The audit definitions currently contain incorrect paths for Rancher. All commands whose `platforms` field contains only `rke2` must be updated in the `trivy-checks` repository.
If a command specifies multiple platforms, for example both `k8s` and `rke2`, a separate command should be created specifically for `rke2` in the same file (verify that `trivy-kubernetes` can load multiple commands from a single file). Then remove `rke2` from the original command's `platforms` list and update the compliance spec by adding the new command.
Example:

Before:

```yaml
---
- id: CMD-0013
  key: adminConfFilePermissions
  title: admin.conf file permissions
  nodeType: master
  audit: stat -c %a /etc/kubernetes/admin.conf
  platforms:
    - k8s
    - rke2
```

After:

```yaml
---
- id: CMD-0013
  key: adminConfFilePermissions
  title: admin.conf file permissions
  nodeType: master
  audit: stat -c %a /etc/kubernetes/admin.conf
  platforms:
    - k8s
---
- id: <newID>
  key: adminConfFilePermissions
  title: admin.conf file permissions
  nodeType: master
  audit: stat -c permissions=%a /var/lib/rancher/rke2/server/cred/admin.kubeconfig
  platforms:
    - rke2
```
Additionally, ensure that reusing the same `key` for two commands does not cause conflicts. If it does, give the `rke2` command a new key (for example, by appending a `-rke2` suffix).
The new command's ID can be generated with `make command-id`.
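The split described above, worked through as an added example (not code from trivy-checks or trivy-kubernetes): it takes an in-memory list of command definitions, moves `rke2` out of every multi-platform command into its own command with the Rancher-specific audit line, appends a `-rke2` suffix to the key when the shared key would otherwise collide, records the old-to-new ID mapping so the compliance spec can be updated, and emits the result in the `---`-separated YAML shape shown in the issue. The sample commands, the `CMD-0100` ID handed out by the `id_allocator` stand-in for `make command-id`, and the assumed compliance-spec shape (controls holding a `commands` list of `{id: ...}` entries) are constructed for illustration; PyYAML is not used so the script runs with the standard library only.

```python
"""Split rke2 out of multi-platform command definitions (added example).

Assumptions, not trivy-checks code: command ids are allocated by
id_allocator() in place of `make command-id`; compliance controls are
modelled as dicts with a `commands` list of {"id": ...} entries.
"""
from collections import Counter
from copy import deepcopy

FIELD_ORDER = ("id", "key", "title", "nodeType", "audit", "platforms")

# Constructed sample data: one k8s+rke2 command (the case from the issue)
# and one k8s-only command that must pass through untouched.
COMMANDS = [
    {"id": "CMD-0013", "key": "adminConfFilePermissions",
     "title": "admin.conf file permissions", "nodeType": "master",
     "audit": "stat -c %a /etc/kubernetes/admin.conf",
     "platforms": ["k8s", "rke2"]},
    {"id": "CMD-0014", "key": "schedulerConfFilePermissions",
     "title": "scheduler.conf file permissions", "nodeType": "master",
     "audit": "stat -c %a /etc/kubernetes/scheduler.conf",
     "platforms": ["k8s"]},
]
# The rke2-specific audit line for each key that needs splitting.
RKE2_AUDITS = {
    "adminConfFilePermissions":
        "stat -c permissions=%a /var/lib/rancher/rke2/server/cred/admin.kubeconfig",
}
# Constructed compliance control referencing the original command.
CONTROLS = [{"id": "1.1.13", "commands": [{"id": "CMD-0013"}]}]


def id_allocator(start):
    """Hand out CMD-NNNN ids above `start` (stand-in for `make command-id`)."""
    counter = [start]

    def next_id():
        counter[0] += 1
        return "CMD-%04d" % counter[0]
    return next_id


def key_conflicts(commands):
    """Keys shared by more than one command, the conflict the issue warns about."""
    counts = Counter(c["key"] for c in commands)
    return sorted(k for k, n in counts.items() if n > 1)


def split_rke2(commands, rke2_audits, next_id, unique_keys=True):
    """Return (commands, id_map): rke2 moved into its own command per key.

    Raises if no rke2 audit line is supplied for a command that needs one,
    because the differing path is the whole reason for the split.
    """
    result, id_map = [], {}
    for cmd in commands:
        cmd = deepcopy(cmd)
        plats = cmd["platforms"]
        if "rke2" in plats and len(plats) > 1:
            if cmd["key"] not in rke2_audits:
                raise ValueError("no rke2 audit supplied for %s" % cmd["key"])
            rke2_cmd = deepcopy(cmd)
            rke2_cmd["id"] = next_id()
            rke2_cmd["audit"] = rke2_audits[cmd["key"]]
            rke2_cmd["platforms"] = ["rke2"]
            cmd["platforms"] = [p for p in plats if p != "rke2"]
            id_map[cmd["id"]] = rke2_cmd["id"]
            result.extend([cmd, rke2_cmd])
        else:
            result.append(cmd)
    if unique_keys:  # give the new command its own key if the old one is shared
        for new_id in id_map.values():
            new_cmd = next(c for c in result if c["id"] == new_id)
            if any(c["key"] == new_cmd["key"] and c["id"] != new_id for c in result):
                new_cmd["key"] += "-rke2"
    return result, id_map


def add_to_compliance(controls, id_map):
    """Add each new rke2 id next to its original in every control that lists it."""
    out = deepcopy(controls)
    for ctl in out:
        for entry in list(ctl.get("commands", [])):
            if entry["id"] in id_map:
                ctl["commands"].append({"id": id_map[entry["id"]]})
    return out


def to_yaml(commands):
    """Emit one `---` document per command, in the shape used by the issue."""
    lines = []
    for cmd in commands:
        lines.append("---")
        for i, field in enumerate(FIELD_ORDER):
            prefix = "- " if i == 0 else "  "
            if field == "platforms":
                lines.append(prefix + "platforms:")
                lines.extend("    - " + p for p in cmd["platforms"])
            else:
                lines.append("%s%s: %s" % (prefix, field, cmd[field]))
    return "\n".join(lines) + "\n"


def run():
    """Apply the split to the sample data and return all three artefacts."""
    cmds, id_map = split_rke2(COMMANDS, RKE2_AUDITS, id_allocator(99))
    return cmds, id_map, add_to_compliance(CONTROLS, id_map)


if __name__ == "__main__":
    cmds, id_map, ctls = run()
    print(to_yaml(cmds))
    print("id map:", id_map, "\ncontrols:", ctls)
```

Running it with `unique_keys=False` leaves the shared key in place and `key_conflicts` reports it, which is the check to run before deciding whether the suffix is needed.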
Discussed in #10162