Available in editions:  EE

The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/operator-trivy resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable operator-trivy

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable operator-trivy

Settings

The module is configured using the ModuleConfig custom resource named operator-trivy (learn more about setting up Deckhouse…).

Example of the ModuleConfig/operator-trivy resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • settings
    object
    • settings.additionalRegistryCA
      array of objects

      List of registry CA certificates for connecting to private registries.

      If it is necessary to specify a certificate with an intermediate certificate, the chain is specified without additional line breaks.

      Example:

      additionalRegistryCA:
  - name: example CA
    ca: |
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
  - name: CA with intermediate CA
    ca: |
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      .................
      -----END CERTIFICATE-----
      • settings.additionalRegistryCA.ca
        string
      • settings.additionalRegistryCA.name
        string
    • settings.additionalVulnerabilityReportFields
      array of strings

      A list of additional fields from the vulnerability database to add to the VulnerabilityReport.

      Example:

      additionalVulnerabilityReportFields:
- Class
- Target
    • settings.disableSBOMGeneration
      boolean

      Disables SBOM reports generation.

      Warning. When this options is set to true, all current SBOM reports are deleted from the cluster (the cleanup is executed only once).

      Default: false

      Examples:

      disableSBOMGeneration: true

      disableSBOMGeneration: false
    • settings.insecureDbRegistry
      boolean

      Allows Trivy to download vulnerability databases using insecure HTTPS connections (not passed TLS certificate verification) or HTTP connections.

      Default: false

      Examples:

      insecureDbRegistry: true

      insecureDbRegistry: false
    • settings.insecureRegistries
      array of strings

      List of container registry addresses to which insecure HTTPS connections (not passed TLS certificate verification) or HTTP connections are allowed.

      Example:

      insecureRegistries:
- my.registry.com
- http-only.registry.io
    • settings.linkCVEtoBDU
      boolean

      Convert vulnerability reports. Convert CVE database vulnerabilities to BDU database records.

      Default: false

      Examples:

      linkCVEtoBDU: true

      linkCVEtoBDU: false
    • settings.nodeSelector
      object

      Optional nodeSelector for operator-trivy and scan jobs.

      The same as spec.nodeSelector for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      nodeSelector:
  disktype: ssd
    • settings.reportResourceLabels
      array of strings

      A list of additional labels for marking Trivi’s reports (VulnerabilityReport).

      The values of these labels will correspond to the values of the scanned resources’ labels.

      Example:

      reportResourceLabels:
- app
- env
    • settings.severities
      array of strings

      Filter vulnerability reports by their severities.

      Example:

      severities:
- UNKNOWN
- CRITICAl
      • Element of the array
        string

        Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

    • settings.storageClass
      string

      The name of StorageClass that will be used in the cluster by default.

      If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.

      The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.

      Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

      If false is specified, emptyDir will be forced to be used.

      Examples:

      storageClass: ceph-ssd

      storageClass: 'false'
    • settings.tolerations
      array of objects

      Optional tolerations for operator-trivy and scan jobs.

      The same as spec.tolerations for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      tolerations:
- key: key1
  operator: Equal
  value: value1
  effect: NoSchedule
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string