The module is not enabled by default in any bundles.
The module is configured using the ModuleConfig custom resource named operator-trivy (learn more about setting up Deckhouse…).
Example of the ModuleConfig/operator-trivy resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- linkCVEtoBDU
Convert vulnerability reports. Convert CVE database vulnerabilities to BDU database records.
Default: false
Examples:
linkCVEtoBDU: true
linkCVEtoBDU: false
- nodeSelector
Optional nodeSelector for operator-trivy and scan jobs. The same as spec.nodeSelector for the Kubernetes pod. If the parameter is omitted or false, it will be determined automatically.
Example:
nodeSelector:
  disktype: ssd
- reportResourceLabels
A list of additional labels for marking Trivy’s reports (VulnerabilityReport).
The values of these labels will correspond to the values of the scanned resources’ labels.
- severities
Filter vulnerability reports by their severities.
- Element of the array
Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL
- storageClass
The name of the StorageClass to be used.
- If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.
- The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.
- Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.
- If false is specified, emptyDir will be forced to be used.
Examples:
storageClass: ceph-ssd
storageClass: 'false'
- tolerations
Optional tolerations for operator-trivy and scan jobs. The same as spec.tolerations for the Kubernetes pod. If the parameter is omitted or false, it will be determined automatically.
Example:
tolerations:
- key: key1
  operator: Equal
  value: value1
  effect: NoSchedule
- tolerations.effect
- tolerations.key
- tolerations.operator
- tolerations.tolerationSeconds
- tolerations.value
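A filled-in ModuleConfig that combines the parameters above into one resource, as an added example that is not part of the original documentation. The label names under reportResourceLabels are constructed; the other values reuse the examples already shown on this page.

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true             # the module is not enabled by default in any bundle
  settings:
    linkCVEtoBDU: false     # the default, written out explicitly
    severities:             # filter vulnerability reports by severity
    - HIGH
    - CRITICAL
    reportResourceLabels:   # constructed label names; each VulnerabilityReport gets
    - app                   # the value the scanned resource has for that label
    - env
    # Setting a storageClass that differs from the one used by the existing PVC
    # re-provisions the disk and deletes all data. 'false' forces emptyDir.
    storageClass: ceph-ssd
    nodeSelector:           # applies to operator-trivy and to the scan jobs
      disktype: ssd
    tolerations:            # applies to operator-trivy and to the scan jobs
    - key: key1
      operator: Equal
      value: value1
      effect: NoSchedule
```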