The module lifecycle stage: General Availability

Available in: EE

How to explicitly enable the module…

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the operator-trivy module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example: (screenshot of the module enable/disable interface)
  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command to enable the module, or d8 system module disable to disable it (this requires Deckhouse CLI (d8) configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable operator-trivy
    
  • Using ModuleConfig operator-trivy.

    Set spec.enabled to true or false in ModuleConfig operator-trivy (create the object if it does not exist yet).

    Example of a manifest to enable module operator-trivy:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      enabled: true
    

How to configure the module…

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the operator-trivy module and enable the “Advanced Settings” switch. Fill in the required fields on the “Configuration” tab, or enter the module settings as YAML on the “YAML” tab (the parameters themselves, without the enclosing settings section). Save the changes.

    Example: (screenshot of the module setup interface)

    You can also edit the ModuleConfig object operator-trivy on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module operator-trivy) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig operator-trivy (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc operator-trivy
    

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a file with manifest for ModuleConfig operator-trivy using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>
    

    Example of a manifest for ModuleConfig operator-trivy:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      version: 1
      enabled: true
      settings: # Module parameters from the "Parameters" section below.
    

Requirements

Deckhouse version: 1.75 and above.

Parameters

Schema version: 1

  • settings
    object
    • settings.additionalRegistryCA
      array of objects

      List of registry CA certificates for connecting to private registries.

      If it is necessary to specify a certificate with an intermediate certificate, the chain is specified without additional line breaks.

      Example:


      additionalRegistryCA:
        - name: example CA
          ca: |
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
        - name: CA with intermediate CA
          ca: |
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            .................
            -----END CERTIFICATE-----
      
      • settings.additionalRegistryCA.ca
        string
      • settings.additionalRegistryCA.name
        string
    • settings.additionalVulnerabilityReportFields
      array of strings
      A list of additional fields from the vulnerability database to add to the VulnerabilityReport.

      Example:


      additionalVulnerabilityReportFields:
      - Class
      - Target
      
    • settings.denyVulnerableImages
      object
      When enabled, the Trivy operator denies creation of Pods, Deployments, StatefulSets and DaemonSets that use vulnerable images in namespaces labeled security.deckhouse.io/trivy-provider: "".

      Default: {}

      • settings.denyVulnerableImages.allowedSeverityLevels
        array of strings
        Images whose vulnerabilities are all of the listed severities are not denied; an image with at least one finding of a severity not in the list is rejected.
        • settings.denyVulnerableImages.allowedSeverityLevels.Element of the array
          string

          Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

      • settings.denyVulnerableImages.enabled
        boolean
        Deny the use of vulnerable images in cluster namespaces labeled security.deckhouse.io/trivy-provider: "".

        Default: false

      • settings.denyVulnerableImages.registrySecrets
        array of objects

        List of additional registry secrets to use for downloading images from private registries.

        By default, the deckhouse-registry secret is used to download images for scanning.

        Default: []

        • settings.denyVulnerableImages.registrySecrets.name
          string
        • settings.denyVulnerableImages.registrySecrets.namespace
          string
    • settings.disableSBOMGeneration
      boolean

      Disables SBOM reports generation.

      Warning. When this option is set to true, all existing SBOM reports are deleted from the cluster (the cleanup runs only once).

      Default: false

      Examples:


      disableSBOMGeneration: true
      
      disableSBOMGeneration: false
      
    • settings.insecureDbRegistry
      boolean
      Allows Trivy to download vulnerability databases over HTTPS connections whose TLS certificate fails verification, or over plain HTTP. Leave this disabled unless the database registry cannot be reached otherwise: without certificate verification, the database can be replaced in transit, which silently degrades every scan result.

      Default: false

      Examples:


      insecureDbRegistry: true
      
      insecureDbRegistry: false
      
    • settings.insecureRegistries
      array of strings
      List of container registry addresses for which HTTPS connections whose TLS certificate fails verification, or plain HTTP connections, are allowed. For a private registry signed by an internal CA, prefer adding the CA via settings.additionalRegistryCA and keeping verification enabled.

      Example:


      insecureRegistries:
      - my.registry.com
      - http-only.registry.io
      
    • settings.linkCVEtoBDU
      boolean
      Convert vulnerability reports: map CVE database records to the corresponding records of the BDU database (the FSTEC of Russia vulnerability database).

      Default: false

      Examples:


      linkCVEtoBDU: true
      
      linkCVEtoBDU: false
      
    • settings.nodeSelector
      object

      Optional nodeSelector for operator-trivy and scan jobs.

      The same as spec.nodeSelector for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:


      disktype: ssd
      
    • settings.reportResourceLabels
      array of strings

      A list of additional labels to set on Trivy’s reports (VulnerabilityReport).

      The value of each label is copied from the label of the same name on the scanned resource.

      Examples:


      reportResourceLabels:
      - app
      
      reportResourceLabels:
      - env
      
    • settings.severities
      array of strings
      Filter vulnerability reports by their severities.

      Examples:


      severities:
      - UNKNOWN
      
      severities:
      - CRITICAL
      
      • settings.severities.Element of the array
        string

        Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

    • settings.storageClass
      string

      The name of the StorageClass used for the module’s persistent volume (PVC).

      If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.

      The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.

      Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

      If false is specified, emptyDir will be forced to be used.

      Examples:


      storageClass: ceph-ssd
      
      storageClass: "false"
      
    • settings.tolerations
      array of objects

      Optional tolerations for operator-trivy and scan jobs.

      The same as spec.tolerations for the Kubernetes pod.

      If the parameter is omitted or false, it will be determined automatically.

      Example:


      - effect: NoSchedule
        key: key1
        operator: Equal
        value: value1
      
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string
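A complete worked configuration that ties the enable/configure procedure and the parameters above together. It is added here as an example and is not part of the Deckhouse documentation or of the module’s own files. It sets most of the settings listed in this section and then opts one namespace in to denyVulnerableImages via the security.deckhouse.io/trivy-provider label. The registry secret name and its namespace, the CA name, the StorageClass name, the node label, the toleration key and value, and the namespace name are assumptions for illustration; the certificate body is a placeholder to be replaced with the real PEM chain (a chain is pasted without blank lines between certificates, as described for additionalRegistryCA).

```yaml
# Added example, not from the Deckhouse docs or the operator-trivy module.
# Values marked "assumed" are placeholders for your own cluster.
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings:
    # Keep only actionable findings in VulnerabilityReports.
    severities:
      - MEDIUM
      - HIGH
      - CRITICAL
    # Copy the scanned workload's "app" and "env" labels onto each report
    # so reports can be selected per application and environment.
    reportResourceLabels:
      - app
      - env
    additionalVulnerabilityReportFields:
      - Class
      - Target
    # Admission control: only in namespaces labeled
    # security.deckhouse.io/trivy-provider: "" (see the Namespace below).
    # Images whose findings are all UNKNOWN/LOW/MEDIUM are still admitted;
    # anything with a HIGH or CRITICAL finding is denied.
    denyVulnerableImages:
      enabled: true
      allowedSeverityLevels:
        - UNKNOWN
        - LOW
        - MEDIUM
      registrySecrets:
        - name: private-registry-pull      # assumed secret name
          namespace: d8-operator-trivy     # assumed namespace
    # Trust the private registry's CA instead of turning TLS verification off.
    additionalRegistryCA:
      - name: corp-registry-ca             # assumed CA name
        ca: |
          -----BEGIN CERTIFICATE-----
          .................
          -----END CERTIFICATE-----
    # Defaults kept explicit: verification stays on for the DB and registries.
    insecureDbRegistry: false
    insecureRegistries: []
    disableSBOMGeneration: false
    linkCVEtoBDU: false
    storageClass: ceph-ssd                 # assumed StorageClass name
    nodeSelector:
      node-role.deckhouse.io/system: ""    # assumed node label
    tolerations:
      - key: dedicated.deckhouse.io        # assumed taint key
        operator: Equal
        value: system                      # assumed taint value
        effect: NoSchedule
---
# Opt a namespace in to the denial of vulnerable images.
apiVersion: v1
kind: Namespace
metadata:
  name: payments                           # assumed namespace name
  labels:
    security.deckhouse.io/trivy-provider: ""
```

Save both documents to one file and apply it with d8 k apply -f <FILENAME>. Note the storageClass warning above: changing ceph-ssd to another class after the PVC exists re-provisions the disk and deletes its data, so pick the class before enabling the module.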