Available in:  EE

The module lifecycle stageGeneral Availability
The module has requirements for installation

How to explicitly enable the module…

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the operator-trivy module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example:

    Module enable/disable interface

  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command for enabling, or d8 system module disable command for disabling the module (you need Deckhouse CLI (d8), configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable operator-trivy

  • Using ModuleConfig operator-trivy.

    Set spec.enabled to true or false in ModuleConfig operator-trivy (create it if necessary);

    Example of a manifest to enable module operator-trivy:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  enabled: true

How to configure the module…

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the operator-trivy module and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.

    Example:

    Module Setup Interface

    You can also edit the ModuleConfig object operator-trivy on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module operator-trivy) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig operator-trivy (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc operator-trivy

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a file with manifest for ModuleConfig operator-trivy using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>

    Example of a manifest for ModuleConfig operator-trivy:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # Module parameters from the "Parameters" section below.

How to change the module release channel…

To change the module release channel, follow the instruction.

Requirements

To the Deckhouse version: 1.75 and above.

Parameters

Schema version: 1

  • settings
    object
    • settings.additionalRegistryCA
      array of objects

      List of registry CA certificates for connecting to private registries.

      If it is necessary to specify a certificate with an intermediate certificate, the chain is specified without additional line breaks.

      Example: 


      additionalRegistryCA:
  - name: example CA
    ca: |
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
  - name: CA with intermediate CA
    ca: |
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
      • settings.additionalRegistryCA.ca
        string
      • settings.additionalRegistryCA.name
        string
    • settings.additionalVulnerabilityReportFields
      array of strings
      A list of additional fields from the vulnerability database to add to the VulnerabilityReport.

      Example: 


      additionalVulnerabilityReportFields:
- Class
- Target
    • settings.concurrentScanJobsLimit
      integer
      Maximum number of scan jobs that the operator can run concurrently.

      Default: 10

      Allowed values: 1 <= X

      Examples: 


      concurrentScanJobsLimit: 3

      concurrentScanJobsLimit: 5

      concurrentScanJobsLimit: 10
    • settings.denyVulnerableImages
      object

      Settings to prohibit the creation of Pod/Deployment/StatefulSet/DaemonSet with vulnerable images in namespaces labeled security.deckhouse.io/trivy-provider: "".

      Note: This constraint is enforced only during admission (resource creation/update). Gatekeeper audit does not evaluate this constraint.

      Default: {}

      • settings.denyVulnerableImages.allowedSeverityLevels
        array of strings
        Images containing only vulnerabilities of specified severities will not be denied.
        • settings.denyVulnerableImages.allowedSeverityLevels.Element of the array
          string

          Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

      • settings.denyVulnerableImages.enabled
        boolean
        Deny use of vulnerable images in cluster namespaces labeled as security.deckhouse.io/trivy-provider: "".

        Default: false

      • settings.denyVulnerableImages.registrySecrets
        array of objects

        List of additional registry secrets to use for downloading images from private registries.

        By default, the deckhouse-registry secret is used to download images for scanning.

        Default: []

        • settings.denyVulnerableImages.registrySecrets.name
          string
        • settings.denyVulnerableImages.registrySecrets.namespace
          string
    • settings.disableSBOMGeneration
      boolean

      Disables SBOM reports generation.

      Warning. When this options is set to true, all current SBOM reports are deleted from the cluster (the cleanup is executed only once).

      Default: false

      Examples: 


      disableSBOMGeneration: true

      disableSBOMGeneration: false
    • settings.insecureDbRegistry
      boolean
      Allows Trivy to download vulnerability databases using insecure HTTPS connections (not passed TLS certificate verification) or HTTP connections.

      Default: false

      Examples: 


      insecureDbRegistry: true

      insecureDbRegistry: false
    • settings.insecureRegistries
      array of strings
      List of container registry addresses to which insecure HTTPS connections (not passed TLS certificate verification) or HTTP connections are allowed.

      Example: 


      insecureRegistries:
- my.registry.com
- http-only.registry.io
    • settings.linkCVEtoBDU
      boolean
      Converts CVE database vulnerability records to BDU (FSTEC Russia) database records.

      Default: false

      Examples: 


      linkCVEtoBDU: true

      linkCVEtoBDU: false
    • settings.nodeScanning
      object
      Configuration for node (host filesystem) vulnerability scanning. This feature scans the host filesystem of each Kubernetes node to detect OS package vulnerabilities.

      Default: {}

      • settings.nodeScanning.concurrentLimit
        integer
        Maximum number of concurrent node scan jobs.

        Default: 1

        Allowed values: 1 <= X

        Examples: 


        concurrentLimit: 1

        concurrentLimit: 2

        concurrentLimit: 3
      • settings.nodeScanning.enabled
        boolean

        Enables node vulnerability scanning.

        When enabled, the operator will scan the host filesystem of each node for OS package vulnerabilities.

        Default: false

        Examples: 


        enabled: true

        enabled: false
      • settings.nodeScanning.hideUnfixedCVEs
        boolean

        When true, only report vulnerabilities that have a fix available.

        This significantly reduces report size but hides unfixed vulnerabilities.

        Default: false

        Examples: 


        hideUnfixedCVEs: true

        hideUnfixedCVEs: false
      • settings.nodeScanning.nodeSelector
        object
        Filter nodes by labels. Only nodes matching all labels will be scanned.

        Default: {}

        Examples: 


        node-role.kubernetes.io/worker: ""

        env: production
      • settings.nodeScanning.pkgTypes
        array of strings

        List of package types to scan:

        • os — OS packages;
        • library — application libraries.

        Default: [ "os" ]

        Examples: 


        pkgTypes:
- os

        pkgTypes:
- os
- library
        • settings.nodeScanning.pkgTypes.Element of the array
          string

          Allowed values: os, library

      • settings.nodeScanning.scanners
        array of strings

        List of scanners to use for node scanning:

        • vuln — vulnerability scanner;
        • secret — secret scanner.

        Default: [ "vuln" ]

        Examples: 


        scanners:
- vuln

        scanners:
- vuln
- secret
        • settings.nodeScanning.scanners.Element of the array
          string

          Allowed values: vuln, secret

      • settings.nodeScanning.severities
        array of strings

        Filter vulnerabilities by severity.

        Warning. Without filtering, reports can exceed etcd’s 3MB object size limit on nodes with many packages.

        Default: [ "CRITICAL", "HIGH" ]

        Examples: 


        severities:
- CRITICAL
- HIGH

        severities:
- CRITICAL
- HIGH
- MEDIUM
        • settings.nodeScanning.severities.Element of the array
          string

          Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

      • settings.nodeScanning.skipDirs
        array of strings

        List of directories to skip during node scanning.

        By default, container runtime directories and virtual filesystems are excluded.

        Default: [ "/proc", "/sys", "/dev", "/run", "/var/lib/containerd", "/var/lib/docker", "/var/lib/kubelet/pods" ]

        Example: 


        skipDirs:
- /proc
- /sys
- /dev
      • settings.nodeScanning.timeout
        string

        Timeout for node scan jobs.

        If not set, the default scan job timeout is used.

        Default:

        Examples: 


        timeout: 10m

        timeout: 30m
    • settings.nodeSelector
      object

      Optional nodeSelector for operator-trivy and scan jobs.

      The same as spec.nodeSelector for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example: 


      disktype: ssd
    • settings.reportResourceLabels
      array of strings

      A list of additional labels for marking Trivy’s reports (VulnerabilityReport).

      The values of these labels will correspond to the values of the scanned resources’ labels.

      Examples: 


      reportResourceLabels: app

      reportResourceLabels: env
    • settings.scanJobResources
      object

      Resource requests/limits for scan jobs (ScanJob pods).

      If the parameter is omitted, the module uses the default values (as it did before this setting existed). If the parameter is specified, you may set only some of the fields (e.g. only memory) — unspecified fields will not be forced by the module.

      Default: {}

      Example: 


      limits:
  cpu: 500m
  memory: 500M
requests:
  cpu: 100m
  memory: 100M
      • settings.scanJobResources.limits
        object

        Default: {}

        • settings.scanJobResources.limits.cpu
          string

          Examples: 


          cpu: 500m

          cpu: "1"
        • settings.scanJobResources.limits.memory
          string

          Examples: 


          memory: 500M

          memory: 1Gi
      • settings.scanJobResources.requests
        object

        Default: {}

        • settings.scanJobResources.requests.cpu
          string

          Examples: 


          cpu: 100m

          cpu: 250m
        • settings.scanJobResources.requests.memory
          string

          Examples: 


          memory: 100M

          memory: 256Mi
    • settings.severities
      array of strings
      Filter vulnerability reports by their severities.

      Examples: 


      severities:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- UNKNOWN

      severities:
- CRITICAL
- HIGH
      • settings.severities.Element of the array
        string

        Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

    • settings.storageClass
      string

      The name of StorageClass that will be used in the cluster by default.

      If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.

      The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.

      Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

      If false is specified, emptyDir will be forced to be used.

      Examples: 


      storageClass: ceph-ssd

      storageClass: "false"
    • settings.tolerations
      array of objects

      Optional tolerations for operator-trivy and scan jobs.

      The same as spec.tolerations for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example: 


      effect: NoSchedule
key: key1
operator: Equal
value: value1
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string
    • settings.useVEXFromOCI
      boolean
      Search OCI registry for VEX Attestations of scanned images and suppress reporting of vulnerabilities declared in them.

      Default: true

      Examples: 


      useVEXFromOCI: true

      useVEXFromOCI: false