├── .Mend ├── .github ├── ISSUE_TEMPLATE │ ├── FEATURE_REQUEST.md │ └── bug_report.md └── workflows │ ├── publish-docs.yaml │ ├── release.yaml │ └── snyk-security.yml ├── .gitignore ├── .whitesource ├── LICENSE ├── Makefile ├── OLM ├── community-operators-prod │ └── community-trivy-operator │ │ ├── 2.1.1 │ │ ├── manifests │ │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ │ ├── trivy-operator.service.yaml │ │ │ └── trivy-operator.v2.1.1.clusterserviceversion.yaml │ │ └── metadata │ │ │ └── annotations.yaml │ │ ├── 2.2.0 │ │ ├── manifests │ │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ │ ├── trivy-operator.service.yaml │ │ │ └── trivy-operator.v2.2.0.clusterserviceversion.yaml │ │ └── metadata │ │ │ └── annotations.yaml │ │ ├── 2.3.0 │ │ ├── manifests │ │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ │ ├── trivy-operator.service.yaml │ │ │ └── trivy-operator.v2.3.0.clusterserviceversion.yaml │ │ └── metadata │ │ │ └── annotations.yaml │ │ ├── 2.4.0 │ │ ├── manifests │ │ │ ├── VulnerabilityReport.yaml │ │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ │ ├── trivy-operator.service.yaml │ │ │ └── trivy-operator.v2.4.0.clusterserviceversion.yaml │ │ └── metadata │ │ │ └── annotations.yaml │ │ ├── 2.5.0 │ │ ├── manifests │ │ │ ├── ClusterScanner.yaml │ │ │ ├── NamespaceScanner.yaml │ │ │ ├── VulnerabilityReport.yaml │ │ │ ├── trivy-operator.service.yaml │ │ │ └── trivy-operator.v2.5.0.clusterserviceversion.yaml │ │ └── metadata │ │ │ └── annotations.yaml │ │ └── ci.yaml └── community-operators │ └── community-trivy-operator │ ├── 2.1.0 │ ├── manifests │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ └── trivy-operator.v2.1.0.clusterserviceversion.yaml │ └── metadata │ │ └── annotations.yaml │ ├── 2.1.1 │ ├── manifests │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ ├── trivy-operator.service.yaml │ │ └── 
trivy-operator.v2.1.1.clusterserviceversion.yaml │ └── metadata │ │ └── annotations.yaml │ ├── 2.2.0 │ ├── manifests │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ ├── trivy-operator.service.yaml │ │ └── trivy-operator.v2.2.0.clusterserviceversion.yaml │ └── metadata │ │ └── annotations.yaml │ ├── 2.3.0 │ ├── manifests │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ ├── trivy-operator.service.yaml │ │ └── trivy-operator.v2.3.0.clusterserviceversion.yaml │ └── metadata │ │ └── annotations.yaml │ ├── 2.4.0 │ ├── manifests │ │ ├── VulnerabilityReport.yaml │ │ ├── namespace-scanners.trivy-operator.devopstales.io.crd.yaml │ │ ├── trivy-operator.service.yaml │ │ └── trivy-operator.v2.4.0.clusterserviceversion.yaml │ └── metadata │ │ └── annotations.yaml │ ├── 2.5.0 │ ├── manifests │ │ ├── ClusterScanner.yaml │ │ ├── NamespaceScanner.yaml │ │ ├── VulnerabilityReport.yaml │ │ ├── trivy-operator.service.yaml │ │ └── trivy-operator.v2.5.0.clusterserviceversion.yaml │ └── metadata │ │ └── annotations.yaml │ ├── bundle.Dockerfile │ └── ci.yaml ├── README.md ├── deploy ├── dev │ ├── 04_trivy_operator.yaml │ ├── 05_namespace-scanner.yaml │ ├── 06_kube-bench_operator.yaml │ ├── 07_cluster-scanner.yaml │ └── docker-compose.yaml ├── helm │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── README.md.gotmpl │ ├── crds │ │ ├── ClusterScanner.yaml │ │ ├── NamespaceScanner.yaml │ │ ├── VulnerabilityReport.yaml │ │ ├── wgpolicyk8s.io_clusterpolicyreports.yaml │ │ └── wgpolicyk8s.io_policyreports.yaml │ ├── namespace-image-overview.json │ ├── namespace-vulnerabilities.json │ ├── templates │ │ ├── 1-rbac.yaml │ │ ├── 10-image-overview.dashboard.yaml │ │ ├── 11-namespace-vulnerabilities.dashboard.yaml │ │ ├── 12-admissioncontroller.dashboard.yaml │ │ ├── 2-pvc.yaml │ │ ├── 3-deployment.yaml │ │ ├── 4-namespace-scanner.yaml │ │ ├── 5-service.yaml │ │ ├── 6-servicemonitor.yaml │ │ ├── 7-cache.yaml │ │ ├── 8-cluster-scanner.yaml │ │ └── 
_helpers.tpl │ ├── trivy-operator-admissioncontroller.json │ └── values.yaml └── kubernetes │ ├── 01_rbac.yaml │ ├── 02_crds.yaml │ ├── 03_cache.yaml │ ├── 04_trivy_operator.yaml │ ├── 05_namespace-scanner.yaml │ ├── 06_cluster-scanner.yaml │ ├── 10_demo.yaml │ └── 11_redisinsight.yaml ├── docker ├── kube-bench-scnner │ ├── Dockerfile │ ├── cfg │ │ ├── ack-1.0 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── managedservices.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── aks-1.0 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── managedservices.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── cis-1.20 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── cis-1.23 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── cis-1.4 │ │ │ ├── config.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ └── node.yaml │ │ ├── cis-1.5 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── cis-1.6 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── config.yaml │ │ ├── eks-1.0.1 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── managedservices.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── gke-1.0 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── managedservices.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── gke-1.2.0 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── managedservices.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── k3s-cis-1.20-hardened │ │ │ ├── config.yaml │ │ │ ├── 
controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── k3s-cis-1.20-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── k3s-cis-1.23-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── k3s-cis-1.23-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── k3s-cis-1.6-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── k3s-cis-1.6-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rh-0.7 │ │ │ ├── config.yaml │ │ │ ├── master.yaml │ │ │ └── node.yaml │ │ ├── rh-1.0 │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.20-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.20-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.23-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.23-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.4 │ │ │ ├── config.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ └── node.yaml │ │ ├── rke-cis-1.5-hardened │ │ │ ├── config.yaml │ │ │ 
├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.5-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.6-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke-cis-1.6-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke2-cis-1.20-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke2-cis-1.20-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke2-cis-1.23-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke2-cis-1.23-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke2-cis-1.5-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke2-cis-1.5-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ ├── rke2-cis-1.6-hardened │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ │ └── rke2-cis-1.6-permissive │ │ │ ├── config.yaml │ │ │ ├── controlplane.yaml │ │ │ ├── etcd.yaml │ │ │ ├── master.yaml │ │ │ ├── node.yaml │ │ │ └── policies.yaml │ └── entrypoint.sh └── trivy-operator │ ├── 
Dockerfile │ └── entrypoint.sh ├── docs ├── build │ └── requirements.txt ├── configuration.md ├── crds │ ├── cluster-policy-report.md │ ├── cluster-scanner.md │ ├── index.md │ ├── namespace-scanner.md │ ├── policy-report.md │ └── vulnerability-report.md ├── functions │ ├── airgap-mode.md │ ├── cis-benchmark.md │ └── image-validator.md ├── img │ ├── application-settings.png │ ├── cluster_policy_report.png │ ├── duplication-settings.png │ ├── policy_report.png │ ├── trivy-exporter.png │ ├── trivy-operator-OH.png │ └── trivy-operator-OH2.png ├── index.md ├── installation.md ├── integrations │ ├── defectdojo.md │ ├── monitoring.md │ └── policy-reporter.md └── quickstart.md ├── grafana-dashboard ├── admissioncontroller.json ├── image-overview.json ├── namespace-image-overview.json └── namespace.json ├── kube-bench-scnner.py ├── mkdocs.yml └── trivy-operator.py /.Mend: -------------------------------------------------------------------------------- 1 | { 2 | "checkRunSettings": { 3 | "vulnerableCheckRunConclusionLevel": "failure" 4 | }, 5 | "issueSettings": { 6 | "minSeverityLevel": "LOW" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/FEATURE_REQUEST.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature Request 3 | labels: kind/feature 4 | about: I have a suggestion (and might want to implement myself)! 5 | --- 6 | 7 | 10 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | 14 | **Expected behavior** 15 | A clear and concise description of what you expected to happen. 
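**Configuration file**
Paste here your trivy-operator NamespaceScanner object file (redact any credentials, tokens or webhook URLs it contains before posting)

**Helm Values file**
Paste here your helm values file if you installed trivy-operator with helm (redact private-registry credentials and any other secrets first)

**Environment:**

- Trivy-Operator version (use `trivy-operator version`):
- Installation type (Helm, Kubernetes, OperatorFramework):
- Kubernetes version (use `kubectl version`):
- OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc):

**Additional context**
Add any other context about the problem here.
--------------------------------------------------------------------------------
/.github/workflows/publish-docs.yaml:
--------------------------------------------------------------------------------
name: Publish documentation

on:
  workflow_dispatch:
    inputs:
      ref:
        description: The branch, tag or SHA to deploy
        required: true
      version:
        description: Version to be deployed
        required: false

# No workflow-level permissions; the deploy job requests only what it needs.
permissions: {}

jobs:
  deploy:
    name: Publish documentation
    # NOTE(review): ubuntu-20.04 has been retired from GitHub-hosted runners;
    # check the currently supported images (e.g. ubuntu-22.04) or the job will not schedule.
    runs-on: ubuntu-20.04
    permissions:
      contents: write # the `mike --push` calls below write the generated site with the job token
    steps:
      - name: Checkout code
        uses: actions/checkout@v3 # consider pinning to a commit SHA, as snyk-security.yml does for snyk/actions
        with:
          ref: ${{ github.event.inputs.ref }}
          fetch-depth: 0 # full history, presumably so mike can update the existing docs branch
          persist-credentials: true # required: the job token stays in git config so `mike --push` can authenticate
      - uses: actions/setup-python@v4
        with:
          python-version: 3.x
      - name: Install dependencies
        run: |
          pip install -r docs/build/requirements.txt
      - name: Configure the git user
        run: |
          git config user.name "devopstales-bot"
          git config user.email "devopstales-bot@users.noreply.github.com"
      - name: Deploy the latest documents from new tag push
        # Used when no explicit version is supplied. The only trigger is
        # workflow_dispatch, so github.ref is whatever ref the run was started
        # from; only a tag ref gives a usable mike version name, so anything
        # else (e.g. refs/heads/main) is rejected instead of being published.
        if: ${{ github.event.inputs.version == '' }}
        env:
          GH_REF: ${{ github.ref }}
        run: |
          case "$GH_REF" in
            refs/tags/*) VERSION="${GH_REF#refs/tags/}" ;;
            *) echo "No 'version' input and $GH_REF is not a tag; refusing to deploy." >&2; exit 1 ;;
          esac
          mike deploy --push "$VERSION"
          mike deploy --push --update-aliases "$VERSION" latest
          mike set-default --push latest
      - name: Deploy the latest documents from manual trigger
        if: ${{ github.event.inputs.version != '' }}
        # The input reaches the shell through an environment variable rather than
        # ${{ }} interpolation, so its value is never expanded into the script text.
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          mike deploy --push "$VERSION"
          mike deploy --push --update-aliases "$VERSION" latest
          mike set-default --push latest
--------------------------------------------------------------------------------
/.github/workflows/snyk-security.yml:
--------------------------------------------------------------------------------
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
# Snyk Container and Snyk Infrastructure as Code)
# The setup installs the Snyk CLI - for more details on the possible commands
# check https://docs.snyk.io/snyk-cli/cli-reference
# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
#
# In order to use the Snyk Action you will need to have a Snyk API token.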
13 | # More details in https://github.com/snyk/actions#getting-your-snyk-token 14 | # or you can signup for free at https://snyk.io/login 15 | # 16 | # For more examples, including how to limit scans to only high-severity issues 17 | # and fail PR checks, see https://github.com/snyk/actions/ 18 | 19 | name: Snyk Security 20 | 21 | on: 22 | push: 23 | branches: ["main" ] 24 | pull_request: 25 | branches: ["main"] 26 | 27 | permissions: 28 | contents: read 29 | 30 | jobs: 31 | snyk: 32 | permissions: 33 | contents: read # for actions/checkout to fetch code 34 | security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 35 | actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 36 | runs-on: ubuntu-latest 37 | steps: 38 | - uses: actions/checkout@v3 39 | - name: Set up Snyk CLI to check for security issues 40 | # Snyk can be used to break the build when it detects security issues. 41 | # In this case we want to upload the SAST issues to GitHub Code Scanning 42 | uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb 43 | 44 | # For Snyk Open Source you must first set up the development environment for your application's dependencies. 45 | # The Node example below is left over from the template; this project is Python and has no requirements.txt at the repository root (only docs/build/requirements.txt), so `snyk monitor --all-projects` will see little of the operator's real dependencies unless they are installed here. 46 | #- uses: actions/setup-node@v3 47 | # with: 48 | # node-version: 16 49 | 50 | env: 51 | # The Snyk API token, stored as the SNYK_TOKEN repository secret (never committed). GitHub does not expose repository secrets to pull_request runs from forks, so those runs will fail at the first snyk command. 52 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 53 | 54 | # Runs Snyk Code (SAST) analysis and uploads result into GitHub. 55 | # `|| true` is commented out on the run line, so when Snyk Code exits non-zero on findings this step fails and every later step, including the SARIF upload, is skipped; re-enable it if findings should be reported rather than block the job. 56 | - name: Snyk Code test 57 | run: snyk code test --sarif > snyk-code.sarif # || true 58 | 59 | # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. 60 | - name: Snyk Open Source monitor 61 | run: snyk monitor --all-projects 62 | 63 | # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. 
64 | # `|| true` is commented out here too, so IaC findings fail the job at this step. 65 | - name: Snyk IaC test and report 66 | run: snyk iac test --report # || true 67 | 68 | # Build the docker image for testing. NOTE(review): `your/image-to-test` and the `.` build context are the unmodified Snyk template placeholders; this repository has no Dockerfile at its root (they live under docker/trivy-operator/ and docker/kube-bench-scnner/), so this step fails and the container scan below never runs. 69 | - name: Build a Docker image 70 | run: docker build -t your/image-to-test . 71 | # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 72 | - name: Snyk Container monitor 73 | run: snyk container monitor your/image-to-test --file=Dockerfile 74 | 75 | # Push the Snyk Code results into GitHub Code Scanning tab. Without `if: always()` this runs only when every step above succeeded, so the SARIF produced by a failing Snyk Code step is never uploaded. 76 | - name: Upload result to GitHub Code Scanning 77 | uses: github/codeql-action/upload-sarif@v2 78 | with: 79 | sarif_file: snyk-code.sarif 80 | -------------------------------------------------------------------------------- /.whitesource: -------------------------------------------------------------------------------- 1 | { 2 | "scanSettings": { 3 | "baseBranches": [] 4 | }, 5 | "checkRunSettings": { 6 | "vulnerableCheckRunConclusionLevel": "failure", 7 | "displayMode": "diff", 8 | "useMendCheckNames": true 9 | }, 10 | "issueSettings": { 11 | "minSeverityLevel": "LOW", 12 | "issueType": "DEPENDENCY" 13 | } 14 | } -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | codeSHELL=/bin/bash -o pipefail 2 | export VERSION=2.5.1 3 | 4 | .PHONY: all 5 | all: trivy 6 | 7 | .DEFAULT_GOAL := help 8 | 9 | #TRIVY := $(shell curl --silent https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r .name | cut -d "v" -f2) 10 | TRIVY := 0.36.1 11 | BENCH := $(shell curl --silent https://api.github.com/repos/aquasecurity/kube-bench/releases/latest | jq -r .name | cut -d "v" -f2) 12 | 13 | 14 | #help: @ List available tasks on this project 15 | help: 16 | @grep -E '[a-zA-Z\.\-]+:.*?@ .*$$' $(MAKEFILE_LIST)| tr -d '#' | awk 'BEGIN {FS = ":.*?@ "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 17 | 18 | #bins: @ download the trivy and kube-bench binaries (release tarballs are fetched with wget and not checksum-verified; kube-bench resolves to the latest release at build time) 19 | bins: 20 
| @if [ ! -f /tmp/trivy ]; then \ 21 | echo "Get Trivy Version:"; \ 22 | echo $(TRIVY); \ 23 | wget -q -O /tmp/trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY)/trivy_"$(TRIVY)"_Linux-64bit.tar.gz; \ 24 | echo "Extract Trivy"; \ 25 | tar -C /tmp -xf /tmp/trivy.tar.gz; \ 26 | fi 27 | @if [ ! -f /tmp/kube-bench ]; then \ 28 | echo "Get kube-bench Version"; \ 29 | echo $(BENCH); \ 30 | wget -q -O /tmp/kube-bench.tar.gz https://github.com/aquasecurity/kube-bench/releases/download/v$(BENCH)/kube-bench_"$(BENCH)"_linux_amd64.tar.gz; \ 31 | tar -C /tmp -xf /tmp/kube-bench.tar.gz; \ 32 | fi 33 | rm -f docker/trivy-operator/trivy docker/kube-bench-scnner/kube-bench 34 | cp /tmp/trivy docker/trivy-operator/trivy 35 | cp /tmp/kube-bench docker/kube-bench-scnner/kube-bench 36 | 37 | #to-devel: @ Build local trivy-operator devel image with nerdctl 38 | to-devel: 39 | cp trivy-operator.py docker/trivy-operator/trivy-operator.py 40 | nerdctl --namespace k8s.io build --tag devopstales/trivy-operator:$(VERSION)-devel docker/trivy-operator 41 | rm -f docker/trivy-operator/trivy-operator.py 42 | 43 | #to-devel-delete: @ Delete local trivy-operator dev image with nerdctl 44 | to-devel-delete: 45 | #nerdctl --namespace k8s.io image ls | grep devopstales | grep trivy-operator | grep $(VERSION)-devel | awk '{print "nerdctl --namespace k8s.io rmi "$$3}' | bash 46 | nerdctl --namespace k8s.io rmi devopstales/trivy-operator:$(VERSION)-devel 47 | 48 | #kbs-devel: @ Build local kube-bench-scnner devel image with nerdctl 49 | kbs-devel: 50 | cp kube-bench-scnner.py docker/kube-bench-scnner/kube-bench-scnner.py 51 | nerdctl --namespace k8s.io build --tag devopstales/kube-bench-scnner:$(VERSION)-devel docker/kube-bench-scnner 52 | rm -f docker/kube-bench-scnner/kube-bench-scnner.py 53 | 54 | #kbs-devel-delete: @ Delete local kube-bench-scnner dev image with nerdctl 55 | kbs-devel-delete: 56 | #nerdctl --namespace k8s.io image ls | grep devopstales | grep 
kube-bench-scnner | grep $(VERSION)-devel | awk '{print "nerdctl --namespace k8s.io rmi "$$3}' | bash 57 | nerdctl --namespace k8s.io rmi devopstales/kube-bench-scnner:$(VERSION)-devel 58 | 59 | version: 60 | cp trivy-operator.py docker/trivy-operator.py 61 | docker build -t devopstales/trivy-operator:$(VERSION)-amd64 --build-arg ARCH=amd64/ docker/ 62 | docker build -t devopstales/trivy-operator:$(VERSION)-arm64v8 --build-arg ARCH=arm64v8/ docker/ 63 | rm -f docker/trivy-operator.py 64 | # docker build -t devopstales/trivy-operator:$(VERSION)-arm32v7 --build-arg ARCH=arm32v7/ docker/ 65 | 66 | 67 | push-version: 68 | docker push devopstales/trivy-operator:$(VERSION)-amd64 69 | docker push devopstales/trivy-operator:$(VERSION)-arm64v8 70 | docker manifest create devopstales/trivy-operator:$(VERSION) \ 71 | --amend devopstales/trivy-operator:$(VERSION)-amd64 \ 72 | --amend devopstales/trivy-operator:$(VERSION)-arm64v8 73 | docker manifest push devopstales/trivy-operator:$(VERSION) 74 | 75 | # docker push devopstales/trivy-operator:$(VERSION)-arm32v7 76 | 77 | push-latest: 78 | docker manifest create devopstales/trivy-operator:latest \ 79 | --amend devopstales/trivy-operator:$(VERSION)-amd64 \ 80 | --amend devopstales/trivy-operator:$(VERSION)-arm64v8 81 | docker manifest push devopstales/trivy-operator:latest 82 | 83 | # --amend devopstales/trivy-operator:$(VERSION)-arm32v7 \ 84 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.1.1/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: namespace-scanners.trivy-operator.devopstales.io 5 | spec: 6 | conversion: 7 | strategy: None 8 | group: trivy-operator.devopstales.io 9 | names: 10 | kind: NamespaceScanner 11 | listKind: 
NamespaceScannerList 12 | plural: namespace-scanners 13 | shortNames: 14 | - ns-scan 15 | singular: namespace-scanner 16 | scope: Namespaced 17 | versions: 18 | - additionalPrinterColumns: 19 | - description: Namespace Selector for pod scanning 20 | jsonPath: .spec.namespace_selector 21 | name: NamespaceSelector 22 | type: string 23 | - description: crontab value 24 | jsonPath: .spec.crontab 25 | name: Crontab 26 | type: string 27 | - description: As returned from the handler (sometimes). 28 | jsonPath: .status.create_fn.message 29 | name: Message 30 | type: string 31 | name: v1 32 | schema: 33 | openAPIV3Schema: 34 | properties: 35 | crontab: 36 | pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$ 37 | type: string 38 | namespace_selector: 39 | type: string 40 | spec: 41 | type: object 42 | x-kubernetes-preserve-unknown-fields: true 43 | status: 44 | type: object 45 | x-kubernetes-preserve-unknown-fields: true 46 | type: object 47 | served: true 48 | storage: true 49 | subresources: 50 | status: {} 51 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.1.1/manifests/trivy-operator.service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: trivy-operator 5 | labels: 6 | app: trivy-operator 7 | spec: 8 | selector: 9 | app: trivy-operator 10 | ports: 11 | - name: metric 12 | port: 9115 13 | protocol: TCP 14 | targetPort: 9115 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: trivy-image-validator 20 | labels: 21 | app: trivy-operator 22 | spec: 23 | selector: 24 | app: trivy-operator 25 | ports: 26 | - name: webhook 27 | targetPort: 8443 28 | protocol: TCP 29 | port: 443 30 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.1.1/metadata/annotations.yaml: 
-------------------------------------------------------------------------------- 1 | annotations: 2 | operators.operatorframework.io.bundle.channels.v1: stable 3 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 4 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 5 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 6 | operators.operatorframework.io.bundle.package.v1: community-trivy-operator 7 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.2.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: namespace-scanners.trivy-operator.devopstales.io 5 | spec: 6 | conversion: 7 | strategy: None 8 | group: trivy-operator.devopstales.io 9 | names: 10 | kind: NamespaceScanner 11 | listKind: NamespaceScannerList 12 | plural: namespace-scanners 13 | shortNames: 14 | - ns-scan 15 | singular: namespace-scanner 16 | scope: Namespaced 17 | versions: 18 | - additionalPrinterColumns: 19 | - description: Namespace Selector for pod scanning 20 | jsonPath: .spec.namespace_selector 21 | name: NamespaceSelector 22 | type: string 23 | - description: crontab value 24 | jsonPath: .spec.crontab 25 | name: Crontab 26 | type: string 27 | - description: As returned from the handler (sometimes). 
28 | jsonPath: .status.create_fn.message 29 | name: Message 30 | type: string 31 | name: v1 32 | schema: 33 | openAPIV3Schema: 34 | properties: 35 | crontab: 36 | pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$ 37 | type: string 38 | namespace_selector: 39 | type: string 40 | spec: 41 | type: object 42 | x-kubernetes-preserve-unknown-fields: true 43 | status: 44 | type: object 45 | x-kubernetes-preserve-unknown-fields: true 46 | type: object 47 | served: true 48 | storage: true 49 | subresources: 50 | status: {} 51 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.2.0/manifests/trivy-operator.service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: trivy-operator 5 | labels: 6 | app: trivy-operator 7 | spec: 8 | selector: 9 | app: trivy-operator 10 | ports: 11 | - name: metric 12 | port: 9115 13 | protocol: TCP 14 | targetPort: 9115 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: trivy-image-validator 20 | labels: 21 | app: trivy-operator 22 | spec: 23 | selector: 24 | app: trivy-operator 25 | ports: 26 | - name: webhook 27 | targetPort: 8443 28 | protocol: TCP 29 | port: 443 30 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.2.0/metadata/annotations.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | operators.operatorframework.io.bundle.channels.v1: stable 3 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 4 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 5 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 6 | operators.operatorframework.io.bundle.package.v1: community-trivy-operator 7 | 
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.3.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: namespace-scanners.trivy-operator.devopstales.io 5 | spec: 6 | conversion: 7 | strategy: None 8 | group: trivy-operator.devopstales.io 9 | names: 10 | kind: NamespaceScanner 11 | listKind: NamespaceScannerList 12 | plural: namespace-scanners 13 | shortNames: 14 | - ns-scan 15 | singular: namespace-scanner 16 | scope: Namespaced 17 | versions: 18 | - additionalPrinterColumns: 19 | - description: Namespace Selector for pod scanning 20 | jsonPath: .spec.namespace_selector 21 | name: NamespaceSelector 22 | type: string 23 | - description: crontab value 24 | jsonPath: .spec.crontab 25 | name: Crontab 26 | type: string 27 | - description: As returned from the handler (sometimes). 
28 | jsonPath: .status.create_fn.message 29 | name: Message 30 | type: string 31 | name: v1 32 | schema: 33 | openAPIV3Schema: 34 | properties: 35 | crontab: 36 | pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$ 37 | type: string 38 | namespace_selector: 39 | type: string 40 | clusterWide: 41 | type: string 42 | spec: 43 | type: object 44 | x-kubernetes-preserve-unknown-fields: true 45 | status: 46 | type: object 47 | x-kubernetes-preserve-unknown-fields: true 48 | type: object 49 | served: true 50 | storage: true 51 | subresources: 52 | status: {} 53 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.3.0/manifests/trivy-operator.service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: trivy-operator 5 | labels: 6 | app: trivy-operator 7 | spec: 8 | selector: 9 | app: trivy-operator 10 | ports: 11 | - name: metric 12 | port: 9115 13 | protocol: TCP 14 | targetPort: 9115 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: trivy-image-validator 20 | labels: 21 | app: trivy-operator 22 | spec: 23 | selector: 24 | app: trivy-operator 25 | ports: 26 | - name: webhook 27 | targetPort: 8443 28 | protocol: TCP 29 | port: 443 30 | -------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.3.0/metadata/annotations.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | operators.operatorframework.io.bundle.channels.v1: stable 3 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 4 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 5 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 6 | operators.operatorframework.io.bundle.package.v1: community-trivy-operator 7 | 
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.4.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: --------------------------------------------------------------------------------
# NamespaceScanner CRD as shipped in the 2.4.0 OLM bundle (community-operators-prod).
# NOTE(review): a released bundle version should not be edited in place; the notes
# below are for the next bundle version.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: namespace-scanners.trivy-operator.devopstales.io
  labels:
    app.kubernetes.io/managed-by: trivy-operator
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: NamespaceScanner
    listKind: NamespaceScannerList
    plural: namespace-scanners
    shortNames:
    - ns-scan
    singular: namespace-scanner
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    # The printer columns read .spec.* — that is where the operator's fields live.
    - description: Namespace Selector for pod scanning
      jsonPath: .spec.namespace_selector
      name: NamespaceSelector
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    - description: As returned from the handler (sometimes).
      jsonPath: .status.create_fn.message
      name: Message
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          # NOTE(review): crontab, namespace_selector, clusterWide and policyreport are
          # declared here as siblings of `spec`, not under spec.properties. The printer
          # columns read .spec.crontab / .spec.namespace_selector, and `spec` below is an
          # open object (x-kubernetes-preserve-unknown-fields: true), so the crontab
          # pattern and the string types are never applied to the values the operator
          # consumes — a malformed spec.crontab is accepted by the API server. Moving these
          # under spec.properties would make the validation effective.
          crontab:
            # Five whitespace-separated fields, each an integer or `*` with an optional
            # `/step`. Ranges (`1-5`), lists (`1,5`) and names (`mon`) are rejected; the
            # integer itself is unbounded (e.g. a minute of 99 passes).
            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
            type: string
          namespace_selector:
            type: string
          clusterWide:
            # Typed as string here; deploy/dev/05_namespace-scanner.yaml sets
            # `clusterWide: False` (a boolean) and 2.5.0 declares the field as boolean.
            # The mismatch is masked only because this property is not under spec.
            type: string
          policyreport:
            # In 2.5.0 this moves to spec.integrations.policyreport as a boolean.
            type: string
          spec:
            type: object
            # Accepts any field without validation (see the note above).
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.4.0/manifests/trivy-operator.service.yaml: --------------------------------------------------------------------------------
# Metrics Service for the operator pods (port 9115, matching the prometheus.io/port
# annotation used in deploy/dev). Nothing in this bundle view shows authentication on
# this port — presumably a plain HTTP exporter endpoint; restrict with a NetworkPolicy
# if the namespace is reachable by untrusted workloads.
apiVersion: v1
kind: Service
metadata:
  name: trivy-operator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: metric
    port: 9115
    protocol: TCP
    targetPort: 9115
---
# Service for the image validator (presumably the admission webhook enabled by the
# ADMISSION_CONTROLLER env var in deploy/dev): cluster port 443 maps to container
# port 8443. It selects the same `app: trivy-operator` pods as the metrics Service.
# NOTE(review): the serving certificate for 8443 and the caBundle a webhook
# configuration would pin are not in this bundle view — confirm where they come from.
apiVersion: v1
kind: Service
metadata:
  name: trivy-image-validator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: webhook
    targetPort: 8443
    protocol: TCP
    port: 443
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.4.0/metadata/annotations.yaml: --------------------------------------------------------------------------------
# OLM bundle metadata for 2.4.0 (prod copy).
# NOTE(review): the community-operators copy of this file additionally sets
# operators.operatorframework.io.bundle.channel.default.v1: stable; this copy does not.
# Intentional or drift between the two directories — confirm.
annotations:
  operators.operatorframework.io.bundle.channels.v1: stable
  operators.operatorframework.io.bundle.manifests.v1: manifests/
  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
  operators.operatorframework.io.bundle.metadata.v1: metadata/
  operators.operatorframework.io.bundle.package.v1: community-trivy-operator
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.5.0/manifests/ClusterScanner.yaml: --------------------------------------------------------------------------------
# ClusterScanner CRD (2.5.0 bundle): a cluster-scoped object that schedules a
# Kubernetes benchmark run (the profile names below are kube-bench benchmark ids;
# deploy/dev/06 runs a kube-bench-scnner image).
# NOTE(review): a released bundle version should not be edited in place; the notes
# below are for the next bundle version.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: cluster-scanners.trivy-operator.devopstales.io
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: ClusterScanner
    listKind: ClusterScannerList
    plural: cluster-scanners
    shortNames:
    - cs-scan
    singular: cluster-scanner
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    # Columns read .spec.* — the fields the operator consumes.
    - description: Kubernetes Scan Profile
      jsonPath: .spec.scanProfileName
      name: ClusterScanProfile
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          # NOTE(review): crontab, scanProfileName and integrations are declared as
          # siblings of `spec`, not under spec.properties, while the columns above and
          # the operator read .spec.*. Because `spec` is an open object below, neither
          # the crontab pattern nor the scanProfileName enum is enforced on what users
          # actually submit. If scanProfileName ends up on a command line (not visible
          # here), this enum was the intended allow-list — it currently does nothing.
          crontab:
            # Integer-or-`*` fields with optional `/step`; no ranges, lists or names.
            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
            type: string
          scanProfileName:
            type: string
            enum:
            - ack-1.0
            - aks-1.0
            - gke-1.0
            - gke-1.2.0
            - eks-1.0.1
            - cis-1.5
            - cis-1.6
            - cis-1.20
            - cis-1.23
            - rh-0.7
            - rh-1.0
            - k3s-cis-1.6-permissive
            - k3s-cis-1.6-hardened
            - k3s-cis-1.20-hardened
            - k3s-cis-1.20-permissive
            - k3s-cis-1.23-hardened
            - k3s-cis-1.23-permissive
            - rke-cis-1.4
            - rke-cis-1.5-hardened
            - rke-cis-1.5-permissive
            - rke-cis-1.6-hardened
            - rke-cis-1.6-permissive
            - rke-cis-1.20-hardened
            - rke-cis-1.20-permissive
            - rke-cis-1.23-hardened
            - rke-cis-1.23-permissive
            - rke2-cis-1.5-hardened
            - rke2-cis-1.5-permissive
            - rke2-cis-1.6-hardened
            - rke2-cis-1.6-permissive
            - rke2-cis-1.20-hardened
            - rke2-cis-1.20-permissive
            - rke2-cis-1.23-hardened
            - rke2-cis-1.23-permissive
          integrations:
            type: object
            properties:
              defectdojo:
                description: DefectDojo integration options
                type: object
                properties:
                  host:
                    description: URL of the DefectDojo server.
                    type: string
                  # NOTE(review): a plain string field in a cluster-scoped object. An
                  # API key written here is stored in the ClusterScanner like any other
                  # field and is readable by anyone with `get`/`list` on cluster-scanners.
                  # A Secret reference (name/key) would keep the credential under Secret
                  # RBAC instead.
                  api_key:
                    description: Api key for DefectDojo api authentication.
                    type: string
                  k8s-cluster-name:
                    description: Name of the Kubernetes Cluster in defectdojo.
                    type: string
          spec:
            type: object
            # Accepts any field without validation (see the note above).
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.5.0/manifests/NamespaceScanner.yaml: --------------------------------------------------------------------------------
# NamespaceScanner CRD (2.5.0 bundle): schedules image scanning of pods in the
# selected namespaces.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: namespace-scanners.trivy-operator.devopstales.io
  labels:
    app.kubernetes.io/managed-by: trivy-operator
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: NamespaceScanner
    listKind: NamespaceScannerList
    plural: namespace-scanners
    shortNames:
    - ns-scan
    singular: namespace-scanner
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Namespace Selector for pod scanning
      jsonPath: .spec.namespace_selector
      name: NamespaceSelector
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    - description: As returned from the handler (sometimes).
      jsonPath: .status.create_fn.message
      name: Message
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          # NOTE(review): same placement issue as the other CRDs in this repo — these
          # properties sit next to `spec` instead of under spec.properties, so with
          # `spec` being an open object none of the types/patterns below are enforced
          # on the submitted spec.
          crontab:
            description: Crontab format expression for scheduling scans.
            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
            type: string
          namespace_selector:
            description: NamespaceSelector selects the namespaces to scan
              images.
            type: string
          clusterWide:
            description: Selector for cluster wide scan.
            type: boolean
          integrations:
            type: object
            properties:
              policyreport:
                description: Selector to enable policy report object creation
                  and integration wit plicy-reporter.
                type: boolean
              defectdojo:
                description: DefectDojo integration options
                type: object
                properties:
                  host:
                    description: URL of the DefectDojo server.
                    type: string
                  # NOTE(review): plaintext credential in the CR; readable by anyone with
                  # `get`/`list` on namespace-scanners in that namespace. Prefer a Secret
                  # reference.
                  api_key:
                    description: Api key for DefectDojo api authentication.
                    type: string
                  k8s-cluster-name:
                    description: Name of the Kubernetes Cluster in defectdojo.
                    type: string
          # Per the description these name Secrets in the OPERATOR's namespace, not the
          # namespace of the NamespaceScanner. NOTE(review): that lets the author of a
          # NamespaceScanner make the operator use any pull secret its namespace holds —
          # confirm this cross-namespace reach is intended.
          image_pull_secrets:
            description: List of image pull secret names in the operator's
              namespace for image pulls.
            type: array
            items:
              type: string
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    # NOTE(review): unlike ClusterScanner and the 2.4.0 version of this CRD there is no
    # `subresources: status: {}` here, although a printer column reads
    # .status.create_fn.message. Status writes go through the main resource — confirm
    # that is intended.
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.5.0/manifests/trivy-operator.service.yaml: --------------------------------------------------------------------------------
# Metrics Service (9115) for the operator pods.
apiVersion: v1
kind: Service
metadata:
  name: trivy-operator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: metric
    port: 9115
    protocol: TCP
    targetPort: 9115
---
# Image validator (presumably the admission webhook) Service: 443 -> container 8443,
# same pods as the metrics Service. The serving certificate for 8443 is not visible in
# this bundle view — confirm how it is provisioned.
apiVersion: v1
kind: Service
metadata:
  name: trivy-image-validator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: webhook
    targetPort: 8443
    protocol: TCP
    port: 443
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/2.5.0/metadata/annotations.yaml: --------------------------------------------------------------------------------
# OLM bundle metadata for 2.5.0 (prod copy). The community-operators copy also sets
# bundle.channel.default.v1: stable — confirm the difference is intentional.
annotations:
  operators.operatorframework.io.bundle.channels.v1: stable
  operators.operatorframework.io.bundle.manifests.v1: manifests/
  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
  operators.operatorframework.io.bundle.metadata.v1: metadata/
  operators.operatorframework.io.bundle.package.v1: community-trivy-operator
-------------------------------------------------------------------------------- /OLM/community-operators-prod/community-trivy-operator/ci.yaml: --------------------------------------------------------------------------------
---
# Use `replaces-mode` or `semver-mode`. Once you switch to `semver-mode`, there is no easy way back.
updateGraph: replaces-mode
# Single reviewer account gates bundle updates for this package.
reviewers:
  - devopstales
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.1.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: --------------------------------------------------------------------------------
# NamespaceScanner CRD, 2.1.0 bundle. Kept for the OLM upgrade graph (replaces-mode).
# Same schema-placement issue as the later versions: crontab and namespace_selector are
# siblings of `spec`, so they are not validated on the submitted spec.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: namespace-scanners.trivy-operator.devopstales.io
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: NamespaceScanner
    listKind: NamespaceScannerList
    plural: namespace-scanners
    shortNames:
    - ns-scan
    singular: namespace-scanner
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Namespace Selector for pod scanning
      jsonPath: .spec.namespace_selector
      name: NamespaceSelector
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    - description: As returned from the handler (sometimes).
      jsonPath: .status.create_fn.message
      name: Message
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          crontab:
            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
            type: string
          namespace_selector:
            type: string
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.1.0/metadata/annotations.yaml: --------------------------------------------------------------------------------
# OLM bundle metadata for 2.1.0 (no default-channel annotation in this version).
annotations:
  operators.operatorframework.io.bundle.channels.v1: stable
  operators.operatorframework.io.bundle.manifests.v1: manifests/
  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
  operators.operatorframework.io.bundle.metadata.v1: metadata/
  operators.operatorframework.io.bundle.package.v1: community-trivy-operator
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.1.1/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: --------------------------------------------------------------------------------
# NamespaceScanner CRD, 2.1.1 bundle — schema identical to 2.1.0 (same placement caveat).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: namespace-scanners.trivy-operator.devopstales.io
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: NamespaceScanner
    listKind: NamespaceScannerList
    plural: namespace-scanners
    shortNames:
    - ns-scan
    singular: namespace-scanner
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Namespace Selector for pod scanning
      jsonPath: .spec.namespace_selector
      name: NamespaceSelector
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    - description: As returned from the handler (sometimes).
      jsonPath: .status.create_fn.message
      name: Message
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          crontab:
            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
            type: string
          namespace_selector:
            type: string
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.1.1/manifests/trivy-operator.service.yaml: --------------------------------------------------------------------------------
# Metrics Service (9115) and image-validator Service (443 -> 8443), 2.1.1 bundle.
# Both select the same `app: trivy-operator` pods.
apiVersion: v1
kind: Service
metadata:
  name: trivy-operator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: metric
    port: 9115
    protocol: TCP
    targetPort: 9115
---
apiVersion: v1
kind: Service
metadata:
  name: trivy-image-validator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: webhook
    targetPort: 8443
    protocol: TCP
    port: 443
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.1.1/metadata/annotations.yaml: --------------------------------------------------------------------------------
# OLM bundle metadata for 2.1.1; this copy declares the default channel.
annotations:
  operators.operatorframework.io.bundle.channels.v1: stable
  operators.operatorframework.io.bundle.channel.default.v1: stable
  operators.operatorframework.io.bundle.manifests.v1: manifests/
  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
  operators.operatorframework.io.bundle.metadata.v1: metadata/
  operators.operatorframework.io.bundle.package.v1: community-trivy-operator
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.2.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: --------------------------------------------------------------------------------
# NamespaceScanner CRD, 2.2.0 bundle — schema identical to 2.1.x (same placement caveat).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: namespace-scanners.trivy-operator.devopstales.io
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: NamespaceScanner
    listKind: NamespaceScannerList
    plural: namespace-scanners
    shortNames:
    - ns-scan
    singular: namespace-scanner
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Namespace Selector for pod scanning
      jsonPath: .spec.namespace_selector
      name: NamespaceSelector
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    - description: As returned from the handler (sometimes).
      jsonPath: .status.create_fn.message
      name: Message
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        properties:
          crontab:
            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
            type: string
          namespace_selector:
            type: string
          spec:
            type: object
            x-kubernetes-preserve-unknown-fields: true
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
        type: object
    served: true
    storage: true
    subresources:
      status: {}
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.2.0/manifests/trivy-operator.service.yaml: --------------------------------------------------------------------------------
# Metrics Service (9115) and image-validator Service (443 -> 8443), 2.2.0 bundle.
apiVersion: v1
kind: Service
metadata:
  name: trivy-operator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: metric
    port: 9115
    protocol: TCP
    targetPort: 9115
---
apiVersion: v1
kind: Service
metadata:
  name: trivy-image-validator
  labels:
    app: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: webhook
    targetPort: 8443
    protocol: TCP
    port: 443
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.2.0/metadata/annotations.yaml: --------------------------------------------------------------------------------
# OLM bundle metadata for 2.2.0 (declares the default channel).
annotations:
  operators.operatorframework.io.bundle.channels.v1: stable
  operators.operatorframework.io.bundle.channel.default.v1: stable
  operators.operatorframework.io.bundle.manifests.v1: manifests/
  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
  operators.operatorframework.io.bundle.metadata.v1: metadata/
  operators.operatorframework.io.bundle.package.v1: community-trivy-operator
-------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.3.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: namespace-scanners.trivy-operator.devopstales.io 5 | spec: 6 | conversion: 7 | strategy: None 8 | group: trivy-operator.devopstales.io 9 | names: 10 | kind: NamespaceScanner 11 | listKind: NamespaceScannerList 12 | plural: namespace-scanners 13 | shortNames: 14 | - ns-scan 15 | singular: namespace-scanner 16 | scope: Namespaced 17 | versions: 18 | - additionalPrinterColumns: 19 | - description: Namespace Selector for pod scanning 20 | jsonPath: .spec.namespace_selector 21 | name: NamespaceSelector 22 | type: string 23 | - description: crontab value 24 | jsonPath: .spec.crontab 25 | name: Crontab 26 | type: string 27 | - description: As returned from the handler (sometimes). 
28 | jsonPath: .status.create_fn.message 29 | name: Message 30 | type: string 31 | name: v1 32 | schema: 33 | openAPIV3Schema: 34 | properties: 35 | crontab: 36 | pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$ 37 | type: string 38 | namespace_selector: 39 | type: string 40 | clusterWide: 41 | type: string 42 | spec: 43 | type: object 44 | x-kubernetes-preserve-unknown-fields: true 45 | status: 46 | type: object 47 | x-kubernetes-preserve-unknown-fields: true 48 | type: object 49 | served: true 50 | storage: true 51 | subresources: 52 | status: {} 53 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.3.0/manifests/trivy-operator.service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: trivy-operator 5 | labels: 6 | app: trivy-operator 7 | spec: 8 | selector: 9 | app: trivy-operator 10 | ports: 11 | - name: metric 12 | port: 9115 13 | protocol: TCP 14 | targetPort: 9115 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: trivy-image-validator 20 | labels: 21 | app: trivy-operator 22 | spec: 23 | selector: 24 | app: trivy-operator 25 | ports: 26 | - name: webhook 27 | targetPort: 8443 28 | protocol: TCP 29 | port: 443 30 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.3.0/metadata/annotations.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | operators.operatorframework.io.bundle.channels.v1: stable 3 | operators.operatorframework.io.bundle.channel.default.v1: stable 4 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 5 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 6 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 7 | operators.operatorframework.io.bundle.package.v1: 
community-trivy-operator 8 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.4.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: namespace-scanners.trivy-operator.devopstales.io 5 | spec: 6 | conversion: 7 | strategy: None 8 | group: trivy-operator.devopstales.io 9 | names: 10 | kind: NamespaceScanner 11 | listKind: NamespaceScannerList 12 | plural: namespace-scanners 13 | shortNames: 14 | - ns-scan 15 | singular: namespace-scanner 16 | scope: Namespaced 17 | versions: 18 | - additionalPrinterColumns: 19 | - description: Namespace Selector for pod scanning 20 | jsonPath: .spec.namespace_selector 21 | name: NamespaceSelector 22 | type: string 23 | - description: crontab value 24 | jsonPath: .spec.crontab 25 | name: Crontab 26 | type: string 27 | - description: As returned from the handler (sometimes). 
28 | jsonPath: .status.create_fn.message 29 | name: Message 30 | type: string 31 | name: v1 32 | schema: 33 | openAPIV3Schema: 34 | properties: 35 | crontab: 36 | pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$ 37 | type: string 38 | namespace_selector: 39 | type: string 40 | clusterWide: 41 | type: string 42 | policyreport: 43 | type: string 44 | spec: 45 | type: object 46 | x-kubernetes-preserve-unknown-fields: true 47 | status: 48 | type: object 49 | x-kubernetes-preserve-unknown-fields: true 50 | type: object 51 | served: true 52 | storage: true 53 | subresources: 54 | status: {} 55 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.4.0/manifests/trivy-operator.service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: trivy-operator 5 | labels: 6 | app: trivy-operator 7 | spec: 8 | selector: 9 | app: trivy-operator 10 | ports: 11 | - name: metric 12 | port: 9115 13 | protocol: TCP 14 | targetPort: 9115 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: trivy-image-validator 20 | labels: 21 | app: trivy-operator 22 | spec: 23 | selector: 24 | app: trivy-operator 25 | ports: 26 | - name: webhook 27 | targetPort: 8443 28 | protocol: TCP 29 | port: 443 30 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.4.0/metadata/annotations.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | operators.operatorframework.io.bundle.channels.v1: stable 3 | operators.operatorframework.io.bundle.channel.default.v1: stable 4 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 5 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 6 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 7 | 
operators.operatorframework.io.bundle.package.v1: community-trivy-operator 8 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.5.0/manifests/ClusterScanner.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: cluster-scanners.trivy-operator.devopstales.io 5 | spec: 6 | conversion: 7 | strategy: None 8 | group: trivy-operator.devopstales.io 9 | names: 10 | kind: ClusterScanner 11 | listKind: ClusterScannerList 12 | plural: cluster-scanners 13 | shortNames: 14 | - cs-scan 15 | singular: cluster-scanner 16 | scope: Cluster 17 | versions: 18 | - additionalPrinterColumns: 19 | - description: Kubernetes Scan Profile 20 | jsonPath: .spec.scanProfileName 21 | name: ClusterScanProfile 22 | type: string 23 | - description: crontab value 24 | jsonPath: .spec.crontab 25 | name: Crontab 26 | type: string 27 | name: v1 28 | schema: 29 | openAPIV3Schema: 30 | properties: 31 | crontab: 32 | pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$ 33 | type: string 34 | scanProfileName: 35 | type: string 36 | enum: 37 | - ack-1.0 38 | - aks-1.0 39 | - gke-1.0 40 | - gke-1.2.0 41 | - eks-1.0.1 42 | - cis-1.5 43 | - cis-1.6 44 | - cis-1.20 45 | - cis-1.23 46 | - rh-0.7 47 | - rh-1.0 48 | - k3s-cis-1.6-permissive 49 | - k3s-cis-1.6-hardened 50 | - k3s-cis-1.20-hardened 51 | - k3s-cis-1.20-permissive 52 | - k3s-cis-1.23-hardened 53 | - k3s-cis-1.23-permissive 54 | - rke-cis-1.4 55 | - rke-cis-1.5-hardened 56 | - rke-cis-1.5-permissive 57 | - rke-cis-1.6-hardened 58 | - rke-cis-1.6-permissive 59 | - rke-cis-1.20-hardened 60 | - rke-cis-1.20-permissive 61 | - rke-cis-1.23-hardened 62 | - rke-cis-1.23-permissive 63 | - rke2-cis-1.5-hardened 64 | - rke2-cis-1.5-permissive 65 | - rke2-cis-1.6-hardened 66 | - rke2-cis-1.6-permissive 67 | - rke2-cis-1.20-hardened 68 | - 
rke2-cis-1.20-permissive 69 | - rke2-cis-1.23-hardened 70 | - rke2-cis-1.23-permissive 71 | integrations: 72 | type: object 73 | properties: 74 | defectdojo: 75 | description: DefectDojo integration options 76 | type: object 77 | properties: 78 | host: 79 | description: URL of the DefectDojo server. 80 | type: string 81 | api_key: 82 | description: Api key for DefectDojo api authentication. 83 | type: string 84 | k8s-cluster-name: 85 | description: Name of the Kubernetes Cluster in defectdojo. 86 | type: string 87 | spec: 88 | type: object 89 | x-kubernetes-preserve-unknown-fields: true 90 | status: 91 | type: object 92 | x-kubernetes-preserve-unknown-fields: true 93 | type: object 94 | served: true 95 | storage: true 96 | subresources: 97 | status: {} -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.5.0/manifests/NamespaceScanner.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: namespace-scanners.trivy-operator.devopstales.io 5 | labels: 6 | app.kubernetes.io/managed-by: trivy-operator 7 | spec: 8 | conversion: 9 | strategy: None 10 | group: trivy-operator.devopstales.io 11 | names: 12 | kind: NamespaceScanner 13 | listKind: NamespaceScannerList 14 | plural: namespace-scanners 15 | shortNames: 16 | - ns-scan 17 | singular: namespace-scanner 18 | scope: Namespaced 19 | versions: 20 | - additionalPrinterColumns: 21 | - description: Namespace Selector for pod scanning 22 | jsonPath: .spec.namespace_selector 23 | name: NamespaceSelector 24 | type: string 25 | - description: crontab value 26 | jsonPath: .spec.crontab 27 | name: Crontab 28 | type: string 29 | - description: As returned from the handler (sometimes). 
30 | jsonPath: .status.create_fn.message 31 | name: Message 32 | type: string 33 | name: v1 34 | schema: 35 | openAPIV3Schema: 36 | properties: 37 | crontab: 38 | description: Crontab format expression for scheduling scans. 39 | pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$ 40 | type: string 41 | namespace_selector: 42 | description: NamespaceSelector selects the namespaces to scan 43 | images. 44 | type: string 45 | clusterWide: 46 | description: Selector for cluster wide scan. 47 | type: boolean 48 | integrations: 49 | type: object 50 | properties: 51 | policyreport: 52 | description: Selector to enable policy report object creation 53 | and integration wit plicy-reporter. 54 | type: boolean 55 | defectdojo: 56 | description: DefectDojo integration options 57 | type: object 58 | properties: 59 | host: 60 | description: URL of the DefectDojo server. 61 | type: string 62 | api_key: 63 | description: Api key for DefectDojo api authentication. 64 | type: string 65 | k8s-cluster-name: 66 | description: Name of the Kubernetes Cluster in defectdojo. 67 | type: string 68 | image_pull_secrets: 69 | description: List of image pull secret names in the operator's 70 | namespace for image pulls. 
71 | type: array 72 | items: 73 | type: string 74 | spec: 75 | type: object 76 | x-kubernetes-preserve-unknown-fields: true 77 | status: 78 | type: object 79 | x-kubernetes-preserve-unknown-fields: true 80 | type: object 81 | served: true 82 | storage: true 83 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.5.0/manifests/trivy-operator.service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: trivy-operator 5 | labels: 6 | app: trivy-operator 7 | spec: 8 | selector: 9 | app: trivy-operator 10 | ports: 11 | - name: metric 12 | port: 9115 13 | protocol: TCP 14 | targetPort: 9115 15 | --- 16 | apiVersion: v1 17 | kind: Service 18 | metadata: 19 | name: trivy-image-validator 20 | labels: 21 | app: trivy-operator 22 | spec: 23 | selector: 24 | app: trivy-operator 25 | ports: 26 | - name: webhook 27 | targetPort: 8443 28 | protocol: TCP 29 | port: 443 30 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/2.5.0/metadata/annotations.yaml: -------------------------------------------------------------------------------- 1 | annotations: 2 | operators.operatorframework.io.bundle.channels.v1: stable 3 | operators.operatorframework.io.bundle.channel.default.v1: stable 4 | operators.operatorframework.io.bundle.manifests.v1: manifests/ 5 | operators.operatorframework.io.bundle.mediatype.v1: registry+v1 6 | operators.operatorframework.io.bundle.metadata.v1: metadata/ 7 | operators.operatorframework.io.bundle.package.v1: community-trivy-operator 8 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/bundle.Dockerfile: -------------------------------------------------------------------------------- 1 | FROM scratch 2 | 3 | LABEL 
operators.operatorframework.io.bundle.mediatype.v1=registry+v1 4 | LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ 5 | LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ 6 | LABEL operators.operatorframework.io.bundle.package.v1=trivy-operator 7 | LABEL operators.operatorframework.io.bundle.channels.v1=alpha 8 | COPY 0.0.1/manifests /manifests/ 9 | COPY 0.0.1/metadata /metadata/ 10 | -------------------------------------------------------------------------------- /OLM/community-operators/community-trivy-operator/ci.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Use `replaces-mode` or `semver-mode`. Once you switch to `semver-mode`, there is no easy way back. 3 | updateGraph: replaces-mode 4 | reviewers: 5 | - devopstales 6 | -------------------------------------------------------------------------------- /deploy/dev/04_trivy_operator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: trivy-operator 6 | namespace: trivy-operator 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: trivy-operator 11 | template: 12 | metadata: 13 | labels: 14 | app: trivy-operator 15 | annotations: 16 | prometheus.io/port: "9115" 17 | prometheus.io/scrape: "true" 18 | spec: 19 | securityContext: 20 | fsGroup: 10001 21 | fsGroupChangePolicy: "OnRootMismatch" 22 | serviceAccountName: trivy-operator 23 | containers: 24 | - image: devopstales/trivy-operator:2.5-devel 25 | imagePullPolicy: IfNotPresent 26 | name: trivy-operator 27 | env: 28 | - name: MY_POD_NAMESPACE 29 | valueFrom: 30 | fieldRef: 31 | fieldPath: metadata.namespace 32 | - name: REDIS_ENABLED 33 | value: "True" 34 | - name: REDIS_BACKEND 35 | value: "redis://trivy-cache:6379" 36 | # - name: SKIP_DB_UPDATE 37 | # value: "true" 38 | # - name: ADMISSION_CONTROLLER 39 | # value: "true" 40 | # - name: GITHUB_TOKEN 41 | # value: 
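MY-TOKEN-FROM-GITHUB
        # Prefer a Secret reference over an inline value so the token is not
        # readable from the Deployment spec (`kubectl get deploy -o yaml`):
        # - name: GITHUB_TOKEN
        #   valueFrom:
        #     secretKeyRef:
        #       name: github-token
        #       key: token
        volumeMounts:
        - name: cache
          mountPath: "/home/trivy-operator/trivy-cache/"
        # - name: config-json
        #   mountPath: "/home/trivy-operator/.docker"
        ports:
        - containerPort: 9115
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: "trivy-cache"
      # - name: config-json
      #   secret:
      #     secretName: config-json
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: trivy-cache
  namespace: trivy-operator
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: trivy-operator
  name: trivy-operator
  namespace: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: metrics
    protocol: TCP
    port: 9115
    targetPort: 9115
--------------------------------------------------------------------------------
/deploy/dev/05_namespace-scanner.yaml:
--------------------------------------------------------------------------------
apiVersion: trivy-operator.devopstales.io/v1
kind: NamespaceScanner
metadata:
  name: main-config
spec:
  crontab: "*/1 * * * *"
  namespace_selector: "trivy-scan"
  clusterWide: False
  integrations:
    policyreport: True
    # The DefectDojo api_key is stored in plain text in this custom resource;
    # anyone allowed to `get namespace-scanners` can read it.
    # defectdojo:
    #   host: "https://defectdojo.k8s.intra"
    #   api_key: "xyz456ucdssd67sd67dsg"
  # Preferred way to authenticate to registries: reference Secrets that live
  # in the operator namespace instead of inlining credentials below.
  image_pull_secrets:
  - devopstales-dockerhub
  # Inline registry credentials end up in plain text in etcd and in every
  # `kubectl get ns-scan -o yaml`; `insecure: True` also disables TLS
  # verification for that registry. Keep this for throw-away dev setups only.
  # registry:
  # - name: docker.io
  #   username: "devopstales"
  #   password: ""
  #   insecure: True
--------------------------------------------------------------------------------
/deploy/dev/06_kube-bench_operator.yaml:
--------------------------------------------------------------------------------
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-bench-scnner
  namespace: trivy-operator
spec:
  selector:
    matchLabels:
      app: kube-bench-scnner
  template:
    metadata:
      labels:
        app: kube-bench-scnner
      annotations:
        prometheus.io/port: "9115"
        prometheus.io/scrape: "true"
    spec:
      # The scanner is pinned to a dedicated node pool: with hostPID and the
      # hostPath mounts below it can read the node's etcd data, kubelet state
      # and /etc/kubernetes (control-plane PKI), so it must never float onto
      # arbitrary nodes.
      nodeSelector:
        node-role.kubernetes.io/builder: "true"
      securityContext:
        fsGroup: 10001
        fsGroupChangePolicy: "OnRootMismatch"
      # NOTE(review): this reuses the operator's service account and therefore
      # its cluster-wide ClusterRole (including Secret reads). If the scanner
      # only needs to publish ClusterPolicyReports, give it its own, narrower
      # account.
      serviceAccountName: trivy-operator
      # Required by kube-bench to inspect control-plane process command lines.
      hostPID: true
      containers:
      - image: devopstales/kube-bench-scnner:2.5-devel
        imagePullPolicy: IfNotPresent
        name: kube-bench-scnner
        # Everything is mounted read-only; additionally forbid gaining
        # privileges inside a pod that already sees the host PID namespace.
        securityContext:
          allowPrivilegeEscalation: false
        env:
        - name: VERBOSE_LOG
          value: "true"
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        # All host mounts are read-only: kube-bench only audits file modes,
        # ownership and config contents.
        volumeMounts:
        - name: var-lib-etcd
          mountPath: /var/lib/etcd
          readOnly: true
        - name: var-lib-kubelet
          mountPath: /var/lib/kubelet
          readOnly: true
        - name: var-lib-kube-scheduler
          mountPath: /var/lib/kube-scheduler
          readOnly: true
        - name: var-lib-kube-controller-manager
          mountPath: /var/lib/kube-controller-manager
          readOnly: true
        - name: etc-systemd
          mountPath: /etc/systemd
          readOnly: true
        - name: lib-systemd
          mountPath: /lib/systemd/
          readOnly: true
        - name: srv-kubernetes
          mountPath: /srv/kubernetes/
          readOnly: true
        - name: etc-kubernetes
          mountPath: /etc/kubernetes
          readOnly: true
        - name: usr-bin
          mountPath: /usr/local/mount-from-host/bin
          readOnly: true
        - name: etc-cni-netd
          mountPath: /etc/cni/net.d/
          readOnly: true
        - name: opt-cni-bin
          mountPath: /opt/cni/bin/
          readOnly: true
        - name: etc-passwd
          mountPath: /etc/passwd
          readOnly: true
        - name: etc-group
          mountPath: /etc/group
          readOnly: true
        ports:
        - containerPort: 9115
      volumes:
      - name: var-lib-etcd
        hostPath:
          path: "/var/lib/etcd"
      - name: var-lib-kubelet
        hostPath:
          path: "/var/lib/kubelet"
      - name: var-lib-kube-scheduler
        hostPath:
          path: "/var/lib/kube-scheduler"
      - name: var-lib-kube-controller-manager
        hostPath:
          path: "/var/lib/kube-controller-manager"
      - name: etc-systemd
        hostPath:
          path: "/etc/systemd"
      - name: lib-systemd
        hostPath:
          path: "/lib/systemd"
      - name: srv-kubernetes
        hostPath:
          path: "/srv/kubernetes"
      - name: etc-kubernetes
        hostPath:
          path: "/etc/kubernetes"
      - name: usr-bin
        hostPath:
          path: "/usr/bin"
      - name: etc-cni-netd
        hostPath:
          path: "/etc/cni/net.d/"
      - name: opt-cni-bin
        hostPath:
          path: "/opt/cni/bin/"
      - name: etc-passwd
        hostPath:
          path: "/etc/passwd"
      - name: etc-group
        hostPath:
          path: "/etc/group"
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: kube-bench-scnner
  name: kube-bench-scnner
  namespace: trivy-operator
spec:
  selector:
    app: kube-bench-scnner
  ports:
  - name: metrics
    protocol: TCP
    port: 9115
    targetPort: 9115
--------------------------------------------------------------------------------
/deploy/dev/07_cluster-scanner.yaml:
--------------------------------------------------------------------------------
apiVersion: trivy-operator.devopstales.io/v1
kind: ClusterScanner
metadata:
  name: main-config
spec:
  crontab: "*/1 * * * *"
  scanProfileName: "cis-1.23"
  integrations:
    # The DefectDojo api_key is stored in plain text in this cluster-scoped
    # resource; restrict who may read cluster-scanners accordingly.
    # defectdojo:
    #   host: "https://defectdojo.k8s.intra"
    #   api_key: "xyz456ucdssd67sd67dsg"
    #   k8s-cluster-name: "eks-prod"
--------------------------------------------------------------------------------
/deploy/dev/docker-compose.yaml:
--------------------------------------------------------------------------------
version: '3'
services:
  redis:
    container_name: redis
    hostname: redis
    image: redis
    # Redis runs without authentication here; bind the published port to
    # loopback so it is not reachable from the developer machine's network.
    ports:
      - "127.0.0.1:6379:6379"
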
redis-commander: 11 | container_name: redis-commander 12 | hostname: redis-commander 13 | image: rediscommander/redis-commander:latest 14 | restart: always 15 | environment: 16 | - REDIS_HOSTS=local:redis:6379 17 | ports: 18 | - "8081:8081" 19 | -------------------------------------------------------------------------------- /deploy/helm/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /deploy/helm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: trivy-operator 3 | description: "This chart deploys an operator that default every 5 minutes execute a scan script. 
It collects the image list from all namespaces carrying the label `trivy-scan=true`, scans these images with trivy, and finally exposes the results as metrics on `http://[pod-ip]:9115/metrics`" 4 | type: application 5 | version: 2.5.0 6 | appVersion: "0.23.0" 7 | kubeVersion: ">=1.19.x-0" 8 | keywords: 9 | - Trivy 10 | - Admission Controller 11 | - Operator 12 | - Image Security 13 | home: https://github.com/devopstales/trivy-operator 14 | icon: https://github.com/devopstales/helm-charts/raw/main/icons/trivy.png 15 | sources: 16 | - https://github.com/devopstales/trivy-operator 17 | - https://github.com/devopstales/helm-charts 18 | deprecated: false -------------------------------------------------------------------------------- /deploy/helm/README.md.gotmpl: -------------------------------------------------------------------------------- 1 | ### Trivy Operator 2 | 3 | ![Version: {{ .Version }}](https://img.shields.io/badge/Version-{{ .Version | replace "-" "--" }}-informational?style=for-the-badge) 4 | {{ if .Type }}![Type: {{ .Type }}](https://img.shields.io/badge/Type-{{ .Type }}-informational?style=for-the-badge) {{ end }} 5 | {{ if .AppVersion }}![AppVersion: {{ .AppVersion }}](https://img.shields.io/badge/AppVersion-{{ .AppVersion | replace "-" "--" }}-informational?style=for-the-badge) {{ end }} 6 | 7 | ![Alpine Linux 3.15.0](https://img.shields.io/badge/alpine_linux_3.15.0-0D597F?style=for-the-badge&logo=alpine-linux&logoColor=white) 8 | ![Helm](https://img.shields.io/badge/helm-0F1689?style=for-the-badge&logo=helm&logoColor=white) 9 | 10 | [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/minecraft-exporter&style=for-the-badge)](https://artifacthub.io/packages/helm/devopstales/trivy-operator) 11 | 12 | ## Description 13 | 14 | {{ template "chart.description" . }} 15 | 16 | ## Configuration 17 | 18 | The following table lists the configurable parameters of the trivy-operator chart and their default values.
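{{ template "chart.valuesSection" . }}

{{ template "chart.homepageLine" . }}

{{ template "chart.sourcesSection" . }}

{{ template "chart.maintainersSection" . }}
--------------------------------------------------------------------------------
/deploy/helm/crds/ClusterScanner.yaml:
--------------------------------------------------------------------------------
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: cluster-scanners.trivy-operator.devopstales.io
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: ClusterScanner
    listKind: ClusterScannerList
    plural: cluster-scanners
    shortNames:
    - cs-scan
    singular: cluster-scanner
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - description: Kubernetes Scan Profile
      jsonPath: .spec.scanProfileName
      name: ClusterScanProfile
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        type: object
        properties:
          # Validation lives under `spec`, which is where the printer columns
          # and the sample resources put these fields. They were previously
          # listed as siblings of `spec`, so the pattern and enum below were
          # never applied to `.spec.*` and any value was accepted.
          spec:
            type: object
            # Fields not modelled here (e.g. future integrations) are kept
            # rather than pruned.
            x-kubernetes-preserve-unknown-fields: true
            properties:
              crontab:
                description: Crontab format expression for scheduling scans.
                pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
                type: string
              scanProfileName:
                description: kube-bench benchmark profile to run against the cluster.
                type: string
                enum:
                - ack-1.0
                - aks-1.0
                - gke-1.0
                - gke-1.2.0
                - eks-1.0.1
                - cis-1.5
                - cis-1.6
                - cis-1.20
                - cis-1.23
                - rh-0.7
                - rh-1.0
                - k3s-cis-1.6-permissive
                - k3s-cis-1.6-hardened
                - k3s-cis-1.20-hardened
                - k3s-cis-1.20-permissive
                - k3s-cis-1.23-hardened
                - k3s-cis-1.23-permissive
                - rke-cis-1.4
                - rke-cis-1.5-hardened
                - rke-cis-1.5-permissive
                - rke-cis-1.6-hardened
                - rke-cis-1.6-permissive
                - rke-cis-1.20-hardened
                - rke-cis-1.20-permissive
                - rke-cis-1.23-hardened
                - rke-cis-1.23-permissive
                - rke2-cis-1.5-hardened
                - rke2-cis-1.5-permissive
                - rke2-cis-1.6-hardened
                - rke2-cis-1.6-permissive
                - rke2-cis-1.20-hardened
                - rke2-cis-1.20-permissive
                - rke2-cis-1.23-hardened
                - rke2-cis-1.23-permissive
              integrations:
                type: object
                properties:
                  defectdojo:
                    description: DefectDojo integration options
                    type: object
                    properties:
                      host:
                        description: URL of the DefectDojo server.
                        type: string
                      api_key:
                        description: API key used to authenticate to the DefectDojo
                          API. It is stored in plain text in this cluster-scoped
                          resource; anyone who can read ClusterScanner objects can
                          read the key.
                        type: string
                      k8s-cluster-name:
                        description: Name of the Kubernetes Cluster in defectdojo.
                        type: string
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
    subresources:
      status: {}
--------------------------------------------------------------------------------
/deploy/helm/crds/NamespaceScanner.yaml:
--------------------------------------------------------------------------------
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: namespace-scanners.trivy-operator.devopstales.io
  labels:
    app.kubernetes.io/managed-by: trivy-operator
spec:
  conversion:
    strategy: None
  group: trivy-operator.devopstales.io
  names:
    kind: NamespaceScanner
    listKind: NamespaceScannerList
    plural: namespace-scanners
    shortNames:
    - ns-scan
    singular: namespace-scanner
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Namespace Selector for pod scanning
      jsonPath: .spec.namespace_selector
      name: NamespaceSelector
      type: string
    - description: crontab value
      jsonPath: .spec.crontab
      name: Crontab
      type: string
    - description: As returned from the handler (sometimes).
      jsonPath: .status.create_fn.message
      name: Message
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        type: object
        properties:
          # Validation lives under `spec`, matching the printer columns and
          # the sample resources. Previously these fields were siblings of
          # `spec`, so the crontab pattern and the field types were never
          # enforced on `.spec.*`.
          spec:
            type: object
            # Fields not modelled here (e.g. `registry`) are kept rather than
            # pruned.
            x-kubernetes-preserve-unknown-fields: true
            properties:
              crontab:
                description: Crontab format expression for scheduling scans.
                pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
                type: string
              namespace_selector:
                description: NamespaceSelector selects the namespaces to scan
                  images.
                type: string
              clusterWide:
                description: Selector for cluster wide scan.
                type: boolean
              integrations:
                type: object
                properties:
                  policyreport:
                    description: Enables PolicyReport object creation and
                      integration with policy-reporter.
                    type: boolean
                  defectdojo:
                    description: DefectDojo integration options
                    type: object
                    properties:
                      host:
                        description: URL of the DefectDojo server.
                        type: string
                      api_key:
                        description: API key used to authenticate to the DefectDojo
                          API. It is stored in plain text in this resource; anyone
                          who can read NamespaceScanner objects in the namespace can
                          read the key.
                        type: string
                      k8s-cluster-name:
                        description: Name of the Kubernetes Cluster in defectdojo.
                        type: string
              image_pull_secrets:
                description: List of image pull secret names in the operator's
                  namespace for image pulls. Prefer this over inline registry
                  credentials so that secrets are not copied into the resource.
                type: array
                items:
                  type: string
          status:
            type: object
            x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
--------------------------------------------------------------------------------
/deploy/helm/templates/1-rbac.yaml:
--------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "trivy-operator.serviceAccountName" .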
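}}
rules:
# The operator registers its own CRDs at start-up. `create` only: it cannot
# alter or remove CRDs owned by anything else.
- apiGroups:
  - "apiextensions.k8s.io"
  resources:
  - customresourcedefinitions
  verbs:
  - create
# Needed to register the trivy-image-validator admission webhook.
# NOTE(review): create/patch on *mutating* webhook configurations is
# effectively cluster-admin (a mutating webhook can rewrite any admission
# request). If the operator only registers a validating webhook, drop
# `mutatingwebhookconfigurations` here.
- apiGroups:
  - "admissionregistration.k8s.io"
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - create
  - patch
  - get
  - watch
  - list
# Scan results are published as PolicyReports / ClusterPolicyReports.
- apiGroups:
  - "wgpolicyk8s.io"
  resources:
  - policyreports
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - "wgpolicyk8s.io"
  resources:
  - clusterpolicyreports
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - "trivy-operator.devopstales.io"
  resources:
  - vulnerabilityreports
  verbs:
  - get
  - create
  - delete
# The operator watches its own scanner resources and patches their status.
- apiGroups:
  - "trivy-operator.devopstales.io"
  resources:
  - namespace-scanners
  - namespace-scanners/status
  - cluster-scanners
  - cluster-scanners/status
  verbs:
  - get
  - list
  - watch
  - patch
# The node (kube-bench) scanner is rolled out as a DaemonSet.
- apiGroups:
  - "apps"
  resources:
  - daemonsets
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - create
  - patch
# Read access to pods and namespaces (image discovery) and to secrets (image
# pull credentials).
# NOTE(review): this is cluster-wide read on *all* Secrets. The
# NamespaceScanner CRD documents pull secrets as living in the operator's
# namespace; if that is the only use, move `secrets` into a namespaced Role
# bound in the release namespace and keep only pods/namespaces here.
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "trivy-operator.serviceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "trivy-operator.serviceAccountName" . }}
subjects:
- kind: ServiceAccount
  name: {{ include "trivy-operator.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "trivy-operator.serviceAccountName" .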
}} 105 | labels: 106 | app: trivy-operator 107 | {{- include "trivy-operator.labels" . | nindent 4 }} 108 | {{- with .Values.serviceAccount.annotations }} 109 | annotations: 110 | {{- toYaml . | nindent 4 }} 111 | {{- end }} 112 | {{- end }} 113 | -------------------------------------------------------------------------------- /deploy/helm/templates/10-image-overview.dashboard.yaml: -------------------------------------------------------------------------------- 1 | {{- if $.Values.grafana.dashboards.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "trivy-operator.fullname" . }}-image-overview-dashboard 6 | {{ if .Values.grafana.namespace }} 7 | namespace: {{ .Values.grafana.namespace }} 8 | {{ else }} 9 | namespace: {{ .Release.Namespace }} 10 | {{ end }} 11 | annotations: 12 | {{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }} 13 | labels: 14 | serviceapp: {{ include "trivy-operator.fullname" . }}-trivy-operator 15 | {{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }} 16 | {{- with .Values.serviceMonitor.labels }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | data: 20 | {{ (.Files.Glob "namespace-image-overview.json").AsConfig | indent 2 }} 21 | {{- end }} -------------------------------------------------------------------------------- /deploy/helm/templates/11-namespace-vulnerabilities.dashboard.yaml: -------------------------------------------------------------------------------- 1 | {{- if $.Values.grafana.dashboards.enabled }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ include "trivy-operator.fullname" . 
}}-namespace-vulnerabilities-dashboard 6 | {{ if .Values.grafana.namespace }} 7 | namespace: {{ .Values.grafana.namespace }} 8 | {{ else }} 9 | namespace: {{ .Release.Namespace }} 10 | {{ end }} 11 | annotations: 12 | {{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }} 13 | labels: 14 | serviceapp: {{ include "trivy-operator.fullname" . }}-trivy-operator 15 | {{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }} 16 | {{- with .Values.serviceMonitor.labels }} 17 | {{- toYaml . | nindent 4 }} 18 | {{- end }} 19 | data: 20 | {{ (.Files.Glob "namespace-vulnerabilities.json").AsConfig | indent 2 }} 21 | {{- end }} -------------------------------------------------------------------------------- /deploy/helm/templates/12-admissioncontroller.dashboard.yaml: -------------------------------------------------------------------------------- 1 | {{- if $.Values.grafana.dashboards.enabled }} 2 | {{- if $.Values.admissionController.enabled }} 3 | apiVersion: v1 4 | kind: ConfigMap 5 | metadata: 6 | name: {{ include "trivy-operator.fullname" . }}-admissioncontroller-dashboard 7 | {{ if .Values.grafana.namespace }} 8 | namespace: {{ .Values.grafana.namespace }} 9 | {{ else }} 10 | namespace: {{ .Release.Namespace }} 11 | {{ end }} 12 | annotations: 13 | {{ .Values.grafana.folder.annotation }}: {{ .Values.grafana.folder.name }} 14 | labels: 15 | serviceapp: {{ include "trivy-operator.fullname" . }}-trivy-operator 16 | {{ .Values.grafana.dashboards.label }}: {{ .Values.grafana.dashboards.value | quote }} 17 | {{- with .Values.serviceMonitor.labels }} 18 | {{- toYaml . 
| nindent 4 }} 19 | {{- end }} 20 | data: 21 | {{ (.Files.Glob "trivy-operator-admissioncontroller.json").AsConfig | indent 2 }} 22 | {{- end }} 23 | {{- end }} -------------------------------------------------------------------------------- /deploy/helm/templates/2-pvc.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.persistence.enabled }} 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: {{ include "trivy-operator.fullname" . }}-trivy-cache 6 | namespace: {{ .Release.Namespace }} 7 | {{- with .Values.persistence.annotations }} 8 | annotations: 9 | {{ toYaml . | indent 4 }} 10 | {{- end }} 11 | spec: 12 | {{- if .Values.persistence.storageClass }} 13 | {{- if (eq "-" .Values.persistence.storageClass) }} 14 | storageClassName: "" 15 | {{- else }} 16 | storageClassName: "{{ .Values.persistence.storageClass }}" 17 | {{- end }} 18 | {{- end }} 19 | accessModes: 20 | - {{ .Values.persistence.accessMode | quote }} 21 | resources: 22 | requests: 23 | storage: {{ .Values.persistence.size | quote }} 24 | {{- end }} -------------------------------------------------------------------------------- /deploy/helm/templates/3-deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | labels: 5 | app: trivy-operator 6 | {{- include "trivy-operator.labels" . | nindent 4 }} 7 | name: {{ include "trivy-operator.fullname" . }} 8 | spec: 9 | replicas: 1 10 | strategy: 11 | type: Recreate 12 | selector: 13 | matchLabels: 14 | app: trivy-operator 15 | {{- include "trivy-operator.selectorLabels" . | nindent 6 }} 16 | template: 17 | metadata: 18 | labels: 19 | app: trivy-operator 20 | {{- include "trivy-operator.selectorLabels" . 
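| nindent 8 }}
      annotations:
        prometheus.io/port: "9115"
        prometheus.io/scrape: "true"
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      serviceAccountName: {{ include "trivy-operator.serviceAccountName" . }}
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        # Container-level hardening (allowPrivilegeEscalation, capabilities,
        # readOnlyRootFilesystem, ...) is taken from values when provided;
        # nothing is rendered otherwise.
        {{- with .Values.securityContext }}
        securityContext:
          {{- toYaml . | nindent 10 }}
        {{- end }}
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: TZ
          value: {{ .Values.TimeZone }}
        - name: LOG_LEVEL
          value: "{{ .Values.log_level }}"
        {{- if or (eq .Values.log_level "DEBUG") (eq .Values.log_level "HIGH") }}
        - name: VERBOSE_LOG
          value: "True"
        {{- end }}
        {{- if .Values.admissionController.enabled }}
        - name: ADMISSION_CONTROLLER
          value: "{{ .Values.admissionController.enabled }}"
        {{- end }}
        {{- if .Values.githubToken.enabled }}
        - name: GITHUB_TOKEN
          {{- if .Values.githubToken.existingSecret }}
          # Preferred: read the token from a pre-created Secret so it never
          # lands in values files, the Helm release history or
          # `kubectl get deploy -o yaml`.
          valueFrom:
            secretKeyRef:
              name: {{ .Values.githubToken.existingSecret }}
              key: {{ .Values.githubToken.existingSecretKey | default "GITHUB_TOKEN" }}
          {{- else }}
          # Backward-compatible fallback: the token is rendered in plain text
          # into the Deployment spec and the Helm release Secret.
          value: "{{ .Values.githubToken.token }}"
          {{- end }}
        {{- end }}
        {{- if .Values.cache.enabled }}
        - name: REDIS_ENABLED
          value: "True"
        - name: REDIS_BACKEND
          value: redis://{{ include "trivy-operator.fullname" . }}-cache:6379
        {{- end }}
        {{- if .Values.offline.enabled }}
        - name: SKIP_DB_UPDATE
          value: "true"
        {{- if .Values.offline.db_repository }}
        - name: DB_REPOSITORY
          value: "{{ .Values.offline.db_repository }}"
        {{- if .Values.offline.db_repository_insecure }}
        # Disables TLS verification when pulling the vulnerability DB from the
        # mirror above; only meant for air-gapped mirrors with private CAs.
        - name: DB_REPOSITORY_INSECURE
          value: "{{ .Values.offline.db_repository_insecure }}"
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if .Values.persistence.enabled }}
        volumeMounts:
        - name: cache
          mountPath: "/home/trivy-operator/trivy-cache"
        {{- end }}
        ports:
        - name: metric
          containerPort: 9115
          protocol: TCP
        - name: https
          containerPort: 8443
          protocol: TCP
      {{- if .Values.persistence.enabled }}
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: {{ include "trivy-operator.fullname" . }}-trivy-cache
      {{- end }}
--------------------------------------------------------------------------------
/deploy/helm/templates/4-namespace-scanner.yaml:
--------------------------------------------------------------------------------
apiVersion: trivy-operator.devopstales.io/v1
kind: NamespaceScanner
metadata:
  name: {{ include "trivy-operator.fullname" . }}-main-config
  annotations:
    "helm.sh/hook": post-install,post-upgrade
spec:
  crontab: "{{ .Values.namespaceScanner.crontab }}"
  namespace_selector: "{{ .Values.namespaceScanner.namespaceSelector }}"
  clusterWide: {{ .Values.namespaceScanner.clusterWide | default "false" }}
  {{- if .Values.namespaceScanner.integrations }}
  integrations:
    {{- if .Values.namespaceScanner.integrations.policyreport }}
    policyreport: {{ .Values.namespaceScanner.integrations.policyreport | default "false" }}
    {{- end }}
    {{- if .Values.namespaceScanner.integrations.defectdojo }}
    {{- with .Values.namespaceScanner.integrations.defectdojo }}
    # Rendered verbatim, including api_key, into the custom resource.
    defectdojo:
      {{- toYaml .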
| nindent 6 }} 20 | {{- end }} 21 | {{- end }} 22 | {{- end }} 23 | {{- if .Values.registryAuth.enabled }} 24 | {{- if .Values.registryAuth.image_pull_secrets }} 25 | {{- with .Values.registryAuth.image_pull_secrets }} 26 | image_pull_secrets: 27 | {{- toYaml . | nindent 4 }} 28 | {{- end }} 29 | {{- end }} 30 | {{- if .Values.registryAuth.registry }} 31 | {{- with .Values.registryAuth.registry }} 32 | registry: 33 | {{- toYaml . | nindent 4 }} 34 | {{- end }} 35 | {{- end }} 36 | {{- end }} 37 | -------------------------------------------------------------------------------- /deploy/helm/templates/5-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "trivy-operator.fullname" . }} 5 | labels: 6 | app: trivy-operator 7 | service: metrics 8 | {{- include "trivy-operator.labels" . | nindent 4 }} 9 | spec: 10 | selector: 11 | app: trivy-operator 12 | {{- include "trivy-operator.selectorLabels" . | nindent 4 }} 13 | ports: 14 | - name: metrics 15 | port: {{ .Values.monitoring.port }} 16 | protocol: TCP 17 | targetPort: 9115 18 | --- 19 | apiVersion: v1 20 | kind: Service 21 | metadata: 22 | name: trivy-image-validator 23 | labels: 24 | app: trivy-operator 25 | {{- include "trivy-operator.labels" . | nindent 4 }} 26 | spec: 27 | selector: 28 | app: trivy-operator 29 | {{- include "trivy-operator.selectorLabels" . | nindent 4 }} 30 | ports: 31 | - name: webhook 32 | targetPort: 8443 33 | protocol: TCP 34 | port: 443 35 | {{- if .Values.clusterScanner.enabled }} 36 | --- 37 | apiVersion: v1 38 | kind: Service 39 | metadata: 40 | labels: 41 | app: kube-bench-scnner 42 | {{- include "trivy-operator.labels" . | nindent 4 }} 43 | name: kube-bench-scnner 44 | spec: 45 | selector: 46 | app: kube-bench-scnner 47 | {{- include "trivy-operator.labels" . 
| nindent 4 }} 48 | ports: 49 | - name: metrics 50 | protocol: TCP 51 | port: 9115 52 | targetPort: 9115 53 | {{- end }} -------------------------------------------------------------------------------- /deploy/helm/templates/6-servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceMonitor.enabled -}} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | labels: 6 | serviceapp: {{ include "trivy-operator.fullname" . }}-trivy-operator 7 | {{- with .Values.serviceMonitor.labels }} 8 | {{- toYaml . | nindent 4 }} 9 | {{- end }} 10 | name: {{ include "trivy-operator.fullname" . }}-trivy-operator 11 | {{ if .Values.serviceMonitor.namespace }} 12 | namespace: {{ .Values.serviceMonitor.namespace }} 13 | {{ else }} 14 | namespace: {{ .Release.Namespace }} 15 | {{ end }} 16 | spec: 17 | selector: 18 | matchLabels: 19 | app: trivy-operator 20 | service: metrics 21 | endpoints: 22 | - interval: 60s 23 | path: / 24 | scrapeTimeout: 30s 25 | targetPort: 9115 26 | {{- with .Values.serviceMonitor.relabelings }} 27 | relabelings: 28 | {{- toYaml . | nindent 4 }} 29 | {{- end }} 30 | {{- with .Values.serviceMonitor.metricRelabelings }} 31 | metricRelabelings: 32 | {{- toYaml . | nindent 4 }} 33 | {{- end }} 34 | {{- end }} 35 | -------------------------------------------------------------------------------- /deploy/helm/templates/7-cache.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.cache.enabled }} 2 | --- 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: {{ include "trivy-operator.fullname" . }}-cache 7 | labels: 8 | app: trivy-cache 9 | {{- include "trivy-operator.labels" . 
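| nindent 4 }}
spec:
  selector:
    matchLabels:
      app: trivy-cache
  template:
    metadata:
      labels:
        app: trivy-cache
    spec:
      securityContext:
        fsGroup: 10001
        fsGroupChangePolicy: "OnRootMismatch"
      # The cache only serves Redis clients and never calls the Kubernetes
      # API, so it does not run under the operator's cluster-wide service
      # account (the previous hard-coded `trivy-operator`, which also failed
      # to schedule whenever serviceAccount.name was overridden) and gets no
      # API token mounted at all.
      automountServiceAccountToken: false
      containers:
      # Defaults to the unpinned upstream image; set cache.image to a pinned
      # tag or digest for reproducible deployments.
      - image: {{ .Values.cache.image | default "redis:latest" | quote }}
        name: redis
        imagePullPolicy: Always
        volumeMounts:
        - name: cache
          mountPath: "/data"
        ports:
        - containerPort: 6379
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: "{{ include "trivy-operator.fullname" . }}-cache"
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ include "trivy-operator.fullname" . }}-cache
  labels:
    app: trivy-cache
    {{- include "trivy-operator.labels" . | nindent 4 }}
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
  name: {{ include "trivy-operator.fullname" . }}-cache
  labels:
    app: trivy-cache
    {{- include "trivy-operator.labels" .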
| nindent 4 }} 70 | spec: 71 | selector: 72 | app: trivy-cache 73 | ports: 74 | - name: cache 75 | protocol: TCP 76 | port: 6379 77 | targetPort: 6379 78 | {{- end }} 79 | -------------------------------------------------------------------------------- /deploy/helm/templates/8-cluster-scanner.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.clusterScanner.enabled }} 2 | apiVersion: trivy-operator.devopstales.io/v1 3 | kind: ClusterScanner 4 | metadata: 5 | name: {{ include "trivy-operator.fullname" . }}-main-config 6 | annotations: 7 | "helm.sh/hook": post-install,post-upgrade 8 | spec: 9 | crontab: "{{ .Values.clusterScanner.crontab }}" 10 | {{- if .Values.clusterScanner.scanProfileName }} 11 | scanProfileName: "{{ .Values.clusterScanner.scanProfileName }}" 12 | {{- end }} 13 | {{- if .Values.clusterScanner.integrations }} 14 | integrations: 15 | {{- if .Values.clusterScanner.integrations.defectdojo }} 16 | {{- with .Values.clusterScanner.integrations.defectdojo }} 17 | defectdojo: 18 | {{- toYaml . | nindent 6 }} 19 | {{- end }} 20 | {{- end }} 21 | {{- end }} 22 | {{- end }} -------------------------------------------------------------------------------- /deploy/helm/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "trivy-operator.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 
12 | */}} 13 | {{- define "trivy-operator.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 28 | */}} 29 | {{- define "trivy-operator.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "trivy-operator.labels" -}} 37 | helm.sh/chart: {{ include "trivy-operator.chart" . }} 38 | {{ include "trivy-operator.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "trivy-operator.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "trivy-operator.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "trivy-operator.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "trivy-operator.fullname" .) 
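.Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/deploy/kubernetes/01_rbac.yaml:
--------------------------------------------------------------------------------
# Namespace, ClusterRole, ClusterRoleBinding and ServiceAccount for the
# operator. The ClusterRole is cluster-wide: every rule below applies to all
# namespaces, so each one should stay as narrow as the operator needs.
apiVersion: v1
kind: Namespace
metadata:
  name: trivy-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: trivy-operator
rules:
# create on CRDs: presumably lets the operator register its own CRDs at
# startup -- verify; if CRDs are applied by the deploy manifests instead this
# rule can go.
- apiGroups:
  - "apiextensions.k8s.io"
  resources:
  - customresourcedefinitions
  verbs:
  - create
# create/patch on admission webhook configurations is a high-impact
# permission (a webhook can intercept every API request); keep it only while
# the operator's admission controller is in use.
- apiGroups:
  - "admissionregistration.k8s.io"
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - create
  - patch
  - get
  - watch
  - list
- apiGroups:
  - "wgpolicyk8s.io"
  resources:
  - policyreports
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - "wgpolicyk8s.io"
  resources:
  - clusterpolicyreports
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - "trivy-operator.devopstales.io"
  resources:
  - vulnerabilityreports
  verbs:
  - get
  - create
  - delete
# Operator's own CRs; "list" was listed twice here and is now given once.
- apiGroups:
  - "trivy-operator.devopstales.io"
  resources:
  - namespace-scanners
  - namespace-scanners/status
  - cluster-scanners
  - cluster-scanners/status
  verbs:
  - get
  - list
  - watch
  - patch
- apiGroups:
  - "apps"
  resources:
  - daemonsets
  verbs:
  - get
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - get
  - create
  - patch
# NOTE(review): read access to secrets in every namespace. Presumably needed
# for the image_pull_secrets / registry credentials referenced by
# NamespaceScanner objects -- verify, and narrow to the namespaces being
# scanned (Role + RoleBinding) if the operator can work that way.
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  verbs:
  - get
  - watch
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: 
ClusterRoleBinding
metadata:
  name: trivy-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: trivy-operator
subjects:
- kind: ServiceAccount
  name: trivy-operator
  namespace: trivy-operator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: trivy-operator
  namespace: trivy-operator
--------------------------------------------------------------------------------
/deploy/kubernetes/03_cache.yaml:
--------------------------------------------------------------------------------
# Redis cache used by the operator (REDIS_BACKEND in 04_trivy_operator.yaml).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-cache
  namespace: trivy-operator
spec:
  selector:
    matchLabels:
      app: trivy-cache
  template:
    metadata:
      labels:
        app: trivy-cache
    spec:
      securityContext:
        fsGroup: 10001
        fsGroupChangePolicy: "OnRootMismatch"
      serviceAccountName: trivy-operator
      # redis never talks to the API server, so do not mount the operator's
      # cluster-wide ServiceAccount token into this pod.
      automountServiceAccountToken: false
      containers:
      # NOTE(review): unpinned "latest" tag pulled on every start, and redis
      # runs without AUTH -- pin the image and restrict ingress to the
      # operator pods with a NetworkPolicy.
      - image: redis:latest
        name: redis
        imagePullPolicy: Always
        volumeMounts:
        - name: cache
          mountPath: "/data"
        ports:
        - containerPort: 6379
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: "redis-cache"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: redis-cache
  namespace: trivy-operator
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
# ClusterIP Service (no type given); 6379 is reachable from any namespace
# unless a NetworkPolicy restricts it.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: trivy-cache
  name: trivy-cache
  namespace: trivy-operator
spec:
  selector:
    app: trivy-cache
  ports:
  - name: cache
    protocol: TCP
    port: 6379
    targetPort: 6379
--------------------------------------------------------------------------------
/deploy/kubernetes/04_trivy_operator.yaml:
--------------------------------------------------------------------------------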
---
# Operator Deployment, its trivy cache PVC and the metrics Service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-operator
  namespace: trivy-operator
spec:
  selector:
    matchLabels:
      app: trivy-operator
  template:
    metadata:
      labels:
        app: trivy-operator
      annotations:
        prometheus.io/port: "9115"
        prometheus.io/scrape: "true"
    spec:
      securityContext:
        fsGroup: 10001
        fsGroupChangePolicy: "OnRootMismatch"
      serviceAccountName: trivy-operator
      containers:
      # NOTE(review): no container-level securityContext or resource limits
      # are set; consider runAsNonRoot, allowPrivilegeEscalation: false and
      # dropped capabilities if the image supports them (verify), and a
      # digest-pinned image instead of the floating "2.4" tag.
      - image: devopstales/trivy-operator:2.4
        imagePullPolicy: IfNotPresent
        name: trivy-operator
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_UID
          valueFrom:
            fieldRef:
              fieldPath: metadata.uid
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              fieldPath: spec.serviceAccountName
        - name: REDIS_ENABLED
          value: "True"
        # Plain redis:// URL with no credentials: the cache in 03_cache.yaml
        # runs without AUTH, so access control rests entirely on who can reach
        # the trivy-cache Service.
        - name: REDIS_BACKEND
          value: "redis://trivy-cache:6379"
        # - name: GITHUB_TOKEN
        #   value: MY-TOKEN-FROM-GITHUB
        # NOTE(review): if GITHUB_TOKEN is enabled, supply it via
        # valueFrom.secretKeyRef rather than a literal value so the token is
        # not committed in this manifest.
        volumeMounts:
        - name: cache
          mountPath: "/home/trivy-operator/trivy-cache/"
        # - name: config-json
        #   mountPath: "/home/trivy-operator/.docker"
        ports:
        - containerPort: 9115
      volumes:
      - name: cache
        persistentVolumeClaim:
          claimName: "trivy-cache"
      # - name: config-json
      #   secret:
      #     secretName: config-json
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: trivy-cache
  namespace: trivy-operator
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
# Metrics Service (port 9115, scraped per the pod annotations above).
apiVersion: v1
kind: Service
metadata:
  labels:
    app: trivy-operator
  name: trivy-operator
  namespace: trivy-operator
spec:
  selector:
    app: trivy-operator
  ports:
  - name: metrics
    protocol: TCP
    port: 9115
    targetPort: 9115
--------------------------------------------------------------------------------
/deploy/kubernetes/05_namespace-scanner.yaml:
--------------------------------------------------------------------------------
# Example NamespaceScanner: scans namespaces labelled with the selector every
# 5 minutes and writes PolicyReports.
apiVersion: trivy-operator.devopstales.io/v1
kind: NamespaceScanner
metadata:
  name: main-config
spec:
  crontab: "*/5 * * * *"
  namespace_selector: "trivy-scan"
  clusterWide: False
  integrations:
    policyreport: True
    # defectdojo:
    #   host: "https://defectdojo.k8s.intra"
    #   api_key: "xyz456ucdssd67sd67dsg"
    # NOTE(review): the api_key above is a sample; a real DefectDojo key put
    # here is stored in plain text in the CR and in this repo -- keep real
    # keys out of committed manifests.
  image_pull_secrets:
  - devopstales-dockerhub
  # registry:
  # - name: docker.io
  #   username: "devopstales"
  #   password: ""
  #   insecure: True
--------------------------------------------------------------------------------
/deploy/kubernetes/06_cluster-scanner.yaml:
--------------------------------------------------------------------------------
# Example ClusterScanner running the cis-1.23 kube-bench profile every 5 minutes.
apiVersion: trivy-operator.devopstales.io/v1
kind: ClusterScanner
metadata:
  name: main-config
spec:
  crontab: "*/5 * * * *"
  scanProfileName: "cis-1.23"
  # NOTE(review): with every child commented out this key parses as
  # "integrations: null"; confirm the operator accepts that, or drop the key
  # until an integration is configured.
  integrations:
  # defectdojo:
  #   host: "https://defectdojo.k8s.intra"
  #   api_key: "xyz456ucdssd67sd67dsg"
  #   k8s-cluster-name: "eks-prod"
--------------------------------------------------------------------------------
/deploy/kubernetes/10_demo.yaml:
--------------------------------------------------------------------------------
# Demo workload: a labelled namespace that the scanner picks up, and a pod
# using images that appear chosen to produce findings (tags "insecure" and
# "bad") -- for test clusters only, presumably; do not deploy elsewhere.
---
apiVersion: v1
kind: Namespace
metadata:
  labels:
    trivy-scan: "true"
    trivy-operator-validation: "true"
  name: trivytest
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: trivytest
spec:
  initContainers:
  - name: init
    image: alpine:latest
    command: ['sh', '-c', 'echo The app is running! 
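&& sleep 10']
  - name: init2
    image: ubuntu:latest
    command: ['sh', '-c', 'echo The app is running! && sleep 10']
  containers:
  - image: registry.rancher-decktop.intra/devopstales/demo:insecure
    imagePullPolicy: IfNotPresent
    name: nginx
  - image: library/nginx:bad
    imagePullPolicy: IfNotPresent
    name: nginx-bad
--------------------------------------------------------------------------------
/deploy/kubernetes/11_redisinsight.yaml:
--------------------------------------------------------------------------------
# RedisInsight UI for inspecting the cache. NOTE(review): the UI itself has
# no authentication configured here and it can read/write the cache, so keep
# it off production clusters or restrict who can reach the Service
# (NetworkPolicy / no Ingress). State lives in an emptyDir and is lost on
# pod restart.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redisinsight
  labels:
    app: redisinsight
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redisinsight
  template:
    metadata:
      labels:
        app: redisinsight
    spec:
      containers:

      - name: redisinsight
        image: redislabs/redisinsight:1.7.0
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: db
          mountPath: /db
        ports:
        - containerPort: 8001
          protocol: TCP
      volumes:
      - name: db
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: redisinsight-service
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8001
  selector:
    app: redisinsight
--------------------------------------------------------------------------------
/docker/kube-bench-scnner/Dockerfile:
--------------------------------------------------------------------------------
ARG ARCH
FROM ${ARCH}python:3.8-alpine
# An ARG declared before FROM is out of scope afterwards; redeclare it so the
# COPY of the kube-bench binary below can use it.
ARG ARCH
ENV IN_CLUSTER=true

COPY entrypoint.sh /entrypoint.sh

# Base tooling (apk-tools/openssl are used by the key and package steps below).
RUN apk add --no-cache procps apk-tools openssl bash && \
    apk upgrade

# glibc compatibility package for the kube-bench binary. apk checks the
# package signature against the keys in /etc/apk/keys, which is why the
# sgerrand key is installed first; that key is fetched over HTTPS from a
# third-party host on every build (trust-on-first-use) -- vendor it into the
# repo if a fixed trust root is required. --force-overwrite lets the package
# replace files owned by other packages; keep it only if the install fails
# without it. The downloaded .apk is deleted in the same layer so it is not
# shipped in the image.
RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
    wget -q https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.33-r0/glibc-2.33-r0.apk && \
    apk add --force-overwrite glibc-2.33-r0.apk && \
    rm -f glibc-2.33-r0.apk && \
    mkdir /etc/kube-bench

# NOTE(review): these packages are unpinned, so the image is not reproducible
# and silently picks up whatever is current; pin them (e.g. a requirements.txt
# with hashes) so supply-chain changes show up in review.
RUN pip3 install --no-cache-dir kopf kubernetes croniter prometheus_client

COPY kube-bench-scnner.py /kube-bench-scnner.py
# COPY instead of ADD: cfg is a plain directory, so neither archive
# extraction nor remote fetching is wanted.
COPY cfg /etc/kube-bench/cfg
COPY ${ARCH}kube-bench /usr/local/bin/

# Binaries mounted in from the host at runtime (kube-bench audits host tools).
ENV PATH=$PATH:/usr/local/mount-from-host/bin

ENTRYPOINT ["/entrypoint.sh"]
--------------------------------------------------------------------------------
/docker/kube-bench-scnner/cfg/ack-1.0/config.yaml:
--------------------------------------------------------------------------------
---
## Version-specific settings that override the values in cfg/config.yaml
--------------------------------------------------------------------------------
/docker/kube-bench-scnner/cfg/ack-1.0/controlplane.yaml:
--------------------------------------------------------------------------------
---
controls:
version: "ack-1.0"
id: 3
text: "Control Plane Configuration"
type: "controlplane"
groups:
  - id: 3.1
    text: "Authentication and Authorization"
    checks:
      - id: 3.1.1
        text: "Revoke client certificate when possible leakage (Manual)"
        type: "manual"
        remediation: |
          Kubernetes provides the option to use client certificates for user authentication.
          ACK issues kubeconfig with its client certificates as the user credentials for connecing to target cluster.
          User should revoke his/her issued kubeconfig when possible leakage.
        scored: false

  - id: 3.2
    text: "Logging"
    checks:
      - id: 3.2.1
        text: "Ensure that a minimal audit policy is created (Manual)"
        audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
        tests:
          test_items:
            - flag: "--audit-policy-file"
        remediation: |
          Create an audit policy file for your cluster.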
31 | scored: false 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/aks-1.0/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/aks-1.0/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "aks-1.0" 4 | id: 2 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 2.1 9 | text: "Logging" 10 | checks: 11 | - id: 2.1.1 12 | text: "Enable audit Logs" 13 | type: "manual" 14 | remediation: | 15 | Azure audit logs are enabled and managed in the Azure portal. To enable log collection for 16 | the Kubernetes master components in your AKS cluster, open the Azure portal in a web 17 | browser and complete the following steps: 18 | 1. Select the resource group for your AKS cluster, such as myResourceGroup. Don't 19 | select the resource group that contains your individual AKS cluster resources, such 20 | as MC_myResourceGroup_myAKSCluster_eastus. 21 | 2. On the left-hand side, choose Diagnostic settings. 22 | 3. Select your AKS cluster, such as myAKSCluster, then choose to Add diagnostic setting. 23 | 4. Enter a name, such as myAKSClusterLogs, then select the option to Send to Log Analytics. 24 | 5. Select an existing workspace or create a new one. If you create a workspace, provide 25 | a workspace name, a resource group, and a location. 26 | 6. 
In the list of available logs, select the logs you wish to enable. For this example, 27 | enable the kube-audit and kube-audit-admin logs. Common logs include the kube- 28 | apiserver, kube-controller-manager, and kube-scheduler. You can return and change 29 | the collected logs once Log Analytics workspaces are enabled. 30 | 7. When ready, select Save to enable collection of the selected logs. 31 | scored: false 32 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/aks-1.0/master.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "aks-1.0" 4 | id: 1 5 | text: "Control Plane Components" 6 | type: "master" 7 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.20/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.20/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "1.20" 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: false 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.23/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.23/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "1.23" 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: false 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Review the audit policy provided for the cluster and ensure that it covers 38 | at least the following areas, 39 | - Access to Secrets managed by the cluster. Care should be taken to only 40 | log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in 41 | order to avoid risk of logging sensitive data. 42 | - Modification of Pod and Deployment objects. 43 | - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. 44 | For most requests, minimally logging at the Metadata level is recommended 45 | (the most basic level of logging). 
46 | scored: false 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.4/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.5/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.5/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.5 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Not Scored) " 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Scored) " 24 | type: "manual" 25 | remediation: | 26 | Create an audit policy file for your cluster. 27 | scored: true 28 | 29 | - id: 3.2.2 30 | text: "Ensure that the audit policy covers key security concerns (Not Scored) " 31 | type: "manual" 32 | remediation: | 33 | Consider modification of the audit policy in use on the cluster to include these items, at a 34 | minimum. 
35 | scored: false 36 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.6/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/cis-1.6/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.6 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: false 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 
39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/eks-1.0.1/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | ## These settings are required if you are using the --asff option to report findings to AWS Security Hub 4 | ## AWS account number is required. 5 | AWS_ACCOUNT: "" 6 | ## AWS region is required. 7 | AWS_REGION: "" 8 | ## EKS Cluster ARN is required. 9 | CLUSTER_ARN: "" 10 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/eks-1.0.1/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "eks-1.0.1" 4 | id: 2 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 2.1 9 | text: "Logging" 10 | checks: 11 | - id: 2.1.1 12 | text: "Enable audit logs (Manual)" 13 | remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler." 
14 | scored: false 15 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/eks-1.0.1/managedservices.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "eks-1.0.1" 4 | id: 5 5 | text: "Managed Services" 6 | type: "managedservices" 7 | groups: 8 | - id: 5.1 9 | text: "Image Registry and Image Scanning" 10 | checks: 11 | - id: 5.1.1 12 | text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Manual)" 13 | type: "manual" 14 | remediation: "No remediation" 15 | scored: false 16 | 17 | - id: 5.1.2 18 | text: "Minimize user access to Amazon ECR (Manual)" 19 | type: "manual" 20 | remediation: "No remediation" 21 | scored: false 22 | 23 | - id: 5.1.3 24 | text: "Minimize cluster access to read-only for Amazon ECR (Manual)" 25 | type: "manual" 26 | remediation: "No remediation" 27 | scored: false 28 | 29 | - id: 5.1.4 30 | text: "Minimize Container Registries to only those approved (Manual)" 31 | type: "manual" 32 | remediation: "No remediation" 33 | scored: false 34 | 35 | - id: 5.2 36 | text: "Identity and Access Management (IAM)" 37 | checks: 38 | - id: 5.2.1 39 | text: "Prefer using dedicated Amazon EKS Service Accounts (Manual)" 40 | type: "manual" 41 | remediation: "No remediation" 42 | scored: false 43 | 44 | - id: 5.3 45 | text: "AWS Key Management Service (KMS)" 46 | checks: 47 | - id: 5.3.1 48 | text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Manual)" 49 | type: "manual" 50 | remediation: "No remediation" 51 | scored: false 52 | 53 | - id: 5.4 54 | text: "Cluster Networking" 55 | checks: 56 | - id: 5.4.1 57 | text: "Restrict Access to the Control Plane Endpoint (Manual)" 58 | type: "manual" 59 | remediation: "No remediation" 60 | scored: false 61 | 62 | - id: 5.4.2 63 | text: "Ensure clusters are created with Private Endpoint Enabled and 
Public Access Disabled (Manual)" 64 | type: "manual" 65 | remediation: "No remediation" 66 | scored: false 67 | 68 | - id: 5.4.3 69 | text: "Ensure clusters are created with Private Nodes (Manual)" 70 | type: "manual" 71 | remediation: "No remediation" 72 | scored: false 73 | 74 | - id: 5.4.4 75 | text: "Ensure Network Policy is Enabled and set as appropriate (Manual)" 76 | type: "manual" 77 | remediation: "No remediation" 78 | scored: false 79 | 80 | - id: 5.4.5 81 | text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)" 82 | type: "manual" 83 | remediation: "No remediation" 84 | scored: false 85 | 86 | 87 | - id: 5.5 88 | text: "Authentication and Authorization" 89 | checks: 90 | - id: 5.5.1 91 | text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Manual)" 92 | type: "manual" 93 | remediation: "No remediation" 94 | scored: false 95 | 96 | 97 | - id: 5.6 98 | text: "Other Cluster Configurations" 99 | checks: 100 | - id: 5.6.1 101 | text: "Consider Fargate for running untrusted workloads (Manual)" 102 | type: "manual" 103 | remediation: "No remediation" 104 | scored: false 105 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/eks-1.0.1/master.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "eks-1.0.1" 4 | id: 1 5 | text: "Control Plane Components" 6 | type: "master" 7 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/gke-1.0/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/gke-1.0/controlplane.yaml: -------------------------------------------------------------------------------- 
1 | --- 2 | controls: 3 | version: "gke-1.0" 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Not Scored)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | You can remediate the availability of client certificates in your GKE cluster. See 18 | Recommendation 6.8.2. 19 | scored: false 20 | 21 | - id: 3.2 22 | text: "Logging" 23 | type: skip 24 | checks: 25 | - id: 3.2.1 26 | text: "Ensure that a minimal audit policy is created (Not Scored)" 27 | remediation: "This control cannot be modified in GKE." 28 | scored: false 29 | 30 | - id: 3.2.2 31 | text: "Ensure that the audit policy covers key security concerns (Not Scored) " 32 | remediation: "This control cannot be modified in GKE." 33 | scored: false 34 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/gke-1.0/etcd.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "gke-1.0" 4 | id: 2 5 | text: "Etcd Node Configuration" 6 | type: "etcd" 7 | groups: 8 | - id: 2 9 | text: "Etcd Node Configuration Files" 10 | type: skip 11 | checks: 12 | - id: 2.1 13 | text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Not Scored)" 14 | remediation: "This control cannot be modified in GKE." 15 | scored: false 16 | 17 | - id: 2.2 18 | text: "Ensure that the --client-cert-auth argument is set to true (Not Scored)" 19 | remediation: "This control cannot be modified in GKE." 
20 | scored: false 21 | 22 | - id: 2.3 23 | text: "Ensure that the --auto-tls argument is not set to true (Not Scored)" 24 | remediation: "This control cannot be modified in GKE." 25 | scored: false 26 | 27 | - id: 2.4 28 | text: "Ensure that the --peer-cert-file and --peer-key-file arguments are 29 | set as appropriate (Not Scored)" 30 | remediation: "This control cannot be modified in GKE." 31 | scored: false 32 | 33 | - id: 2.5 34 | text: "Ensure that the --peer-client-cert-auth argument is set to true (Not Scored)" 35 | remediation: "This control cannot be modified in GKE." 36 | scored: false 37 | 38 | - id: 2.6 39 | text: "Ensure that the --peer-auto-tls argument is not set to true (Not Scored)" 40 | remediation: "This control cannot be modified in GKE." 41 | scored: false 42 | 43 | - id: 2.7 44 | text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)" 45 | remediation: "This control cannot be modified in GKE." 46 | scored: false 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/gke-1.2.0/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/gke-1.2.0/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "gke-1.2.0" 4 | id: 2 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 2.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 2.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | You can remediate the availability of client certificates in your GKE cluster. See 18 | Recommendation 6.8.2. 19 | scored: false 20 | 21 | - id: 2.2 22 | text: "Logging" 23 | type: skip 24 | checks: 25 | - id: 2.2.1 26 | text: "Ensure that a minimal audit policy is created (Manual)" 27 | type: "manual" 28 | remediation: "This control cannot be modified in GKE." 29 | scored: false 30 | 31 | - id: 2.2.2 32 | text: "Ensure that the audit policy covers key security concerns (Manual)" 33 | type: "manual" 34 | remediation: "This control cannot be modified in GKE." 35 | scored: false 36 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/gke-1.2.0/master.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: "gke-1.2.0" 4 | id: 1 5 | text: "Control Plane Components" 6 | type: "master" 7 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.20-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - containerd 15 | 16 | scheduler: 17 | bins: 18 | - containerd 19 | 20 | controllermanager: 21 | bins: 22 | - containerd 23 | 24 | etcd: 25 | bins: 26 | - containerd 27 | 28 | node: 29 | components: 30 | - kubelet 31 | - proxy 32 | 33 | kubelet: 34 | bins: 35 | - containerd 36 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig 37 | defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt 38 | 39 | proxy: 40 | bins: 41 | - containerd 42 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig 43 | 44 | policies: 45 | components: 46 | - policies 47 | 
-------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.20-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.20 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'" 25 | type: "manual" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | set: true 30 | remediation: | 31 | Create an audit policy file for your cluster. 32 | scored: false 33 | 34 | - id: 3.2.2 35 | text: "Ensure that the audit policy covers key security concerns (Manual)" 36 | type: "manual" 37 | remediation: | 38 | Consider modification of the audit policy in use on the cluster to include these items, at a 39 | minimum. 
40 | scored: false 41 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.20-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - containerd 15 | 16 | scheduler: 17 | bins: 18 | - containerd 19 | 20 | controllermanager: 21 | bins: 22 | - containerd 23 | 24 | etcd: 25 | bins: 26 | - containerd 27 | 28 | node: 29 | components: 30 | - kubelet 31 | - proxy 32 | 33 | kubelet: 34 | bins: 35 | - containerd 36 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig 37 | defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt 38 | 39 | proxy: 40 | bins: 41 | - containerd 42 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig 43 | 44 | policies: 45 | components: 46 | - policies 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.20-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.20 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'" 25 | type: "manual" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | set: true 30 | remediation: | 31 | Create an audit policy file for your cluster. 32 | scored: false 33 | 34 | - id: 3.2.2 35 | text: "Ensure that the audit policy covers key security concerns (Manual)" 36 | type: "manual" 37 | remediation: | 38 | Consider modification of the audit policy in use on the cluster to include these items, at a 39 | minimum. 40 | scored: false 41 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.23-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - containerd 15 | 16 | scheduler: 17 | bins: 18 | - containerd 19 | 20 | controllermanager: 21 | bins: 22 | - containerd 23 | 24 | etcd: 25 | bins: 26 | - containerd 27 | 28 | node: 29 | components: 30 | - kubelet 31 | - proxy 32 | 33 | kubelet: 34 | bins: 35 | - containerd 36 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig 37 | defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt 38 | 39 | proxy: 40 | bins: 41 | - containerd 42 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig 43 | 44 | policies: 45 | components: 46 | - policies 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.23-hardened/controlplane.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.23 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'" 25 | type: "manual" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | set: true 30 | remediation: | 31 | Create an audit policy file for your cluster. 32 | scored: false 33 | 34 | - id: 3.2.2 35 | text: "Ensure that the audit policy covers key security concerns (Manual)" 36 | type: "manual" 37 | remediation: | 38 | Review the audit policy provided for the cluster and ensure that it covers 39 | at least the following areas, 40 | - Access to Secrets managed by the cluster. Care should be taken to only 41 | log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in 42 | order to avoid risk of logging sensitive data. 43 | - Modification of Pod and Deployment objects. 44 | - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. 45 | For most requests, minimally logging at the Metadata level is recommended 46 | (the most basic level of logging). 
47 | scored: false 48 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.23-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - containerd 15 | 16 | scheduler: 17 | bins: 18 | - containerd 19 | 20 | controllermanager: 21 | bins: 22 | - containerd 23 | 24 | etcd: 25 | bins: 26 | - containerd 27 | 28 | node: 29 | components: 30 | - kubelet 31 | - proxy 32 | 33 | kubelet: 34 | bins: 35 | - containerd 36 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig 37 | defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt 38 | 39 | proxy: 40 | bins: 41 | - containerd 42 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig 43 | 44 | policies: 45 | components: 46 | - policies 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.23-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.23 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'" 25 | type: "manual" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | set: true 30 | remediation: | 31 | Create an audit policy file for your cluster. 32 | scored: false 33 | 34 | - id: 3.2.2 35 | text: "Ensure that the audit policy covers key security concerns (Manual)" 36 | type: "manual" 37 | remediation: | 38 | Review the audit policy provided for the cluster and ensure that it covers 39 | at least the following areas, 40 | - Access to Secrets managed by the cluster. Care should be taken to only 41 | log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in 42 | order to avoid risk of logging sensitive data. 43 | - Modification of Pod and Deployment objects. 44 | - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. 45 | For most requests, minimally logging at the Metadata level is recommended 46 | (the most basic level of logging). 
47 | scored: false 48 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.6-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - containerd 15 | 16 | scheduler: 17 | bins: 18 | - containerd 19 | 20 | controllermanager: 21 | bins: 22 | - containerd 23 | 24 | etcd: 25 | bins: 26 | - containerd 27 | 28 | node: 29 | components: 30 | - kubelet 31 | - proxy 32 | 33 | kubelet: 34 | bins: 35 | - containerd 36 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig 37 | defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt 38 | 39 | proxy: 40 | bins: 41 | - containerd 42 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig 43 | 44 | policies: 45 | components: 46 | - policies 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.6-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.6 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'" 25 | type: "manual" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | set: true 30 | remediation: | 31 | Create an audit policy file for your cluster. 32 | scored: false 33 | 34 | - id: 3.2.2 35 | text: "Ensure that the audit policy covers key security concerns (Manual)" 36 | type: "manual" 37 | remediation: | 38 | Consider modification of the audit policy in use on the cluster to include these items, at a 39 | minimum. 40 | scored: false 41 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.6-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - containerd 15 | 16 | scheduler: 17 | bins: 18 | - containerd 19 | 20 | controllermanager: 21 | bins: 22 | - containerd 23 | 24 | etcd: 25 | bins: 26 | - containerd 27 | 28 | node: 29 | components: 30 | - kubelet 31 | - proxy 32 | 33 | kubelet: 34 | bins: 35 | - containerd 36 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubelet.kubeconfig 37 | defaultcafile: /var/lib/rancher/k3s/agent/client-ca.crt 38 | 39 | proxy: 40 | bins: 41 | - containerd 42 | defaultkubeconfig: /var/lib/rancher/k3s/agent/kubeproxy.kubeconfig 43 | 44 | policies: 45 | components: 46 | - policies 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/k3s-cis-1.6-permissive/controlplane.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.6 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "journalctl -D /var/log/journal -u k3s | grep 'Running kube-apiserver' | tail -n1 | grep 'audit-policy-file'" 25 | type: "manual" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | set: true 30 | remediation: | 31 | Create an audit policy file for your cluster. 32 | scored: false 33 | 34 | - id: 3.2.2 35 | text: "Ensure that the audit policy covers key security concerns (Manual)" 36 | type: "manual" 37 | remediation: | 38 | Consider modification of the audit policy in use on the cluster to include these items, at a 39 | minimum. 
40 | scored: false 41 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rh-0.7/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rh-1.0/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rh-1.0/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: rh-1.0 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | audit: | 14 | # To verify user authentication is enabled 15 | oc describe authentication 16 | # To verify that an identity provider is configured 17 | oc get identity 18 | # To verify that a custom cluster-admin user exists 19 | oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User 20 | # To verify that kubeadmin is removed, no results should be returned 21 | oc get secrets kubeadmin -n kube-system 22 | type: manual 23 | remediation: | 24 | Configure an identity provider for the OpenShift cluster. 25 | Understanding identity provider configuration | Authentication | OpenShift 26 | Container Platform 4.5. Once an identity provider has been defined, 27 | you can use RBAC to define and apply permissions. 
28 | After you define an identity provider and create a new cluster-admin user, 29 | remove the kubeadmin user to improve cluster security. 30 | scored: false 31 | 32 | - id: 3.2 33 | text: "Logging" 34 | checks: 35 | - id: 3.2.1 36 | text: "Ensure that a minimal audit policy is created (Manual)" 37 | audit: | 38 | #To view kube apiserver log files 39 | oc adm node-logs --role=master --path=kube-apiserver/ 40 | #To view openshift apiserver log files 41 | oc adm node-logs --role=master --path=openshift-apiserver/ 42 | #To verify kube apiserver audit config 43 | oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]' 44 | #To verify openshift apiserver audit config 45 | oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]' 46 | type: manual 47 | remediation: | 48 | No remediation required. 49 | scored: false 50 | 51 | - id: 3.2.2 52 | text: "Ensure that the audit policy covers key security concerns (Manual)" 53 | audit: | 54 | #To verify kube apiserver audit config 55 | oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]' 56 | #To verify openshift apiserver audit config 57 | oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]' 58 | type: manual 59 | remediation: | 60 | In OpenShift 4.6 and higher, if appropriate for your needs, 61 | modify the audit policy. 
62 | scored: false 63 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.20-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.20-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.20 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 
39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.20-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.20-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.20 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 
39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.23-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.23-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.23 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Review the audit policy provided for the cluster and ensure that it covers 38 | at least the following areas, 39 | - Access to Secrets managed by the cluster. 
Care should be taken to only 40 | log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in 41 | order to avoid risk of logging sensitive data. 42 | - Modification of Pod and Deployment objects. 43 | - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. 44 | For most requests, minimally logging at the Metadata level is recommended 45 | (the most basic level of logging). 46 | scored: false 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.23-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.23-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.23 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Manual)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Review the audit policy provided for the cluster and ensure that it covers 38 | at least the following areas, 39 | - Access to Secrets managed by the cluster. Care should be taken to only 40 | log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in 41 | order to avoid risk of logging sensitive data. 42 | - Modification of Pod and Deployment objects. 43 | - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. 44 | For most requests, minimally logging at the Metadata level is recommended 45 | (the most basic level of logging). 
46 | scored: false 47 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.4/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.5-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.5-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.5 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Not Scored) " 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Scored) " 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Not Scored) " 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.5-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.5-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.5 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Not Scored) " 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Scored) " 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Not Scored) " 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.6-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.6-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.6 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.6-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | node: 5 | kubelet: 6 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-node.yaml" 7 | defaultcafile: "/etc/kubernetes/ssl/kube-ca.pem" 8 | 9 | proxy: 10 | defaultkubeconfig: "/etc/kubernetes/ssl/kubecfg-kube-proxy.yaml" 11 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke-cis-1.6-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.6 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 
17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep" 25 | tests: 26 | test_items: 27 | - flag: "--audit-policy-file" 28 | set: true 29 | remediation: | 30 | Create an audit policy file for your cluster. 31 | scored: true 32 | 33 | - id: 3.2.2 34 | text: "Ensure that the audit policy covers key security concerns (Manual)" 35 | type: "manual" 36 | remediation: | 37 | Consider modification of the audit policy in use on the cluster to include these items, at a 38 | minimum. 39 | scored: false 40 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.20-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - 
kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.20-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.20 4 | id: 3 5 | text: "Control Plane Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" 25 | tests: 26 | test_items: 27 | - flag: "audit-policy-file" 28 | compare: 29 | op: eq 30 | value: "audit-policy-file" 31 | set: true 32 | remediation: | 33 | Create an audit policy file for your cluster. 34 | scored: true 35 | 36 | - id: 3.2.2 37 | text: "Ensure that the audit policy covers key security concerns (Manual)" 38 | type: "manual" 39 | remediation: | 40 | Consider modification of the audit policy in use on the cluster to include these items, at a 41 | minimum. 
42 | scored: false 43 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.20-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.20-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.20 4 | id: 3 5 | text: "Control Plane 
Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" 25 | type: "skip" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | compare: 30 | op: eq 31 | value: "--audit-policy-file" 32 | set: true 33 | remediation: | 34 | Create an audit policy file for your cluster. 35 | scored: true 36 | 37 | - id: 3.2.2 38 | text: "Ensure that the audit policy covers key security concerns (Manual)" 39 | type: "manual" 40 | remediation: | 41 | Consider modification of the audit policy in use on the cluster to include these items, at a 42 | minimum. 
43 | scored: false 44 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.23-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.23-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.23 4 | id: 3 5 | text: "Control Plane Configuration" 6 
| type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" 25 | tests: 26 | test_items: 27 | - flag: "audit-policy-file" 28 | compare: 29 | op: eq 30 | value: "audit-policy-file" 31 | set: true 32 | remediation: | 33 | Create an audit policy file for your cluster. 34 | scored: true 35 | 36 | - id: 3.2.2 37 | text: "Ensure that the audit policy covers key security concerns (Manual)" 38 | type: "manual" 39 | remediation: | 40 | Review the audit policy provided for the cluster and ensure that it covers 41 | at least the following areas, 42 | - Access to Secrets managed by the cluster. Care should be taken to only 43 | log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in 44 | order to avoid risk of logging sensitive data. 45 | - Modification of Pod and Deployment objects. 46 | - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. 47 | For most requests, minimally logging at the Metadata level is recommended 48 | (the most basic level of logging). 
49 | scored: false 50 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.23-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.23-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.23 4 | id: 3 5 | text: "Control Plane 
Configuration" 6 | type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" 25 | type: "skip" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | compare: 30 | op: eq 31 | value: "--audit-policy-file" 32 | set: true 33 | remediation: | 34 | Create an audit policy file for your cluster. 35 | scored: true 36 | 37 | - id: 3.2.2 38 | text: "Ensure that the audit policy covers key security concerns (Manual)" 39 | type: "manual" 40 | remediation: | 41 | Review the audit policy provided for the cluster and ensure that it covers 42 | at least the following areas, 43 | - Access to Secrets managed by the cluster. Care should be taken to only 44 | log Metadata for requests to Secrets, ConfigMaps, and TokenReviews, in 45 | order to avoid risk of logging sensitive data. 46 | - Modification of Pod and Deployment objects. 47 | - Use of `pods/exec`, `pods/portforward`, `pods/proxy` and `services/proxy`. 48 | For most requests, minimally logging at the Metadata level is recommended 49 | (the most basic level of logging). 
50 | scored: false 51 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.5-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.5-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.5 4 | id: 3 5 | text: "Control Plane Configuration" 6 | 
type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Not Scored)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Scored)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" 25 | tests: 26 | test_items: 27 | - flag: "audit-policy-file" 28 | compare: 29 | op: eq 30 | value: "audit-policy-file" 31 | set: true 32 | remediation: | 33 | Create an audit policy file for your cluster. 34 | scored: true 35 | 36 | - id: 3.2.2 37 | text: "Ensure that the audit policy covers key security concerns (Not Scored)" 38 | type: "manual" 39 | remediation: | 40 | Consider modification of the audit policy in use on the cluster to include these items, at a 41 | minimum. 
42 | scored: false 43 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.5-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.5-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.5 4 | id: 3 5 | text: "Control Plane Configuration" 6 
| type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Not Scored)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Scored)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep audit-policy-file" 25 | type: "skip" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | compare: 30 | op: eq 31 | value: "--audit-policy-file" 32 | set: true 33 | remediation: | 34 | Create an audit policy file for your cluster. 35 | scored: true 36 | 37 | - id: 3.2.2 38 | text: "Ensure that the audit policy covers key security concerns (Not Scored)" 39 | type: "manual" 40 | remediation: | 41 | Consider modification of the audit policy in use on the cluster to include these items, at a 42 | minimum. 
43 | scored: false 44 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.6-hardened/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.6-hardened/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.6 4 | id: 3 5 | text: "Control Plane Configuration" 6 | 
type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" 25 | tests: 26 | test_items: 27 | - flag: "audit-policy-file" 28 | compare: 29 | op: eq 30 | value: "audit-policy-file" 31 | set: true 32 | remediation: | 33 | Create an audit policy file for your cluster. 34 | scored: true 35 | 36 | - id: 3.2.2 37 | text: "Ensure that the audit policy covers key security concerns (Manual)" 38 | type: "manual" 39 | remediation: | 40 | Consider modification of the audit policy in use on the cluster to include these items, at a 41 | minimum. 
42 | scored: false 43 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.6-permissive/config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ## Version-specific settings that override the values in cfg/config.yaml 3 | 4 | master: 5 | components: 6 | - apiserver 7 | - scheduler 8 | - controllermanager 9 | - etcd 10 | - policies 11 | 12 | apiserver: 13 | bins: 14 | - kube-apiserver 15 | confs: 16 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 17 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-apiserver.yaml 18 | 19 | scheduler: 20 | bins: 21 | - kube-scheduler 22 | confs: 23 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 24 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-scheduler.yaml 25 | 26 | controllermanager: 27 | bins: 28 | - kube-controller-manager 29 | confs: 30 | - /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 31 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/kube-controller-manager.yaml 32 | 33 | etcd: 34 | bins: 35 | - etcd 36 | confs: 37 | - /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 38 | defaultconf: /var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml 39 | 40 | node: 41 | components: 42 | - kubelet 43 | - proxy 44 | 45 | kubelet: 46 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubelet.kubeconfig 47 | defaultcafile: /var/lib/rancher/rke2/agent/client-ca.crt 48 | 49 | proxy: 50 | defaultkubeconfig: /var/lib/rancher/rke2/agent/kubeproxy.kubeconfig 51 | 52 | policies: 53 | components: 54 | - policies 55 | -------------------------------------------------------------------------------- /docker/kube-bench-scnner/cfg/rke2-cis-1.6-permissive/controlplane.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | controls: 3 | version: 1.6 4 | id: 3 5 | text: "Control Plane Configuration" 6 
| type: "controlplane" 7 | groups: 8 | - id: 3.1 9 | text: "Authentication and Authorization" 10 | checks: 11 | - id: 3.1.1 12 | text: "Client certificate authentication should not be used for users (Manual)" 13 | type: "manual" 14 | remediation: | 15 | Alternative mechanisms provided by Kubernetes such as the use of OIDC should be 16 | implemented in place of client certificates. 17 | scored: false 18 | 19 | - id: 3.2 20 | text: "Logging" 21 | checks: 22 | - id: 3.2.1 23 | text: "Ensure that a minimal audit policy is created (Automated)" 24 | audit: "/bin/ps -ef | grep kube-apiserver | grep -v grep | grep -o audit-policy-file" 25 | type: "skip" 26 | tests: 27 | test_items: 28 | - flag: "--audit-policy-file" 29 | compare: 30 | op: eq 31 | value: "--audit-policy-file" 32 | set: true 33 | remediation: | 34 | Create an audit policy file for your cluster. 35 | scored: true 36 | 37 | - id: 3.2.2 38 | text: "Ensure that the audit policy covers key security concerns (Manual)" 39 | type: "manual" 40 | remediation: | 41 | Consider modification of the audit policy in use on the cluster to include these items, at a 42 | minimum. 
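scored: false

--------------------------------------------------------------------------------
/docker/kube-bench-scnner/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Entrypoint for the kube-bench scanner operator container.
#
# `exec` replaces this shell with the kopf process, so kopf is the container's
# PID 1 and receives SIGTERM directly when the pod is terminated. Without exec
# the signal is delivered to bash, which does not forward it to its foreground
# child, so kopf is never asked to shut down and is simply SIGKILLed when the
# termination grace period expires.
if [[ $LOG_LEVEL == "DEBUG" ]]; then
    exec kopf run -v -A /kube-bench-scnner.py --log-format=full
else
    exec kopf run -A /kube-bench-scnner.py --log-format=full
fi

--------------------------------------------------------------------------------
/docker/trivy-operator/Dockerfile:
--------------------------------------------------------------------------------
ARG ARCH
# NOTE(review): the base image is selected by a floating tag with no digest, so
# rebuilds are not reproducible; pin it with `@sha256:...` once a digest is chosen.
FROM ${ARCH}python:3.8-alpine
ARG ARCH
ENV TRIVY_CACHE_DIR=/home/trivy-operator/trivy-cache \
    TRIVY_QUIET=true \
    IN_CLUSTER=true

COPY entrypoint.sh /entrypoint.sh

# NOTE(review): gcc/musl-dev/rust/cargo are only needed to build the Python
# wheels below, but they remain in the final image (single stage, no `apk del`),
# which enlarges the runtime attack surface and the image size.
RUN apk -U upgrade && \
    apk add --no-cache gcc musl-dev libffi-dev openssl-dev curl bash rust cargo

# NOTE(review): no version pins or hashes, and `kopf[dev]` pulls kopf's dev
# extras into a production image. Pin versions (ideally with --require-hashes)
# so a rebuild cannot silently pick up a different or compromised release.
RUN pip3 install --no-cache-dir kopf[dev] kubernetes croniter prometheus_client oscrypto certvalidator certbuilder validators pyOpenSSL

COPY trivy-operator.py /trivy-operator.py
# NOTE(review): the trivy binary is copied from the build context as-is; nothing
# in this Dockerfile verifies its checksum or signature, so that verification
# has to happen wherever the binary is downloaded before the build.
COPY ${ARCH}trivy /usr/local/bin/

# Run as a dedicated non-root uid/gid. The trivy cache directory is pre-created
# and chown'ed here so the unprivileged process can write to it after USER.
RUN addgroup -S -g 10001 trivy-operator && \
    adduser -S -u 10001 trivy-operator -G trivy-operator && \
    mkdir /home/trivy-operator/trivy-cache && \
    chown -R trivy-operator:trivy-operator /home/trivy-operator/trivy-cache

USER 10001:10001

ENTRYPOINT ["/entrypoint.sh"]

# NOTE(review): these volume paths do not match TRIVY_CACHE_DIR above and are
# never created or chown'ed for uid 10001 — confirm which path the operator
# actually uses for the trivy database before relying on them for persistence.
VOLUME [ "/data/trivy", "/data/cache" ]

--------------------------------------------------------------------------------
/docker/trivy-operator/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Fix getpwuid(): uid not found: 1001 by setting the USER env var to prevent python from looking for a matching uid/gid in the password database.
# See https://github.com/python/cpython/blob/v3.6.0/Lib/getpass.py#L155-L170.
USER=$(id -u)
echo "Setting USER environment variable to ${USER}"
export USER=$USER

# `exec` so kopf becomes PID 1 and receives SIGTERM from the kubelet directly
# (bash does not forward signals to its foreground child). This lets kopf shut
# down gracefully instead of waiting for SIGKILL at the end of the grace period.
if [[ $LOG_LEVEL == "DEBUG" ]]; then
    exec kopf run -v -A /trivy-operator.py --log-format=full
else
    exec kopf run -A /trivy-operator.py --log-format=full
fi

--------------------------------------------------------------------------------
/docs/build/requirements.txt:
--------------------------------------------------------------------------------
# NOTE(review): versions are unpinned; pin them so documentation builds are reproducible.
mkdocs
mkdocs-material
mkdocs-macros-plugin
mike

--------------------------------------------------------------------------------
/docs/configuration.md:
--------------------------------------------------------------------------------
# Configuration

Create a values file for your helm deploy:

```yaml
cat <<'EOF'> values.yaml
image:
  repository: devopstales/trivy-operator
  pullPolicy: Always
  tag: "2.3"

imagePullSecrets: []
podSecurityContext:
  fsGroup: 10001
  fsGroupChangePolicy: "OnRootMismatch"

serviceAccount:
  create: true
  annotations: {}
  name: "trivy-operator"

monitoring:
  port: "9115"

serviceMonitor:
  enabled: false
  namespace: "monitoring-system"

storage:
  enabled: true
  size: 1Gi

NamespaceScanner:
  crontab: "*/5 * * * *"
  namespaceSelector: "trivy-scan"

registryAuth:
  enabled: false
  registry:
    - name: docker.io
      user: "user"
      password: "password"

githubToken:
  enabled: false
  token: ""
EOF
```

!!! warning
    `registryAuth.registry[].password` and `githubToken.token` are stored in plain text in this values file and in the values Helm keeps for the release, so anyone who can read either can recover them. Do not commit a populated values file; for registry credentials prefer `image_pull_secrets` on the [NamespaceScanner](crds/namespace-scanner.md), which references an existing Kubernetes Secret. Note also that the parameter table below documents the storage settings under `persistence.*` while this example uses `storage:`; check the chart's own `values.yaml` for the key your chart version expects.

## Operator Configuration

The following table lists the configurable parameters of the trivy-operator chart and their default values.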
53 | 54 | | Parameter | Description | Default | 55 | | ----------------------------------- | ------------------------------------------- | -----------------------------------------| 56 | | image.repository | image | devopstales/trivy-operator | 57 | | image.pullPolicy | pullPolicy | Always | 58 | | image.tag | image tag | 2.4.1 | 59 | | imagePullSecrets | imagePullSecrets list | [] | 60 | | podSecurityContext.fsGroup | mount id | 10001 | 61 | | serviceAccount.create | create serviceAccount | true | 62 | | serviceAccount.annotations | add annotation to serviceAccount | {} | 63 | | serviceAccount.name | name of the serviceAccount | trivy-operator | 64 | | monitoring.port | prometheus endpoint port | 9115 | 65 | | serviceMonitor.enabled | enable serviceMonitor object creation | false | 66 | | serviceMonitor.namespace | where to create serviceMonitor object | kube-system | 67 | | serviceMonitor.interval | set interval to serviceMonitor | 60s | 68 | | serviceMonitor.scrapeTimeout | set scrapeTimeout to serviceMonitor | 30s | 69 | | serviceMonitor.relabelings | set relabelings to serviceMonitor | [] | 70 | | serviceMonitor.metricRelabelings | set metricRelabelings to serviceMonitor | [] | 71 | | persistence.enabled | enable pv to store trivy database | true | 72 | | persistence.size | pv size | 1Gi | 73 | | persistence.storageClass | storageClass | Not defined | 74 | | persistence.accessMode | accessMode | ReadWriteOnce | 75 | | persistence.annotations | add extra annotations | No value | 76 | | NamespaceScanner.crontab | cronjob scheduler | "*/5 * * * *" | 77 | | NamespaceScanner.namespaceSelector | Namespace Selector | "trivy-scan" | 78 | | NamespaceScanner.clusterWide | scan all namespaces | "false" | 79 | | NamespaceScanner.policyreport | generate policy reports | "false" | 80 | | registryAuth.enabled | enable registry authentication in operator | false | 81 | | registryAuth.registry | registry name for authentication | 82 | | registryAuth.user | username for 
authentication | 83 | | registryAuth.password | password for authentication | 84 | | githubToken.enabled | Enable githubToken usage for trivy database update | false | 85 | | githubToken.token | githubToken value | "" | 86 | | nodeSelector | Select node where deploy | "" | 87 | | tolerations | Tolerations for use with node taints | [] | 88 | | affinity | Assign custom affinity rules to the trivy operator | {} | -------------------------------------------------------------------------------- /docs/crds/cluster-policy-report.md: -------------------------------------------------------------------------------- 1 | # ClusterPolicyReport 2 | 3 | The [ClusterPolicyReport](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report) object is a prototype object proposed by the Kubernetes policy work group. The Cluster Policy Report Custom Resource Definition (CRD) can be used as a common way to provide policy results to Kubernetes cluster administrators and users, using native tools. See the [proposal](https://docs.google.com/document/d/1nICYLkYS1RE3gJzuHOfHeAC25QIkFZfgymFjgOzMDVw/edit#) for background and details. 4 | 5 | This objects can be visualized by the [Policy Reporter UI](../../integrations/policy-reporter/). 6 | 7 | ### Installing 8 | 9 | Add the PolicyReport CRDs to your cluster (v1alpha2): 10 | ```yaml 11 | kubectl create -f https://github.com/kubernetes-sigs/wg-policy-prototypes/raw/master/policy-report/crd/v1alpha2/wgpolicyk8s.io_clusterpolicyreports.yaml 12 | ``` 13 | 14 | !!! note 15 | If you installed the trivy-operator by the helm chart the Cluster Policy Report Custom Resource Definition is installed automatically. 
--------------------------------------------------------------------------------
/docs/crds/cluster-scanner.md:
--------------------------------------------------------------------------------
# ClusterScanner

The ClusterScanner Custom Resource is the main configuration object for the trivy-operator's Kubernetes CIS scans.

The following example object is configured to:

* run the CIS benchmark scan every hour (`crontab: '00 * * * *'`)
* use the `cis-1.23` scan profile
* enable the DefectDojo integration

```yaml
apiVersion: trivy-operator.devopstales.io/v1
kind: ClusterScanner
metadata:
  name: main-config
spec:
  crontab: "00 * * * *"
  scanProfileName: "cis-1.23"
  integrations:
    defectdojo:
      host: "https://defectdojo.rancher-desktop.intra"
      api_key: "<defectdojo-api-key>"
      k8s-cluster-name: "eks-prod"
```

!!! warning
    The DefectDojo `api_key` is stored in plain text in the ClusterScanner spec. The resource is cluster-scoped, so anyone with read access to ClusterScanner objects can recover the key: restrict that RBAC accordingly, never commit a real key in this file, and point `host` only at an HTTPS endpoint so the key is not sent in the clear.

The following list shows the ClusterScanner objects listed by the kubectl cli:

```bash
kubectl get cs-scan
NAME          CLUSTERSCANPROFILE   CRONTAB
main-config   cis-1.23             00 * * * *
```
--------------------------------------------------------------------------------
/docs/crds/index.md:
--------------------------------------------------------------------------------
# Overview

The trivy-operator uses CustomResourceDefinitions (CRDs).
These are the following:

| NAME | SHORTNAMES | APIGROUP | NAMESPACED |
|-------------------------------|---------------------------------------------------------|------------------------|------------|
| [NamespaceScanner](./namespace-scanner.md) | ns-scan | trivy-operator.devopstales.io | true |
| [ClusterScanner](./cluster-scanner.md) | cs-scan | trivy-operator.devopstales.io | false |
| [VulnerabilityReport](./vulnerability-report.md) | vuln,vulns | trivy-operator.devopstales.io | true |
| [ClusterPolicyReport](./cluster-policy-report.md) | cpolr | wgpolicyk8s.io | false |
| [PolicyReport](./policy-report.md) | rpolr | wgpolicyk8s.io | true |

--------------------------------------------------------------------------------
/docs/crds/namespace-scanner.md:
--------------------------------------------------------------------------------
# NamespaceScanner

The NamespaceScanner Custom Resource is the main configuration object for the trivy-operator's vulnerability scans.

The following example object is configured to:

* run the vulnerability scan every hour (`crontab: '00 * * * *'`)
* scan only the namespaces carrying the `trivy-scan: "true"` label
* enable the DefectDojo integration and PolicyReport generation
* use the `registry` user/password entry to authenticate when pulling images from `registry.rancher-desktop.intra`
* use the `devopstales-dockerhub` image pull secret when pulling images

```yaml
apiVersion: trivy-operator.devopstales.io/v1
kind: NamespaceScanner
metadata:
  name: main-config
  namespace: trivy-operator
spec:
  crontab: '00 * * * *'
  namespace_selector: trivy-scan
  clusterWide: "false"
  integrations:
    policyreport: True
    defectdojo:
      host: "https://defectdojo.rancher-desktop.intra"
      api_key: "<defectdojo-api-key>"
  image_pull_secrets:
    - devopstales-dockerhub
  registry:
    - name: registry.rancher-desktop.intra
      user: "user"
      password: "password"
      insecure: true
```

!!! warning
    The registry `password` and the DefectDojo `api_key` are stored in plain text in the NamespaceScanner spec and are visible to anyone who can read NamespaceScanner objects in that namespace. Prefer `image_pull_secrets`, which references an existing Kubernetes Secret, over inline `registry` credentials, and keep real values out of version control. `insecure: true` appears to disable TLS verification for that registry — confirm the exact behaviour against the operator source and use it only for lab registries.

The following list shows the NamespaceScanner objects listed by the kubectl cli:

```bash
kubectl get ns-scan
NAMESPACE        NAME          NAMESPACESELECTOR   CRONTAB      MESSAGE
trivy-operator   main-config   trivy-scan          00 * * * *
```
--------------------------------------------------------------------------------
/docs/crds/policy-report.md:
--------------------------------------------------------------------------------
# PolicyReport

The [PolicyReport](https://github.com/kubernetes-sigs/wg-policy-prototypes/tree/master/policy-report) object is a prototype object proposed by the Kubernetes policy work group. The Policy Report Custom Resource Definition (CRD) can be used as a common way to provide policy results to Kubernetes cluster administrators and users, using native tools. See the [proposal](https://docs.google.com/document/d/1nICYLkYS1RE3gJzuHOfHeAC25QIkFZfgymFjgOzMDVw/edit#) for background and details.

These objects can be visualized by the [Policy Reporter UI](../../integrations/policy-reporter/).

### Installing

Add the PolicyReport CRDs to your cluster (v1alpha2). This pulls the CRD from the `master` branch; pin the URL to a release tag or commit for reproducible installs:
```yaml
kubectl create -f https://github.com/kubernetes-sigs/wg-policy-prototypes/raw/master/policy-report/crd/v1alpha2/wgpolicyk8s.io_policyreports.yaml
```

!!! note
    If you installed the trivy-operator by the helm chart the Policy Report Custom Resource Definition is installed automatically.
--------------------------------------------------------------------------------
/docs/functions/cis-benchmark.md:
--------------------------------------------------------------------------------
# Kubernetes CIS Benchmark

## What is Kubernetes CIS Benchmark?

The Kubernetes CIS Benchmark is published by the Center for Internet Security (CIS), a not-for-profit organization that publishes cybersecurity best practices.

CIS Benchmark best practices are an important first step to securing Kubernetes in production by hardening Kubernetes environments. Several open source and commercial tools are available that automatically check Kubernetes clusters to see whether they are in line with the controls outlined in the benchmark, and flag any non-compliant configurations.

Trivy-operator uses kube-bench to scan the Kubernetes cluster and create CIS Benchmark reports.

## Example Deploy:

To enable the CIS Benchmark scanning function you need to create a [ClusterScanner](/trivy-operator/crds/cluster-scanner/).
--------------------------------------------------------------------------------
/docs/functions/image-validator.md:
--------------------------------------------------------------------------------
# Trivy Image Validator

## Admission Controller
The admission controller function can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. The admission controller checks the image using trivy if it is in a namespace with the label `trivy-operator-validation=true`.

## Example Deploy:
You can define a policy for the Admission Controller by adding annotations to the pod through the deployment:

```
spec:
  ...
  template:
    metadata:
      annotations:
        trivy.security.devopstales.io/medium: "5"
        trivy.security.devopstales.io/low: "10"
        trivy.security.devopstales.io/critical: "2"
  ...
```

!!! note
    Only Pods created in namespaces labelled `trivy-operator-validation=true` are checked; everything else is admitted without a scan. The annotation values appear to be per-severity vulnerability counts (presumably the maximum tolerated before the Pod is rejected) — confirm the exact semantics against the operator source. Whether Pods are admitted or rejected while the operator is unreachable is decided by the `failurePolicy` of the ValidatingWebhookConfiguration installed by the chart; review it before enabling validation on production namespaces.
--------------------------------------------------------------------------------
/docs/img/application-settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devopstales/trivy-operator/cf8f3c137728e40215c8c248ac2918e2de40bd15/docs/img/application-settings.png
--------------------------------------------------------------------------------
/docs/img/cluster_policy_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devopstales/trivy-operator/cf8f3c137728e40215c8c248ac2918e2de40bd15/docs/img/cluster_policy_report.png
--------------------------------------------------------------------------------
/docs/img/duplication-settings.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devopstales/trivy-operator/cf8f3c137728e40215c8c248ac2918e2de40bd15/docs/img/duplication-settings.png
--------------------------------------------------------------------------------
/docs/img/policy_report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devopstales/trivy-operator/cf8f3c137728e40215c8c248ac2918e2de40bd15/docs/img/policy_report.png
--------------------------------------------------------------------------------
/docs/img/trivy-exporter.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devopstales/trivy-operator/cf8f3c137728e40215c8c248ac2918e2de40bd15/docs/img/trivy-exporter.png
--------------------------------------------------------------------------------
/docs/img/trivy-operator-OH.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devopstales/trivy-operator/cf8f3c137728e40215c8c248ac2918e2de40bd15/docs/img/trivy-operator-OH.png
--------------------------------------------------------------------------------
/docs/img/trivy-operator-OH2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/devopstales/trivy-operator/cf8f3c137728e40215c8c248ac2918e2de40bd15/docs/img/trivy-operator-OH2.png
--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
# What is trivy-operator?

Trivy-operator is a Kubernetes Operator based on the open-source container vulnerability scanner [Trivy](https://aquasecurity.github.io/trivy/). The goal of this project is to provide a vulnerability scanner that continuously scans containers deployed in a Kubernetes cluster. [Built with Kubernetes Operator Pythonic Framework (Kopf)](https://github.com/nolar/kopf). There are a few solutions for checking images at the moment you deploy them to the Kubernetes cluster, but fighting vulnerabilities is a day-to-day task: checking an image once is not enough, because new vulnerabilities are published against already-running images every day. That is why I created trivy-operator, so you can run scheduled image scans on your running pods.
-------------------------------------------------------------------------------- /docs/installation.md: -------------------------------------------------------------------------------- 1 | # Installation 2 | 3 | ## Helm 4 | 5 | [Helm], which is a popular package manager for Kubernetes, allows installing applications from parameterized 6 | YAML manifests called Helm [charts]. 7 | 8 | ### Installing from the DevOpsTales Chart Repository 9 | 10 | ``` 11 | helm repo add devopstales https://devopstales.github.io/helm-charts 12 | helm repo update 13 | helm upgrade --install trivy-operator devopstales/trivy-operator 14 | ``` 15 | 16 | > **Tip**: List all releases using `helm list`. 17 | 18 | ### Advanced Configuration 19 | 20 | The command deploys trivy-operator on the Kubernetes cluster in the default configuration. The [Parameters](/trivy-operator/configuration/) 21 | section lists the parameters that can be configured during installation. 22 | 23 | ### Uninstall 24 | 25 | You can uninstall the operator with the following command: 26 | 27 | ``` 28 | helm uninstall trivy-operator 29 | ``` 30 | 31 | You have to manually delete custom resource definitions an the validating webhook configurations created by the `helm install` command: 32 | 33 | !!! danger 34 | Deleting custom resource definitions will also delete all security reports generated by the operator. 

```
kubectl delete crd namespace-scanners.trivy-operator.devopstales.io
kubectl delete crd vulnerabilityreports.trivy-operator.devopstales.io
```

!!! note
    These two commands do not cover the ClusterScanner CRD or the `wgpolicyk8s.io` PolicyReport/ClusterPolicyReport CRDs that the chart also installs. List what is left with `kubectl get crd | grep -e devopstales -e wgpolicyk8s` before deleting, and keep the `wgpolicyk8s.io` CRDs if another tool (e.g. Kyverno / Policy Reporter) still uses them.

```
kubectl delete validatingwebhookconfigurations trivy-image-validator.devopstales.io
```

!!! warning
    Delete the webhook configuration promptly after uninstalling: once the operator pods are gone, the API server can no longer reach the admission webhook, and depending on its `failurePolicy` Pod creation in namespaces labelled for validation may be rejected until the configuration is removed.

## OperatorFramework

With the release of trivy-operator 2.3 I published trivy-operator with OperatorFramework to OperatorHub:

![OperatorHub1](img/trivy-operator-OH.png)

![OperatorHub2](img/trivy-operator-OH2.png)

[Helm]: https://helm.sh/docs/helm/helm/#helm
[charts]: https://helm.sh/docs/topics/charts/
--------------------------------------------------------------------------------
/docs/integrations/defectdojo.md:
--------------------------------------------------------------------------------
# DefectDojo

DefectDojo is an Open-Source DevSecOps and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, triage vulnerabilities and push findings to systems like JIRA and Slack. DefectDojo enriches and refines vulnerability data using a number of heuristic algorithms that improve the more you use the platform.

## Install with Helm chart

```bash
helm repo add defectdojo 'https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/helm-charts'
helm repo update

helm upgrade --install \
  defectdojo \
  defectdojo/defectdojo \
  --set django.ingress.enabled=true \
  --set django.ingress.activateTLS=false \
  --set createSecret=true \
  --set createRabbitMqSecret=true \
  --set createRedisSecret=true \
  --set createMysqlSecret=true \
  --set createPostgresqlSecret=true \
  --set host=defectdojo.k8s.intra
```

!!! warning
    `django.ingress.activateTLS=false` serves the DefectDojo UI and API over plain HTTP, which is only acceptable for a throw-away lab. The operator sends its DefectDojo API key with every upload, so enable TLS on the ingress (and use an `https://` host in the integration below) for anything beyond a local test cluster.

To find out the password, run the following command (it prints the generated admin password to your terminal; change it after the first login and keep it out of shell history and tickets):

```bash
echo "DefectDojo admin password: $(kubectl \
  get secret defectdojo \
  --output jsonpath='{.data.DD_ADMIN_PASSWORD}' \
  | base64 --decode)"
```

Enable deduplication for findings:

Select the Gear icon and `Application Settings`:

![Application settings](../img/application-settings.png)

Then tick `Deduplicate findings`:

![Deduplicate findings](../img/duplication-settings.png)

### Enable DefectDojo integration for trivy-operator

To enable the DefectDojo integration for trivy-operator you need to enable it in the `NamespaceScanner` object (the `ClusterScanner` object takes the same `defectdojo` block for CIS results). Use a placeholder for the key in version control — the value is stored in plain text in the custom resource:

```yaml
integrations:
  policyreport: True
  defectdojo:
    host: "https://defectdojo.rancher-desktop.intra"
    api_key: "<defectdojo-api-key>"
```
--------------------------------------------------------------------------------
/docs/integrations/monitoring.md:
--------------------------------------------------------------------------------
# Monitoring

Trivy-operator exposes a Prometheus endpoint on port `9115` and can be deployed with a `ServiceMonitor` for automated scraping.

!!! warning
    In the examples below the endpoint is queried over plain HTTP without any credentials, and its metrics list every CVE found in every scanned image — useful reconnaissance data for an attacker. Restrict access to it (for example with a NetworkPolicy that only allows your Prometheus) and do not expose the Service outside the cluster.
You can enable monitoring in the helm chart: 4 | 5 | ```yaml 6 | monitoring: 7 | port: "9115" 8 | 9 | serviceMonitor: 10 | enabled: true 11 | namespace: "monitoring-system" 12 | ``` 13 | 14 | ```bash 15 | curl -s http://10.43.179.39:9115/metrics | grep trivy_vulnerabilities 16 | # HELP trivy_vulnerabilities_sum Container vulnerabilities 17 | # TYPE trivy_vulnerabilities_sum gauge 18 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/openshift/mysql-56-centos7:latest",severity="scanning_error"} 1.0 19 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",severity="UNKNOWN"} 0.0 20 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",severity="LOW"} 83.0 21 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",severity="MEDIUM"} 5.0 22 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",severity="HIGH"} 7.0 23 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",severity="CRITICAL"} 4.0 24 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/library/nginx:1.18",severity="UNKNOWN"} 0.0 25 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/library/nginx:1.18",severity="LOW"} 126.0 26 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/library/nginx:1.18",severity="MEDIUM"} 25.0 27 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/library/nginx:1.18",severity="HIGH"} 43.0 28 | trivy_vulnerabilities_sum{exported_namespace="trivytest",image="docker.io/library/nginx:1.18",severity="CRITICAL"} 21.0 29 | # HELP trivy_vulnerabilities Container vulnerabilities 30 | # TYPE trivy_vulnerabilities gauge 31 | 
trivy_vulnerabilities{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",installedVersion="2.2.4",pkgName="pkgName",severity="LOW",vulnerabilityId="CVE-2011-3374"} 1.0 32 | trivy_vulnerabilities{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",installedVersion="8.32-4",pkgName="pkgName",severity="LOW",vulnerabilityId="CVE-2016-2781"} 1.0 33 | trivy_vulnerabilities{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",installedVersion="8.32-4",pkgName="pkgName",severity="LOW",vulnerabilityId="CVE-2017-18018"} 1.0 34 | trivy_vulnerabilities{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",installedVersion="7.74.0-1.3",pkgName="pkgName",severity="CRITICAL",vulnerabilityId="CVE-2021-22945"} 1.0 35 | trivy_vulnerabilities{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",installedVersion="7.74.0-1.3",pkgName="pkgName",severity="HIGH",vulnerabilityId="CVE-2021-22946"} 1.0 36 | trivy_vulnerabilities{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",installedVersion="7.74.0-1.3",pkgName="pkgName",severity="MEDIUM",vulnerabilityId="CVE-2021-22947"} 1.0 37 | trivy_vulnerabilities{exported_namespace="trivytest",image="docker.io/nginxinc/nginx-unprivileged:latest",installedVersion="7.74.0-1.3",pkgName="pkgName",severity="LOW",vulnerabilityId="CVE-2021-22898"} 1.0 38 | ``` 39 | 40 | ```bash 41 | curl -s http://10.43.179.39:9115/metrics | grep ac_vulnerabilities 42 | 43 | # HELP ac_vulnerabilities Admission Controller vulnerabilities 44 | # TYPE ac_vulnerabilities gauge 45 | ac_vulnerabilities{exported_namespace="trivytest",image="nginxinc/nginx-unprivileged:latest",severity="UNKNOWN"} 0.0 46 | ac_vulnerabilities{exported_namespace="trivytest",image="nginxinc/nginx-unprivileged:latest",severity="LOW"} 83.0 47 | 
ac_vulnerabilities{exported_namespace="trivytest",image="nginxinc/nginx-unprivileged:latest",severity="MEDIUM"} 6.0 48 | ac_vulnerabilities{exported_namespace="trivytest",image="nginxinc/nginx-unprivileged:latest",severity="HIGH"} 6.0 49 | ac_vulnerabilities{exported_namespace="trivytest",image="nginxinc/nginx-unprivileged:latest",severity="CRITICAL"} 4.0 50 | ``` 51 | 52 | ![trivy-exporter](../img/trivy-exporter.png) 53 | -------------------------------------------------------------------------------- /docs/integrations/policy-reporter.md: -------------------------------------------------------------------------------- 1 | # Policy Reporter UI 2 | 3 | The [Policy Reporter UI](https://github.com/kyverno/policy-reporter) is a monitoring and Observability Tool for the PolicyReport CRD with an optional UI. It is created by Kyverno. The main goal was a tool to visualize the resolutes of the Kyverno policies, but because it uses the [PolicyReports](../..//crds/policy-report/) CRD it can visualize the resolutes of the trivy-operator scans. 4 | 5 | ### Installation with Helm v3 6 | 7 | ```bash 8 | helm repo add policy-reporter https://kyverno.github.io/policy-reporter 9 | helm repo update 10 | 11 | helm install policy-reporter policy-reporter/policy-reporter \ 12 | --set kyvernoPlugin.enabled=true --set ui.enabled=true --set ui.plugins.kyverno=true \ 13 | -n policy-reporter --create-namespace 14 | 15 | kubectl port-forward service/policy-reporter-ui 8082:8080 -n policy-reporter 16 | ``` 17 | 18 | Open `http://localhost:8082/` in your browser. 

### VulnerabilityReports
![VulnerabilityReports](../img/policy_report.png)

### ClusterVulnerabilityReports
![ClusterVulnerabilityReports](../img/cluster_policy_report.png)
--------------------------------------------------------------------------------
/docs/quickstart.md:
--------------------------------------------------------------------------------
# Quick Start

## Before you Begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your
cluster. If you do not already have a cluster, you can create one by installing [minikube], [kind] or [microk8s], or you can use the following [Kubernetes playground].

You also need the Trivy-Operator to be installed with [Helm](./installation.md).

## Workloads Scanning

Let's create a Deployment that we know is vulnerable:

```
kubectl apply -f https://raw.githubusercontent.com/devopstales/trivy-operator/main/deploy/kubernetes/10_demo.yaml
```

!!! warning
    This manifest is intentionally vulnerable and is fetched unpinned from the `main` branch. Review it before applying it, and apply it only to a disposable test cluster — never to a shared or production one.

## Scheduled Image scans

By default, trivy-operator executes a scan every 5 minutes. It collects the images from all namespaces carrying the label `trivy-scan=true` and checks these images for vulnerabilities with trivy. You can label an existing namespace with the following command:

```
kubectl label namespaces guestbook-demo trivy-scan=true
```

## Reports
If enabled, the operator creates a VulnerabilityReport and a PolicyReport for each different container.

```
kubectl get vulnerabilityreports -n trivytest
```

34 | Result 35 | ``` 36 | NAME REPOSITORY TAG AGE STATUS 37 | pod-nginx-container-init library/alpine latest 18m OK 38 | pod-nginx-container-init2 library/ubuntu latest 18m OK 39 | pod-nginx-container-nginx library/nginx latest 18m OK 40 | ``` 41 |
42 | 43 | ``` 44 | kubectl get policyreports -n trivytest 45 | ``` 46 | 47 |
48 | Result 49 | ``` 50 | NAME PASS FAIL WARN ERROR SKIP AGE 51 | trivy-vuln-pod-nginx-container-init 1 0 0 0 0 17m 52 | trivy-vuln-pod-nginx-container-init2 0 0 21 0 0 17m 53 | trivy-vuln-pod-nginx-container-nginx 0 32 106 0 0 17m 54 | ``` 55 |
56 | 57 | !!! tip 58 | You can get and describe `vulnerabilityreports` and `policyreports` as built-in Kubernetes objects: 59 | ``` 60 | kubectl get vulnerabilityreport pod-nginx-container-init -o json 61 | kubectl describe policyreport trivy-vuln-pod-nginx-container-init 62 | ``` 63 | 64 | Notice that scan reports generated by the operator are controlled by Kubernetes workloads. 65 | 66 | ``` 67 | kubectl tree pod nginx -n trivytest 68 | ``` 69 | 70 |
71 | Result 72 | ``` 73 | NAMESPACE NAME READY REASON AGE 74 | trivytest Pod/nginx True 4h40m 75 | trivytest ├─CiliumEndpoint/nginx - 4h40m 76 | trivytest ├─PolicyReport/trivy-vuln-pod-nginx-container-init - 20m 77 | trivytest ├─PolicyReport/trivy-vuln-pod-nginx-container-init2 - 20m 78 | trivytest ├─PolicyReport/trivy-vuln-pod-nginx-container-nginx - 20m 79 | trivytest ├─VulnerabilityReport/pod-nginx-container-init - 20m 80 | trivytest ├─VulnerabilityReport/pod-nginx-container-init2 - 20m 81 | trivytest └─VulnerabilityReport/pod-nginx-container-nginx - 20m 82 | ``` 83 |
84 | 85 | !!! note 86 | The [tree] command is a kubectl plugin to browse Kubernetes object hierarchies as a tree. 87 | 88 | ## Policy Reporter UI Screenshots 89 | 90 | VulnerabilityReports 91 | ![VulnerabilityReports](img/policy_report.png) 92 | 93 | 94 | 95 | [minikube]: https://minikube.sigs.k8s.io/docs/ 96 | [kind]: https://kind.sigs.k8s.io/docs/ 97 | [microk8s]: https://microk8s.io/ 98 | [Kubernetes playground]: http://labs.play-with-k8s.com/ 99 | [tree]: https://github.com/ahmetb/kubectl-tree 100 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: trivy-operator 2 | site_description: Kubernetes Operator based on the open-source container vulnerability scanner Trivy. 3 | site_url: https://devopstales.github.io/trivy-operator/ 4 | docs_dir: docs/ 5 | repo_name: GitHub 6 | repo_url: https://github.com/devopstales/trivy-operator 7 | edit_uri: "" 8 | 9 | nav: 10 | - Overview: index.md 11 | - Quick Start: quickstart.md 12 | - Installation: installation.md 13 | - Configuration: configuration.md 14 | - Functions: 15 | - CIS Benchmark: functions/cis-benchmark.md 16 | - Admission Controller: functions/image-validator.md 17 | - Air-Gapped Environment: functions/airgap-mode.md 18 | - Integrations: 19 | - Monitoring: integrations/monitoring.md 20 | - Policy Reporter: integrations/policy-reporter.md 21 | - DefectDojo: integrations/defectdojo.md 22 | - Custom Resource Definitions: 23 | - Overview: crds/index.md 24 | - NamespaceScanner: crds/namespace-scanner.md 25 | - ClusterScanner: crds/cluster-scanner.md 26 | - VulnerabilityReport: crds/vulnerability-report.md 27 | - PolicyReport: crds/policy-report.md 28 | - ClusterPolicyReport: crds/cluster-policy-report.md 29 | 30 | 31 | theme: 32 | name: material 33 | language: "en" 34 | 35 | markdown_extensions: 36 | - pymdownx.highlight 37 | - pymdownx.superfences 38 | - admonition 39 | - 
footnotes 40 | - attr_list 41 | - pymdownx.tabbed 42 | - def_list 43 | - pymdownx.details 44 | 45 | extra: 46 | generator: false 47 | version: 48 | default: latest 49 | method: mike 50 | provider: mike 51 | 52 | plugins: 53 | - search 54 | - macros 55 | --------------------------------------------------------------------------------