Enhance Trivy configuration for Talos by adding nodeCollector settings with emptyDir for systemd paths to address read-only file system issues. Updated volume mounts and volumes for improved compliance and functionality.
@@ -1,4 +1,5 @@
# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# **Talos:** **nodeCollector** uses **emptyDir** for systemd paths (see **nodeCollector** below); default host mounts fail on RO **/etc**.
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
#
#
# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
@@ -28,6 +29,59 @@ trivyOperator:
scanJobTolerations:
scanJobTolerations:
- operator: Exists
- operator: Exists
# Talos: default node-collector **hostPath** mounts for **/etc/systemd** and **/lib/systemd** hit a read-only
# rootfs → `failed to mkdir "/etc/systemd": read-only file system`. Use **emptyDir** for those two paths only
# (cluster compliance / node checks see no host unit files there — expected on Talos). See trivy-operator#1326.
nodeCollector:
tolerations:
- operator: Exists
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
- name: var-lib-kube-scheduler
mountPath: /var/lib/kube-scheduler
readOnly: true
- name: var-lib-kube-controller-manager
mountPath: /var/lib/kube-controller-manager
readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
- name: lib-systemd
mountPath: /lib/systemd/
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: etc-cni-netd
mountPath: /etc/cni/net.d/
readOnly: true
volumes:
- name: var-lib-etcd
hostPath:
path: /var/lib/etcd
- name: var-lib-kubelet
hostPath:
path: /var/lib/kubelet
- name: var-lib-kube-scheduler
hostPath:
path: /var/lib/kube-scheduler
- name: var-lib-kube-controller-manager
hostPath:
path: /var/lib/kube-controller-manager
- name: etc-systemd
emptyDir: {}
- name: lib-systemd
emptyDir: {}
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes
- name: etc-cni-netd
hostPath:
path: /etc/cni/net.d/
serviceMonitor:
serviceMonitor:
enabled: true
enabled: true
namespace: monitoring
namespace: monitoring
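Review bot: The new `nodeCollector.tolerations` entry (`- operator: Exists`, just below the `nodeCollector:` key) carries no `key` or `effect`, so the collector pods tolerate every taint, including the `node.kubernetes.io/not-ready` and `node.kubernetes.io/unreachable` `NoExecute` taints, and will therefore not be evicted from nodes the controller has marked unhealthy. If the intent is only to reach the tainted control-plane nodes, the narrower form is `- key: node-role.kubernetes.io/control-plane`, `operator: Exists`, `effect: NoSchedule`; the pre-existing `scanJobTolerations` has the same shape and would benefit from the same tightening. Separately, overriding `volumeMounts` and `volumes` in full pins the chart's default host-mount list, so a later chart version that adds or drops a path will silently not apply here — a comment such as `# Full override of the chart defaults; re-sync with the chart's nodeCollector.volumes on upgrade` above `volumeMounts:` would make that maintenance obligation explicit. The read-only hostPath for `/var/lib/etcd` also gives the collector access to the raw etcd data directory; this mirrors the upstream default, but it is worth keeping in view when reviewing the collector's RBAC and image pinning. The enclosing `trivyOperator:` mapping starts before this hunk.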