gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b90ee2d531e895d46739d6f8cd176e54632da7ab
home-server/clusters/noble/apps/trivy/values.yaml

52 lines
2.5 KiB
YAML
Raw Blame History

# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# **Talos:** **infra assessment** runs **node-collector** Jobs that expect traditional paths under **/etc** (systemd, kubernetes, CNI).
# The image/runtime still hits **`mkdir /etc/systemd: read-only file system`** even without those volume mounts — a PVC for logs does not change that.
# This repo disables **infra assessment** (no node-collector). Re-enable only if you accept reduced mounts below or upstream fixes Talos.
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
#
# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
# after the operator — values in **dashboard-values.yaml** (host **trivy.apps.noble.lab.pcenicni.dev**).
#
# Manual Helm (if not using Argo):
# helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
# kubectl apply -f clusters/noble/apps/trivy/namespace.yaml
# helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system \
# --version 0.32.1 -f clusters/noble/apps/trivy/values.yaml --wait --timeout 15m
#
# Inspect: kubectl get vulnerabilityreports,configauditreports -A
# Docs: https://aquasecurity.github.io/trivy-operator/
# Skip platform/system namespaces (mirrors Kyverno excludes; reduces scan load).
excludeNamespaces: "argocd,cert-manager,headlamp,kyverno,local-path-storage,logging,longhorn-system,loki,metallb-system,monitoring,newt,traefik,trivy-system,velero,kube-node-lease,kube-public,kube-system"
operator:
scanJobsConcurrentLimit: 5
# SBOM / cluster compliance add CPU and CR volume; keep vulnerability + config audit.
sbomGenerationEnabled: false
clusterSbomCacheEnabled: false
clusterComplianceEnabled: false
# Node-collector Jobs (hostPath under /etc, systemd) break on Talos RO layout; disable infra assessment entirely.
infraAssessmentScannerEnabled: false
trivyOperator:
# Run scan Jobs on every node (Talos / mixed taints).
scanJobTolerations:
- operator: Exists
# If you set **infraAssessmentScannerEnabled: true** on Talos, keep mounts off **/etc** (RO in the image). Kubelet is the main useful host path.
nodeCollector:
tolerations:
- operator: Exists
volumeMounts:
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
volumes:
- name: var-lib-kubelet
hostPath:
path: /var/lib/kubelet
serviceMonitor:
enabled: true
namespace: monitoring
Reference in New Issue View Git Blame Copy Permalink