Disable infra assessment in the Trivy configuration for Talos to prevent node-collector Job failures caused by the read-only file system. Update the comments for clarity and remove the volume mounts that are unnecessary under Talos constraints.

This commit is contained in:
Nikholas Pcenicni
2026-05-14 19:33:36 -04:00
parent b994e2d6d0
commit b90ee2d531


@@ -1,5 +1,7 @@
# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart). # Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# **Talos:** **nodeCollector** omits **/etc/systemd** and **/lib/systemd** mounts (RO **/etc** in the image → mkdir fails for any mount there). See trivy-operator#1326. # **Talos:** **infra assessment** runs **node-collector** Jobs that expect traditional paths under **/etc** (systemd, kubernetes, CNI).
# The image/runtime still hits **`mkdir /etc/systemd: read-only file system`** even without those volume mounts — a PVC for logs does not change that.
# This repo disables **infra assessment** (no node-collector). Re-enable only if you accept reduced mounts below or upstream fixes Talos.
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`). # Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
# #
# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard** # Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
@@ -23,55 +25,26 @@ operator:
sbomGenerationEnabled: false sbomGenerationEnabled: false
clusterSbomCacheEnabled: false clusterSbomCacheEnabled: false
clusterComplianceEnabled: false clusterComplianceEnabled: false
# Node-collector Jobs (hostPath under /etc, systemd) break on Talos RO layout; disable infra assessment entirely.
infraAssessmentScannerEnabled: false
trivyOperator: trivyOperator:
# Run scan Jobs on every node (Talos / mixed taints). # Run scan Jobs on every node (Talos / mixed taints).
scanJobTolerations: scanJobTolerations:
- operator: Exists - operator: Exists
# Talos: exclude **etc-systemd** / **lib-systemd** mounts entirely — mounting under **/etc** still triggers # If you set **infraAssessmentScannerEnabled: true** on Talos, keep mounts off **/etc** (RO in the image). Kubelet is the main useful host path.
# `mkdir /etc/systemd: read-only file system` (container **/etc** is RO). Upstream: override volumes/mounts (#1326).
nodeCollector: nodeCollector:
tolerations: tolerations:
- operator: Exists - operator: Exists
volumeMounts: volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
- name: var-lib-kubelet - name: var-lib-kubelet
mountPath: /var/lib/kubelet mountPath: /var/lib/kubelet
readOnly: true readOnly: true
- name: var-lib-kube-scheduler
mountPath: /var/lib/kube-scheduler
readOnly: true
- name: var-lib-kube-controller-manager
mountPath: /var/lib/kube-controller-manager
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: etc-cni-netd
mountPath: /etc/cni/net.d/
readOnly: true
volumes: volumes:
- name: var-lib-etcd
hostPath:
path: /var/lib/etcd
- name: var-lib-kubelet - name: var-lib-kubelet
hostPath: hostPath:
path: /var/lib/kubelet path: /var/lib/kubelet
- name: var-lib-kube-scheduler
hostPath:
path: /var/lib/kube-scheduler
- name: var-lib-kube-controller-manager
hostPath:
path: /var/lib/kube-controller-manager
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes
- name: etc-cni-netd
hostPath:
path: /etc/cni/net.d/
serviceMonitor: serviceMonitor:
enabled: true enabled: true