Closed
Labels: bug
🐞 Bug report
Describe the bug
When a pod is deleted, the ScheduledScan related to it is not properly deleted.
Steps To Reproduce
- Create a kind cluster: `kind create cluster --name xxx`
- Install the secureCodeBox operator: `helm --namespace securecodebox-system upgrade --install --create-namespace securecodebox-operator oci://ghcr.io/securecodebox/helm/operator`
- Install auto-discovery: `helm install --namespace securecodebox-system auto-discovery-kubernetes oci://ghcr.io/securecodebox/helm/auto-discovery-kubernetes --values values.yaml` with the following `values.yaml`:

```yaml
config:
  resourceInclusion:
    mode: "enabled-per-namespace"
  serviceAutoDiscovery:
    enabled: false
  containerAutoDiscovery:
    enabled: true
    scanConfigs:
      - annotations:
          defectdojo.securecodebox.io/engagement-name: "{{ .Target.Name }}"
          defectdojo.securecodebox.io/engagement-version: "{{if (index .Target.Labels `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version` }}{{end}}"
          defectdojo.securecodebox.io/product-name: "{{ .Cluster.Name }} | {{ .Namespace.Name }} | {{ .Target.Name }}"
          defectdojo.securecodebox.io/product-tags: cluster/{{ .Cluster.Name }},namespace/{{ .Namespace.Name }}
        env: []
        hookSelector: {}
        labels: {}
        name: trivy
        parameters:
          - "{{ .ImageID }}"
        repeatInterval: 168h
        scanType: trivy-sbom-image
        volumeMounts: []
        volumes: []
```

- Create a new namespace: `k create ns trivy-test`
- Install the scanner in the namespace: `helm upgrade --namespace trivy-test --install trivy-sbom oci://ghcr.io/securecodebox/helm/trivy-sbom`
- Annotate the namespace: `k annotate ns trivy-test auto-discovery.securecodebox.io/enabled=true`
- Create a pod: `k run nginx --image nginx -n trivy-test`
- Delete the pod: `k delete pod/nginx -n trivy-test`
Expected behavior
Garbage collection should be able to delete the scheduledscans, scans, etc.
System (please complete the following information):
- secureCodeBox 4.7.0
- OS: macOS 14.3.1
- Kubernetes Version v1.30.2
- Docker Version 25.0.3
- Browser chrome
Screenshots / Logs
k logs pod/auto...
```text
2024-09-26T09:43:01Z ERROR controllers.ContainerScanController Unable to delete scheduled scan {"scan": "nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323", "error": "scheduledscans.execution.securecodebox.io \"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\" is forbidden: User \"system:serviceaccount:securecodebox-system:auto-discovery\" cannot delete resource \"scheduledscans\" in API group \"execution.securecodebox.io\" in the namespace \"app-ws-iris-workstation\""}
github.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).deleteScans
	/workspace/controllers/container_scan_controller.go:468
github.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).checkIfScansNeedToBeDeleted
	/workspace/controllers/container_scan_controller.go:407
github.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).Reconcile
	/workspace/controllers/container_scan_controller.go:84
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:114
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:311
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:261
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:222
```
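The error in the log above is an RBAC denial, not a controller logic failure: the apiserver refuses the `delete` verb on `scheduledscans.execution.securecodebox.io` for the service account `system:serviceaccount:securecodebox-system:auto-discovery` in the target namespace, so the reconciler's garbage collection cannot complete. As an added example (not part of this issue or the secureCodeBox project), the following POSIX shell script parses such a forbidden message into its subject, verb, resource, API group and namespace, emits the matching `kubectl auth can-i` impersonation check, and generates a narrowly scoped Role/RoleBinding workaround that grants only that verb on that resource in that namespace. The sample log line is copied from the report; the Role name and the workaround itself are assumptions, not the project's fix.

```shell
#!/bin/sh
# Added example (not part of this issue or the secureCodeBox project):
# triage a Kubernetes RBAC "forbidden" error such as the one logged by the
# auto-discovery controller, derive the matching kubectl check, and generate
# a least-privilege Role/RoleBinding workaround for the affected namespace.

# Sample log line copied from the report; JSON-escaped quotes kept as logged.
SAMPLE_LOG='2024-09-26T09:43:01Z ERROR controllers.ContainerScanController Unable to delete scheduled scan {"scan": "nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323", "error": "scheduledscans.execution.securecodebox.io \"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\" is forbidden: User \"system:serviceaccount:securecodebox-system:auto-discovery\" cannot delete resource \"scheduledscans\" in API group \"execution.securecodebox.io\" in the namespace \"app-ws-iris-workstation\""}'

# Undo the JSON escaping of quotes so the apiserver message can be matched.
_unescape() { printf '%s\n' "$1" | sed 's/\\"/"/g'; }

# Each helper extracts one field of the apiserver message, whose shape is:
#   User "<user>" cannot <verb> resource "<resource>" in API group "<group>" in the namespace "<ns>"
forbidden_user()     { _unescape "$1" | sed -E 's/.*User "([^"]+)" cannot .*/\1/'; }
forbidden_verb()     { _unescape "$1" | sed -E 's/.* cannot ([a-z]+) resource .*/\1/'; }
forbidden_resource() { _unescape "$1" | sed -E 's/.* cannot [a-z]+ resource "([^"]+)".*/\1/'; }
forbidden_group()    { _unescape "$1" | sed -E 's/.* in API group "([^"]*)".*/\1/'; }
forbidden_ns()       { _unescape "$1" | sed -E 's/.* in the namespace "([^"]+)".*/\1/'; }

# Build the kubectl command that reproduces the denial without touching any
# resource: impersonate the service account and ask the apiserver directly.
can_i_cmd() {
  user=$(forbidden_user "$1"); verb=$(forbidden_verb "$1")
  res=$(forbidden_resource "$1"); grp=$(forbidden_group "$1"); ns=$(forbidden_ns "$1")
  if [ -n "$grp" ]; then res="$res.$grp"; fi   # core-group resources have no suffix
  printf 'kubectl auth can-i %s %s --as=%s -n %s\n' "$verb" "$res" "$user" "$ns"
}

# Emit a Role plus RoleBinding scoped to exactly the denied verb/resource/namespace.
# The Role name is an assumed naming scheme, not anything the project defines.
role_manifest() {
  user=$(forbidden_user "$1"); verb=$(forbidden_verb "$1")
  res=$(forbidden_resource "$1"); grp=$(forbidden_group "$1"); ns=$(forbidden_ns "$1")
  case "$user" in
    system:serviceaccount:*) ;;
    *) echo "subject is not a service account: $user" >&2; return 1 ;;
  esac
  sa_ns=$(printf '%s' "$user" | cut -d: -f3)
  sa_name=$(printf '%s' "$user" | cut -d: -f4)
  name="${sa_name}-${res}-${verb}"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${name}
  namespace: ${ns}
rules:
  - apiGroups: ["${grp}"]
    resources: ["${res}"]
    verbs: ["${verb}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${name}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${name}
subjects:
  - kind: ServiceAccount
    name: ${sa_name}
    namespace: ${sa_ns}
EOF
}

# Stand-alone usage: print the check command, then the workaround manifest.
can_i_cmd "$SAMPLE_LOG"
role_manifest "$SAMPLE_LOG"
```

Run the printed `kubectl auth can-i` command against the affected cluster: `no` confirms the missing grant is the cause of the failed cleanup, while `yes` means the denial came from somewhere else (an admission webhook, for instance) and the Role would not help. The generated manifest is a per-namespace stopgap that adds only the one verb the apiserver refused; a durable fix belongs in the auto-discovery chart's RBAC rather than in hand-applied Roles.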