The module is not enabled by default in any bundles.
The module is configured using the ModuleConfig custom resource named operator-trivy
(learn more about setting up Deckhouse…).
Example of the ModuleConfig/operator-trivy resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- settings
- settings.additionalRegistryCA
List of registry CA certificates for connecting to private registries.
If a certificate must be supplied together with its intermediate certificate, put the whole chain into the ca field without extra line breaks between the PEM blocks.
Example:
additionalRegistryCA:
  - name: example CA
    ca: |
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
  - name: CA with intermediate CA
    ca: |
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
- settings.additionalRegistryCA.ca
- settings.additionalRegistryCA.name
- settings.additionalVulnerabilityReportFields
A list of additional fields from the vulnerability database to add to the VulnerabilityReport.
Example:
additionalVulnerabilityReportFields:
  - Class
  - Target
- settings.disableSBOMGeneration
Disables generation of SBOM reports.
Warning. When this option is set to true, all current SBOM reports are deleted from the cluster (the cleanup is executed only once).
Default:
false
Examples:
disableSBOMGeneration: true
disableSBOMGeneration: false
- settings.insecureDbRegistry
Allows Trivy to download vulnerability databases over insecure HTTPS connections (TLS certificate verification is skipped) or over plain HTTP.
Default:
false
Examples:
insecureDbRegistry: true
insecureDbRegistry: false
- settings.insecureRegistries
List of container registry addresses to which insecure HTTPS connections (TLS certificate verification is skipped) or plain HTTP connections are allowed.
Example:
insecureRegistries:
  - my.registry.com
  - http-only.registry.io
- settings.linkCVEtoBDU
Converts vulnerability reports by linking CVE records from the vulnerability database to the corresponding BDU database records.
Default:
false
Examples:
linkCVEtoBDU: true
linkCVEtoBDU: false
- settings.nodeSelector
Optional nodeSelector for operator-trivy and scan jobs. The same as spec.nodeSelector for the Kubernetes pod.
If the parameter is omitted or false, it will be determined automatically.
Example:
nodeSelector:
  disktype: ssd
- settings.reportResourceLabels
A list of additional labels for marking Trivy's reports (VulnerabilityReport).
The values of these labels will correspond to the values of the same labels on the scanned resources.
Example:
reportResourceLabels:
  - app
  - env
- settings.severities
Filter vulnerability reports by their severities.
Example:
severities:
  - UNKNOWN
  - CRITICAL
- Element of the array
Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL
- settings.storageClass
The name of the StorageClass that will be used in the cluster by default.
If the value is not specified, the StorageClass is chosen according to the global storageClass parameter.
The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.
Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning, and all data will be deleted.
If false is specified, emptyDir will be forced to be used.
Examples:
storageClass: ceph-ssd
storageClass: 'false'
- settings.tolerations
Optional tolerations for operator-trivy and scan jobs. The same as spec.tolerations for the Kubernetes pod.
If the parameter is omitted or false, it will be determined automatically.
Example:
tolerations:
  - key: key1
    operator: Equal
    value: value1
    effect: NoSchedule
- settings.tolerations.effect
- settings.tolerations.key
- settings.tolerations.operator
- settings.tolerations.tolerationSeconds
- settings.tolerations.value
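A complete ModuleConfig/operator-trivy that combines the parameters above, added here as an illustration and not taken from the Deckhouse documentation. The CA name, label keys, node label, toleration values and StorageClass name are made-up placeholders, and the PEM body must be replaced with the real registry CA certificate.

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings:
    # Trust the private registry's CA explicitly instead of listing the
    # registry in insecureRegistries, so TLS verification stays on.
    additionalRegistryCA:
      - name: internal-registry-ca   # placeholder name
        ca: |
          -----BEGIN CERTIFICATE-----
          <placeholder: paste the PEM body of the registry CA here>
          -----END CERTIFICATE-----
    # Keep certificate verification for database downloads and registries.
    insecureDbRegistry: false
    insecureRegistries: []
    # Report only findings that require action.
    severities:
      - HIGH
      - CRITICAL
    additionalVulnerabilityReportFields:
      - Class
      - Target
    # Copy these labels from scanned workloads onto their VulnerabilityReports
    # so reports can be filtered per application/environment (placeholder keys).
    reportResourceLabels:
      - app
      - env
    # Pin the operator and scan jobs to a dedicated node pool (placeholder values).
    nodeSelector:
      dedicated: security
    tolerations:
      - key: dedicated
        operator: Equal
        value: security
        effect: NoSchedule
    # Placeholder class; changing it later re-provisions the disk and deletes its data.
    storageClass: ceph-ssd
```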