Disable infra assessment in Trivy configuration for Talos to prevent node-collector job failures due to read-only file system issues. Updated comments for clarity and removed unnecessary volume mounts to align with Talos constraints.

clusters/noble/apps/trivy/values.yaml

@@ -1,5 +1,7 @@
 # Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
-# **Talos:** **nodeCollector** omits **/etc/systemd** and **/lib/systemd** mounts (RO **/etc** in the image → mkdir fails for any mount there). See trivy-operator#1326.
+# **Talos:** **infra assessment** runs **node-collector** Jobs that expect traditional paths under **/etc** (systemd, kubernetes, CNI).
+# The image/runtime still hits **`mkdir /etc/systemd: read-only file system`** even without those volume mounts — a PVC for logs does not change that.
+# This repo disables **infra assessment** (no node-collector). Re-enable only if you accept reduced mounts below or upstream fixes Talos.
 # Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
 #
 # Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
@@ -23,55 +25,26 @@ operator:
   sbomGenerationEnabled: false
   clusterSbomCacheEnabled: false
   clusterComplianceEnabled: false
+  # Node-collector Jobs (hostPath under /etc, systemd) break on Talos RO layout; disable infra assessment entirely.
+  infraAssessmentScannerEnabled: false
 
 trivyOperator:
   # Run scan Jobs on every node (Talos / mixed taints).
   scanJobTolerations:
     - operator: Exists
 
-# Talos: exclude **etc-systemd** / **lib-systemd** mounts entirely — mounting under **/etc** still triggers
-# `mkdir /etc/systemd: read-only file system` (container **/etc** is RO). Upstream: override volumes/mounts (#1326).
+# If you set **infraAssessmentScannerEnabled: true** on Talos, keep mounts off **/etc** (RO in the image). Kubelet is the main useful host path.
 nodeCollector:
   tolerations:
     - operator: Exists
   volumeMounts:
-    - name: var-lib-etcd
-      mountPath: /var/lib/etcd
-      readOnly: true
     - name: var-lib-kubelet
       mountPath: /var/lib/kubelet
       readOnly: true
-    - name: var-lib-kube-scheduler
-      mountPath: /var/lib/kube-scheduler
-      readOnly: true
-    - name: var-lib-kube-controller-manager
-      mountPath: /var/lib/kube-controller-manager
-      readOnly: true
-    - name: etc-kubernetes
-      mountPath: /etc/kubernetes
-      readOnly: true
-    - name: etc-cni-netd
-      mountPath: /etc/cni/net.d/
-      readOnly: true
   volumes:
-    - name: var-lib-etcd
-      hostPath:
-        path: /var/lib/etcd
     - name: var-lib-kubelet
       hostPath:
         path: /var/lib/kubelet
-    - name: var-lib-kube-scheduler
-      hostPath:
-        path: /var/lib/kube-scheduler
-    - name: var-lib-kube-controller-manager
-      hostPath:
-        path: /var/lib/kube-controller-manager
-    - name: etc-kubernetes
-      hostPath:
-        path: /etc/kubernetes
-    - name: etc-cni-netd
-      hostPath:
-        path: /etc/cni/net.d/
 
 serviceMonitor:
   enabled: true