--node-collector-namespace: Do not delete existing namespace

[codinux-gmbh]

Description

When using trivy kubernetes --node-collector-namespace <namespace> ..., then the namespace <namespace> gets deleted after the operation even if it's an existing namespace that contains resources.

That deleted almost our whole (for sake test) cluster.

(Scanning the whole cluster for misconfiguration ran into a timeout, so we decided to automatically scan namespace per namespace. But then jobs sometimes failed as the previous job in the trivy-temp namespace was still running, so we decided to run each job in the namespace to scan via --node-collector-namespace flag.)

The issue is in pkg/jobs/collector.go:

func (jb *jobCollector) Cleanup(ctx context.Context) {
	jb.deleteTrivyNamespace(ctx) // TODO: check if namespace has been created by Trivy first; don't delete existing namespaces
}

Desired Behavior

First check if Trivy created that namespace before deleting it.

Actual Behavior

The namespace passed with --node-collector-namespace gets deleted regardless if Trivy created that namespace or if it's an existing namespace that contains resources.

Reproduction Steps

Run a script, program etc. that does the following:

For each namespace in the cluster run:
`trivy kubernetes --node-collector-namespace <namespace> ...`, e.g. `--scanners misconfig`.

Except the Kubernetes default namespaces (`kube-system` etc.) the cluster is wonderfully clean then.

Target

Kubernetes

Scanner

None

Output Format

None

Mode

None

Debug Output

The output doesn't matter, the clean up behavior is the issue.

Operating System

Arch Linux, but also the OS doesn't matter

Version

`trivy --version` shows only:
`version: dev`

The version is:
`0.49.1-1`

But the issue still persists on current main branch.

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

@chen-keinan can you take a look?

[chen-keinan]

@codinux-gmbh thanks for the input, just to clarify the --node-collector-namespace should be a namespace to run node-collector scan job, the purpose of this flag was for the user to add a designated namespace (instead of default trivy-temp) for the node-collector scan job only.

The namespace should not include other resources in it.

[codinux-gmbh]

But the documentation (trivy --help) does not state this.

And I think it's a good and reliable program behavior if it doesn't delete existing resources.

You may can imagine that you're a little bit surprised when you see that you whole cluster is deleted.

[chen-keinan]

@codinux-gmbh thanks for the feed back , I'll convert this discussion to issue and improve the functionality that for custom namespaces it should not delete the namespace at the end

[chen-keinan]

Related issue #6558