Troubleshooting Cloud Security Management Vulnerabilities
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Overview
If you experience issues with Cloud Security Management (CSM) Vulnerabilities, use the following troubleshooting guidelines. If you need further assistance, contact Datadog support.
Error messages
Disk space requirements
Ensure your free disk space is equal to the size of your largest container image. This space is needed for the Datadog Agent to scan the container image for vulnerabilities (1 GB by default).
The resulting error appears as:
Error: failed to check current disk usage: not enough disk space to safely collect sbom, 192108482560 available, 1073741824000 required
Workaround:
- Increase the available disk space to at least 1 GB. If your images are larger than 1 GB, increase your disk space accordingly.
- If all of your images are smaller than 1 GB, you can decrease the default Agent request disk space with the environment variable:
DD_SBOM_CONTAINER_IMAGE_MIN_AVAILABLE_DISK
(default value 1GB).
Uncompressed container image layers
The SBOM scan only works with uncompressed container image layers. Certain Kubernetes distributions (such as AWS EKS, minikube, and kind), configure their container runtime to discard the uncompressed layers, causing the scan to fail.
The resulting error appears as:
ERROR | (pkg/workloadmeta/collectors/internal/containerd/image_sbom_trivy.go:80 in func2) | Failed to generate SBOM for containerd image: unable to marshal report to sbom format, err: analyze error: failed to analyze layer: : unable to get uncompressed layer
The workaround for this issue is to set the configuration option:
- For containerd: set
discard_unpacked_layers=false
in the containerd configuration file. - For Helm: set
datadog.sbom.containerImage.uncompressedLayersSupport: true
in your values.yaml
file. - For Datadog Operator: set
features.sbom.containerImage.uncompressedLayersSupport
to true
in your DatadogAgent CRD.
Disable CSM Vulnerabilities
In the datadog-values.yaml
file for the Agent, set the following configuration settings to false
:
# datadog-values.yaml file
datadog:
sbom:
containerImage:
enabled: false
# Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
# uncompressedLayersSupport: true
# Enables Host Vulnerability Management
host:
enabled: false
# Enables Container Vulnerability Management
# Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
containerImageCollection:
enabled: false
Further Reading
Documentation, liens et articles supplémentaires utiles: