trivy-operator 2.5: Patch release for Admisssion controller

October 15, 2022

Page content

Today I am happy to announce the release of trivy-operator 2.5. This blog post focuses on the functionality provided by the trivy-operator 2.5 release.

What is trivy-operator?

Trivy-operator is a Kubernetes Operator based on the open-source container vulnerability scanner Trivy. The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster. Built with Kubernetes Operator Pythonic Framework (Kopf) There are a few solution for checking the images when you deploy them to the Kubernetes cluster, but fighting against vulnerabilities is a day to day task. Check once is not enough when every day is a new das for frats. That is why I created trivy-operator so you can create scheduled image scans on your running pods.

What is new?

With the release of trivy-operator 2.5 ther is the fallowin new features:

air-gap install
Kubernetes CIS Benchmark with kube-bench-scnner
defectdojo integration
use insecure registry
add new dashboard

Air-Gapped Install

To run trivy-operator in an air-gapped environment you need to provide the security database for trivy. You can do that by uploading tha database to an OCI compatible registry.

oras pull ghcr.io/aquasecurity/trivy-db:2

oras push docker.mydomain.intra/trivy-db:2 \
db.tar.gz:application/vnd.aquasec.trivy.db.layer.v1.tar+gzip

curl -X GET https://docker.mydomain.intra/v2/_catalog
{"repositories":["nginx","trivy-db"]}

curl -X GET https://docker.mydomain.intra/v2/trivy-db/tags/list
{"name":"trivy-db","tags":["2"]}

In the helm chart you need to specify the url of your OCI registry with the db_repository option.

# Don't try to download trivy db, run in air-gapped env:
offline:
  enabled: true
  db_repository: docker.mydomain.intra/trivy-db

Kubernetes CIS Benchmark

CIS Benchmark best practices are an important first step to securing Kubernetes in production by hardening Kubernetes environments. Trivy-operator use kube-bench to scan the kubernetes cluster and create CIS Benchmark reports. To enable the CIS Benchmark scanning function you need to create a ClusterScanner.

The following example object is configured to:

run the vulnerability scan every hour (crontab: '00 * * * *')
use the cis-1.23 scan profile
enable integration to defectdojo

apiVersion: trivy-operator.devopstales.io/v1
kind: ClusterScanner
metadata:
  name: main-config
spec:
  crontab: "00 * * * *"
  scanProfileName: "cis-1.23"
  integrations:
    defectdojo:
      host: "http://defectdojo.rancher-desktop.intra"
      api_key: "3880d84590915e5c96cec075444f22285ff3659c"
      k8s-cluster-name: "eks-prod"

The following list show the ClusterScanner objects listed by the kubectl cli:

kubectl get cs-scan
NAME          CLUSTERSCANPROFILE   CRONTAB
main-config   cis-1.23             00 * * * *

Enable DefectDojo integration for trivy-operator

To enable the DefectDojo integration for trivy-operator you need to enable it in the NamespaceScanner object:

  integrations:
    policyreport: True
    defectdojo:
      host: "https://defectdojo.mydomain.intra"
      api_key: "xyz456ucdssd67sd67dsg"

Usage

To ease deployment I created a helm chart for trivy-operator.

helm repo add devopstales https://devopstales.github.io/helm-charts
helm repo update

Create a value file for deploy:

cat <<'EOF'> values.yaml
image:
  repository: devopstales/trivy-operator
  pullPolicy: Always
  tag: "2.3"

imagePullSecrets: []
podSecurityContext:
  fsGroup: 10001
  fsGroupChangePolicy: "OnRootMismatch"

serviceAccount:
  create: true
  annotations: {}
  name: "trivy-operator"

monitoring:
  port: "9115"

serviceMonitor:
  enabled: false
  namespace: "kube-system"

storage:
  enabled: true
  size: 1Gi

NamespaceScanner:
  crontab: "*/5 * * * *"
  namespaceSelector: "trivy-scan"

registryAuth:
  enabled: false
  registry:
  - name: docker.io
    user: "user"
    password: "password"

githubToken:
  enabled: false
  token: ""
EOF

When the trivy in the container want to scan an image first download the vulnerability database from github. If you test many images you need a githubToken overcome the github rate limit and dockerhub username and password for overcome the dockerhub rate limit. If your store you images in a private repository you need to add an username and password for authentication.

The following tables lists configurable parameters of the trivy-operator chart and their default values.

Values

Key	Type	Default	Description
TimeZone	string	`"UTC"`	Time Zone in container
admissionController.enabled	bool	`false`	enable adission controller
affinity	object	`{}`	Set the affinity for the pod.
cache.enabled	bool	`false`	enable redis cache
clusterScanner.crontab	string	`"/1 * * *"`	crontab for scheduled scan
clusterScanner.enabled	bool	`false`	enable clusterScanner cr creation
clusterScanner.integrations	object	`{}`	configure defectdojo integration
clusterScanner.scanProfileName	string	`"cis-1.23"`	kube-hunter scan profile
githubToken.enabled	bool	`false`	enable github authentiation token
githubToken.token	string	`""`	github authentiation token value
grafana.dashboards.enabled	bool	`true`	Enable the deployment of grafana dashboards
grafana.dashboards.label	string	`"grafana_dashboard"`	Label to find dashboards using the k8s sidecar
grafana.dashboards.value	string	`"1"`	Label value to find dashboards using the k8s sidecar
grafana.folder.annotation	string	`"grafana_folder"`	Annotation to enable folder storage using the k8s sidecar
grafana.folder.name	string	`"Policy Reporter"`	Grafana folder in which to store the dashboards
grafana.namespace	string	`nil`	namespace for configMap of grafana dashboards
image.pullPolicy	string	`"Always"`	The docker image pull policy
image.repository	string	`"devopstales/trivy-operator"`	The docker image repository to use
image.tag	string	`"2.5.0"`	The docker image tag to use
imagePullSecrets	list	`[]`	list of secrets to use for imae pull
kube_bench_scnner.image.pullPolicy	string	`"Always"`	The docker image pull policy
kube_bench_scnner.image.repository	string	`"devopstales/kube-bench-scnner"`	The docker image repository to use
kube_bench_scnner.image.tag	string	`"2.5"`	The docker image tag to use
log_level	string	`"INFO"`	Log level
monitoring.port	string	`"9115"`	configure prometheus monitoring port
namespaceScanner.clusterWide	bool	`false`
namespaceScanner.crontab	string	`"/5 * * *"`
namespaceScanner.integrations.policyreport	bool	`false`
namespaceScanner.namespaceSelector	string	`"trivy-scan"`
nodeSelector	object	`{}`	Set the node selector for the pod.
offline.db_repository	string	`"localhost:5000/trivy-db"`	repository to use for download trivy vuln db
offline.db_repository_insecure	bool	`false`	insecure repository
offline.enabled	bool	`false`	enable air-gapped mode
persistence.accessMode	string	`"ReadWriteOnce"`	Volumes mode
persistence.annotations	object	`{}`	Volumes annotations
persistence.enabled	bool	`true`	Volumes for the pod
persistence.size	string	`"1Gi"`	Volumes size
podSecurityContext	object	`{"fsGroup":10001,"fsGroupChangePolicy":"OnRootMismatch"}`	security options for the pod
registryAuth.enabled	bool	`false`	enable registry authentication
registryAuth.image_pull_secrets	list	`["regcred"]`	list of image pull secrets for authentication
serviceAccount.annotations	object	`{}`	serviceAccount annotations
serviceAccount.create	bool	`true`	Enable serviceAccount creation
serviceAccount.name	string	`"trivy-operator"`	Name of the serviceAccount
serviceMonitor.enabled	bool	`false`	allow to override the namespace for serviceMonitor
serviceMonitor.labels.release	string	`"prometheus"`	labels to match the serviceMonitorSelector of the Prometheus Resource
serviceMonitor.metricRelabelings	list	`[]`	metricRelabeling config for serviceMonitor
serviceMonitor.namespace	object	`{}`	Name of the namespace for serviceMonitor
serviceMonitor.relabelings	list	`[]`	relabel config for serviceMonitor
tolerations	list	`[]`	Set the tolerations for the pod.

kubectl create ns trivy-operator
kubens trivy-operator
helm upgrade --install trivy devopstales/trivy-operator -f values.yaml