the server could not find the requested resource (get vulnerabilityreports.aquasecurity.github.io)" error

[ouyangck]

Hi, I tried to run "starboard find vulnerabilities ..." on my k8s deployments but got "the server could not find the requested resource (get vulnerabilityreports.aquasecurity.github.io)" error. However if I ran "kubectl get vulnerabilities --selector starboard.resource.kind=Deployment,starboard.resource.name ..." I could see the output. Could anyone please tell me what I might have missed? Any help would be greatly appreciated!

[danielpacak]

👋 @ouyangck I assume that you'd run starboard init command and its exit code was 0. Could you confirm that the vulnerabilityreports.aquasecurity.github.io CRD was accepted by the Kubernetes API. You can do that with the following command and make sure that the NamesAccepted conditions is true:

kubectl describe crd vulnerabilityreports.aquasecurity.github.io
...
Status:
  Accepted Names:
    Categories:
      all
    Kind:       VulnerabilityReport
    List Kind:  VulnerabilityReportList
    Plural:     vulnerabilityreports
    Short Names:
      vulns
      vuln
    Singular:  vulnerabilityreport
  Conditions:
    Last Transition Time:  2020-10-21T09:30:28Z
    Message:               no conflicts found
    Reason:                NoConflicts
    Status:                True
    Type:                  NamesAccepted
    Last Transition Time:  2020-10-21T09:30:28Z
    Message:               the initial names have been accepted
    Reason:                InitialNamesAccepted
    Status:                True
    Type:                  Established
  Stored Versions:
    v1alpha1

Could you also provide the full command that you used to find vulnerabilities, including all flags and args that you specified? I'm also wondering which version of K8S are you using and whether it's a local cluster or a managed distribution?

[ouyangck]

Thank you, Daniel, for looking into this. I did not get error when I ran starboard init. Here is what I got when I ran your "kubectl describe crd..." command:
Status:
Accepted Names:
Categories:
all
Kind: VulnerabilityReport
List Kind: VulnerabilityReportList
Plural: vulnerabilityreports
Singular: vulnerabilityreport
Conditions:
Last Transition Time: 2020-10-16T16:08:07Z
Message: ["vulns" is already in use, "vuln" is already in use]
Reason: ShortNamesConflict
Status: False
Type: NamesAccepted
Last Transition Time: 2020-10-16T16:08:07Z
Message: not all names are accepted
Reason: NotAccepted
Status: False
Type: Established
Stored Versions:
v1alpha1

The command i used to find vulnerabilities: starboard find vulnerabilities deployment/nginx

Not sure if this is what you were looking for, I ran kubectl version --client and here is what I got:

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2020-10-14T12:50:19Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"linux/amd64"}

Thank you so much!

[danielpacak]

Thanks for additional info @ouyangck This is actually very interesting output as it seems that there's a ShortNamesConflict status and there's probably some other CRD in your cluster that's using vulns and vuln short names. Could you check if, by any chance, you have some other CRD that might use the same short names as VulnerabilityReport defined by Starboard?

kubeclt api-resources --api-group aquasecurity.github.io
NAME                   SHORTNAMES   APIGROUP                 NAMESPACED   KIND
vulnerabilityreports   vuln,vulns   aquasecurity.github.io   true         VulnerabilityReport

[ouyangck]

Thank you, Daniel,

I ran the command and got the following:

NAME SHORTNAMES APIGROUP NAMESPACED KIND
ciskubebenchreports kubebench aquasecurity.github.io false CISKubeBenchReport
configauditreports configaudit aquasecurity.github.io true ConfigAuditReport
kubehunterreports kubehunter aquasecurity.github.io false KubeHunterReport
vulnerabilities vulns,vuln aquasecurity.github.io true Vulnerability

The name for vulnerability report I got is "vulnerabilities", not "vulnerability reports", but I am not sure why I got this. So i got the vulnerabilityreports.crd.yaml from github and did a kubectl apply -f vulnerabilityreports.crd.yaml. Finally I can see "vulnerabilityreports" after running the command:

NAME SHORTNAMES APIGROUP NAMESPACED KIND
ciskubebenchreports kubebench aquasecurity.github.io false CISKubeBenchReport
configauditreports configaudit aquasecurity.github.io true ConfigAuditReport
kubehunterreports kubehunter aquasecurity.github.io false KubeHunterReport
vulnerabilityreports vulns,vuln aquasecurity.github.io true VulnerabilityReport

Again, I am not sure why. Maybe the binary file I got is not updated? Here is the file I pulled: https://github.com/aquasecurity/starboard/releases/download/v0.4.0/starboard_linux_x86_64.tar.gz

I will keep looking. But thanks again for your help!
austin

[danielpacak]

For the sake of consistency, we've renamed the CRD from vulnerabilities to vulnerabilityreports so I'd advice using the latest version of Starboard CLI. Also I was more interested in seeing the output of the kubectl api-resources command (without specifying the --api-group flag) to see if there's any other CRD not managed by Starboard that's using the same set of short names (vulns, vuln).

[ouyangck]

Thanks! Here is a list of crds' after I ran the "kubectl api-resources" command:

NAME SHORTNAMES APIGROUP NAMESPACED KIND
bindings true Binding
componentstatuses cs false ComponentStatus
configmaps cm true ConfigMap
endpoints ep true Endpoints
events ev true Event
limitranges limits true LimitRange
namespaces ns false Namespace
nodes no false Node
persistentvolumeclaims pvc true PersistentVolumeClaim
persistentvolumes pv false PersistentVolume
pods po true Pod
podtemplates true PodTemplate
replicationcontrollers rc true ReplicationController
resourcequotas quota true ResourceQuota
secrets true Secret
serviceaccounts sa true ServiceAccount
services svc true Service
mutatingwebhookconfigurations admissionregistration.k8s.io false MutatingWebhookConfiguration
validatingwebhookconfigurations admissionregistration.k8s.io false ValidatingWebhookConfiguration
customresourcedefinitions crd,crds apiextensions.k8s.io false CustomResourceDefinition
apiservices apiregistration.k8s.io false APIService
controllerrevisions apps true ControllerRevision
daemonsets ds apps true DaemonSet
deployments deploy apps true Deployment
replicasets rs apps true ReplicaSet
statefulsets sts apps true StatefulSet
ciskubebenchreports kubebench aquasecurity.github.io false CISKubeBenchReport
configauditreports configaudit aquasecurity.github.io true ConfigAuditReport
kubehunterreports kubehunter aquasecurity.github.io false KubeHunterReport
vulnerabilityreports vulns,vuln aquasecurity.github.io true VulnerabilityReport
tokenreviews authentication.k8s.io false TokenReview
localsubjectaccessreviews authorization.k8s.io true LocalSubjectAccessReview
selfsubjectaccessreviews authorization.k8s.io false SelfSubjectAccessReview
selfsubjectrulesreviews authorization.k8s.io false SelfSubjectRulesReview
subjectaccessreviews authorization.k8s.io false SubjectAccessReview
horizontalpodautoscalers hpa autoscaling true HorizontalPodAutoscaler
cronjobs cj batch true CronJob
jobs batch true Job
certificatesigningrequests csr certificates.k8s.io false CertificateSigningRequest
leases coordination.k8s.io true Lease
endpointslices discovery.k8s.io true EndpointSlice
events ev events.k8s.io true Event
ingresses ing extensions true Ingress
ingressclasses networking.k8s.io false IngressClass
ingresses ing networking.k8s.io true Ingress
networkpolicies netpol networking.k8s.io true NetworkPolicy
runtimeclasses node.k8s.io false RuntimeClass
poddisruptionbudgets pdb policy true PodDisruptionBudget
podsecuritypolicies psp policy false PodSecurityPolicy
clusterrolebindings rbac.authorization.k8s.io false ClusterRoleBinding
clusterroles rbac.authorization.k8s.io false ClusterRole
rolebindings rbac.authorization.k8s.io true RoleBinding
roles rbac.authorization.k8s.io true Role
priorityclasses pc scheduling.k8s.io false PriorityClass
csidrivers storage.k8s.io false CSIDriver
csinodes storage.k8s.io false CSINode
storageclasses sc storage.k8s.io false StorageClass
volumeattachments storage.k8s.io false VolumeAttachment

Sorry about the formatting. Thanks again for your help!

[danielpacak]

@ouyangck Please file an issue is you still have this problem with the most recent release of Starboard. Please provide version / distribution of Kubernetes instance and all steps that you followed so in case of problem we could reproduce what you did.