Available in:  EE

Module lifecycle stage: General Availability
The module has requirements for installation

How to explicitly enable the module

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the operator-trivy module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example: [screenshot: Module enable/disable interface]
  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command to enable the module, or d8 system module disable to disable it (requires Deckhouse CLI (d8) configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable operator-trivy
  • Using ModuleConfig operator-trivy.

    Set spec.enabled to true or false in ModuleConfig operator-trivy (create it if necessary).

    Example of a manifest to enable module operator-trivy:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      enabled: true

How to configure the module

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the operator-trivy module and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.

    Example: [screenshot: Module Setup Interface]

    You can also edit the ModuleConfig object operator-trivy on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module operator-trivy) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig operator-trivy (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc operator-trivy

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a manifest file for ModuleConfig operator-trivy using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>

    Example of a manifest for ModuleConfig operator-trivy:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      version: 2
      enabled: true
      settings: # Module parameters from the "Parameters" section below.

How to change the module release channel

To change the module release channel, follow the instructions in the Deckhouse documentation.

Requirements

Deckhouse version: 1.75 or above.

Conversions

The module is configured using the ModuleConfig resource, the schema of which contains a version number. When you apply an old version of the ModuleConfig schema in a cluster, automatic transformations are performed. To manually update the ModuleConfig schema version, the following steps must be completed sequentially for each version:

  • Updates from version 1 to 2:

    nodeScanning.scanners and nodeScanning.pkgTypes now use PascalCase values (Vuln/Secret, OS/Library). Existing lowercase values (vuln/secret, os/library) are automatically converted.
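The conversion described above, as an added example that is not code from the Deckhouse operator-trivy module: it takes a constructed version 1 ModuleConfig, renames the lowercase nodeScanning.scanners / nodeScanning.pkgTypes values to the PascalCase form of schema version 2, rejects values neither schema allows, and bumps spec.version.

```python
"""Added example (not the module's own conversion code): version 1 -> 2 conversion
of an operator-trivy ModuleConfig, applied to a constructed manifest."""
import copy

# v1 lowercase value -> v2 PascalCase value (from the conversion notes)
SCANNERS_V1_TO_V2 = {"vuln": "Vuln", "secret": "Secret"}
PKG_TYPES_V1_TO_V2 = {"os": "OS", "library": "Library"}


def _convert_values(values, mapping, field):
    converted = []
    for value in values:
        if value in mapping.values():       # already in v2 form, keep as is
            converted.append(value)
        elif value in mapping:              # v1 lowercase form, rename
            converted.append(mapping[value])
        else:
            raise ValueError(f"{field}: unknown value {value!r}, "
                             f"allowed: {sorted(mapping.values())}")
    return converted


def convert_v1_to_v2(module_config):
    """Return a copy of the ModuleConfig at schema version 2; the input is left untouched."""
    meta = module_config.get("metadata", {})
    if module_config.get("kind") != "ModuleConfig" or meta.get("name") != "operator-trivy":
        raise ValueError("expected a ModuleConfig named operator-trivy")
    result = copy.deepcopy(module_config)
    spec = result.setdefault("spec", {})
    version = spec.get("version", 1)       # a missing version field means the oldest schema
    if version == 2:
        return result                      # nothing to convert
    if version != 1:
        raise ValueError(f"unsupported spec.version {version}")
    node_scanning = spec.get("settings", {}).get("nodeScanning", {})
    if "scanners" in node_scanning:
        node_scanning["scanners"] = _convert_values(
            node_scanning["scanners"], SCANNERS_V1_TO_V2, "nodeScanning.scanners")
    if "pkgTypes" in node_scanning:
        node_scanning["pkgTypes"] = _convert_values(
            node_scanning["pkgTypes"], PKG_TYPES_V1_TO_V2, "nodeScanning.pkgTypes")
    spec["version"] = 2
    return result


# Constructed sample: a version 1 manifest still using the lowercase values.
SAMPLE_V1 = {
    "apiVersion": "deckhouse.io/v1alpha1",
    "kind": "ModuleConfig",
    "metadata": {"name": "operator-trivy"},
    "spec": {
        "version": 1,
        "enabled": True,
        "settings": {
            "nodeScanning": {
                "enabled": True,
                "scanners": ["vuln", "secret"],
                "pkgTypes": ["os", "Library"],   # mixed: one value is already PascalCase
            }
        },
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(convert_v1_to_v2(SAMPLE_V1)["spec"], indent=2))
```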

Parameters

Schema version: 2

  • settings
    object
    • settings.additionalRegistryCA
      array of objects

      List of registry CA certificates for connecting to private registries.

      If it is necessary to specify a certificate with an intermediate certificate, the chain is specified without additional line breaks.

      Example:


      additionalRegistryCA:
        - name: example CA
          ca: |
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
        - name: CA with intermediate CA
          ca: |
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
      • settings.additionalRegistryCA.ca
        string
      • settings.additionalRegistryCA.name
        string
    • settings.additionalVulnerabilityReportFields
      array of strings
      A list of additional fields from the vulnerability database to add to the VulnerabilityReport.

      Example:


      additionalVulnerabilityReportFields:
      - Class
      - Target
      
    • settings.complianceReports
      object
      Configures which ClusterComplianceReport resources are deployed by the module.

      Default: {}

      • settings.complianceReports.enabled
        array of strings

        List of compliance frameworks to deploy as ClusterComplianceReport resources.

        Available values:

        • CIS — CIS Kubernetes Benchmark v1.23.
        • PCI-DSS — PCI DSS v4.0 (key controls for protecting cardholder data).
        • NSA — NSA-CISA Kubernetes Hardening Guidance v1.0.
        • GDPR — General Data Protection Regulation (key security-relevant articles).
        • HIPAA — HIPAA Security Rule (key technical safeguards).
        • FSTEC-21 — Order of FSTEC of Russia No. 21 (personal data protection in personal data information systems).
        • FZ-187 — Order of FSTEC of Russia No. 239 (security requirements for significant CII objects, Federal Law 187-FZ).

        By default GDPR and HIPAA are disabled.

        Default: [ "CIS", "PCI-DSS", "NSA", "FSTEC-21", "FZ-187" ]

        Examples:


        enabled:
        - CIS
        - NSA
        
        enabled:
        - CIS
        - PCI-DSS
        - NSA
        - GDPR
        - HIPAA
        - FSTEC-21
        - FZ-187
        
        • settings.complianceReports.enabled.Element of the array
          string

          Allowed values: CIS, PCI-DSS, NSA, GDPR, HIPAA, FSTEC-21, FZ-187

      • settings.complianceReports.skipSystemResources
        boolean

        Skip platform-owned and user-opted-out resources from compliance reports.

        When enabled (default), the module applies two complementary filters:

        1. No-create filter (namespace-level, at Write time). ConfigAuditReport and RbacAssessmentReport CRs are not created in namespaces that are either:

          • matching one of the patterns d8-*, kube-*, default;
          • or carrying the security.deckhouse.io/skip-compliance=true label on the Namespace object itself.

          Together this keeps kubectl get configauditreports -A clean of platform noise and gives users a way to opt entire namespaces out of compliance. InfraAssessmentReport is exempt — control plane components in kube-system (kube-apiserver, etcd, kube-scheduler, kube-controller-manager) keep producing infra checks that feed CIS Kubernetes Benchmark section 1.x.

        2. Compliance aggregation filter (by owner label). When ClusterComplianceReport is aggregated, the compliance reconciler skips findings whose owner is a cluster-scoped object carrying one of these label key=value pairs:

          • heritage=deckhouse — Deckhouse-managed resources.
          • kubernetes.io/bootstrapping=rbac-defaults — Kubernetes built-in RBAC defaults (system:*, cluster-admin, etc.).

          This catches cluster-scoped resources (such as built-in ClusterRoles) that the namespace-level filter cannot reach.

        Per-resource report CRs that do get created (VulnerabilityReport, ExposedSecretReport, SbomReport, InfraAssessmentReport) keep being generated for every scanned workload — vulnerability scanning of platform images, exposed-secret scanning, etc. are not affected.

        Note on scanning scope. The module decouples the heavy image-pull-based vulnerability scanner (which also produces ExposedSecretReport and SbomReport) from the lightweight configuration scanners (ConfigAudit, RbacAssessment, InfraAssessment). The vulnerability scanner stays opt-in via the security-scanning.deckhouse.io/enabled="" namespace label, while configuration scanners run cluster-wide so compliance reports cover the whole cluster — only this skipSystemResources filter narrows what they record.

        Disable this parameter if you explicitly need platform-owned resources to appear in compliance reports.

        Default: true

        Examples:


        skipSystemResources: true
        
        skipSystemResources: false
        
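The two filters that skipSystemResources applies, as an added example that is not the module's own reconciler code: filter 1 decides whether a ConfigAuditReport or RbacAssessmentReport is created for a namespace, filter 2 decides whether a cluster-scoped owner's findings reach the ClusterComplianceReport. Namespace names, owner names and findings are constructed.

```python
"""Added example (not code from the Deckhouse operator-trivy module): models the
no-create filter and the compliance aggregation filter of skipSystemResources."""
from fnmatch import fnmatch

SKIP_NS_PATTERNS = ("d8-*", "kube-*", "default")
SKIP_NS_LABEL = ("security.deckhouse.io/skip-compliance", "true")
NAMESPACE_FILTERED_KINDS = {"ConfigAuditReport", "RbacAssessmentReport"}
SKIP_OWNER_LABELS = {("heritage", "deckhouse"),
                     ("kubernetes.io/bootstrapping", "rbac-defaults")}


def report_is_created(kind, namespace, ns_labels, skip_system=True):
    """Filter 1 (no-create, namespace level, at write time).
    Only ConfigAuditReport/RbacAssessmentReport are subject to it; InfraAssessmentReport
    and the per-resource reports (VulnerabilityReport, ...) are always created."""
    if not skip_system or kind not in NAMESPACE_FILTERED_KINDS:
        return True
    if any(fnmatch(namespace, pattern) for pattern in SKIP_NS_PATTERNS):
        return False
    key, value = SKIP_NS_LABEL
    return ns_labels.get(key) != value


def finding_is_aggregated(owner, skip_system=True):
    """Filter 2 (compliance aggregation, by owner label).
    Cluster-scoped owners carrying a platform or RBAC-bootstrap label are skipped."""
    if not skip_system or owner.get("namespace"):
        return True
    labels = owner.get("labels", {})
    return not any(labels.get(key) == value for key, value in SKIP_OWNER_LABELS)


# Constructed sample cluster state: namespaces with their labels.
NAMESPACES = {
    "default": {},
    "kube-system": {},
    "d8-monitoring": {"heritage": "deckhouse"},
    "payments": {},
    "sandbox": {"security.deckhouse.io/skip-compliance": "true"},
}

# Constructed findings; cluster-scoped owners have no namespace.
FINDINGS = [
    {"kind": "ConfigAuditReport", "owner": {"name": "api", "namespace": "payments", "labels": {}}},
    {"kind": "ConfigAuditReport", "owner": {"name": "coredns", "namespace": "kube-system", "labels": {}}},
    {"kind": "ConfigAuditReport", "owner": {"name": "dev", "namespace": "sandbox", "labels": {}}},
    {"kind": "RbacAssessmentReport", "owner": {"name": "prometheus", "namespace": "d8-monitoring", "labels": {}}},
    {"kind": "InfraAssessmentReport", "owner": {"name": "kube-apiserver", "namespace": "kube-system", "labels": {}}},
    {"kind": "RbacAssessmentReport", "owner": {"name": "cluster-admin", "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}}},
    {"kind": "RbacAssessmentReport", "owner": {"name": "d8:deckhouse", "labels": {"heritage": "deckhouse"}}},
    {"kind": "RbacAssessmentReport", "owner": {"name": "team-admin", "labels": {}}},
]


def compliance_findings(findings, namespaces, skip_system=True):
    """Return the owner names whose findings end up in the ClusterComplianceReport."""
    kept = []
    for finding in findings:
        owner = finding["owner"]
        namespace = owner.get("namespace", "")
        if namespace and not report_is_created(
                finding["kind"], namespace, namespaces.get(namespace, {}), skip_system):
            continue                       # report never written, nothing to aggregate
        if not finding_is_aggregated(owner, skip_system):
            continue                       # platform-owned cluster-scoped object
        kept.append(owner["name"])
    return kept


if __name__ == "__main__":
    print("skipSystemResources: true ->", compliance_findings(FINDINGS, NAMESPACES))
    print("skipSystemResources: false ->", compliance_findings(FINDINGS, NAMESPACES, False))
```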
    • settings.concurrentScanJobsLimit
      integer
      Maximum number of scan jobs that the operator can run concurrently.

      Default: 10

      Allowed values: 1 <= X

      Examples:


      concurrentScanJobsLimit: 3
      
      concurrentScanJobsLimit: 5
      
      concurrentScanJobsLimit: 10
      
    • settings.denyVulnerableImages
      object

      Settings to prohibit the creation of Pod/Deployment/StatefulSet/DaemonSet with vulnerable images in namespaces labeled security.deckhouse.io/trivy-provider: "".

      Note: This constraint is enforced only during admission (resource creation/update). Gatekeeper audit does not evaluate this constraint.

      Default: {}

      • settings.denyVulnerableImages.allowedSeverityLevels
        array of strings
        Images containing only vulnerabilities of specified severities will not be denied.
        • settings.denyVulnerableImages.allowedSeverityLevels.Element of the array
          string

          Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

      • settings.denyVulnerableImages.enabled
        boolean
        Deny use of vulnerable images in cluster namespaces labeled as security.deckhouse.io/trivy-provider: "".

        Default: false

      • settings.denyVulnerableImages.registrySecrets
        array of objects

        List of additional registry secrets to use for downloading images from private registries.

        By default, the deckhouse-registry secret is used to download images for scanning.

        Default: []

        • settings.denyVulnerableImages.registrySecrets.name
          string
        • settings.denyVulnerableImages.registrySecrets.namespace
          string
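The admission decision that denyVulnerableImages describes, as an added example that is not the module's or Gatekeeper's own code: the constraint applies only to the listed workload kinds, only in namespaces labeled security.deckhouse.io/trivy-provider: "", and denies an image unless every reported vulnerability has a severity in allowedSeverityLevels. Image references and scan results are constructed; a workload with several images is assumed to be denied if any one of them fails.

```python
"""Added example (not the module's own admission code): models the
settings.denyVulnerableImages decision on constructed scan results."""

TRIVY_PROVIDER_LABEL = "security.deckhouse.io/trivy-provider"
GUARDED_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet"}
SEVERITIES = {"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}


def admission_decision(deny_settings, kind, namespace_labels, image_vulns):
    """deny_settings: the settings.denyVulnerableImages object from ModuleConfig.
    image_vulns: {image reference: [severity, ...]} as a scanner would report it.
    Returns (allowed, reason)."""
    if not deny_settings.get("enabled", False):
        return True, "denyVulnerableImages.enabled is false"
    if kind not in GUARDED_KINDS:
        return True, f"{kind} is not subject to the constraint"
    if TRIVY_PROVIDER_LABEL not in namespace_labels:
        return True, f"namespace is not labeled {TRIVY_PROVIDER_LABEL}"
    allowed = set(deny_settings.get("allowedSeverityLevels", []))
    if not allowed <= SEVERITIES:
        raise ValueError(f"invalid allowedSeverityLevels: {sorted(allowed - SEVERITIES)}")
    for image, severities in image_vulns.items():
        blocking = sorted(set(severities) - allowed)   # severities outside the allow-list
        if blocking:
            return False, f"{image}: vulnerabilities of severity {', '.join(blocking)} are not allowed"
    return True, "all reported vulnerabilities are within allowedSeverityLevels"


# Constructed sample inputs (hypothetical images and namespace labels).
DENY_SETTINGS = {"enabled": True, "allowedSeverityLevels": ["LOW", "MEDIUM"]}
GUARDED_NS = {TRIVY_PROVIDER_LABEL: ""}
SCAN_RESULTS = {
    "registry.example/app:1.0": ["LOW", "MEDIUM", "HIGH"],   # HIGH is not allowed -> denied
    "registry.example/app:1.1": ["LOW", "MEDIUM"],           # only allowed severities -> admitted
}

if __name__ == "__main__":
    for image, vulns in SCAN_RESULTS.items():
        ok, why = admission_decision(DENY_SETTINGS, "Deployment", GUARDED_NS, {image: vulns})
        print("ALLOW" if ok else "DENY ", image, "-", why)
```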
    • settings.disableSBOMGeneration
      boolean

      Disables SBOM reports generation.

      Warning. When this option is set to true, all current SBOM reports are deleted from the cluster (the cleanup is executed only once).

      Default: false

      Examples:


      disableSBOMGeneration: true
      
      disableSBOMGeneration: false
      
    • settings.insecureDbRegistry
      boolean
      Allows Trivy to download vulnerability databases over insecure HTTPS connections (connections that fail TLS certificate verification) or plain HTTP connections.

      Default: false

      Examples:


      insecureDbRegistry: true
      
      insecureDbRegistry: false
      
    • settings.insecureRegistries
      array of strings
      List of container registry addresses to which insecure HTTPS connections (connections that fail TLS certificate verification) or plain HTTP connections are allowed.

      Example:


      insecureRegistries:
      - my.registry.com
      - http-only.registry.io
      
    • settings.linkCVEtoBDU
      boolean
      Converts CVE database vulnerability records to BDU (FSTEC Russia) database records.

      Default: false

      Examples:


      linkCVEtoBDU: true
      
      linkCVEtoBDU: false
      
    • settings.nodeAgent
      object

      Runtime application and network map (in preview).

      When enabled, a privileged eBPF agent runs on every node and observes the runtime behaviour of each workload — the processes it launches, the files it opens, the Linux capabilities and syscalls it uses, and the network connections it makes. The observations are aggregated per workload into an ApplicationProfile and a NetworkNeighborhood, giving an accurate map of what each application actually does at runtime.

      Requirements. Node kernels must be Linux 5.4 or newer and expose BTF at /sys/kernel/btf/vmlinux. The agent runs privileged with host PID access.

      Default: {}

      • settings.nodeAgent.enabled
        boolean
        Enables runtime observation and building of the application/network map.

        Default: false

        Examples:


        enabled: true
        
        enabled: false
        
      • settings.nodeAgent.generatePolicies
        object

        Generate least-privilege policies from the observed map.

        The map itself (ApplicationProfile, NetworkNeighborhood) is always built when nodeAgent is enabled. These toggles additionally expose generated policies derived from it.

        Default: {}

        • settings.nodeAgent.generatePolicies.networkPolicy
          boolean
          Expose GeneratedNetworkPolicy objects — Kubernetes NetworkPolicy definitions computed from each workload’s observed NetworkNeighborhood. Review and apply them to enforce least privilege.

          Default: false

          Examples:


          networkPolicy: true
          
          networkPolicy: false
          
        • settings.nodeAgent.generatePolicies.seccomp
          boolean
          Generate and expose SeccompProfile objects from each workload’s observed system calls. Attach them to your pods to restrict the allowed syscalls.

          Default: false

          Examples:


          seccomp: true
          
          seccomp: false
          
      • settings.nodeAgent.learningPeriod
        string
        How long a workload is observed before its profile is considered complete. During this window the map keeps absorbing newly seen behaviour; afterwards the profile is finalized.

        Default: 1h

        Examples:


        learningPeriod: 1h
        
        learningPeriod: 24h
        
      • settings.nodeAgent.nodeSelector
        object

        Restrict the eBPF agent to nodes matching these labels.

        By default the agent runs on every node. Use this to limit it to a subset, for example nodes whose kernels meet the BTF requirement.

        Default: {}

        Example:


        node-role.kubernetes.io/worker: ''
        
      • settings.nodeAgent.tolerations
        array of objects

        Optional tolerations for the eBPF agent DaemonSet.

        The same as spec.tolerations for the Kubernetes pod. If omitted, the agent tolerates all taints so it can run on every node.

        Example:


        tolerations:
        - operator: Exists
        
        • settings.nodeAgent.tolerations.effect
          string
        • settings.nodeAgent.tolerations.key
          string
        • settings.nodeAgent.tolerations.operator
          string
        • settings.nodeAgent.tolerations.tolerationSeconds
          integer
        • settings.nodeAgent.tolerations.value
          string
    • settings.nodeScanning
      object
      Configuration for node (host filesystem) vulnerability scanning. This feature scans the host filesystem of each Kubernetes node to detect OS package vulnerabilities.

      Default: {}

      • settings.nodeScanning.concurrentLimit
        integer
        Maximum number of concurrent node scan jobs.

        Default: 1

        Allowed values: 1 <= X

        Examples:


        concurrentLimit: 1
        
        concurrentLimit: 2
        
        concurrentLimit: 3
        
      • settings.nodeScanning.enabled
        boolean

        Enables node vulnerability scanning.

        When enabled, the operator will scan the host filesystem of each node for OS package vulnerabilities.

        Default: false

        Examples:


        enabled: true
        
        enabled: false
        
      • settings.nodeScanning.hideUnfixedCVEs
        boolean

        When true, only report vulnerabilities that have a fix available.

        This significantly reduces report size but hides unfixed vulnerabilities.

        Default: false

        Examples:


        hideUnfixedCVEs: true
        
        hideUnfixedCVEs: false
        
      • settings.nodeScanning.nodeSelector
        object
        Filter nodes by labels. Only nodes matching all labels will be scanned.

        Default: {}

        Examples:


        node-role.kubernetes.io/worker: ''
        
        env: production
        
      • settings.nodeScanning.pkgTypes
        array of strings

        List of package types to include in node scanning:

        • OS — operating system packages (rpm, deb, apk, etc.).
        • Library — application-level libraries (jars, npm modules, Python packages, etc.) found on the node filesystem.

        Default: [ "OS" ]

        Examples:


        pkgTypes:
        - OS
        
        pkgTypes:
        - OS
        - Library
        
        • settings.nodeScanning.pkgTypes.Element of the array
          string

          Allowed values: OS, Library

      • settings.nodeScanning.scanners
        array of strings

        List of scanners to enable on each node:

        • Vuln — vulnerability scanner (matches known CVEs in OS and library packages of the node host filesystem).
        • Secret — secret scanner (detects hardcoded credentials such as AWS keys, GitHub tokens, etc. in files on the node).

        Default: [ "Vuln" ]

        Examples:


        scanners:
        - Vuln
        
        scanners:
        - Vuln
        - Secret
        
        • settings.nodeScanning.scanners.Element of the array
          string

          Allowed values: Vuln, Secret

      • settings.nodeScanning.severities
        array of strings

        Filter vulnerabilities by severity.

        Warning. Without filtering, reports can exceed etcd’s 3MB object size limit on nodes with many packages.

        Default: [ "CRITICAL", "HIGH" ]

        Examples:


        severities:
        - CRITICAL
        - HIGH
        
        severities:
        - CRITICAL
        - HIGH
        - MEDIUM
        
        • settings.nodeScanning.severities.Element of the array
          string

          Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

      • settings.nodeScanning.skipDirs
        array of strings

        List of directories to skip during node scanning.

        By default, container runtime directories and virtual filesystems are excluded.

        Default: [ "/proc", "/sys", "/dev", "/run", "/var/lib/containerd", "/var/lib/docker", "/var/lib/kubelet/pods" ]

        Example:


        skipDirs:
        - /proc
        - /sys
        - /dev
        
      • settings.nodeScanning.timeout
        string

        Timeout for node scan jobs.

        If not set, the default scan job timeout is used.

        Default: ''

        Examples:


        timeout: 10m
        
        timeout: 30m
        
    • settings.nodeSelector
      object

      Optional nodeSelector for operator-trivy and scan jobs.

      The same as spec.nodeSelector for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:


      disktype: ssd
      
    • settings.reportResourceLabels
      array of strings

      A list of additional labels for marking Trivy’s reports (VulnerabilityReport).

      The values of these labels will correspond to the values of the scanned resources’ labels.

      Examples:


      reportResourceLabels:
      - app
      
      reportResourceLabels:
      - env
      
    • settings.scanJobResources
      object

      Resource requests/limits for scan jobs (ScanJob pods).

      If the parameter is omitted, the module uses the default values (as it did before this setting existed). If the parameter is specified, you may set only some of the fields (e.g. only memory) — unspecified fields will not be forced by the module.

      Default: {}

      Example:


      limits:
        cpu: 500m
        memory: 500M
      requests:
        cpu: 100m
        memory: 100M
      
      • settings.scanJobResources.limits
        object

        Default: {}

        • settings.scanJobResources.limits.cpu
          string

          Examples:


          cpu: 500m
          
          cpu: '1'
          
        • settings.scanJobResources.limits.memory
          string

          Examples:


          memory: 500M
          
          memory: 1Gi
          
      • settings.scanJobResources.requests
        object

        Default: {}

        • settings.scanJobResources.requests.cpu
          string

          Examples:


          cpu: 100m
          
          cpu: 250m
          
        • settings.scanJobResources.requests.memory
          string

          Examples:


          memory: 100M
          
          memory: 256Mi
          
    • settings.severities
      array of strings
      Filter vulnerability reports by their severities.

      Examples:


      severities:
      - CRITICAL
      - HIGH
      - MEDIUM
      - LOW
      - UNKNOWN
      
      severities:
      - CRITICAL
      - HIGH
      
      • settings.severities.Element of the array
        string

        Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

    • settings.storageClass
      string

      The name of StorageClass that will be used to store the module’s data.

      If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.

      The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.

      Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

      If false is specified, emptyDir will be forced to be used.

      Examples:


      storageClass: ceph-ssd
      
      storageClass: 'false'
      
    • settings.tolerations
      array of objects

      Optional tolerations for operator-trivy and scan jobs.

      The same as spec.tolerations for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:


      effect: NoSchedule
      key: key1
      operator: Equal
      value: value1
      
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string
    • settings.useVEXFromOCI
      boolean
      Search OCI registry for VEX Attestations of scanned images and suppress reporting of vulnerabilities declared in them.

      Default: false

      Examples:


      useVEXFromOCI: true
      
      useVEXFromOCI: false