# Trivy Operator — in-cluster image vulnerability + config reports (Aqua trivy-operator Helm chart).
# **Talos:** **nodeCollector** uses **emptyDir** for systemd paths (see **nodeCollector** below); default host mounts fail on RO **/etc**.
# Deploy via Argo CD: **noble-trivy-operator** (`clusters/noble/bootstrap/argocd/app-of-apps/trivy-operator-application.yaml`).
#
# Web UI (separate chart; OAuth via Traefik ForwardAuth → oauth2-proxy / Authentik): sync **noble-trivy-dashboard**
# after the operator — values in **dashboard-values.yaml** (host **trivy.apps.noble.lab.pcenicni.dev**).
#
# Manual Helm (if not using Argo):
# helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm repo update
# kubectl apply -f clusters/noble/apps/trivy/namespace.yaml
# helm upgrade --install trivy-operator aqua/trivy-operator -n trivy-system \
# --version 0.32.1 -f clusters/noble/apps/trivy/values.yaml --wait --timeout 15m
#
# Inspect: kubectl get vulnerabilityreports,configauditreports -A
# Docs: https://aquasecurity.github.io/trivy-operator/

# Skip platform/system namespaces (mirrors Kyverno excludes; reduces scan load).
# Comma-separated, no spaces: the operator consumes this as one string, so do not
# fold it into a block scalar. Workloads in these namespaces get no reports at all —
# treat the list as a deliberate coverage gap and review it before extending it.
excludeNamespaces: 'argocd,cert-manager,headlamp,kyverno,local-path-storage,logging,longhorn-system,loki,metallb-system,monitoring,newt,traefik,trivy-system,velero,kube-node-lease,kube-public,kube-system'

operator:
  # Upper bound on scan Jobs running at the same time.
  scanJobsConcurrentLimit: 5
  # SBOM / cluster compliance add CPU and CR volume; keep vulnerability + config audit.
  # NOTE(review): disabling these features means no SBOM or compliance reports — confirm
  # that is acceptable for this cluster's audit requirements.
  sbomGenerationEnabled: false
  clusterSbomCacheEnabled: false
  clusterComplianceEnabled: false

trivyOperator:
  # Run scan Jobs on every node (Talos / mixed taints). A keyless `Exists`
  # toleration matches every taint, control-plane included.
  scanJobTolerations:
    - operator: 'Exists'

# Talos: default node-collector **hostPath** mounts for **/etc/systemd** and **/lib/systemd** hit a read-only
# rootfs → `failed to mkdir "/etc/systemd": read-only file system`. Use **emptyDir** for those two paths only
# (cluster compliance / node checks see no host unit files there — expected on Talos). See trivy-operator#1326.
#
# Every remaining host directory is mounted `readOnly: true`; only the two emptyDir
# scratch volumes are writable. Keep it that way — the collector needs read access to
# the kubelet / control-plane state, never write access to the node.
nodeCollector:
  tolerations:
    - operator: 'Exists'

  # Read-only host state the collector inspects, plus two writable emptyDir stand-ins.
  volumeMounts:
    - name: 'var-lib-etcd'
      mountPath: '/var/lib/etcd'
      readOnly: true
    - name: 'var-lib-kubelet'
      mountPath: '/var/lib/kubelet'
      readOnly: true
    - name: 'var-lib-kube-scheduler'
      mountPath: '/var/lib/kube-scheduler'
      readOnly: true
    - name: 'var-lib-kube-controller-manager'
      mountPath: '/var/lib/kube-controller-manager'
      readOnly: true
    # emptyDir-backed (see volumes) — intentionally writable, nothing from the host.
    - name: 'etc-systemd'
      mountPath: '/etc/systemd'
    - name: 'lib-systemd'
      mountPath: '/lib/systemd/'
    - name: 'etc-kubernetes'
      mountPath: '/etc/kubernetes'
      readOnly: true
    - name: 'etc-cni-netd'
      mountPath: '/etc/cni/net.d/'
      readOnly: true

  # One volume per mount above; names must stay in sync with volumeMounts.
  volumes:
    - name: 'var-lib-etcd'
      hostPath:
        path: '/var/lib/etcd'
    - name: 'var-lib-kubelet'
      hostPath:
        path: '/var/lib/kubelet'
    - name: 'var-lib-kube-scheduler'
      hostPath:
        path: '/var/lib/kube-scheduler'
    - name: 'var-lib-kube-controller-manager'
      hostPath:
        path: '/var/lib/kube-controller-manager'
    # Talos read-only rootfs workaround: scratch space instead of host systemd dirs.
    - name: 'etc-systemd'
      emptyDir: {}
    - name: 'lib-systemd'
      emptyDir: {}
    - name: 'etc-kubernetes'
      hostPath:
        path: '/etc/kubernetes'
    - name: 'etc-cni-netd'
      hostPath:
        path: '/etc/cni/net.d/'

# Prometheus Operator ServiceMonitor for the operator's metrics endpoint,
# created in the monitoring namespace rather than trivy-system.
serviceMonitor:
  enabled: true
  namespace: 'monitoring'