Errors Troubleshooting in ImageScan Agent

The environment page of Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. Registries and Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. clusters shows information about their agents' status.

Error Messages in Agent Status

The agent status can show these error messages:

1. Image scan fails. Last scan date is <date> with scan status code: <error>

   This error message appears when all image scans fail (no successful image scans).

   The handling of this error depends on the specific error that is shown in the agent status description. See Image Scan Status.

2. Unable to access the registry, last successful communication with the registry is at: <date>

   This error message appears if the ImageScan agent cannot get access to the registry.

   Do these steps:

   1. Make sure that your cluster has outbound network connectivity. Make sure that no proxy/firewall blocks traffic.

   2. If your authentication method requires to create a secret, make sure that you did it on the cluster correctly.

      The command to create a secret:

      kubectl create secret docker-registry <secret_name> \ --namespace <namespace> \ --docker-server=<registry_uri> \ --docker-username=<key> \ --docker-password=<password>

      Make sure that:

      • the values in registry_uri and secret_name match the values in Registry URI and Pull Secret Name in the CloudGuard portal.

      • the namespace is the same as configured during the cluster onboarding (by default, checkpoint).

      Make sure that your key and password are:

      • defined for your registry

      • have the correct permissions to get access to the registry

      • not expired

   3. If your authentication method does not require a secret (GKE/AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services./Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. internal authentication):

      • Make sure that your cluster has the correct permissions to get access to the registry.

      • Make sure that you assigned the needed roles/permissions for the cluster to get access to your registry. Make sure to follow the steps related to the specific authentication method for your specific registry.

      • For more information, see the documentation of registries - Onboarding Container Registries.

   4. If none of the steps worked for you, run this command to examine the agent logs for errors:

      • kubectl –n <namespace> logs deployments/<release-name>-imagescan-list

      • kubectl –n <namespace> logs deployments/<release-name>-imagescan-engine

3. Failed to get image list from the registry, last image list is received at: <date>

   This error message appears when CloudGuard does not receive the list of registry images in the expected time.

   By default, the configuration is to send the registry image list every 12 hours. You can change it with Advanced Configurations option of Scan period in hours on the registry Scanners page.

   To solve the issue, do the procedure in Step 2 above.

   Note - It can take five minutes at most after solving the problem to see the change in the agent status.

4. Agent is disconnected

   This error message appears when the agent has no successful connection with CloudGuard for more than one hour.

   Do these steps:

   1. Make sure that your cluster has outbound network connectivity. Make sure that no proxy/firewall blocks traffic.

   2. Make sure that your CloudGuard credentials on the cluster, API key and API secret, are correct.

      If you use Helm A Kubernetes deployment tool for automating creation, packaging, configuration, and deployment of applications and services to Kubernetes clusters. to install CloudGuard resources on your cluster, run this command to see the installation command arguments:

      helm –n <namespace> get values <release-name>

      Verify that credentials.user and credentials.secret are correct.

   3. If none of the steps worked for you, run this command to verify the agent logs for errors:

      • kubectl –n <namespace> logs deployments/<release-name>-imagescan-list

      • kubectl –n <namespace> logs deployments/<release-name>-imagescan-engine

Note - In the above examples, the default values for namespace and release-name are checkpoint and asset-mgmt, respectively.

Image Scan Status

The Scan Status of an image is shown on the Images page (Workload Protection > Container Assets > Images) and on the image details page.

See the table below for all statuses.

Scan Status	Description	Corrective Action
Scanned	The image is successfully scanned.
Pending Scan	The image awaits to be scheduled for a scan. Applicable to Fargate images: No matching image scans are found for the Fargate image.
Partial	Scan results are partial; the image will be scheduled for rescanning.
Unsupported OS	The image operating system is not supported (for example, Windows is not supported).
Unmatched	Applicable for ECS Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. images: No matching image scans were found for the ECS task image.
Not an image	An artifact found in the registry is not an image (for example, Helm chart).
Network Error	Unable to create a connection to scanning services, possibly because of a firewall or a proxy.	Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers.
Unauthorized	Failed on one of these: Failed to authenticate with CloudGuard. Failed to authenticate with the container registry (for example, because of expired credentials). Failed to verify CloudGuard certificate, possibly because of the firewall/proxy.	Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. If the image is from a container registry environment, follow the procedure for Error 2 of Error Messages in Agent Status.
Insufficient resources	The image is too large to be scanned. or No space left on your host machine.	The maximum allowed image size is 20 GB. If you need to scan larger images, contact Check Point Support Center. If the image size is less than 20 GB, examine the space left on your cluster machine.
Timeout	Timeout on pulling the image to be scanned.	Examine your network connectivity on the cluster and try to increase the image pull timeouts by setting the environment variables. See the Central Agent Environment Variables section in Image Assurance Troubleshooting.
Internal Error	An unknown error has occurred. The image will be rescheduled for a scan.	Review the imagescan-engine logs, identify the engine container reporting errors and the node running it. Examine the container metrics. If it reaches memory limits, increase the limits. If the node’s memory utilization is high, increase the number of memory requests of the container. Examine the free disk space of the node. For ECS scanning environments, examine the ephemeral storage of the task (the default is 20 GB). If the problem continues, contact Check Point Support Center.

More Links

• Container Registry Scanning

• Image Assurance Troubleshooting

• Asset Details

• Images