This feature is available in Enterprise Edition only.
This feature is actively developed. It might significantly change in the future.

The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/operator-trivy resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      enabled: true
    
  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module enable operator-trivy
    

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      enabled: false
    
  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module disable operator-trivy
    

The module is configured using the ModuleConfig custom resource named operator-trivy (learn more about setting up Deckhouse…).

Example of the ModuleConfig/operator-trivy resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • linkCVEtoBDUboolean

    Convert vulnerability reports. Convert CVE database vulnerabilities to BDU database records.

    Default: false

    Examples:

    linkCVEtoBDU: true
    
    linkCVEtoBDU: false
    
  • nodeSelectorobject

    Optional nodeSelector for operator-trivy and scan jobs.

    The same as spec.nodeSelector for the Kubernetes pod.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    nodeSelector:
      disktype: ssd
    
  • severitiesarray of strings

    Filter vulnerability reports by their severities.

    • Element of the arraystring

      Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

  • storageClassstring

    The name of the StorageClass to use.

    false — forces the emptyDir usage. Manually delete the old PVC and restart Pod, after setting the parameter.

    Examples:

    storageClass: ceph-ssd
    
    storageClass: 'false'
    
  • tolerationsarray of objects

    Optional tolerations for operator-trivy and scan jobs.

    The same as spec.tolerations for the Kubernetes pod.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    tolerations:
    - key: key1
      operator: Equal
      value: value1
      effect: NoSchedule
    
    • tolerations.effectstring
    • tolerations.keystring
    • tolerations.operatorstring
    • tolerations.tolerationSecondsinteger
    • tolerations.valuestring