The module is not enabled by default in any bundles. The module is configured using the ModuleConfig custom resource named operator-trivy (learn more about setting up Deckhouse…).

Example of the ModuleConfig/operator-trivy resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- linkCVEtoBDU
  Convert vulnerability reports: map CVE database vulnerabilities to BDU database records.
  Default: false
  Examples:
    linkCVEtoBDU: true
    linkCVEtoBDU: false
- nodeSelector
  Optional nodeSelector for operator-trivy and scan jobs. The same as spec.nodeSelector for the Kubernetes pod. If the parameter is omitted or false, it will be determined automatically.
  Example:
    nodeSelector:
      disktype: ssd
- reportResourceLabels
  A list of additional labels for marking Trivy's reports (VulnerabilityReport). The values of these labels will correspond to the values of the scanned resources' labels.
- severities
  Filter vulnerability reports by their severities.
  Element of the array. Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL.
- storageClass
  The name of the StorageClass to use. false forces the use of emptyDir. After changing the parameter, manually delete the old PVC and restart the Pod.
  Examples:
    storageClass: ceph-ssd
    storageClass: 'false'
- tolerations
  Optional tolerations for operator-trivy and scan jobs. The same as spec.tolerations for the Kubernetes pod. If the parameter is omitted or false, it will be determined automatically.
  Example:
    tolerations:
    - key: key1
      operator: Equal
      value: value1
      effect: NoSchedule
  - tolerations.effect
  - tolerations.key
  - tolerations.operator
  - tolerations.tolerationSeconds
  - tolerations.value
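A complete ModuleConfig that fills the settings block with every parameter described above, added here as an illustration and not taken from the module's own documentation. The concrete values (the ceph-ssd StorageClass, the disktype=ssd node label, the dedicated taint, and the app.kubernetes.io/name and team label keys) are assumptions; replace them with the values used in your cluster.

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings:
    # Keep only findings that need action; UNKNOWN, LOW and MEDIUM are dropped
    # from the VulnerabilityReport objects.
    severities:
      - HIGH
      - CRITICAL
    # Copy these labels from the scanned workload onto its VulnerabilityReport,
    # so reports can be selected per application or team (assumed label keys).
    reportResourceLabels:
      - app.kubernetes.io/name
      - team
    # Also map CVE identifiers to BDU database records.
    linkCVEtoBDU: true
    # Use a named StorageClass (assumed name) for the module's PVC instead of
    # emptyDir; set to 'false' to force emptyDir. Delete the old PVC and restart
    # the Pod after changing this.
    storageClass: ceph-ssd
    # Pin operator-trivy and its scan jobs to a dedicated node pool (assumed
    # label and taint). Both fields use the same syntax as a Pod spec.
    nodeSelector:
      disktype: ssd
    tolerations:
      - key: dedicated
        operator: Equal
        value: security-scanning
        effect: NoSchedule
```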