Refine the Trivy configuration for Talos by removing the systemd mounts from nodeCollector to prevent read-only file system errors. Update the comments for clarity and align them with upstream changes regarding volume management.

This commit is contained in:
Nikholas Pcenicni
2026-05-14 19:29:34 -04:00
parent c3bdda1dd7
commit b994e2d6d0


@@ -1,5 +1,5 @@
# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart). # Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# **Talos:** **nodeCollector** uses **emptyDir** for systemd paths (see **nodeCollector** below); default host mounts fail on RO **/etc**. # **Talos:** **nodeCollector** omits **/etc/systemd** and **/lib/systemd** mounts (RO **/etc** in the image → mkdir fails for any mount there). See trivy-operator#1326.
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`). # Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
# #
# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard** # Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
@@ -29,9 +29,8 @@ trivyOperator:
scanJobTolerations: scanJobTolerations:
- operator: Exists - operator: Exists
# Talos: default node-collector **hostPath** mounts for **/etc/systemd** and **/lib/systemd** hit a read-only # Talos: exclude **etc-systemd** / **lib-systemd** mounts entirely — mounting under **/etc** still triggers
# rootfs → `failed to mkdir "/etc/systemd": read-only file system`. Use **emptyDir** for those two paths only # `mkdir /etc/systemd: read-only file system` (container **/etc** is RO). Upstream: override volumes/mounts (#1326).
# (cluster compliance / node checks see no host unit files there — expected on Talos). See trivy-operator#1326.
nodeCollector: nodeCollector:
tolerations: tolerations:
- operator: Exists - operator: Exists
@@ -48,10 +47,6 @@ nodeCollector:
- name: var-lib-kube-controller-manager - name: var-lib-kube-controller-manager
mountPath: /var/lib/kube-controller-manager mountPath: /var/lib/kube-controller-manager
readOnly: true readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
- name: lib-systemd
mountPath: /lib/systemd/
- name: etc-kubernetes - name: etc-kubernetes
mountPath: /etc/kubernetes mountPath: /etc/kubernetes
readOnly: true readOnly: true
@@ -71,10 +66,6 @@ nodeCollector:
- name: var-lib-kube-controller-manager - name: var-lib-kube-controller-manager
hostPath: hostPath:
path: /var/lib/kube-controller-manager path: /var/lib/kube-controller-manager
- name: etc-systemd
emptyDir: {}
- name: lib-systemd
emptyDir: {}
- name: etc-kubernetes - name: etc-kubernetes
hostPath: hostPath:
path: /etc/kubernetes path: /etc/kubernetes
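Review bot: The rewritten comment above `nodeCollector:` (second hunk) drops the one operational consequence the old text stated — that with no systemd mounts the node-collector's cluster-compliance / node checks find no host unit files on Talos — so a reader of the new comment sees only the mkdir error, not what the resulting report will look like. Because the volumeMounts and volumes lists in the third and fourth hunks now omit those two paths entirely, checks that read under /etc/systemd or /lib/systemd will presumably come back empty or not-applicable, and that should be written next to the override so nobody later "fixes" a missing kubelet-unit finding by re-adding a hostPath mount. Suggested third comment line after the `Upstream:` line: `# Compliance/node checks that read /etc/systemd or /lib/systemd see no host unit files here — expected on Talos, not a gap to fix.` The second hunk's old-side count (9 lines) does not match the eight lines rendered here, so one line of that hunk may be missing from this view; the nodeCollector mapping itself continues outside every hunk shown.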