From c3bdda1dd72d8f3ae8fcb4051e6c36e50af9990b Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Thu, 14 May 2026 19:26:58 -0400
Subject: [PATCH] Enhance Trivy configuration for Talos by adding nodeCollector settings with emptyDir for systemd paths to address read-only file system issues. Updated volume mounts and volumes for improved compliance and functionality.

---
 clusters/noble/apps/trivy/values.yaml | 54 +++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/clusters/noble/apps/trivy/values.yaml b/clusters/noble/apps/trivy/values.yaml
index 312c43e..32c4a32 100644
--- a/clusters/noble/apps/trivy/values.yaml
+++ b/clusters/noble/apps/trivy/values.yaml
@@ -1,4 +1,5 @@
 # Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
+# **Talos:** **nodeCollector** uses **emptyDir** for systemd paths (see **nodeCollector** below); default host mounts fail on RO **/etc**.
 # Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
 #
 # Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
@@ -28,6 +29,59 @@ trivyOperator:
   scanJobTolerations:
     - operator: Exists
+# Talos: default node-collector **hostPath** mounts for **/etc/systemd** and **/lib/systemd** hit a read-only
+# rootfs → `failed to mkdir "/etc/systemd": read-only file system`. Use **emptyDir** for those two paths only
+# (cluster compliance / node checks see no host unit files there — expected on Talos). See trivy-operator#1326.
+nodeCollector:
+  tolerations:
+    - operator: Exists
+  volumeMounts:
+    - name: var-lib-etcd
+      mountPath: /var/lib/etcd
+      readOnly: true
+    - name: var-lib-kubelet
+      mountPath: /var/lib/kubelet
+      readOnly: true
+    - name: var-lib-kube-scheduler
+      mountPath: /var/lib/kube-scheduler
+      readOnly: true
+    - name: var-lib-kube-controller-manager
+      mountPath: /var/lib/kube-controller-manager
+      readOnly: true
+    - name: etc-systemd
+      mountPath: /etc/systemd
+    - name: lib-systemd
+      mountPath: /lib/systemd/
+    - name: etc-kubernetes
+      mountPath: /etc/kubernetes
+      readOnly: true
+    - name: etc-cni-netd
+      mountPath: /etc/cni/net.d/
+      readOnly: true
+  volumes:
+    - name: var-lib-etcd
+      hostPath:
+        path: /var/lib/etcd
+    - name: var-lib-kubelet
+      hostPath:
+        path: /var/lib/kubelet
+    - name: var-lib-kube-scheduler
+      hostPath:
+        path: /var/lib/kube-scheduler
+    - name: var-lib-kube-controller-manager
+      hostPath:
+        path: /var/lib/kube-controller-manager
+    - name: etc-systemd
+      emptyDir: {}
+    - name: lib-systemd
+      emptyDir: {}
+    - name: etc-kubernetes
+      hostPath:
+        path: /etc/kubernetes
+    - name: etc-cni-netd
+      hostPath:
+        path: /etc/cni/net.d/
 serviceMonitor:
   enabled: true
   namespace: monitoring
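Review bot: The six hostPath entries in the new `volumes` and `volumeMounts` lists appear to be copies of the chart's node-collector defaults, and because Helm replaces list values instead of merging them, this file now owns those lists outright — a chart upgrade that changes the default mounts will not be picked up, and the `readOnly: true` on each hostPath mount is maintained only here. As `/var/lib/kubelet`, `/var/lib/etcd` and `/etc/kubernetes` hold node credentials and etcd data, that flag is the only thing keeping the collector from writing to them, so I would state it next to `volumeMounts:`: `# Replaces the chart default list — keep readOnly: true on every hostPath mount; only the two emptyDir mounts (etc-systemd, lib-systemd) are intentionally writable.` The header comment above `nodeCollector:` says emptyDir is used "for those two paths only", which reads as if the remaining entries were untouched rather than re-declared — worth saying there too. Minor style point: `mountPath`/`path` values mix a trailing slash (`/lib/systemd/`, `/etc/cni/net.d/`) with none on the other paths; pick one form.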