control-plane │ │ │ 1 │ │ │
└─────────────┴────────────────────────────────────────────────────────┴───┴───┴────┴────┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
With the --include-namespaces flag
➜ ingress-nightmare ~/repos/trivy/trivy.new k8s --scanners=vuln --report summary --include-namespaces=ingress-nginx
2025-03-26T15:04:35-06:00 INFO Node scanning is enabled
2025-03-26T15:04:35-06:00 INFO If you want to disable Node scanning via an in-cluster Job, please try '--disable-node-collector' to disable the Node-Collector job.
2025-03-26T15:04:35-06:00 INFO Scanning K8s... K8s="kind-kind-cluster"
14 / 14 [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8 p/s
Summary Report for kind-kind-cluster
Workload Assessment
┌───────────────┬─────────────────────────────────────┬─────────────────────┐
│ Namespace │ Resource │ Vulnerabilities │
│ │ ├───┬────┬────┬───┬───┤
│ │ │ C │ H │ M │ L │ U │
├───────────────┼─────────────────────────────────────┼───┼────┼────┼───┼───┤
│ ingress-nginx │ Job/ingress-nginx-admission-patch │ 1 │ 2 │ 9 │ │ 2 │
│ ingress-nginx │ Deployment/ingress-nginx-controller │ │ 11 │ 38 │ 7 │ 2 │
│ ingress-nginx │ Job/ingress-nginx-admission-create │ 1 │ 2 │ 9 │ │ 2 │
└───────────────┴─────────────────────────────────────┴───┴────┴────┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
Infra Assessment
┌───────────┬──────────┬───────────────────┐
│ Namespace │ Resource │ Vulnerabilities │
│ │ ├───┬───┬───┬───┬───┤
│ │ │ C │ H │ M │ L │ U │
└───────────┴──────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN
Observe that ControlPlaneComponents/k8s.io/ingress-nginx does not show up when filtering by namespace even though it is in the same namespace as the filter.
Originally posted by @simar7 in #8614 (comment)
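An added Go illustration (not Trivy's code) of the filtering difference the comment above describes: `Resource`, `filter`, `contains` and `sample` are hypothetical stand-ins, `sample` is constructed from the two summary tables, `skipInfra=true` mirrors the reported output and `skipInfra=false` the expected one.

```go
package main

import "fmt"

// Resource is a hypothetical, simplified stand-in for a scanned Kubernetes
// object; it is not Trivy's own type.
type Resource struct {
	Kind, Name, Namespace string
	Infra                 bool // control-plane / infra component (Infra Assessment)
}

// contains reports whether ns is one of the requested namespaces.
func contains(namespaces []string, ns string) bool {
	for _, n := range namespaces {
		if n == ns {
			return true
		}
	}
	return false
}

// filter keeps resources in the requested namespaces (all of them when none
// are given). skipInfra=true reproduces the reported behaviour: infra
// components are dropped wholesale once a namespace filter is set, so the
// ingress-nginx ControlPlaneComponents entry vanishes despite matching.
// skipInfra=false applies the same namespace test to every resource; objects
// with an empty (cluster-scoped) namespace, such as Node, match no filter.
func filter(rs []Resource, namespaces []string, skipInfra bool) []Resource {
	var out []Resource
	for _, r := range rs {
		if skipInfra && r.Infra && len(namespaces) > 0 {
			continue
		}
		if len(namespaces) == 0 || contains(namespaces, r.Namespace) {
			out = append(out, r)
		}
	}
	return out
}

// sample is constructed from the two summary tables in the issue.
var sample = []Resource{
	{"Deployment", "ingress-nginx-controller", "ingress-nginx", false},
	{"ControlPlaneComponents", "k8s.io/ingress-nginx", "ingress-nginx", true},
	{"Deployment", "coredns", "kube-system", true},
	{"Node", "kind-cluster-control-plane", "", true},
}

func main() {
	ns := []string{"ingress-nginx"}
	fmt.Println("reported:", filter(sample, ns, true))  // only the Deployment
	fmt.Println("expected:", filter(sample, ns, false)) // Deployment + ControlPlaneComponents
}
```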