Add Trivy integration to noble cluster setup, including namespace and application configurations. Update README and playbook tags to reflect new security scanning capabilities. Enhance Longhorn and kube-prometheus-stack deployment reliability with increased timeout settings and retry mechanisms.
This commit is contained in:
Nikholas Pcenicni
10
clusters/noble/bootstrap/trivy/namespace.yaml
Normal file
10
clusters/noble/bootstrap/trivy/namespace.yaml
Normal file
@@ -0,0 +1,10 @@
|
||||
# Trivy Operator — apply before Helm (Ansible **noble_trivy**).
|
||||
# Scan jobs may use elevated capabilities; align with other operator namespaces.
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: trivy-system
|
||||
labels:
|
||||
pod-security.kubernetes.io/enforce: privileged
|
||||
pod-security.kubernetes.io/audit: privileged
|
||||
pod-security.kubernetes.io/warn: privileged
|
||||
28
clusters/noble/bootstrap/trivy/values.yaml
Normal file
28
clusters/noble/bootstrap/trivy/values.yaml
Normal file
@@ -0,0 +1,28 @@
|
||||
# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
|
||||
#
|
||||
# helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
|
||||
# kubectl apply -f clusters/noble/bootstrap/trivy/namespace.yaml
|
||||
# helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system \
|
||||
# --version 0.32.1 -f clusters/noble/bootstrap/trivy/values.yaml --wait --timeout 15m
|
||||
#
|
||||
# Inspect: kubectl get vulnerabilityreports,configauditreports -A
|
||||
# Docs: https://aquasecurity.github.io/trivy-operator/
|
||||
|
||||
# Skip platform/system namespaces (mirrors Kyverno excludes; reduces scan load).
|
||||
excludeNamespaces: "argocd,cert-manager,headlamp,kyverno,local-path-storage,logging,longhorn-system,loki,metallb-system,monitoring,newt,traefik,trivy-system,velero,kube-node-lease,kube-public,kube-system"
|
||||
|
||||
operator:
|
||||
scanJobsConcurrentLimit: 5
|
||||
# SBOM / cluster compliance add CPU and CR volume; keep vulnerability + config audit.
|
||||
sbomGenerationEnabled: false
|
||||
clusterSbomCacheEnabled: false
|
||||
clusterComplianceEnabled: false
|
||||
|
||||
trivyOperator:
|
||||
# Run scan Jobs on every node (Talos / mixed taints).
|
||||
scanJobTolerations:
|
||||
- operator: Exists
|
||||
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: monitoring
|
||||
Reference in New Issue
Block a user