bug(k8s): Image scanned from "metadata:annotations:kubectl.kubernetes.io/last-applied-configuration" instead of "spec"

[afdesk]

Description

since #4786 (aquasecurity/trivy-kubernetes#189) Trivy scan last applied configuration instead of actual Resource state.

Reason

For scans Trivy prefers info from an annotation. so if a customer mixes imperative and declarative styles, the result is a bit confusing.

https://github.com/aquasecurity/trivy-kubernetes/blob/b070991579cacd7634052dee2e250350d6e493e8/pkg/trivyk8s/trivyk8s.go#L208-L214

Note: the issue will be happened only if a resource is created from kubectl apply.

Solution

We can try to receive a version info more flexible way

Reproduction Steps

1. Create a deployment:

$ kubectl apply -f nginx-deployment.yaml

/nginx-deployment

```yaml apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment labels: app: nginx web: my-app spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.14.1 ports: - containerPort: 80 ```

2. update an image manually:

$ kubectl set image deployment.apps/nginx-deployment nginx=nginx:1.15.0

3. Result:

$ kubectl get deployment.apps/nginx-deployment -o yaml

nginx-deployment details

apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "3" kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app":"nginx","web":"my-app"},"name":"nginx-deployment","namespace":"7551"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx"}},"template":{"metadata":{"labels":{"app":"nginx"}},"spec":{"containers":[{"image":"nginx:1.14.1","name":"nginx","ports":[{"containerPort":80}]}]}}}} labels: app: nginx web: my-app pec: replicas: 1 template: metadata: creationTimestamp: null labels: app: nginx spec: containers: - image: nginx:1.15.0 name: nginx ports: - containerPort: 80 ... ```

4. Trivy will scan nginx:1.14.1 instead of `nginx:1.15.0", that actually runs in a cluster.

Discussed in #7551

[michaeljsaenz]

I'd like to grab this one

[afdesk]

@michaeljsaenz thanks! it'd be really nice!

[michaeljsaenz]

please assign 👍🏽

[afdesk]

hi @michaeljsaenz!
how is it going? do you need any help?
thanks!

[michaeljsaenz]

hi @afdesk !
thanks for checking in, its going well now, had a little trouble with the tests due to this error, but I applied the workaround and all is well now (I wanted to confirm all tests pass before adding any changes 👍🏽)

• I am currently working to add logic here in this package, please let me know if you have a recommendation or preference where to add this in?

Thank you!

[afdesk]

@michaeljsaenz
I'd like a detailed reason for aquasecurity/trivy-kubernetes#189 at first
why it required for outdated-api when k8s convert resources
maybe there is any documentation.
honestly, I didn't deep in it yet.
thanks!

[afdesk]

maybe it'll help you #4784

[phr3nzii]

We see similar behaviour but for findings such as 'securityContext.readOnlyRootFilesystem' should be set to true (AVD-KSV-0014)

I've fixed a number of these findings but they still show on the Trivy report because the old configuration details are in the last-applied-configuration field

[afdesk]

hi @michaeljsaenz
are there any updates here?

[afdesk]

@phr3nzii thanks for the report! will try to fix it before next release