parameters

Schema version: 1

  • settings
    object
    • settings.additionalRegistryCA
      array of objects

      List of registry CA certificates for connecting to private registries.

To trust a CA together with its intermediate certificate, put the whole chain into one ca value as consecutive PEM blocks, with no blank lines between them.

      Example:


      additionalRegistryCA:
        - name: example CA
          ca: |
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
        - name: CA with intermediate CA
          ca: |
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
      
      • settings.additionalRegistryCA.ca
        string
      • settings.additionalRegistryCA.name
        string
    • settings.additionalVulnerabilityReportFields
      array of strings
      A list of additional fields from the vulnerability database to add to the VulnerabilityReport.

      Example:


      additionalVulnerabilityReportFields:
      - Class
      - Target
      
    • settings.denyVulnerableImages
      object
The Trivy operator denies the creation of Pods, Deployments, StatefulSets and DaemonSets that use vulnerable images in namespaces carrying the security.deckhouse.io/trivy-provider: "" label.

      Default: {}

      • settings.denyVulnerableImages.allowedSeverityLevels
        array of strings
Images whose vulnerabilities are all of the listed severities are not denied.
        • settings.denyVulnerableImages.allowedSeverityLevels.Element of the array
          string

          Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

      • settings.denyVulnerableImages.enabled
        boolean
Deny the use of vulnerable images in cluster namespaces labeled security.deckhouse.io/trivy-provider: "".

        Default: false

      • settings.denyVulnerableImages.registrySecrets
        array of objects

        List of additional registry secrets to use for downloading images from private registries.

        By default, the deckhouse-registry secret is used to download images for scanning.

        Default: []

        • settings.denyVulnerableImages.registrySecrets.name
          string
        • settings.denyVulnerableImages.registrySecrets.namespace
          string
    • settings.disableSBOMGeneration
      boolean

      Disables SBOM reports generation.

Warning. When this option is set to true, all existing SBOM reports are deleted from the cluster (the cleanup runs only once).

      Default: false

      Examples:


      disableSBOMGeneration: true
      
      disableSBOMGeneration: false
      
    • settings.insecureDbRegistry
      boolean
Allows Trivy to download vulnerability databases over HTTPS connections whose TLS certificate fails verification, or over plain HTTP. Leave it disabled unless the database registry cannot present a trusted certificate, since an unverified download can be tampered with in transit.

      Default: false

      Examples:


      insecureDbRegistry: true
      
      insecureDbRegistry: false
      
    • settings.insecureRegistries
      array of strings
List of container registry addresses that may be reached over HTTPS connections whose TLS certificate fails verification, or over plain HTTP. For a private registry with its own CA, prefer additionalRegistryCA over adding the registry here.

      Example:


      insecureRegistries:
      - my.registry.com
      - http-only.registry.io
      
    • settings.linkCVEtoBDU
      boolean
Convert CVE identifiers in vulnerability reports to the corresponding records of the BDU database (the FSTEC of Russia threat database).

      Default: false

      Examples:


      linkCVEtoBDU: true
      
      linkCVEtoBDU: false
      
    • settings.nodeSelector
      object

      Optional nodeSelector for operator-trivy and scan jobs.

      The same as spec.nodeSelector for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:


      disktype: ssd
      
    • settings.reportResourceLabels
      array of strings

A list of additional labels to put on Trivy's reports (VulnerabilityReport).

      The values of these labels will correspond to the values of the scanned resources’ labels.

Example:


      reportResourceLabels:
      - app
      - env
      
    • settings.severities
      array of strings
Filter vulnerability reports by severity: only vulnerabilities of the listed severities are included.

      Example:


      severities:
      - UNKNOWN
      - CRITICAL
      
      • settings.severities.Element of the array
        string

        Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

    • settings.storageClass
      string

The name of the StorageClass used for the module's persistent volume.

      If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.

      The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.

      Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

If set to false, emptyDir is used instead of a persistent volume.

      Examples:


      storageClass: ceph-ssd
      
      storageClass: "false"
      
    • settings.tolerations
      array of objects

      Optional tolerations for operator-trivy and scan jobs.

      The same as spec.tolerations for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:


      effect: NoSchedule
      key: key1
      operator: Equal
      value: value1
      
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string
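The settings above are documented one at a time; the following is an added example, not taken from the module documentation, of a complete ModuleConfig for operator-trivy that enables image admission in labelled namespaces and trusts a private registry by its CA (additionalRegistryCA) instead of listing it under insecureRegistries, followed by a namespace opted in to admission. The registry host, the CA bundle (the dots stand for the base64 body), the pull secret name and namespace, and the node label and taint are assumptions:

```yaml
# Added example (not from the module documentation): a complete ModuleConfig
# for operator-trivy plus a namespace opted in to image admission.
# Registry host, CA bundle, secret name/namespace, node label and taint are assumed.
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  enabled: true
  version: 1          # "Schema version: 1" from the reference above
  settings:
    # Trust the private registry by its CA chain. The weak alternative,
    #   insecureRegistries:
    #   - registry.corp.example      # assumed host
    # would let the scanner pull over an unverified connection, so a scan
    # result would no longer describe the image that is actually pulled.
    additionalRegistryCA:
    - name: corp-root-and-intermediate
      ca: |
        -----BEGIN CERTIFICATE-----
        .................
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        .................
        -----END CERTIFICATE-----
    insecureDbRegistry: false       # default; keep TLS verification for DB downloads
    # Deny workloads whose images carry HIGH or CRITICAL findings in opted-in
    # namespaces; images whose only findings are UNKNOWN/LOW/MEDIUM are admitted.
    denyVulnerableImages:
      enabled: true
      allowedSeverityLevels:
      - UNKNOWN
      - LOW
      - MEDIUM
      # Extra pull secrets besides the default deckhouse-registry secret (assumed names).
      registrySecrets:
      - name: corp-registry-pull
        namespace: d8-operator-trivy
    # Copy this workload label onto each VulnerabilityReport so a finding can be
    # traced back to the owning application.
    reportResourceLabels:
    - app.kubernetes.io/name
    # Run the operator and scan jobs on dedicated nodes (assumed label and taint).
    nodeSelector:
      node-role/security-scan: ""
    tolerations:
    - key: dedicated
      operator: Equal
      value: security-scan
      effect: NoSchedule
---
# Opted-in namespace: creating a Pod/Deployment/StatefulSet/DaemonSet here with
# an image that has HIGH or CRITICAL vulnerabilities is denied.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    security.deckhouse.io/trivy-provider: ""
```

Apply both documents with kubectl apply -f; the label on the namespace is what switches admission on for it, so namespaces without it keep being scanned and reported but are never denied.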