Trivy Vulnerability scan done for image instead of complete pod or namespace

LAB 1 q3
There was a question in LAB test to Scan the pods with vulnerabilities and delete the pods with Critical vulnerabilities

In this question we are extracting the image and then scanning the image for vulnerabilities, but trivy has an option to scan K8s resources directly, like a namespace or pods.

  1. Why have we not scanned the pods in the delta namespace directly instead?
  2. How did we assume that the vulnerability will be with the image only?

Thanks in advance

There’s no reason why you shouldn’t be able to scan the running pods using trivy k8s, other than the fact that the version installed in the lab is quite old and the feature is marked as experimental. When I tried it, it failed with an obscure error.

I installed the latest version in the lab (while running it - not permanent) and it did work…

root@controlplane ~ ➜  curl -LO https://github.com/aquasecurity/trivy/releases/download/v0.51.1/trivy_0.51.1_Linux-64bit.tar.gz

root@controlplane ~ ➜  tar -zxf trivy_0.51.1_Linux-64bit.tar.gz

root@controlplane ~ ➜ ./trivy k8s --include-namespaces delta --report summary

Trivy is about image scanning. All it does is get the pod image names, then scan those images.

I would expect that in the real exam a more up to date trivy will be installed (note that updating it yourself in the real exam is not allowed!), and using trivy k8s for a similar question would be much quicker than getting the image names by hand (using jsonpath of course) and scanning them directly.

The questions are marked on the end state of the cluster (i.e. correct pods deleted). How you get there is up to you.

1 Like
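The manual route the answer describes (list the pod images with jsonpath, scan each image with trivy, delete the pods whose images have CRITICAL findings), written out as an added example; it is not from the thread and not part of Trivy's own tooling. It assumes `kubectl` and `trivy` are on PATH with a reachable cluster, that trivy's table output ends each target with a `Total: N (CRITICAL: n)` summary line (an assumption about the output format; it is summed across targets), and it is driven by the environment variables NAMESPACE, SEVERITY and DRY_RUN, all names chosen here.

```shell
#!/bin/sh
# Added example, not from the original thread: scan every image used by the
# pods in one namespace and delete the pods with findings at the chosen
# severity. Assumes kubectl and trivy are installed and the cluster is reachable.
set -eu

NAMESPACE="${NAMESPACE:-}"        # run as: NAMESPACE=delta ./scan-and-delete.sh
SEVERITY="${SEVERITY:-CRITICAL}"  # level that makes a pod eligible for deletion
DRY_RUN="${DRY_RUN:-1}"           # set DRY_RUN=0 to really delete pods

# Print one line per pod: "<pod-name> <image> [<image> ...]".
list_pod_images() {
  kubectl get pods -n "$1" \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}'
}

# stdin: trivy table output. Sums the "<SEVERITY>: n" figures from the
# per-target "Total:" lines (assumed format) and prints the sum, 0 if none.
severity_count() {
  { grep -o "$1: [0-9]*" || true; } | awk '{ s += $2 } END { print s + 0 }'
}

# Prints the names of pods in namespace $1 that have at least one finding
# at $SEVERITY; progress goes to stderr so stdout stays a clean pod list.
scan_namespace() {
  ns="$1"
  doomed="$(mktemp)"
  list_pod_images "$ns" | while read -r pod images; do
    [ -n "$pod" ] || continue
    for image in $images; do
      # --severity restricts the report to the chosen level only
      count="$(trivy image --quiet --severity "$SEVERITY" "$image" | severity_count "$SEVERITY")"
      printf 'pod=%s image=%s %s=%s\n' "$pod" "$image" "$SEVERITY" "$count" >&2
      if [ "$count" -gt 0 ]; then
        printf '%s\n' "$pod" >> "$doomed"
      fi
    done
  done
  sort -u "$doomed"   # a pod with several bad images is listed once
  rm -f "$doomed"
}

# stdin: pod names, one per line. Deletes them in namespace $1 unless DRY_RUN=1.
delete_pods() {
  ns="$1"
  while read -r pod; do
    [ -n "$pod" ] || continue
    if [ "$DRY_RUN" = "1" ]; then
      echo "would delete pod/$pod in namespace $ns (set DRY_RUN=0 to delete)"
    else
      kubectl delete pod -n "$ns" "$pod"
    fi
  done
}

# Only touch the cluster when a namespace was given; sourcing the file to
# reuse the functions is otherwise side-effect free.
if [ -n "$NAMESPACE" ]; then
  scan_namespace "$NAMESPACE" | delete_pods "$NAMESPACE"
fi
```

Run it first with the default DRY_RUN=1 to see which pods would go, compare the per-image counts on stderr with the question's wording, then rerun with DRY_RUN=0. Pods owned by a Deployment or ReplicaSet are recreated after deletion, so check the end state with `kubectl get pods -n delta` rather than assuming the delete stuck.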