Met an issue with node collector pod

[J-Are]

Hi,
First of all, happy new year.

I met an issue when I try to deploy Trivy operator Helm chart in Standard GKE Cluster. I have the same error as this ticket #1965
`Error: unknown
Usage:
node-collector k8s [flags]

Flags:
-h, --help help for k8s

Global Flags:
-n, --node string node name. default: minikube (default "minikube")
-o, --output string Output format. One of table|json (default "json")
-s, --spec string spec name. default: cis (default "cis")
-v, --version string spec version. default: 1.23 (default "1.23")`

Environment:
Trivy Operator Helm chart: 0.20.1
OS: cos-113-18244-151-27
GKE version: 1.30.5-gke.1014003

Way to reproduce:
values.yaml file:

# the templates into valid k8s Resources.

# -- global values provide a centralized configuration for 'image.registry', reducing the potential for errors.
# If left blank, the chart will default to the individually set 'image.registry' values
global:
  image:
    registry: ""

# -- managedBy is similar to .Release.Service but allows to overwrite the value
managedBy: Helm

# -- targetNamespace defines where you want trivy-operator to operate. By
# default, it's a blank string to select all namespaces, but you can specify
# another namespace, or a comma separated list of namespaces.
targetNamespaces: ""

# -- excludeNamespaces is a comma separated list of namespaces (or glob patterns)
# to be excluded from scanning. Only applicable in the all namespaces install
# mode, i.e. when the targetNamespaces values is a blank string.
excludeNamespaces: ""

# -- targetWorkloads is a comma seperated list of Kubernetes workload resources
# to be included in the vulnerability and config-audit scans
# if left blank, all workload resources will be scanned
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"

# -- nameOverride override operator name
nameOverride: ""

# -- fullnameOverride override operator full name
fullnameOverride: ""

operator:
  # -- namespace to install the operator, defaults to the .Release.Namespace
  namespace: ""
  # -- replicas the number of replicas of the operator's pod
  replicas: 1

  # -- number of old history to retain to allow rollback (if not set, default Kubernetes value is set to 10)
  revisionHistoryLimit: ~

  # -- additional labels for the operator pod
  podLabels: {}

  # -- leaderElectionId determines the name of the resource that leader election
  # will use for holding the leader lock.
  leaderElectionId: "trivyoperator-lock"

  # -- logDevMode the flag to enable development mode (more human-readable output, extra stack traces and logging information, etc)
  logDevMode: false

  # -- scanJobTTL the set automatic cleanup time after the job is completed
  scanJobTTL: ""

  # -- scanJobTimeout the length of time to wait before giving up on a scan job
  scanJobTimeout: 60m

  # -- scanJobsConcurrentLimit the maximum number of scan jobs create by the operator
  scanJobsConcurrentLimit: 10

  # -- scanNodeCollectorLimit the maximum number of node collector jobs create by the operator
  scanNodeCollectorLimit: 1

  # -- scanJobsRetryDelay the duration to wait before retrying a failed scan job
  scanJobsRetryDelay: 30s

  # -- the flag to enable vulnerability scanner
  vulnerabilityScannerEnabled: true
  # -- the flag to enable sbom generation
  sbomGenerationEnabled: true
  # -- scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled
  scannerReportTTL: "24h"
  # -- configAuditScannerEnabled the flag to enable configuration audit scanner
  configAuditScannerEnabled: true
  # -- rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
  rbacAssessmentScannerEnabled: true
  # -- infraAssessmentScannerEnabled the flag to enable infra assessment scanner
  infraAssessmentScannerEnabled: true
  # -- clusterComplianceEnabled the flag to enable cluster compliance scanner
  clusterComplianceEnabled: true
  # -- batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
  batchDeleteLimit: 10
  # -- vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
  vulnerabilityScannerScanOnlyCurrentRevisions: true
  # -- configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
  configAuditScannerScanOnlyCurrentRevisions: true
  # -- batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
  batchDeleteDelay: 10s
  # -- accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries
  accessGlobalSecretsAndServiceAccount: true
  # -- builtInTrivyServer The flag enable the usage of built-in trivy server in cluster ,its also override the following trivy params with built-in values
  # trivy.mode = ClientServer and serverURL = http://<serverServiceName>.<trivy operator namespace>:4975
  builtInTrivyServer: false
  # -- controllerCacheSyncTimeout the duration to wait for controller resources cache sync (default: 5m).
  controllerCacheSyncTimeout: "60m"

  # -- trivyServerHealthCheckCacheExpiration The flag to set the interval for trivy server health cache before it invalidate
  trivyServerHealthCheckCacheExpiration: 10h

  # -- metricsFindingsEnabled the flag to enable metrics for findings
  metricsFindingsEnabled: true

  # -- metricsVulnIdEnabled the flag to enable metrics about cve vulns id
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsVulnIdEnabled: false

  # -- exposedSecretScannerEnabled the flag to enable exposed secret scanner
  exposedSecretScannerEnabled: true

  # -- MetricsExposedSecretInfo the flag to enable metrics about exposed secrets
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsExposedSecretInfo: false

  # -- MetricsConfigAuditInfo the flag to enable metrics about configuration audits
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsConfigAuditInfo: false

  # -- MetricsRbacAssessmentInfo the flag to enable metrics about Rbac Assessment
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsRbacAssessmentInfo: false

    # -- MetricsInfraAssessmentInfo the flag to enable metrics about Infra Assessment
  # be aware of metrics cardinality is significantly increased with this feature enabled.
  metricsInfraAssessmentInfo: false

  # -- webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled
  webhookBroadcastURL: ""

  # -- webhookBroadcastTimeout the flag to set timeout for webhook requests if webhookBroadcastURL is enabled
  webhookBroadcastTimeout: 30s

  # -- webhookSendDeletedReports the flag to enable sending deleted reports if webhookBroadcastURL is enabled
  webhookSendDeletedReports: false

  # -- privateRegistryScanSecretsNames is map of namespace:secrets, secrets are comma seperated which can be used to authenticate in private registries in case if there no imagePullSecrets provided example : {"mynamespace":"mySecrets,anotherSecret"}
  privateRegistryScanSecretsNames: {}

  # -- mergeRbacFindingWithConfigAudit the flag to enable merging rbac finding with config-audit report
  mergeRbacFindingWithConfigAudit: false

image:
  registry: "ghcr.io"
  repository: "aquasecurity/trivy-operator"
  # -- tag is an override of the image tag, which is by default set by the
  # appVersion field in Chart.yaml.
  tag: ""
  # -- pullPolicy set the operator pullPolicy
  pullPolicy: IfNotPresent
  # -- pullSecrets set the operator pullSecrets
  pullSecrets: []

# -- service only expose a metrics endpoint for prometheus to scrape,
# trivy-operator does not have a user interface.
service:
  headless: true
  metricsPort: 80
  # -- annotations added to the operator's service
  annotations: {}

# -- Prometheus ServiceMonitor configuration -- to install the trivy operator with the ServiceMonitor
# you must have Prometheus already installed and running. If you do not have Prometheus installed, enabling this will
# have no effect.
serviceMonitor:
  # -- enabled determines whether a serviceMonitor should be deployed
  enabled: false
  # -- The namespace where Prometheus expects to find service monitors
  namespace: ~
  # -- Interval at which metrics should be scraped. If not specified Prometheus’ global scrape interval is used.
  interval: ~
  # -- Additional annotations for the serviceMonitor
  annotations: {}
  # -- Additional labels for the serviceMonitor
  labels: {}
  # -- HonorLabels chooses the metric’s labels on collisions with target labels
  honorLabels: true
  # -- EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
  endpointAdditionalProperties: {}

trivyOperator:
  # -- vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports `Trivy`
  vulnerabilityReportsPlugin: "Trivy"
  # -- configAuditReportsPlugin the name of the plugin that generates config audit reports.
  configAuditReportsPlugin: "Trivy"
  # -- scanJobCompressLogs control whether scanjob output should be compressed or plain
  scanJobCompressLogs: true
  # -- scanJobTolerations tolerations to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints
  scanJobTolerations: []
  # -- If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobTolerations:'.
  # - key: "key1"
  #   operator: "Equal"
  #   value: "value1"
  #   effect: "NoSchedule"

  # -- scanJobNodeSelector nodeSelector to be applied to the scanner pods so that they can run on nodes with matching labels
  scanJobNodeSelector: {}
  # -- If you do want to specify nodeSelector, uncomment the following lines, adjust them as necessary, and remove the
  # square brackets after 'scanJobNodeSelector:'.
  #   nodeType: worker
  #   cpu: sandylake
  #   teamOwner: operators

  # -- scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job
  scanJobAutomountServiceAccountToken: true

  # -- scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner pods to be
  # annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage`
  scanJobAnnotations: ""

  # -- scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be
  # labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`
  scanJobPodTemplateLabels: ""

  # -- skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods
  skipInitContainers: false

  # -- scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with.
  # Example:
  #   RunAsUser: 10000
  #   RunAsGroup: 10000
  #   RunAsNonRoot: true
  scanJobPodTemplatePodSecurityContext: {}

  # -- scanJobPodTemplateContainerSecurityContext SecurityContext the user wants the scanner and node collector containers (and their
  # initContainers) to be amended with.
  scanJobPodTemplateContainerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: true
    # -- For filesystem scanning, Trivy needs to run as the root user
    # runAsUser: 0

  # -- scanJobPodPriorityClassName Priority class name to be set on the pods created by trivy operator jobs. This accepts a string value
  scanJobPodPriorityClassName: ""

  # -- reportResourceLabels comma-separated scanned resource labels which the user wants to include in the Prometheus
  # metrics report. Example: `owner,app`
  reportResourceLabels: ""

  # -- reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment)
  reportRecordFailedChecksOnly: true

  # -- skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels
  skipResourceByLabels: ""

  # -- metricsResourceLabelsPrefix Prefix that will be prepended to the labels names indicated in `reportResourceLabels`
  # when including them in the Prometheus metrics
  metricsResourceLabelsPrefix: "k8s_label_"

  # -- additionalReportLabels comma-separated representation of the labels which the user wants the scanner pods to be
  # labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage`
  additionalReportLabels: ""

  # -- policiesConfig Custom Rego Policies to be used by the config audit scanner
  # See https://github.com/aquasecurity/trivy-operator/blob/main/docs/tutorials/writing-custom-configuration-audit-policies.md for more details.
  policiesConfig: ""

trivy:
  # -- createConfig indicates whether to create config objects
  createConfig: true
  image:
    # -- registry of the Trivy image
    registry: ghcr.io
    # -- repository of the Trivy image
    repository: aquasecurity/trivy
    # -- tag version of the Trivy image
    tag: 0.45.1
    # -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
    # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
    imagePullSecret: ~

    # -- pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent)
    pullPolicy: IfNotPresent

  # -- mode is the Trivy client mode. Either Standalone or ClientServer. Depending
  # on the active mode other settings might be applicable or required.
  mode: Standalone

  # -- whether to use a storage class for trivy server or emptydir (one mey want to use ephemeral storage)
  storageClassEnabled: true

  # -- storageClassName is the name of the storage class to be used for trivy server PVC. If empty, tries to find default storage class
  storageClassName: ""

  # -- podLabels is the extra pod labels to be used for trivy server
  podLabels:

  # -- priorityClassName is the name of the priority class used for trivy server
  priorityClassName: ""

  # -- additionalVulnerabilityReportFields is a comma separated list of additional fields which
  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType
  additionalVulnerabilityReportFields: ""

  # -- httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
  httpProxy: ~

  # -- httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub.
  httpsProxy: ~

  # -- noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
  noProxy: ~

  # -- Registries without SSL. There can be multiple registries with different keys.
  nonSslRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000

  # -- sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs
  sslCertDir: ~

  # -- The registry to which insecure connections are allowed. There can be multiple registries with different keys.
  insecureRegistries: {}
  #  pocRegistry: poc.myregistry.harbor.com.pl
  #  qaRegistry: qa.registry.aquasec.com
  #  internalRegistry: registry.registry.svc:5000

  # -- Mirrored registries. There can be multiple registries with different keys.
  # Make sure to quote registries containing dots
  registry:
    mirror: {}
    # "docker.io": docker-mirror.example.com

  # -- severity is a comma separated list of severity levels reported by Trivy.
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL

  # -- slow this flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint
  slow: true
  # -- ignoreUnfixed is the flag to show only fixed vulnerabilities in
  # vulnerabilities reported by Trivy. Set to true to enable it.
  #
  ignoreUnfixed: true
  # -- a comma separated list of directories for Trivy to skip
  skipDirs:

  # -- offlineScan is the flag to enable the offline scan functionality in Trivy
  # This will prevent outgoing HTTP requests, e.g. to search.maven.org
  offlineScan: false

  # -- timeout is the duration to wait for scan completion.
  timeout: "60m0s"

  # -- ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
  ignoreFile: ~
  # ignoreFile: |
  #   CVE-1970-0001
  #   CVE-1970-0002

  # -- ignorePolicy can be used to tell Trivy to ignore vulnerabilities by a policy
  # If multiple policies would match, then the most specific one has precedence over the others.
  # See https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-open-policy-agent for more details.
  #
  # ignorePolicy.application.my-app-.: |
  #   # applies to all workloads in namespace "application" with the name pattern "my-app-*"
  # ignorePolicy.kube-system: |
  #   # applies to all workloads in namespace "kube-system"
  # ignorePolicy: |
  #   # applies to all other workloads

  # -- vulnType can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os)
  vulnType: ~

  # -- resources resource requests and limits for scan job containers
  resources:
    requests:
      cpu: 100m
      memory: 100M
      # ephemeralStorage: "2Gi"
    limits:
      cpu: 2500m
      memory: 4000M
      # ephemeralStorage: "2Gi"

  # -- githubToken is the GitHub access token used by Trivy to download the vulnerabilities
  # database from GitHub. Only applicable in Standalone mode.
  githubToken: ~

  # -- serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode.
  #
  # serverURL: "https://trivy.trivy:4975"

  # -- clientServerSkipUpdate is the flag to enable skip databases update for Trivy client.
  # Only applicable in ClientServer mode.
  clientServerSkipUpdate: false

  # -- skipJavaDBUpdate is the flag to enable skip Java index databases update for Trivy client.
  skipJavaDBUpdate: false

  # -- serverInsecure is the flag to enable insecure connection to the Trivy server.
  serverInsecure: false

  # -- serverToken is the token to authenticate Trivy client with Trivy server. Only
  # applicable in ClientServer mode.
  serverToken: ~

  # -- existingSecret if a secret containing gitHubToken, serverToken or serverCustomHeaders has been created outside the chart (e.g external-secrets, sops, etc...).
  # Keys must be at least one of the following: trivy.githubToken, trivy.serverToken, trivy.serverCustomHeaders
  # Overrides trivy.gitHubToken, trivy.serverToken, trivy.serverCustomHeaders values.
  # Note: The secret has to be named "trivy-operator-trivy-config".
  # existingSecret: true

  # -- serverTokenHeader is the name of the HTTP header used to send the authentication
  # token to Trivy server. Only application in ClientServer mode when
  # trivy.serverToken is specified.
  serverTokenHeader: "Trivy-Token"

  # -- serverCustomHeaders is a comma separated list of custom HTTP headers sent by
  # Trivy client to Trivy server. Only applicable in ClientServer mode.
  serverCustomHeaders: ~
  # serverCustomHeaders: "foo=bar"

  dbRegistry: "ghcr.io"
  dbRepository: "aquasecurity/trivy-db"

  # -- javaDbRegistry is the registry for the Java vulnerability database.
  javaDbRegistry: "ghcr.io"
  javaDbRepository: "aquasecurity/trivy-java-db"

  # -- The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)
  #
  dbRepositoryInsecure: "false"

  # -- The Flag to enable the usage of builtin rego policies by default
  #
  useBuiltinRegoPolicies: "true"

  # -- The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner
  #
  supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"

  # -- command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan.
  # For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
  # to run as the root user (runAsUser = 0).
  command: image
  # -- serverUser this param is the server user to be used to download db from private registry
  serverUser: ""
  # -- serverPassword this param is the server user to be used to download db from private registry
  serverPassword: ""
  # -- serverServiceName this param is the server service name to be used in cluster
  serverServiceName: "trivy-service"
  # -- debug One of `true` or `false`. Enables debug mode.
  debug: false

  server:
    # -- resources set trivy-server resource
    resources:
      requests:
        cpu: 200m
        memory: 512Mi
        # ephemeral-storage: "2Gi"
      limits:
        cpu: 1
        memory: 1Gi
        # ephemeral-storage: "2Gi"

    # -- podSecurityContext set trivy-server podSecurityContext
    podSecurityContext:
      runAsUser: 65534
      runAsNonRoot: true
      fsGroup: 65534

    # -- securityContext set trivy-server securityContext
    securityContext:
      privileged: false
      readOnlyRootFilesystem: true

    # -- the number of replicas of the trivy-server
    replicas: 1

compliance:
  # -- failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
  failEntriesLimit: 10
  # -- reportType this flag control the type of report generated (summary or all)
  reportType: summary
  # -- cron this flag control the cron interval for compliance report generation
  cron: 0 */6 * * *

rbac:
  create: true
serviceAccount:
  # -- Specifies whether a service account should be created.
  create: true
  annotations: 
      "iam.gke.io/gcp-service-account": "[email protected]"
  # -- name specifies the name of the k8s Service Account. If not set and create is
  # true, a name is generated using the fullname template.
  name: "trivy-sa"
  

# -- podAnnotations annotations added to the operator's pod
podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

# -- securityContext security context
securityContext:
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

volumeMounts: []
# Example:
#  - mountPath: /tmp
#    name: tmp-data
#    readOnly: false

volumes: []
# Example:
#  - name: tmp-data
#    emptyDir: {}

resources: {}
  # -- We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
# -- nodeSelector set the operator nodeSelector
nodeSelector:
  kubernetes.io/os: linux
  environment: common

# -- tolerations set the operator tolerations
tolerations: []

# -- affinity set the operator affinity
affinity: {}

# -- priorityClassName set the operator priorityClassName
priorityClassName: ""

  # -- automountServiceAccountToken the flag to enable automount for service account token
automountServiceAccountToken: true

nodeCollector:
  # -- registry of the node-collector image
  registry: ghcr.io
  # -- repository of the node-collector image
  repository: aquasecurity/node-collector
  # -- tag version of the node-collector image
  tag: 0.0.8
  # -- imagePullSecret is the secret name to be used when pulling node-collector image from private registries example : reg-secret
  # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
  imagePullSecret: ~
  # -- excludeNodes comma-separated node labels that the node-collector job should exclude from scanning (example kubernetes.io/arch=arm64,team=dev)
  excludeNodes:
  # -- node-collector pod volumeMounts definition for collecting config files information
  volumeMounts:
    - name: var-lib-etcd
      mountPath: /var/lib/etcd
      readOnly: true
    - name: var-lib-kubelet
      mountPath: /var/lib/kubelet
      readOnly: true
    - name: var-lib-kube-scheduler
      mountPath: /var/lib/kube-scheduler
      readOnly: true
    - name: var-lib-kube-controller-manager
      mountPath: /var/lib/kube-controller-manager
      readOnly: true
    - name: etc-systemd
      mountPath: /etc/systemd
      readOnly: true
    - name: lib-systemd
      mountPath: /lib/systemd/
      readOnly: true
    - name: etc-kubernetes
      mountPath: /etc/kubernetes
      readOnly: true
    - name: etc-cni-netd
      mountPath: /etc/cni/net.d/
      readOnly: true

  # -- node-collector pod volumes definition for collecting config files information
  volumes:
    - name: var-lib-etcd
      hostPath:
        path: /var/lib/etcd
    - name: var-lib-kubelet
      hostPath:
        path: /var/lib/kubelet
    - name: var-lib-kube-scheduler
      hostPath:
        path: /var/lib/kube-scheduler
    - name: var-lib-kube-controller-manager
      hostPath:
        path: /var/lib/kube-controller-manager
    - name: etc-systemd
      hostPath:
        path: /etc/systemd
    - name: lib-systemd
      hostPath:
        path: /lib/systemd
    - name: etc-kubernetes
      hostPath:
        path: /etc/kubernetes
    - name: etc-cni-netd
      hostPath:
        path: /etc/cni/net.d/`

# Install commands
helm repo add trivy-operator https://aquasecurity.github.io/helm-charts/
helm repo update
helm upgrade --install --create-namespace trivy-operator trivy-operator --namespace trivy-operator -f values.yaml --version 0.20.1 --repo https://aquasecurity.github.io/helm-charts/

Thanks in advance for you help
Have a nice day

[tom1299]

Would it be possible to share the Pod Spec in yaml for one of the failing node collector Pods ? That information might help find the reason for the problem.

[J-Are]

Hi @tom1299, this is the Pod spec for the node collector:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2025-01-13T09:05:07Z"
  finalizers:
  - batch.kubernetes.io/job-tracking
  generateName: node-collector-84f7dd68d9-
  labels:
    app: node-collector
    batch.kubernetes.io/controller-uid: 493e4929-3c8e-48e9-9557-a7b6aa1e1aaf
    batch.kubernetes.io/job-name: node-collector-84f7dd68d9
    controller-uid: 493e4929-3c8e-48e9-9557-a7b6aa1e1aaf
    job-name: node-collector-84f7dd68d9
  name: node-collector-84f7dd68d9-cvltq
  namespace: trivy-operator
  ownerReferences:
  - apiVersion: batch/v1
    blockOwnerDeletion: true
    controller: true
    kind: Job
    name: node-collector-84f7dd68d9
    uid: 493e4929-3c8e-48e9-9557-a7b6aa1e1aaf
  resourceVersion: "44271134"
  uid: bd961f35-fd19-4caa-8aad-46047785cd0c
spec:
  automountServiceAccountToken: true
  containers:
  - args:
    - k8s
    - --node
    - gke-rni-myproject-gke-01-ew1-workloads-2aef09b1-9mv4
    command:
    - node-collector
    image: ghcr.io/aquasecurity/node-collector:0.0.8
    imagePullPolicy: IfNotPresent
    name: node-collector
    resources:
      limits:
        cpu: 100m
        memory: 100M
      requests:
        cpu: 50m
        memory: 50M
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: var-lib-etcd
      readOnly: true
    - mountPath: /var/lib/kubelet
      name: var-lib-kubelet
      readOnly: true
    - mountPath: /var/lib/kube-scheduler
      name: var-lib-kube-scheduler
      readOnly: true
    - mountPath: /var/lib/kube-controller-manager
      name: var-lib-kube-controller-manager
      readOnly: true
    - mountPath: /etc/systemd
      name: etc-systemd
      readOnly: true
    - mountPath: /lib/systemd/
      name: lib-systemd
      readOnly: true
    - mountPath: /etc/kubernetes
      name: etc-kubernetes
      readOnly: true
    - mountPath: /etc/cni/net.d/
      name: etc-cni-netd
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-5pjwn
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostPID: true
  nodeSelector:
    kubernetes.io/hostname: gke-rni-myproject-gke-01-ew1-workloads-2aef09b1-9mv4
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Never
  schedulerName: default-scheduler
  securityContext:
    runAsGroup: 0
    runAsUser: 0
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: rni-myproject-sa-05-sbx
  serviceAccountName: rni-myproject-sa-05-sbx
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: ""
    name: var-lib-etcd
  - hostPath:
      path: /var/lib/kubelet
      type: ""
    name: var-lib-kubelet
  - hostPath:
      path: /var/lib/kube-scheduler
      type: ""
    name: var-lib-kube-scheduler
  - hostPath:
      path: /var/lib/kube-controller-manager
      type: ""
    name: var-lib-kube-controller-manager
  - hostPath:
      path: /etc/systemd
      type: ""
    name: etc-systemd
  - hostPath:
      path: /lib/systemd
      type: ""
    name: lib-systemd
  - hostPath:
      path: /etc/kubernetes
      type: ""
    name: etc-kubernetes
  - hostPath:
      path: /etc/cni/net.d/
      type: ""
    name: etc-cni-netd
  - name: kube-api-access-5pjwn
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace

Thanks for your help