René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"AutoDiscovery serviceaccount lacks permissions: User auto-discovery cannot delete resource \"scheduledscans\" in API group","articleBody":"## 🐞 Bug report\r\n\r\n### Describe the bug\r\nWhen a pod is deleted the scheduledscan related to it is not properly deleted.\r\n\r\n### Steps To Reproduce\r\n1. `kind create cluster --name xxx`\r\n2. Install securecodebox operator `helm --namespace securecodebox-system upgrade --install --create-namespace securecodebox-operator oci://ghcr.io/securecodebox/helm/operator`\r\n3. Install autodiscovery `helm install --namespace securecodebox-system auto-discovery-kubernetes oci://ghcr.io/securecodebox/helm/auto-discovery-kubernetes --values values.yaml`\r\n\r\nValues can be seen here\r\n```yaml\r\nconfig:\r\n  resourceInclusion:\r\n    mode: \"enabled-per-namespace\"\r\n  serviceAutoDiscovery:\r\n    enabled: false\r\n  containerAutoDiscovery:\r\n    enabled: true\r\n    scanConfigs:\r\n    - annotations:\r\n        defectdojo.securecodebox.io/engagement-name: \"{{ .Target.Name }}\"\r\n        defectdojo.securecodebox.io/engagement-version: \"{{if (index .Target.Labels\r\n          `app.kubernetes.io/version`) }}{{ index .Target.Labels `app.kubernetes.io/version`\r\n          }}{{end}}\"\r\n        defectdojo.securecodebox.io/product-name: \"{{ .Cluster.Name }} | {{ .Namespace.Name\r\n          }} | {{ .Target.Name }}\"\r\n        defectdojo.securecodebox.io/product-tags: cluster/{{ .Cluster.Name }},namespace/{{\r\n          .Namespace.Name }}\r\n      env: []\r\n      hookSelector: {}\r\n      labels: {}\r\n      name: trivy\r\n      parameters:\r\n      - \"{{ .ImageID }}\"\r\n      repeatInterval: 168h\r\n      scanType: trivy-sbom-image\r\n      volumeMounts: []\r\n      volumes: []\r\n```\r\n4. Create new ns `k create ns trivy-test`\r\n5. Install scanner in namespace `helm upgrade --namespace trivy-test --install trivy-sbom oci://ghcr.io/securecodebox/helm/trivy-sbom`\r\n6. Annotate namespace `k annotate ns trivy-test auto-discovery.securecodebox.io/enabled=true`\r\n7. Create pod `k run nginx --image nginx -n trivy-test`\r\n8. Delete pod `k delete pod/nginx -n trivy-test`\r\n\r\n### Expected behavior\r\nGarbage collection should be able to delete the scheduledscans, scans, etc. \r\n\r\n### System (please complete the following information):\r\n- secureCodeBox 4.7.0\r\n- OS: macOS 14.3.1\r\n- Kubernetes Version v1.30.2\r\n- Docker Version 25.0.3\r\n- Browser chrome\r\n\r\n### Screenshots / Logs\r\n\r\n```\r\nk logs pod/auto...\r\n\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:311\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:261\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:222\r\n2024-09-26T09:43:01Z\tERROR\tcontrollers.ContainerScanController\tUnable to delete scheduled scan\t{\"scan\": \"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\", \"error\": \"scheduledscans.execution.securecodebox.io \\\"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\\\" is forbidden: User \\\"system:serviceaccount:securecodebox-system:auto-discovery\\\" cannot delete resource \\\"scheduledscans\\\" in API group \\\"execution.securecodebox.io\\\" in the namespace \\\"app-ws-iris-workstation\\\"\"}\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).deleteScans\r\n\t/workspace/controllers/container_scan_controller.go:468\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).checkIfScansNeedToBeDeleted\r\n\t/workspace/controllers/container_scan_controller.go:407\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).Reconcile\r\n\t/workspace/controllers/container_scan_controller.go:84\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:114\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:311\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:261\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:222\r\n2024-09-26T09:43:01Z\tERROR\tcontrollers.ContainerScanController\tUnable to delete scheduled scan\t{\"scan\": \"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\", \"error\": \"scheduledscans.execution.securecodebox.io \\\"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\\\" is forbidden: User \\\"system:serviceaccount:securecodebox-system:auto-discovery\\\" cannot delete resource \\\"scheduledscans\\\" in API group \\\"execution.securecodebox.io\\\" in the namespace \\\"app-ws-iris-workstation\\\"\"}\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).deleteScans\r\n\t/workspace/controllers/container_scan_controller.go:468\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).checkIfScansNeedToBeDeleted\r\n\t/workspace/controllers/container_scan_controller.go:407\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).Reconcile\r\n\t/workspace/controllers/container_scan_controller.go:84\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:114\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:311\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:261\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:222\r\n2024-09-26T09:43:01Z\tERROR\tcontrollers.ContainerScanController\tUnable to delete scheduled scan\t{\"scan\": \"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\", \"error\": \"scheduledscans.execution.securecodebox.io \\\"nginx-trivy-at-04ba374043ccd2fc5c593885c0eacddebabd5ca375f9323\\\" is forbidden: User \\\"system:serviceaccount:securecodebox-system:auto-discovery\\\" cannot delete resource \\\"scheduledscans\\\" in API group \\\"execution.securecodebox.io\\\" in the namespace \\\"app-ws-iris-workstation\\\"\"}\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).deleteScans\r\n\t/workspace/controllers/container_scan_controller.go:468\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).checkIfScansNeedToBeDeleted\r\n\t/workspace/controllers/container_scan_controller.go:407\r\ngithub.com/secureCodeBox/secureCodeBox/auto-discovery/kubernetes/controllers.(*ContainerScanReconciler).Reconcile\r\n\t/workspace/controllers/container_scan_controller.go:84\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:114\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:311\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:261\r\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\r\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.2/pkg/internal/controller/controller.go:222\r\n\r\n```\r\n### Additional context\r\n\u003c!-- Add any other context about the problem here. --\u003e\r\n","author":{"url":"https://github.com/LittaKake","@type":"Person","name":"LittaKake"},"datePublished":"2024-09-26T10:41:25.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/2680/secureCodeBox/issues/2680"}