The module is not enabled by default in any bundles.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/operator-trivy resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      enabled: true
    
  • by using the deckhouse-controller command (you need kubectl configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable operator-trivy
    

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: operator-trivy
    spec:
      enabled: false
    
  • by using the deckhouse-controller command (you need kubectl configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable operator-trivy
    

The module is configured using the ModuleConfig custom resource named operator-trivy (learn more about setting up Deckhouse…).

Example of the ModuleConfig/operator-trivy resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • linkCVEtoBDU
    boolean

    Convert vulnerability reports. Convert CVE database vulnerabilities to BDU database records.

    Default: false

    Examples:

    linkCVEtoBDU: true
    
    linkCVEtoBDU: false
    
  • nodeSelector
    object

    Optional nodeSelector for operator-trivy and scan jobs.

    The same as spec.nodeSelector for the Kubernetes pod.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    nodeSelector:
      disktype: ssd
    
  • reportResourceLabels
    array of strings

    A list of additional labels for marking Trivy's reports (VulnerabilityReport).

    The values of these labels will correspond to the values of the scanned resources’ labels.

  • severities
    array of strings

    Filter vulnerability reports by their severities.

    • Element of the array
      string

      Allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL

  • storageClass
    string

    The name of the StorageClass to be used.

    • If the value is not specified, the StorageClass will be used according to the global storageClass parameter setting.
    • The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.
    • Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.
    • If false is specified, emptyDir will be forced to be used.

    Examples:

    storageClass: ceph-ssd
    
    storageClass: 'false'
    
  • tolerations
    array of objects

    Optional tolerations for operator-trivy and scan jobs.

    The same as spec.tolerations for the Kubernetes pod.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    tolerations:
    - key: key1
      operator: Equal
      value: value1
      effect: NoSchedule
    
    • tolerations.effect
      string
    • tolerations.key
      string
    • tolerations.operator
      string
    • tolerations.tolerationSeconds
      integer
    • tolerations.value
      string
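A complete ModuleConfig/operator-trivy that fills in the settings section with the parameters described above, added here as an illustration (it is not taken from the Deckhouse documentation). The node label, taint and resource label names it uses are assumptions for the example, not values the module requires:

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: operator-trivy
spec:
  version: 1
  enabled: true
  settings:
    # Keep only HIGH and CRITICAL findings in VulnerabilityReports
    # (allowed values: UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL).
    severities:
      - HIGH
      - CRITICAL
    # Map CVE database entries to BDU database records in the reports.
    linkCVEtoBDU: true
    # Copy these labels from the scanned resources onto their reports,
    # so reports can be selected per application or team.
    # The label names are assumed for this example.
    reportResourceLabels:
      - app.kubernetes.io/name
      - team
    # Run the operator and scan jobs on a dedicated node pool.
    # The node label and taint below are assumed for this example.
    nodeSelector:
      node-role/security-scan: ""
    tolerations:
      - key: dedicated
        operator: Equal
        value: security-scan
        effect: NoSchedule
    # Must match the StorageClass of the existing PVC: changing it
    # re-provisions the disk and deletes all data. Use the quoted
    # string 'false' to force emptyDir instead.
    storageClass: ceph-ssd
```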