CIS Benchmark k8s-cis-1.23 is empty #2285

Closed
Halogenmake opened this issue Oct 15, 2024 · 7 comments
Halogenmake commented Oct 15, 2024

What steps did you take and what happened:
I’m using the latest version of Trivy Operator, 0.22. All components are functioning as expected, but the k8s-cis-1.23 report is not being generated. Meanwhile, the k8s-pss-baseline-0.1 report is generated without issues.

What did you expect to happen:

Anything else you would like to add:
The configuration file for the modified settings is as follows:

---
trivy:
  command: filesystem

trivyOperator:
  scanJobPodTemplateContainerSecurityContext:
    # For filesystem scanning, Trivy needs to run as the root user
    runAsUser: 0
  scanJobNodeSelector:
    node.kubernetes.io/role: worker

nodeSelector:
  node.kubernetes.io/role: worker

compliance:
  reportType: all

operator:
  scanJobsConcurrentLimit: 5
  scannerReportTTL: "120h"

nodeCollector:
  tolerations:
    - key: ***/control-plane
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: engineering
      operator: "Equal"
      effect: NoSchedule
    - key: ***/dedicated
      value: s***a
      operator: "Equal"
      effect: NoSchedule

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.22
  • Kubernetes version (use kubectl version): v1.30.4+rke2r1
@Halogenmake Halogenmake added the kind/bug Categorizes issue or PR as related to a bug. label Oct 15, 2024
@elaurensx

Can confirm the issue. Observed during the installation of the trivy-operator-polr-adapter.

kubectl logs -f trivy-operator-polr-adapter-5f647d56b9-5k9jk
kind.go] "if kind is a CRD, it should be installed before calling Start" err="no matches for kind \"CISKubeBenchReport\" in version \"aquasecurity.github.io/v1alpha1\"" logger="controller-runtime.source.EventHandler" kind="CISKubeBenchReport.aquasecurity.github.io"

@Halogenmake (Author)

additional information: I use helm chart version 0.24.1

@Halogenmake (Author)

More details: I have multiple Kubernetes clusters, and on some clusters, the report is generated correctly, while on others, it isn’t. The cluster versions, Helm chart versions, and application versions are all the same.

Meanwhile, on the clusters where the report is not generated, the ClusterComplianceReport:k8s-cis-1.23 resource exists, but it lacks a status section—only the spec section is present.

@simar7 simar7 added this to the v0.24.0 milestone Dec 4, 2024
simar7 commented Jan 16, 2025

@Halogenmake and @elaurensx do you still have this issue with the latest release and the latest helm chart?

afdesk commented Jan 20, 2025

@Halogenmake and @elaurensx thanks for the report and sorry for the slow response from my side.

First of all, as @simar7 said, could you check the latest version of trivy-operator v0.23.0 (helm chart v0.25.0)?

Also, I see similar issues here: #2178, #2178 (comment), #2179.
There are some reasons there.
But if it's not your case, please feel free to update this ticket, and I'll try to investigate it.

thanks!

@elaurensx

@simar7 and @afdesk Updated to the latest version and can confirm that the report is being generated.

$ k get clustercompliancereports.aquasecurity.github.io -A -o wide
NAME                     AGE    FAIL   PASS
k8s-cis-1.23             3h1m   15     101
k8s-nsa-1.0              3h1m   12     15
k8s-pss-baseline-0.1     3h1m   3      8
k8s-pss-restricted-0.1   3h1m   3      14

Thank you very much for the follow-up.
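The two checks this thread turns on, a ClusterComplianceReport that exists with a spec but no status (the "empty report" symptom described earlier) and the FAIL/PASS summary that `kubectl get ... -o wide` prints once the report is populated, as an added Python example. This is not code from the trivy-operator project or from anyone in this thread. It consumes the JSON that `kubectl get clustercompliancereports.aquasecurity.github.io -o json` would produce; the sample documents are constructed for the example, and the `status.summary.failCount` / `passCount` field names are an assumption based on the wide-output columns.

```python
"""Triage helper for Trivy Operator ClusterComplianceReport objects.

Added example (not trivy-operator code). Feed it the output of
`kubectl get clustercompliancereports.aquasecurity.github.io -o json`
and it flags reports the operator never reconciled (spec present, status
absent) and prints a NAME/STATE/FAIL/PASS table.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample in the shape of a kubectl List document: one populated
# report and one spec-only report. The status.summary layout is assumed.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-pss-baseline-0.1"},
            "spec": {"reportType": "all"},
            "status": {"summary": {"failCount": 3, "passCount": 8}},
        },
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ClusterComplianceReport",
            "metadata": {"name": "k8s-cis-1.23"},
            "spec": {"reportType": "all"},
            # no "status" key at all: the controller never filled it in
        },
    ],
})


def load_items(kubectl_json: str) -> List[Dict[str, Any]]:
    """Accept either a kubectl List document or a single object."""
    doc = json.loads(kubectl_json)
    if not isinstance(doc, dict):
        raise ValueError("expected a JSON object from kubectl -o json")
    if doc.get("kind") == "List":
        return list(doc.get("items", []))
    return [doc]


def classify(report: Dict[str, Any]) -> str:
    """'populated' if status exists, 'spec-only' if only spec exists,
    'empty' if neither is present."""
    if report.get("status"):
        return "populated"
    return "spec-only" if report.get("spec") else "empty"


def summarize(kubectl_json: str) -> List[Tuple[str, str, Optional[int], Optional[int]]]:
    """One row per report: (name, state, failCount, passCount), sorted by name.
    Counts are None when the report carries no status."""
    rows = []
    for item in load_items(kubectl_json):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        summary = (item.get("status") or {}).get("summary") or {}
        rows.append((name, classify(item), summary.get("failCount"), summary.get("passCount")))
    return sorted(rows)


def unpopulated(kubectl_json: str) -> List[str]:
    """Names of reports that exist but were never reconciled into a status."""
    return [name for name, state, _, _ in summarize(kubectl_json) if state != "populated"]


if __name__ == "__main__":
    print(f"{'NAME':<24} {'STATE':<10} {'FAIL':>5} {'PASS':>5}")
    for name, state, fail, ok in summarize(SAMPLE_KUBECTL_JSON):
        print(f"{name:<24} {state:<10} "
              f"{fail if fail is not None else '-':>5} "
              f"{ok if ok is not None else '-':>5}")
    for name in unpopulated(SAMPLE_KUBECTL_JSON):
        print(f"warning: {name} has a spec but no status; check the operator "
              f"version and its logs before trusting this compliance view")
```

In practice, pipe real cluster output in with `kubectl get clustercompliancereports.aquasecurity.github.io -o json | python3 triage.py` after replacing the sample constant with `sys.stdin.read()`; a spec-only row means the dashboard has nothing to show for that benchmark, which is the state both reporters saw before upgrading.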

simar7 commented Jan 21, 2025

thanks for the confirmation, @elaurensx!

@simar7 simar7 closed this as completed Jan 21, 2025