The operator-trivy module: configuration

Available in editions: EE

Experimental version. The functionality may undergo significant changes. Compatibility with future versions is not guaranteed.

The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/operator-trivy resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

by using the ModuleConfig resource:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  enabled: true

by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable operator-trivy

Example of disabling the module:

by using the ModuleConfig resource:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  enabled: false

by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable operator-trivy

The module is configured using the ModuleConfig custom resource named operator-trivy (learn more about setting up Deckhouse…).

Example of the ModuleConfig/operator-trivy resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

settings
object
- settings.additionalRegistryCA
  array of objects
  List of registry CA certificates for connecting to private registries.
  
  If it is necessary to specify a certificate with an intermediate certificate, the chain is specified without additional line breaks.
  
  Example:
  additionalRegistryCA: - name: example CA ca: | -----BEGIN CERTIFICATE----- ................. -----END CERTIFICATE----- - name: CA with intermediate CA ca: | -----BEGIN CERTIFICATE----- ................. -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ................. -----END CERTIFICATE-----
  - settings.additionalRegistryCA.ca
    string
  - settings.additionalRegistryCA.name
    string
- settings.additionalVulnerabilityReportFields
  array of strings
  A list of additional fields from the vulnerability database to add to the VulnerabilityReport.
  
  Example:
  additionalVulnerabilityReportFields: - Class - Target
- settings.disableSBOMGeneration
  boolean
  Disables SBOM reports generation.
  
  Warning. When this options is set to true, all current SBOM reports are deleted from the cluster (the cleanup is executed only once).
  
  Default: false
  Examples:
  disableSBOMGeneration: true
  disableSBOMGeneration: false
- settings.insecureDbRegistry
  boolean
  Allows Trivy to download vulnerability databases using insecure HTTPS connections (not passed TLS certificate verification) or HTTP connections.
  
  Default: false
  Examples:
  insecureDbRegistry: true
  insecureDbRegistry: false
- settings.insecureRegistries
  array of strings
  List of container registry addresses to which insecure HTTPS connections (not passed TLS certificate verification) or HTTP connections are allowed.
  
  Example:
  insecureRegistries: - my.registry.com - http-only.registry.io
- settings.linkCVEtoBDU
  boolean
  Convert vulnerability reports. Convert CVE database vulnerabilities to BDU database records.
  
  Default: false
  Examples:
  linkCVEtoBDU: true
  linkCVEtoBDU: false
- settings.nodeSelector
  object
  Optional nodeSelector for operator-trivy and scan jobs.
  
  The same as spec.nodeSelector for the Kubernetes pod.
  
  If the parameter is omitted or false, it will be determined automatically.
  
  Example:
  nodeSelector: disktype: ssd
- settings.reportResourceLabels
  array of strings
  A list of additional labels for marking Trivi’s reports (VulnerabilityReport).
  
  The values of these labels will correspond to the values of the scanned resources’ labels.
  
  Example:
  reportResourceLabels: - app - env
- settings.severities
  array of strings
  Filter vulnerability reports by their severities.
  
  Example:
  severities: - UNKNOWN - CRITICAl
  - Element of the array
    string
    Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL
- settings.storageClass
  string
  The name of StorageClass that will be used in the cluster by default.
  
  If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.
  
  The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.
  
  Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.
  
  If false is specified, emptyDir will be forced to be used.
  
  Examples:
  storageClass: ceph-ssd
  storageClass: 'false'
- settings.tolerations
  array of objects
  Optional tolerations for operator-trivy and scan jobs.
  
  The same as spec.tolerations for the Kubernetes pod.
  
  If the parameter is omitted or false, it will be determined automatically.
  
  Example:
  tolerations: - key: key1 operator: Equal value: value1 effect: NoSchedule
  - settings.tolerations.effect
    string
  - settings.tolerations.key
    string
  - settings.tolerations.operator
    string
  - settings.tolerations.tolerationSeconds
    integer
  - settings.tolerations.value
    string

The operator-trivy module: configuration

Parameters

Request trial access

Thank you

Error

Request callback

Thank you

Something went wrong

Book your sessions

Thank you

Error

Request demo

Thank you

Error

Get the PCI SSC Compliance Report

Thank you

Error