aquasecurity / starboard

Moved to https://github.com/aquasecurity/trivy-operator

Home Page:https://aquasecurity.github.io/starboard/

Handle FailedCreate events associated with scan jobs

danielpacak opened this issue · comments

What steps did you take and what happened:

Deploy Starboard Operator in an environment (e.g. OCP) where a scan pod cannot be created for some reason and the failure is reported as an event with the FailedCreate reason.

kubectl get event -n starboard-system
LAST SEEN   TYPE      REASON              OBJECT                                     MESSAGE
3m25s       Warning   FailedCreate        job/scan-cisbenchmark-6bcf4ddc9c           Error creating: pods "scan-cisbenchmark-6bcf4ddc9c-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[1]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[2]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[3]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.volumes[4]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, spec.containers[0].securityContext.runAsUser: Invalid value: 0: must be in the ranges: [1000630000, 1000639999], spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

What did you expect to happen:

  • The error message propagated to the Starboard Operator log.
  • TBD: how should we handle the scan job? Delete and retry, or another strategy?

Environment:

  • Starboard version (use starboard version): v0.13.2
  • Kubernetes version (use kubectl version): any
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): any
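An added illustration of the two points raised above (surfacing the FailedCreate message and deciding what to do with the Job); this is example code written for this page, not Starboard's own controller logic. It parses a constructed, abbreviated `kubectl get events -o json` document (not a capture from a real cluster), picks out Warning/FailedCreate events whose involved object is a Job named with the `scan-` prefix seen in the event above, and classifies each message as permanent (SCC or PodSecurity rejection: the pod spec will never be admitted, so retrying is pointless) or transient (e.g. quota, which may clear). The `scan-` prefix, the `Outcome` type and the keyword heuristic in `Classify` are assumptions made for the example:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Outcome is what an operator could do with a scan Job after a FailedCreate event
// (hypothetical type for this example; not a Starboard API).
type Outcome string

const (
	// Permanent: the pod spec cannot be admitted as-is (SCC / PodSecurity / RBAC rejection).
	// Delete the Job and report the message as a reconcile error instead of retrying.
	Permanent Outcome = "permanent"
	// Transient: admission failed for a reason that may clear (quota, webhook hiccup).
	// Leave the Job in place and requeue.
	Transient Outcome = "transient"
)

// EventList / Event mirror the subset of the `kubectl get events -o json` schema used here.
type EventList struct {
	Items []Event `json:"items"`
}

type Event struct {
	Type           string `json:"type"`
	Reason         string `json:"reason"`
	Message        string `json:"message"`
	InvolvedObject struct {
		Kind string `json:"kind"`
		Name string `json:"name"`
	} `json:"involvedObject"`
}

// FailedScanJobCreates returns the Warning/FailedCreate events whose involved object
// is a Job whose name starts with prefix, in the order they appear in the list.
func FailedScanJobCreates(raw []byte, prefix string) ([]Event, error) {
	var list EventList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var out []Event
	for _, ev := range list.Items {
		if ev.Type != "Warning" || ev.Reason != "FailedCreate" {
			continue
		}
		if ev.InvolvedObject.Kind != "Job" || !strings.HasPrefix(ev.InvolvedObject.Name, prefix) {
			continue
		}
		out = append(out, ev)
	}
	return out, nil
}

// Classify maps a FailedCreate message to an Outcome. Quota is tested first because its
// message also contains "is forbidden"; unknown messages are treated as transient so the
// Job's own backoff still applies.
func Classify(message string) Outcome {
	m := strings.ToLower(message)
	switch {
	case strings.Contains(m, "exceeded quota"):
		return Transient
	case strings.Contains(m, "security context constraint"),
		strings.Contains(m, "violates podsecurity"),
		strings.Contains(m, "is forbidden"):
		return Permanent
	}
	return Transient
}

// SampleEvents is constructed sample input (abbreviated, not captured from a cluster).
const SampleEvents = `{"items": [
  {"type": "Warning", "reason": "FailedCreate",
   "involvedObject": {"kind": "Job", "name": "scan-cisbenchmark-6bcf4ddc9c"},
   "message": "Error creating: pods \"scan-cisbenchmark-6bcf4ddc9c-\" is forbidden: unable to validate against any security context constraint: [provider restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used]"},
  {"type": "Warning", "reason": "FailedCreate",
   "involvedObject": {"kind": "Job", "name": "scan-vulnerabilityreport-5d8f7c"},
   "message": "Error creating: pods \"scan-vulnerabilityreport-5d8f7c-\" is forbidden: exceeded quota: scan-quota, requested: pods=1, used: pods=10, limited: pods=10"},
  {"type": "Warning", "reason": "FailedScheduling",
   "involvedObject": {"kind": "Pod", "name": "scan-configauditreport-7b9d4-xk2lp"},
   "message": "0/3 nodes are available: 3 Insufficient memory."},
  {"type": "Normal", "reason": "SuccessfulCreate",
   "involvedObject": {"kind": "Job", "name": "scan-configauditreport-7b9d4"},
   "message": "Created pod: scan-configauditreport-7b9d4-xk2lp"}
]}`

func main() {
	evs, err := FailedScanJobCreates([]byte(SampleEvents), "scan-")
	if err != nil {
		panic(err)
	}
	for _, ev := range evs {
		// This is the line the issue wants to see in the operator log.
		fmt.Printf("job/%s [%s]: %s\n", ev.InvolvedObject.Name, Classify(ev.Message), ev.Message)
	}
}
```

In a real controller the same filter would run on a watch of Events (or on the Job's status conditions) rather than on a one-off JSON dump, but the decision logic is the same: an SCC or PodSecurity rejection is a deployment configuration problem that no amount of Job backoff will fix, so it should be logged once and the Job deleted, while a quota rejection is worth leaving in the queue.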