bug(k8s): Trivy gets stuck when scanning a cluster with taints on nodes #8087

@afdesk

Description


When using Trivy to scan a Kubernetes cluster, the scan process gets stuck if any node in the cluster has taints applied. For example, a control-plane node with the taint node-role.kubernetes.io/control-plane causes this issue.

2024-12-12T17:56:21+06:00	FATAL	Fatal error	get k8s artifacts with node info error: running node-collector job: runner received timeout

To improve usability, Trivy should handle such cases more gracefully. It could skip nodes that cannot be scanned without additional tolerations applied, instead of causing the scan to get stuck.

Desired behavior:

  • Skip nodes that require tolerations to scan.
  • Provide clear warnings or logs about the skipped nodes.

Workaround:

You can set up tolerations through a specific flag:

$ trivy k8s --report summary --tolerations node-role.kubernetes.io/control-plane="":NoSchedule

Steps to Reproduce

$ kind delete cluster --name cilium && kind create cluster --config config.yaml
$ kubectl get nodes
$ trivy k8s --report summary

config.yaml:
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: cilium
nodes:
  # controlplane nodes
- role: control-plane
  image: kindest/node:v1.31.2
- role: control-plane
  image: kindest/node:v1.31.2
- role: control-plane
  image: kindest/node:v1.31.2
  # worker nodes
- role: worker
  image: kindest/node:v1.31.2
- role: worker
  image: kindest/node:v1.31.2
- role: worker
  image: kindest/node:v1.31.2

Discussed in #5639 (comment)
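Added example, not Trivy's own code: the skip-and-warn behaviour requested above, sketched in Go by applying the Kubernetes taint/toleration matching rules to decide up front which nodes the node-collector job can actually reach, instead of waiting for the job to time out. Taint, Toleration, Node, BlockingTaints and PlanNodeScan are assumed names; the sample nodes in the test are constructed from the kind config in the issue.

```go
package main

import "fmt"

type Taint struct{ Key, Value, Effect string }
type Toleration struct{ Key, Operator, Value, Effect string }
type Node struct {
	Name   string
	Taints []Taint
}

// tolerates applies the Kubernetes rules: empty key (with Exists) matches any key,
// empty effect matches any effect, Exists ignores the value, Equal compares it.
func tolerates(t Toleration, taint Taint) bool {
	if t.Effect != "" && t.Effect != taint.Effect {
		return false
	}
	if t.Key != "" && t.Key != taint.Key {
		return false
	}
	return t.Operator == "Exists" || t.Value == taint.Value
}

// BlockingTaints returns the hard taints (NoSchedule/NoExecute) on a node that
// no toleration covers; PreferNoSchedule is soft and never blocks the job.
func BlockingTaints(n Node, tols []Toleration) []Taint {
	var blocking []Taint
	for _, taint := range n.Taints {
		covered := taint.Effect == "PreferNoSchedule"
		for i := 0; i < len(tols) && !covered; i++ {
			covered = tolerates(tols[i], taint)
		}
		if !covered {
			blocking = append(blocking, taint)
		}
	}
	return blocking
}

// PlanNodeScan returns the nodes the collector can reach and one warning per skipped node.
func PlanNodeScan(nodes []Node, tols []Toleration) (scan, warnings []string) {
	for _, n := range nodes {
		if b := BlockingTaints(n, tols); len(b) > 0 {
			warnings = append(warnings, fmt.Sprintf("skipping node %q: untolerated taint %s=%s:%s", n.Name, b[0].Key, b[0].Value, b[0].Effect))
			continue
		}
		scan = append(scan, n.Name)
	}
	return scan, warnings
}
```

Passing the toleration from the workaround flag as a Toleration value makes the control-plane nodes scannable again, which is exactly what the `--tolerations` flag achieves today.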

Labels: bug, target/kubernetes (Issues relating to kubernetes cluster scanning)