Errors Troubleshooting in ImageScan Agent
The environment page of Container Registries and Kubernetes clusters shows information about their agents' status.
Error Messages in Agent Status
The agent status can show these error messages:
1. Image scan fails. Last scan date is <date> with scan status code: <error>
   This error message appears when all image scans fail (no successful image scans).
   The handling of this error depends on the specific error that is shown in the agent status description. See Image Scan Status.
2. Unable to access the registry, last successful communication with the registry is at: <date>
   This error message appears if the ImageScan agent cannot get access to the registry.
   Do these steps:
   - Make sure that your cluster has outbound network connectivity. Make sure that no proxy/firewall blocks traffic.
   - If your authentication method requires you to create a secret, make sure that you created it on the cluster correctly.
     The command to create a secret:
         kubectl create secret docker-registry <secret_name> \
           --namespace <namespace> \
           --docker-server=<registry_uri> \
           --docker-username=<key> \
           --docker-password=<password>
     Make sure that:
     - the values in registry_uri and secret_name match the values in Registry URI and Pull Secret Name in the CloudGuard portal.
     - the namespace is the same as configured during the cluster onboarding (by default, checkpoint).
     Make sure that your key and password:
     - are defined for your registry
     - have the correct permissions to get access to the registry
     - are not expired
   - If your authentication method does not require a secret (GKE/AWS/Azure internal authentication):
     - Make sure that your cluster has the correct permissions to get access to the registry.
     - Make sure that you assigned the needed roles/permissions for the cluster to get access to your registry. Make sure to follow the steps related to the specific authentication method for your specific registry.
     - For more information, see the documentation of registries - Onboarding Container Registries.
   - If none of the steps worked for you, run these commands to examine the agent logs for errors:
         kubectl -n <namespace> logs deployments/<release-name>-imagescan-list
         kubectl -n <namespace> logs deployments/<release-name>-imagescan-engine
3. Failed to get image list from the registry, last image list is received at: <date>
   This error message appears when CloudGuard does not receive the list of registry images in the expected time.
   By default, the registry image list is sent every 12 hours. You can change this interval with the Scan period in hours option in Advanced Configurations on the registry Scanners page.
   To solve the issue, do the procedure in Step 2 above.
   Note - It can take five minutes at most after solving the problem to see the change in the agent status.
4. Agent is disconnected
   This error message appears when the agent has no successful connection with CloudGuard for more than one hour.
   Do these steps:
   - Make sure that your cluster has outbound network connectivity. Make sure that no proxy/firewall blocks traffic.
   - Make sure that your CloudGuard credentials on the cluster, API key and API secret, are correct.
     If you use Helm to install CloudGuard resources on your cluster, run this command to see the installation command arguments:
         helm -n <namespace> get values <release-name>
     Verify that credentials.user and credentials.secret are correct.
   - If none of the steps worked for you, run these commands to examine the agent logs for errors:
         kubectl -n <namespace> logs deployments/<release-name>-imagescan-list
         kubectl -n <namespace> logs deployments/<release-name>-imagescan-engine
Note - In the above examples, the default values for
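The pull-secret checks in the "Unable to access the registry" procedure above can be run against the secret as it is stored on the cluster. The following Python code is an added example, not Check Point code: it inspects the JSON printed by `kubectl -n <namespace> get secret <secret_name> -o json` and reports mismatches without printing the password. It assumes the secret was created with the `kubectl create secret docker-registry` command shown above; the function names and the sample values (registry.example.com, ci-reader, pull-secret) are constructed for illustration.

```python
import base64
import json

def check_pull_secret(secret, registry_uri, secret_name, namespace="checkpoint"):
    """Return a list of problems found in a `kubectl get secret -o json` document."""
    problems = []
    meta = secret.get("metadata", {})
    if meta.get("name") != secret_name:
        problems.append(f"secret name {meta.get('name')!r} != Pull Secret Name {secret_name!r}")
    if meta.get("namespace") != namespace:
        problems.append(f"secret is in namespace {meta.get('namespace')!r}, expected {namespace!r}")
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append(f"unexpected secret type {secret.get('type')!r}")
        return problems
    try:
        raw = base64.b64decode(secret["data"][".dockerconfigjson"], validate=True)
        auths = json.loads(raw)["auths"]
    except (KeyError, TypeError, ValueError) as exc:
        problems.append(f"cannot decode .dockerconfigjson: {exc}")
        return problems
    entry = auths.get(registry_uri)
    if entry is None:
        # Server names must match exactly (scheme, port and path included).
        problems.append(f"no entry for {registry_uri!r}; secret holds {sorted(auths)}")
        return problems
    user, password = entry.get("username", ""), entry.get("password", "")
    if not user or not password:
        problems.append("empty username or password")
    # kubectl stores base64("user:password") next to the clear fields.
    expected = base64.b64encode(f"{user}:{password}".encode()).decode()
    if entry.get("auth") != expected:
        problems.append("auth field does not match username:password")
    return problems

def build_sample_secret(server, user, password, name, namespace):
    """Constructed sample shaped like `kubectl get secret <name> -o json` output."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

if __name__ == "__main__":
    # Constructed case: secret created in the wrong namespace.
    sample = build_sample_secret("registry.example.com", "ci-reader", "placeholder",
                                 "pull-secret", "default")
    for problem in check_pull_secret(sample, "registry.example.com", "pull-secret"):
        print("PROBLEM:", problem)
```

Expiry and registry-side permissions cannot be read from the secret; those still have to be checked at the registry.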
Image Scan Status
The Scan Status of an image is shown on the Images page (Workload Protection > Container Assets > Images) and on the image details page.
See the table below for all statuses.
Scan Status | Description | Corrective Action |
---|---|---|
Scanned | The image is successfully scanned. | |
Pending Scan | Applicable to Fargate images: | |
Partial | Scan results are partial; the image will be scheduled for rescanning. | |
Unsupported OS | The image operating system is not supported (for example, Windows is not supported). | |
Unmatched | Applicable for ECS images: No matching image scans were found for the ECS task image. | |
Not an image | An artifact found in the registry is not an image (for example, a Helm chart). | |
Network Error | Unable to create a connection to scanning services, possibly because of a firewall or a proxy. | Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. |
Unauthorized | Failed on one of these: | Verify your firewall/proxy configuration to make sure it does not block access to the required CloudGuard URLs. See the Connectivity Requirements section in Kubernetes Containers. If the image is from a container registry environment, follow the procedure for Error 2 of Error Messages in Agent Status. |
Insufficient resources | | The maximum allowed image size is 20 GB. If you need to scan larger images, contact Check Point Support Center. If the image size is less than 20 GB, examine the space left on your cluster machine. |
Timeout | Timeout on pulling the image to be scanned. | Examine your network connectivity on the cluster and try to increase the image pull timeouts by setting the environment variables. See the Central Agent Environment Variables section in Image Assurance Troubleshooting. |
Internal Error | An unknown error has occurred. The image will be rescheduled for a scan. | If the problem continues, contact Check Point Support Center. |