Error exectuateYq err: no matches found when rendering Helm chart #1625

Closed
migruiz4 opened this issue Mar 5, 2024 · 7 comments · Fixed by #1628
Labels
bug Something isn't working

Comments

@migruiz4

migruiz4 commented Mar 5, 2024

Description

I'm having issues with Kubescape when scanning a git repository:

$ ./kubescape scan https://github.com/migruiz4/demo-bitnami-charts/tree/develop
 ✅  Initialized scanner
 ✅  Loaded policies
 ✅  Loaded exceptions
 ✅  Loaded account configurations
 ✅  Done accessing local objects
 ⚠️   Rendering of Helm chart template 'clickhouse', failed: [GetMapping wrong, err: getYamlLineInfo wrong, the err is exectuateYq err: no matches found]
 ⚠️   Rendering of Helm chart template 'sentry', failed: [GetMapping wrong, err: getYamlLineInfo wrong, the err is exectuateYq err: no matches found]
Control: C-0063 100% |███████████████████████████████| (50/50, 25 it/s)        
 ✅  Done scanning Repo
 ✅  Done aggregating results


Security posture overview for repo: 'https://github.com/migruiz4/demo-bitnami-charts/tree/develop'

Workload
┌─────────────────────┬───────────┬─────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Control name        │ Resources │ View details                                                                                    │
├─────────────────────┼───────────┼─────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Non-root containers │     1     │ $ kubescape scan control C-0013 https://github.com/migruiz4/demo-bitnami-charts/tree/develop -v │
└─────────────────────┴───────────┴─────────────────────────────────────────────────────────────────────────────────────────────────┘

Environment

OS: Debian 11
Version: 3.0.4

Steps To Reproduce

  1. Scan this repository using the latest version 3.0.4: https://github.com/migruiz4/demo-bitnami-charts/tree/develop

The error does not provide a specific reason as to why the render failed, but I was able to run the scan using the previous version 3.0.3.

Expected behavior

Kubescape does not fail to render helm chart and the scan is executed successfully.

Additional information

Output when using the previous version of kubescape:

./kubescape-3.0.3 scan https://github.com/migruiz4/demo-bitnami-charts/tree/develop
 ✅  Initialized scanner
 ✅  Loaded policies
 ✅  Loaded exceptions
 ✅  Loaded account configurations
 ℹ️   cloning. repository url: https://github.com/migruiz4/demo-bitnami-charts
 ✅  Done accessing local objects
Control: C-0017 100% |███████████████████████████████| (34/34, 65 it/s)        
 ✅  Done scanning Repo
 ✅  Done aggregating results


Kubescape security posture overview for cluster: 

In this overview, Kubescape shows you a summary of your cluster security posture, including the number of users who can perform administrative actions. For each result greater than 0, you should evaluate its need, and then define an exception to allow it. This baseline can be used to detect drift in future.

Workload
┌──────────────────────┬───────────┬─────────────────────────────────────┐
│ Control name         │ Resources │ View details                        │
├──────────────────────┼───────────┼─────────────────────────────────────┤
│ Non-root containers  │    33     │ $ kubescape scan control C-0013  -v │
│ Privileged container │     1     │ $ kubescape scan control C-0057  -v │
└──────────────────────┴───────────┴─────────────────────────────────────┘

Secrets
┌─────────────────────────────────────────────────┬───────────┬─────────────────────────────────────┐
│ Control name                                    │ Resources │ View details                        │
├─────────────────────────────────────────────────┼───────────┼─────────────────────────────────────┤
│ Applications credentials in configuration files │     2     │ $ kubescape scan control C-0012  -v │
└─────────────────────────────────────────────────┴───────────┴─────────────────────────────────────┘

Network
┌────────────────────────┬───────────┬─────────────────────────────────────┐
│ Control name           │ Resources │ View details                        │
├────────────────────────┼───────────┼─────────────────────────────────────┤
│ Missing network policy │    33     │ $ kubescape scan control C-0260  -v │
└────────────────────────┴───────────┴─────────────────────────────────────┘


Highest-stake workloads
───────────────────────

High-stakes workloads are defined as those which Kubescape estimates would have the highest impact if they were to be exploited.

1. name: -sentry-worker, kind: Deployment
   $ kubescape scan workload Deployment/-sentry-worker --chart-path=https://github.com/migruiz4/demo-bitnami-charts --file-path=/sentry/templates/deployment-sentry-worker.yaml
2. name: -clickhouse-replica, kind: StatefulSet
   $ kubescape scan workload StatefulSet/-clickhouse-replica --chart-path=https://github.com/migruiz4/demo-bitnami-charts --file-path=/clickhouse/templates/statefulset-clickhouse-replica.yaml
3. name: -clickhouse, kind: StatefulSet
   $ kubescape scan workload StatefulSet/-clickhouse --chart-path=https://github.com/migruiz4/demo-bitnami-charts --file-path=/sentry/charts/clickhouse/templates/statefulset-clickhouse.yaml

@migruiz4 migruiz4 added the bug Something isn't working label Mar 5, 2024
@dwertent
Contributor

dwertent commented Mar 5, 2024

Thank you for raising this issue.

@MMMMMMorty can this be related to the PR we merged?

@MMMMMMorty
Member

@dwertent Yes, I will check it tonight.

@MMMMMMorty
Member

@migruiz4 Hi, could you please provide me with your test data to help me reproduce the bug?

@agarcia-oss
Contributor

agarcia-oss commented Mar 5, 2024

I think the test data is all in the repository @migruiz4 shared https://github.com/migruiz4/demo-bitnami-charts/tree/develop

The issue can be reproduced with kubescape scan https://github.com/migruiz4/demo-bitnami-charts/tree/develop using kubescape 3.0.4.

In this example we're using a chart with several subcharts, in case that helps identify the root cause.

@bbrala

bbrala commented Mar 6, 2024

We have the same error without any subcharts. It's not that. Seems to break on empty map which then maps.

relevant code:

web:
   env:
   #  - name: ENV_VAR
   #    value: myvalue
spec:
  template:
    spec:
      containers:
        - name: nginx
          env:
            - name: NGINX_BACKEND_APP
              value: localhost
            {{- with .Values.web.env }}
            {{- . | toYaml | nindent 12 }}
            {{- end }}
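
The template fragment from the comment above, rendered with Go's `text/template` as an added example (not part of the original comment, and not Kubescape or Helm code). In YAML, `env:` followed only by commented-out entries parses as null, so the `with` block emits nothing and the six template lines render to three. `toYaml` and `nindent` here are simplified stand-ins for Helm's functions, and `Render` is a hypothetical helper.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-ins for Helm's toYaml/nindent; they handle only name/value lists.
func toYaml(v interface{}) string {
	items, _ := v.([]map[string]string)
	lines := []string{}
	for _, it := range items {
		lines = append(lines, "- name: "+it["name"], "  value: "+it["value"])
	}
	return strings.Join(lines, "\n")
}

func nindent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return "\n" + pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

// Container env section of the template posted in the comment above.
const envTemplate = `          env:
            - name: NGINX_BACKEND_APP
              value: localhost
            {{- with .Values.web.env }}
            {{- . | toYaml | nindent 12 }}
            {{- end }}
`

// Render (hypothetical helper) executes the fragment; nil models the all-commented `env:`.
func Render(env interface{}) (string, error) {
	funcs := template.FuncMap{"toYaml": toYaml, "nindent": nindent}
	t := template.Must(template.New("deployment").Funcs(funcs).Parse(envTemplate))
	values := map[string]interface{}{"web": map[string]interface{}{"env": env}}
	var out strings.Builder
	err := t.Execute(&out, map[string]interface{}{"Values": values})
	return out.String(), err
}

func main() {
	empty, _ := Render(nil)
	set, _ := Render([]map[string]string{{"name": "ENV_VAR", "value": "myvalue"}})
	fmt.Printf("env null:\n%s\nenv set:\n%s", empty, set)
}
```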

@MMMMMMorty
Member

@bbrala Thank you for your information. I am working on it.

@bbrala

bbrala commented Mar 6, 2024

Hopefully it helps :) And thank you for your work on this <3
