--- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustercompliancereports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: clustercompliancereports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterComplianceReport listKind: ClusterComplianceReportList plural: clustercompliancereports shortNames: - compliance singular: clustercompliancereport scope: Cluster versions: - additionalPrinterColumns: - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of checks that failed jsonPath: .status.summary.failCount name: Fail priority: 1 type: integer - description: The number of checks that passed jsonPath: .status.summary.passCount name: Pass priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterComplianceReport is a specification for the ClusterComplianceReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: ReportSpec represent the compliance specification properties: compliance: properties: controls: description: Control represent the cps controls data and mapping checks items: description: Control represent the cps controls data and mapping checks properties: checks: items: description: SpecCheck represent the scanner who perform the control check properties: id: description: id define the check id as produced by scanner type: string required: - id type: object type: array commands: items: description: Commands represent the commands to be executed by the node-collector properties: id: description: id define the commands id type: string required: - id type: object type: array defaultStatus: description: define the default value for check status in case resource not found enum: - PASS - WARN - FAIL type: string description: type: string id: description: id define the control check id type: string name: type: string severity: description: define the severity of the control enum: - CRITICAL - HIGH - MEDIUM - LOW - UNKNOWN type: string required: - id - name - severity type: object type: array description: type: string id: type: string platform: type: string relatedResources: items: type: string type: array title: type: string type: type: string version: type: string required: - controls - description - id - platform - relatedResources - title - type - version type: object cron: description: cron define the intervals for report generation pattern: ^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$ type: string reportType: enum: - summary - all type: string required: - compliance - cron - reportType type: object status: properties: detailReport: description: ComplianceReport represents a kubernetes scan report properties: description: type: string id: type: string relatedVersion: items: type: string type: array results: items: properties: checks: items: description: ComplianceCheck provides the result of conducting a single compliance step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean target: type: string title: type: string required: - checkID - severity - success type: object type: array description: type: string id: type: string name: type: string severity: type: string status: type: string required: - checks type: object type: array title: type: string version: type: string type: object x-kubernetes-preserve-unknown-fields: true summary: properties: failCount: type: integer passCount: type: integer type: object summaryReport: description: SummaryReport represents a kubernetes scan report with consolidated findings properties: controlCheck: items: properties: id: type: string name: type: string severity: type: string totalFail: type: integer type: object type: array id: type: string title: type: string type: object x-kubernetes-preserve-unknown-fields: true updateTimestamp: format: date-time type: string required: - updateTimestamp type: object type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: status: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterconfigauditreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: clusterconfigauditreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterConfigAuditReport listKind: ClusterConfigAuditReportList plural: clusterconfigauditreports shortNames: - clusterconfigaudit singular: clusterconfigauditreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of the config audit scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: ConfigAuditSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object updateTimestamp: format: date-time type: string required: - checks type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterinfraassessmentreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: clusterinfraassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterInfraAssessmentReport listKind: ClusterInfraAssessmentReportList plural: clusterinfraassessmentreports shortNames: - clusterinfraassessment singular: clusterinfraassessmentreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of the infra assessement scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterInfraAssessmentReport is a specification for the ClusterInfraAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: InfraAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterrbacassessmentreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: clusterrbacassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterRbacAssessmentReport listKind: ClusterRbacAssessmentReportList plural: clusterrbacassessmentreports shortNames: - clusterrbacassessmentreport singular: clusterrbacassessmentreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of the rbac assessment scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: RbacAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustersbomreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: clustersbomreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterSbomReport listKind: ClusterSbomReportList plural: clustersbomreports shortNames: - clustersbom singular: clustersbomreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the sbom generation scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of dependencies in bom jsonPath: .report.summary.componentsCount name: Components priority: 1 type: integer - description: The the number of components in bom jsonPath: .report.summary.dependenciesCount name: Dependencies priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ClusterSbomReport summarizes components and dependencies found in container image properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual sbom report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object components: description: Bom is artifact bill of materials. properties: bomFormat: type: string components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array dependencies: items: properties: dependsOn: items: type: string type: array ref: type: string type: object type: array metadata: properties: component: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object timestamp: type: string tools: properties: components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array type: object type: object serialNumber: type: string specVersion: type: string version: type: integer required: - bomFormat - specVersion type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of sbom report. properties: componentsCount: description: ComponentsCount is the number of components in bom. minimum: 0 type: integer dependenciesCount: description: DependenciesCount is the number of dependencies in bom. minimum: 0 type: integer required: - componentsCount - dependenciesCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string required: - artifact - components - scanner - summary - updateTimestamp type: object required: - report type: object served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: clustervulnerabilityreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ClusterVulnerabilityReport listKind: ClusterVulnerabilityReportList plural: clustervulnerabilityreports shortNames: - clustervuln singular: clustervulnerabilityreport scope: Cluster versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the vulnerability scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of critical vulnerabilities jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of high vulnerabilities jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of medium vulnerabilities jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of low vulnerabilities jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer - description: The number of unknown vulnerabilities jsonPath: .report.summary.unknownCount name: Unknown priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: |- ClusterVulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages built into container images. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual vulnerability report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object os: description: OS information of the artifact properties: eosl: description: Eosl is true if OS version has reached end of service life type: boolean family: description: Operating System Family type: string name: description: Name or version of the OS type: string type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of Vulnerability counts grouped by Severity. properties: criticalCount: description: CriticalCount is the number of vulnerabilities with Critical Severity. minimum: 0 type: integer highCount: description: HighCount is the number of vulnerabilities with High Severity. minimum: 0 type: integer lowCount: description: LowCount is the number of vulnerabilities with Low Severity. minimum: 0 type: integer mediumCount: description: MediumCount is the number of vulnerabilities with Medium Severity. minimum: 0 type: integer noneCount: description: NoneCount is the number of packages without any vulnerability. minimum: 0 type: integer unknownCount: description: UnknownCount is the number of vulnerabilities with unknown severity. minimum: 0 type: integer required: - criticalCount - highCount - lowCount - mediumCount - unknownCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string vulnerabilities: description: Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact. items: description: Vulnerability is the spec for a vulnerability record. properties: class: type: string cvss: additionalProperties: properties: V2Score: type: number V2Vector: type: string V3Score: type: number V3Vector: type: string V40Score: type: number V40Vector: type: string type: object type: object cvsssource: type: string description: type: string fixedVersion: description: FixedVersion indicates the version of the Resource in which this vulnerability has been fixed. type: string installedVersion: description: InstalledVersion indicates the installed version of the Resource. type: string lastModifiedDate: description: LastModifiedDate indicates the last date CVE has been modified. type: string links: items: type: string type: array packagePURL: type: string packagePath: type: string packageType: type: string primaryLink: type: string publishedDate: description: PublishedDate indicates the date of published CVE. type: string resource: description: Resource is a vulnerable package, application, or library. type: string score: type: number severity: description: Severity level of a vulnerability or a configuration audit check. enum: - CRITICAL - HIGH - MEDIUM - LOW - UNKNOWN type: string target: type: string title: type: string vulnerabilityID: description: VulnerabilityID the vulnerability identifier. type: string required: - fixedVersion - installedVersion - lastModifiedDate - publishedDate - resource - severity - title - vulnerabilityID type: object type: array required: - artifact - os - scanner - summary - updateTimestamp - vulnerabilities type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_configauditreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: configauditreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ConfigAuditReport listKind: ConfigAuditReportList plural: configauditreports shortNames: - configaudit - configaudits singular: configauditreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of the config audit scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ConfigAuditReport is a specification for the ConfigAuditReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: ConfigAuditSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object updateTimestamp: format: date-time type: string required: - checks type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_exposedsecretreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: exposedsecretreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: ExposedSecretReport listKind: ExposedSecretReportList plural: exposedsecretreports shortNames: - exposedsecret - exposedsecrets singular: exposedsecretreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the exposed secret scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of critical exposed secrets jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of high exposed secrets jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of medium exposed secrets jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of low exposed secrets jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: ExposedSecretReport summarizes exposed secrets in plaintext files built into container images. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual exposed secret report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object secrets: description: Exposed secrets is a list of passwords, api keys, tokens and others items found in the Artifact. items: description: ExposedSecret is the spec for a exposed secret record. properties: category: type: string match: description: Match where the exposed rule matched. type: string ruleID: description: RuleID is rule the identifier. type: string severity: description: Severity level of a vulnerability or a configuration audit check. enum: - CRITICAL - HIGH - MEDIUM - LOW type: string target: description: Target is where the exposed secret was found. type: string title: type: string required: - category - match - ruleID - severity - target - title type: object type: array summary: description: Summary is the exposed secrets counts grouped by Severity. properties: criticalCount: description: CriticalCount is the number of exposed secrets with Critical Severity. minimum: 0 type: integer highCount: description: HighCount is the number of exposed secrets with High Severity. minimum: 0 type: integer lowCount: description: LowCount is the number of exposed secrets with Low Severity. minimum: 0 type: integer mediumCount: description: MediumCount is the number of exposed secrets with Medium Severity. minimum: 0 type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string required: - artifact - scanner - secrets - summary - updateTimestamp type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_infraassessmentreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: infraassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: InfraAssessmentReport listKind: InfraAssessmentReportList plural: infraassessmentreports shortNames: - infraassessment - infraassessments singular: infraassessmentreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of the infra assessment scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: InfraAssessmentReport is a specification for the InfraAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: InfraAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_rbacassessmentreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: rbacassessmentreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: RbacAssessmentReport listKind: RbacAssessmentReportList plural: rbacassessmentreports shortNames: - rbacassessment - rbacassessments singular: rbacassessmentreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of the rbac assessment scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of failed checks with critical severity jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of failed checks with high severity jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of failed checks with medium severity jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of failed checks with low severity jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: RbacAssessmentReport is a specification for the RbacAssessmentReport resource. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: properties: checks: description: Checks provides results of conducting audit steps. items: description: Check provides the result of conducting a single audit step. properties: category: type: string checkID: type: string description: type: string messages: items: type: string type: array remediation: description: Remediation provides description or links to external resources to remediate failing check. type: string scope: description: Scope indicates the section of config that was audited. properties: type: description: Type indicates type of this scope, e.g. Container, ConfigMapKey or JSONPath. type: string value: description: Value indicates value of this scope that depends on Type, e.g. container name, ConfigMap key or JSONPath expression type: string required: - type - value type: object severity: description: Severity level of a vulnerability or a configuration audit check. type: string success: type: boolean title: type: string required: - checkID - severity - success type: object type: array scanner: description: Scanner is the spec for a scanner generating a security assessment report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: RbacAssessmentSummary counts failed checks by severity. properties: criticalCount: description: CriticalCount is the number of failed checks with critical severity. type: integer highCount: description: HighCount is the number of failed checks with high severity. type: integer lowCount: description: LowCount is the number of failed check with low severity. type: integer mediumCount: description: MediumCount is the number of failed checks with medium severity. type: integer required: - criticalCount - highCount - lowCount - mediumCount type: object required: - checks - scanner - summary type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_sbomreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: sbomreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: SbomReport listKind: SbomReportList plural: sbomreports shortNames: - sbom - sboms singular: sbomreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the sbom generation scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of dependencies in bom jsonPath: .report.summary.componentsCount name: Components priority: 1 type: integer - description: The the number of components in bom jsonPath: .report.summary.dependenciesCount name: Dependencies priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: SbomReport summarizes components and dependencies found in container image properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual sbom report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object components: description: Bom is artifact bill of materials. properties: bomFormat: type: string components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array dependencies: items: properties: dependsOn: items: type: string type: array ref: type: string type: object type: array metadata: properties: component: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object timestamp: type: string tools: properties: components: items: properties: bom-ref: type: string group: type: string hashes: items: properties: alg: type: string content: type: string type: object type: array licenses: items: properties: expression: type: string license: properties: id: type: string name: type: string url: type: string type: object type: object type: array name: type: string properties: items: properties: name: type: string value: type: string type: object type: array purl: type: string supplier: properties: contact: items: properties: email: type: string name: type: string phone: type: string type: object type: array name: type: string url: items: type: string type: array type: object type: type: string version: type: string type: object type: array type: object type: object serialNumber: type: string specVersion: type: string version: type: integer required: - bomFormat - specVersion type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of sbom report. properties: componentsCount: description: ComponentsCount is the number of components in bom. minimum: 0 type: integer dependenciesCount: description: DependenciesCount is the number of dependencies in bom. minimum: 0 type: integer required: - componentsCount - dependenciesCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string required: - artifact - components - scanner - summary - updateTimestamp type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_vulnerabilityreports.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.14.0 name: vulnerabilityreports.aquasecurity.github.io spec: group: aquasecurity.github.io names: kind: VulnerabilityReport listKind: VulnerabilityReportList plural: vulnerabilityreports shortNames: - vuln - vulns singular: vulnerabilityreport scope: Namespaced versions: - additionalPrinterColumns: - description: The name of image repository jsonPath: .report.artifact.repository name: Repository type: string - description: The name of image tag jsonPath: .report.artifact.tag name: Tag type: string - description: The name of the vulnerability scanner jsonPath: .report.scanner.name name: Scanner type: string - description: The age of the report jsonPath: .metadata.creationTimestamp name: Age type: date - description: The number of critical vulnerabilities jsonPath: .report.summary.criticalCount name: Critical priority: 1 type: integer - description: The number of high vulnerabilities jsonPath: .report.summary.highCount name: High priority: 1 type: integer - description: The number of medium vulnerabilities jsonPath: .report.summary.mediumCount name: Medium priority: 1 type: integer - description: The number of low vulnerabilities jsonPath: .report.summary.lowCount name: Low priority: 1 type: integer - description: The number of unknown vulnerabilities jsonPath: .report.summary.unknownCount name: Unknown priority: 1 type: integer name: v1alpha1 schema: openAPIV3Schema: description: |- VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages built into container images. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object report: description: Report is the actual vulnerability report data. properties: artifact: description: |- Artifact represents a standalone, executable package of software that includes everything needed to run an application. properties: digest: description: Digest is a unique and immutable identifier of an Artifact. type: string mimeType: description: MimeType represents a type and format of an Artifact. type: string repository: description: Repository is the name of the repository in the Artifact registry. type: string tag: description: Tag is a mutable, human-readable string used to identify an Artifact. type: string type: object os: description: OS information of the artifact properties: eosl: description: Eosl is true if OS version has reached end of service life type: boolean family: description: Operating System Family type: string name: description: Name or version of the OS type: string type: object registry: description: Registry is the registry the Artifact was pulled from. properties: server: description: Server the FQDN of registry server. type: string type: object scanner: description: Scanner is the scanner that generated this report. properties: name: description: Name the name of the scanner. type: string vendor: description: Vendor the name of the vendor providing the scanner. type: string version: description: Version the version of the scanner. type: string required: - name - vendor - version type: object summary: description: Summary is a summary of Vulnerability counts grouped by Severity. properties: criticalCount: description: CriticalCount is the number of vulnerabilities with Critical Severity. minimum: 0 type: integer highCount: description: HighCount is the number of vulnerabilities with High Severity. minimum: 0 type: integer lowCount: description: LowCount is the number of vulnerabilities with Low Severity. minimum: 0 type: integer mediumCount: description: MediumCount is the number of vulnerabilities with Medium Severity. minimum: 0 type: integer noneCount: description: NoneCount is the number of packages without any vulnerability. minimum: 0 type: integer unknownCount: description: UnknownCount is the number of vulnerabilities with unknown severity. minimum: 0 type: integer required: - criticalCount - highCount - lowCount - mediumCount - unknownCount type: object updateTimestamp: description: UpdateTimestamp is a timestamp representing the server time in UTC when this report was updated. format: date-time type: string vulnerabilities: description: Vulnerabilities is a list of operating system (OS) or application software Vulnerability items found in the Artifact. items: description: Vulnerability is the spec for a vulnerability record. properties: class: type: string cvss: additionalProperties: properties: V2Score: type: number V2Vector: type: string V3Score: type: number V3Vector: type: string V40Score: type: number V40Vector: type: string type: object type: object cvsssource: type: string description: type: string fixedVersion: description: FixedVersion indicates the version of the Resource in which this vulnerability has been fixed. type: string installedVersion: description: InstalledVersion indicates the installed version of the Resource. type: string lastModifiedDate: description: LastModifiedDate indicates the last date CVE has been modified. type: string links: items: type: string type: array packagePURL: type: string packagePath: type: string packageType: type: string primaryLink: type: string publishedDate: description: PublishedDate indicates the date of published CVE. type: string resource: description: Resource is a vulnerable package, application, or library. type: string score: type: number severity: description: Severity level of a vulnerability or a configuration audit check. enum: - CRITICAL - HIGH - MEDIUM - LOW - UNKNOWN type: string target: type: string title: type: string vulnerabilityID: description: VulnerabilityID the vulnerability identifier. type: string required: - fixedVersion - installedVersion - lastModifiedDate - publishedDate - resource - severity - title - vulnerabilityID type: object type: array required: - artifact - os - scanner - summary - updateTimestamp - vulnerabilities type: object required: - report type: object x-kubernetes-preserve-unknown-fields: true served: true storage: true subresources: {} --- # Source: trivy/templates/namespace.yaml apiVersion: v1 kind: Namespace metadata: name: trivy labels: app.kubernetes.io/name: trivy app.kubernetes.io/instance: trivy app.kubernetes.io/part-of: trivy pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged --- # Source: trivy/charts/trivy-operator/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: name: trivy-trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm --- # Source: trivy/charts/trivy-operator/templates/secrets/operator.yaml apiVersion: v1 kind: Secret metadata: name: trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm data: --- # Source: trivy/charts/trivy-operator/templates/secrets/trivy.yaml apiVersion: v1 kind: Secret metadata: name: trivy-operator-trivy-config namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm data: --- # Source: trivy/charts/trivy-operator/templates/configmaps/operator.yaml apiVersion: v1 kind: ConfigMap metadata: name: trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm data: nodeCollector.tolerations: "[{\"effect\":\"NoSchedule\",\"key\":\"node-role.kubernetes.io/control-plane\",\"operator\":\"Exists\"}]" nodeCollector.volumes: "[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]" nodeCollector.volumeMounts: "[{\"mountPath\":\"/var/lib/etcd\",\"name\":\"var-lib-etcd\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kubelet\",\"name\":\"var-lib-kubelet\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-scheduler\",\"name\":\"var-lib-kube-scheduler\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-controller-manager\",\"name\":\"var-lib-kube-controller-manager\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"name\":\"etc-cni-netd\",\"readOnly\":true}]" scanJob.useGCRServiceAccount: "true" scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" scanJob.compressLogs: "true" vulnerabilityReports.scanner: "Trivy" vulnerabilityReports.scanJobsInSameNamespace: "false" configAuditReports.scanner: "Trivy" report.recordFailedChecksOnly: "true" node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.3.1" policies.bundle.oci.ref: "mirror.gcr.io/aquasec/trivy-checks:1" policies.bundle.insecure: "false" node.collector.nodeSelector: "true" --- # Source: trivy/charts/trivy-operator/templates/configmaps/trivy-operator-config.yaml kind: ConfigMap apiVersion: v1 metadata: name: trivy-operator-config namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm data: OPERATOR_LOG_DEV_MODE: "false" OPERATOR_SCAN_JOB_TTL: "" OPERATOR_SCAN_JOB_TIMEOUT: "5m" OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10" OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1" OPERATOR_SCAN_JOB_RETRY_AFTER: "30s" OPERATOR_BATCH_DELETE_LIMIT: "10" OPERATOR_BATCH_DELETE_DELAY: "10s" OPERATOR_METRICS_BIND_ADDRESS: ":8080" OPERATOR_METRICS_FINDINGS_ENABLED: "true" OPERATOR_METRICS_VULN_ID_ENABLED: "false" OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ":9090" OPERATOR_PPROF_BIND_ADDRESS: "" OPERATOR_VULNERABILITY_SCANNER_ENABLED: "false" OPERATOR_SBOM_GENERATION_ENABLED: "false" OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false" OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" OPERATOR_SCANNER_REPORT_TTL: "24h" OPERATOR_CACHE_REPORT_TTL: "120h" CONTROLLER_CACHE_SYNC_TIMEOUT: "5m" OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true" OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true" OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "false" OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true" OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false" OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "false" OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false" OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false" OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false" OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false" OPERATOR_WEBHOOK_BROADCAST_URL: "" OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: "30s" OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS: "" OPERATOR_SEND_DELETED_REPORTS: "false" OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: "{}" OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true" OPERATOR_BUILT_IN_TRIVY_SERVER: "false" TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: "10h" OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false" OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "false" --- # Source: trivy/charts/trivy-operator/templates/configmaps/trivy.yaml apiVersion: v1 kind: ConfigMap metadata: name: trivy-operator-trivy-config namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm data: trivy.repository: "mirror.gcr.io/aquasec/trivy" trivy.tag: "0.67.2" trivy.imagePullPolicy: "IfNotPresent" trivy.additionalVulnerabilityReportFields: "" trivy.registry.mirror.gcr.io: "proxy-gcr.io" trivy.registry.mirror.ghcr.io: "proxy-ghcr.io" trivy.registry.mirror.hub.docker: "proxy-hub.docker" trivy.registry.mirror.quay.io: "proxy-quay.io" trivy.registry.mirror.registry-1.docker.io: "proxy-registry-1.docker.io" trivy.registry.mirror.registry.k8s.io: "proxy-registry.k8s" trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" trivy.slow: "true" trivy.skipJavaDBUpdate: "false" trivy.includeDevDeps: "false" trivy.imageScanCacheDir: "/tmp/trivy/.cache" trivy.filesystemScanCacheDir: "/var/trivyoperator/trivy-db" trivy.dbRepository: "mirror.gcr.io/aquasec/trivy-db" trivy.javaDbRepository: "mirror.gcr.io/aquasec/trivy-java-db" trivy.command: "image" trivy.sbomSources: "" trivy.dbRepositoryInsecure: "false" trivy.useBuiltinRegoPolicies: "false" trivy.useEmbeddedRegoPolicies: "true" trivy.supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota" trivy.timeout: "5m0s" trivy.mode: "Standalone" trivy.resources.requests.cpu: "100m" trivy.resources.requests.memory: "128M" trivy.resources.limits.cpu: "500m" trivy.resources.limits.memory: "500M" --- # Source: trivy/charts/trivy-operator/templates/rbac/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: trivy-operator rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - apiGroups: - "" resources: - limitranges verbs: - get - list - watch - apiGroups: - "" resources: - namespaces verbs: - get - apiGroups: - "" resources: - nodes verbs: - get - list - watch - apiGroups: - "" resources: - pods verbs: - get - list - watch - apiGroups: - "" resources: - pods/log verbs: - get - list - apiGroups: - "" resources: - replicationcontrollers verbs: - get - list - watch - apiGroups: - "" resources: - resourcequotas verbs: - get - list - watch - apiGroups: - "" resources: - services verbs: - get - list - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - apiGroups: - apps resources: - daemonsets verbs: - get - list - watch - apiGroups: - apps resources: - deployments verbs: - get - list - watch - apiGroups: - apps resources: - replicasets verbs: - get - list - watch - apiGroups: - apps resources: - statefulsets verbs: - get - list - watch - apiGroups: - apps.openshift.io resources: - deploymentconfigs verbs: - get - list - watch - apiGroups: - aquasecurity.github.io resources: - clustercompliancedetailreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - clustercompliancereports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - clustercompliancereports/status verbs: - get - patch - update - apiGroups: - aquasecurity.github.io resources: - clusterconfigauditreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - clusterinfraassessmentreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - clusterrbacassessmentreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - clustersbomreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - clustervulnerabilityreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - configauditreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - exposedsecretreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - infraassessmentreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - rbacassessmentreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - sbomreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - aquasecurity.github.io resources: - vulnerabilityreports verbs: - create - delete - get - list - patch - update - watch - apiGroups: - batch resources: - cronjobs verbs: - get - list - watch - apiGroups: - batch resources: - jobs verbs: - create - delete - get - list - watch - apiGroups: - networking.k8s.io resources: - ingresses verbs: - get - list - watch - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - get - list - watch - apiGroups: - rbac.authorization.k8s.io resources: - clusterrolebindings verbs: - get - list - watch - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles verbs: - get - list - watch - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings verbs: - get - list - watch - apiGroups: - rbac.authorization.k8s.io resources: - roles verbs: - get - list - watch - apiGroups: - "" resources: - secrets verbs: - create - get - update - apiGroups: - "" resources: - serviceaccounts verbs: - get - apiGroups: - "" resources: - nodes/proxy verbs: - get --- # Source: trivy/charts/trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml # permissions for end users to view configauditreports apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-config-audit-reports-view labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: - aquasecurity.github.io resources: - configauditreports verbs: - get - list - watch --- # Source: trivy/charts/trivy-operator/templates/rbac/view-exposedsecretreports-clusterrole.yaml # permissions for end users to view exposedsecretreports apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-exposed-secret-reports-view labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: - aquasecurity.github.io resources: - exposedsecretreports verbs: - get - list - watch --- # Source: trivy/charts/trivy-operator/templates/rbac/view-vulnerabilityreports-clusterrole.yaml # permissions for end users to view vulnerabilityreports apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aggregate-vulnerability-reports-view labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" rules: - apiGroups: - aquasecurity.github.io resources: - vulnerabilityreports verbs: - get - list - watch --- # Source: trivy/charts/trivy-operator/templates/rbac/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: trivy-trivy-operator labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: trivy-operator subjects: - kind: ServiceAccount name: trivy-trivy-operator namespace: trivy --- # Source: trivy/charts/trivy-operator/templates/rbac/leader-election-role.yaml # permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: trivy-trivy-operator-leader-election namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - update - apiGroups: - "" resources: - events verbs: - create --- # Source: trivy/charts/trivy-operator/templates/rbac/role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: trivy-trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm rules: - apiGroups: - "" resources: - configmaps verbs: - create - get - list - watch - apiGroups: - "" resources: - secrets verbs: - create - get - delete - update --- # Source: trivy/charts/trivy-operator/templates/rbac/leader-election-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: trivy-trivy-operator-leader-election namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: trivy-trivy-operator-leader-election subjects: - kind: ServiceAccount name: trivy-trivy-operator namespace: trivy --- # Source: trivy/charts/trivy-operator/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: trivy-trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: trivy-trivy-operator subjects: - kind: ServiceAccount name: trivy-trivy-operator namespace: trivy --- # Source: trivy/charts/trivy-operator/templates/monitor/service.yaml apiVersion: v1 kind: Service metadata: name: trivy-trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm spec: clusterIP: None ports: - name: metrics port: 80 targetPort: metrics protocol: TCP appProtocol: TCP selector: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy type: ClusterIP --- # Source: trivy/charts/trivy-operator/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: trivy-trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy template: metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy spec: serviceAccountName: trivy-trivy-operator automountServiceAccountToken: true containers: - name: "trivy-operator" image: "mirror.gcr.io/aquasec/trivy-operator:0.29.0" imagePullPolicy: IfNotPresent env: - name: OPERATOR_NAMESPACE value: trivy - name: OPERATOR_TARGET_NAMESPACES value: "" - name: OPERATOR_EXCLUDE_NAMESPACES value: "" - name: OPERATOR_TARGET_WORKLOADS value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" - name: OPERATOR_SERVICE_ACCOUNT value: "trivy-trivy-operator" envFrom: - configMapRef: name: trivy-operator-config ports: - name: metrics containerPort: 8080 - name: probes containerPort: 9090 readinessProbe: httpGet: path: /readyz/ port: probes initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 failureThreshold: 3 livenessProbe: httpGet: path: /healthz/ port: probes initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 failureThreshold: 10 resources: requests: cpu: 100m memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL privileged: false readOnlyRootFilesystem: true volumeMounts: - mountPath: /tmp name: cache-policies readOnly: false volumes: - emptyDir: {} name: cache-policies --- # Source: trivy/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml apiVersion: aquasecurity.github.io/v1alpha1 kind: ClusterComplianceReport metadata: name: k8s-cis-1.23 labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: "0 5 * * *" reportType: "summary" compliance: id: k8s-cis-1.23 title: CIS Kubernetes Benchmarks v1.23 description: CIS Kubernetes Benchmarks platform: k8s type: cis relatedResources: - https://www.cisecurity.org/benchmark/kubernetes version: "1.23" controls: - id: 1.1.1 name: Ensure that the API server pod specification file permissions are set to 600 or more restrictive description: Ensure that the API server pod specification file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0048 commands: - id: CMD-0001 severity: HIGH - id: 1.1.2 name: Ensure that the API server pod specification file ownership is set to root:root description: Ensure that the API server pod specification file ownership is set to root:root checks: - id: AVD-KCV-0049 commands: - id: CMD-0002 severity: HIGH - id: 1.1.3 name: Ensure that the controller manager pod specification file permissions are set to 600 or more restrictive description: Ensure that the controller manager pod specification file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0050 commands: - id: CMD-0003 severity: HIGH - id: 1.1.4 name: Ensure that the controller manager pod specification file ownership is set to root:root description: Ensure that the controller manager pod specification file ownership is set to root:root checks: - id: AVD-KCV-0051 commands: - id: CMD-0004 severity: HIGH - id: 1.1.5 name: Ensure that the scheduler pod specification file permissions are set to 600 or more restrictive description: Ensure that the scheduler pod specification file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0052 commands: - id: CMD-0005 severity: HIGH - id: 1.1.6 name: Ensure that the scheduler pod specification file ownership is set to root:root description: Ensure that the scheduler pod specification file ownership is set to root:root checks: - id: AVD-KCV-0053 commands: - id: CMD-0006 severity: HIGH - id: 1.1.7 name: Ensure that the etcd pod specification file permissions are set to 600 or more restrictive description: Ensure that the etcd pod specification file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0054 commands: - id: CMD-0007 severity: HIGH - id: 1.1.8 name: Ensure that the etcd pod specification file ownership is set to root:root description: Ensure that the etcd pod specification file ownership is set to root:root. checks: - id: AVD-KCV-0055 commands: - id: CMD-0008 severity: HIGH - id: 1.1.9 name: Ensure that the Container Network Interface file permissions are set to 600 or more restrictive description: Ensure that the Container Network Interface files have permissions of 600 or more restrictive checks: - id: AVD-KCV-0056 commands: - id: CMD-0009 severity: HIGH - id: 1.1.10 name: Ensure that the Container Network Interface file ownership is set to root:root description: Ensure that the Container Network Interface files have ownership set to root:root checks: - id: AVD-KCV-0057 commands: - id: CMD-0010 severity: HIGH - id: 1.1.11 name: Ensure that the etcd data directory permissions are set to 700 or more restrictive description: Ensure that the etcd data directory has permissions of 700 or more restrictive checks: - id: AVD-KCV-0058 commands: - id: CMD-0011 severity: HIGH - id: 1.1.12 name: Ensure that the etcd data directory ownership is set to etcd:etcd description: Ensure that the etcd data directory ownership is set to etcd:etcd checks: - id: AVD-KCV-0059 commands: - id: CMD-0012 severity: LOW - id: 1.1.13 name: Ensure that the admin.conf file permissions are set to 600 description: Ensure that the admin.conf file has permissions of 600 checks: - id: AVD-KCV-0060 commands: - id: CMD-0013 severity: CRITICAL - id: 1.1.14 name: Ensure that the admin.conf file ownership is set to root:root description: Ensure that the admin.conf file ownership is set to root:root checks: - id: AVD-KCV-0061 commands: - id: CMD-0014 severity: CRITICAL - id: 1.1.15 name: Ensure that the scheduler.conf file permissions are set to 600 or more restrictive description: Ensure that the scheduler.conf file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0062 commands: - id: CMD-0015 severity: HIGH - id: 1.1.16 name: Ensure that the scheduler.conf file ownership is set to root:root description: Ensure that the scheduler.conf file ownership is set to root:root checks: - id: AVD-KCV-0063 commands: - id: CMD-0016 severity: HIGH - id: 1.1.17 name: Ensure that the controller-manager.conf file permissions are set to 600 or more restrictive description: Ensure that the controller-manager.conf file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0064 commands: - id: CMD-0017 severity: HIGH - id: 1.1.18 name: Ensure that the controller-manager.conf file ownership is set to root:root description: Ensure that the controller-manager.conf file ownership is set to root:root. checks: - id: AVD-KCV-0065 commands: - id: CMD-0018 severity: HIGH - id: 1.1.19 name: Ensure that the Kubernetes PKI directory and file ownership is set to root:root description: Ensure that the Kubernetes PKI directory and file ownership is set to root:root checks: - id: AVD-KCV-0066 commands: - id: CMD-0019 severity: CRITICAL - id: 1.1.20 name: Ensure that the Kubernetes PKI certificate file permissions are set to 600 or more restrictive description: Ensure that Kubernetes PKI certificate files have permissions of 600 or more restrictive checks: - id: AVD-KCV-0068 commands: - id: CMD-0020 severity: CRITICAL - id: 1.1.21 name: Ensure that the Kubernetes PKI key file permissions are set to 600 description: Ensure that Kubernetes PKI key files have permissions of 600 checks: - id: AVD-KCV-0067 commands: - id: CMD-0021 severity: CRITICAL - id: 1.2.1 name: Ensure that the --anonymous-auth argument is set to false description: Disable anonymous requests to the API server checks: - id: AVD-KCV-0001 severity: MEDIUM - id: 1.2.2 name: Ensure that the --token-auth-file parameter is not set description: Do not use token based authentication checks: - id: AVD-KCV-0002 severity: LOW - id: 1.2.3 name: Ensure that the --DenyServiceExternalIPs is not set description: This admission controller rejects all net-new usage of the Service field externalIPs checks: - id: AVD-KCV-0003 severity: LOW - id: 1.2.4 name: Ensure that the --kubelet-https argument is set to true description: Use https for kubelet connections checks: - id: AVD-KCV-0004 severity: LOW - id: 1.2.5 name: Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate description: Enable certificate based kubelet authentication checks: - id: AVD-KCV-0005 severity: HIGH - id: 1.2.6 name: Ensure that the --kubelet-certificate-authority argument is set as appropriate description: Verify kubelets certificate before establishing connection checks: - id: AVD-KCV-0006 severity: HIGH - id: 1.2.7 name: Ensure that the --authorization-mode argument is not set to AlwaysAllow description: Do not always authorize all requests checks: - id: AVD-KCV-0007 severity: LOW - id: 1.2.8 name: Ensure that the --authorization-mode argument includes Node description: Restrict kubelet nodes to reading only objects associated with them checks: - id: AVD-KCV-0008 severity: HIGH - id: 1.2.9 name: Ensure that the --authorization-mode argument includes RBAC description: Turn on Role Based Access Control checks: - id: AVD-KCV-0009 severity: HIGH - id: 1.2.10 name: Ensure that the admission control plugin EventRateLimit is set description: Limit the rate at which the API server accepts requests checks: - id: AVD-KCV-0010 severity: HIGH - id: 1.2.11 name: Ensure that the admission control plugin AlwaysAdmit is not set description: Do not allow all requests checks: - id: AVD-KCV-0011 severity: LOW - id: 1.2.12 name: Ensure that the admission control plugin AlwaysPullImages is set description: Always pull images checks: - id: AVD-KCV-0012 severity: MEDIUM - id: 1.2.13 name: Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used description: The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster checks: - id: AVD-KCV-0013 severity: MEDIUM - id: 1.2.14 name: Ensure that the admission control plugin ServiceAccount is set description: Automate service accounts management checks: - id: AVD-KCV-0014 severity: LOW - id: 1.2.15 name: Ensure that the admission control plugin NamespaceLifecycle is set description: Reject creating objects in a namespace that is undergoing termination checks: - id: AVD-KCV-0015 severity: LOW - id: 1.2.16 name: Ensure that the admission control plugin NodeRestriction is set description: Limit the Node and Pod objects that a kubelet could modify checks: - id: AVD-KCV-0016 severity: LOW - id: 1.2.17 name: Ensure that the --secure-port argument is not set to 0 description: Do not disable the secure port checks: - id: AVD-KCV-0017 severity: HIGH - id: 1.2.18 name: Ensure that the --profiling argument is set to false description: Disable profiling, if not needed checks: - id: AVD-KCV-0018 severity: LOW - id: 1.2.19 name: Ensure that the --audit-log-path argument is set description: Enable auditing on the Kubernetes API Server and set the desired audit log path. checks: - id: AVD-KCV-0019 severity: LOW - id: 1.2.20 name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate description: Retain the logs for at least 30 days or as appropriate checks: - id: AVD-KCV-0020 severity: LOW - id: 1.2.21 name: Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate description: Retain 10 or an appropriate number of old log file checks: - id: AVD-KCV-0021 severity: LOW - id: 1.2.22 name: Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate description: Rotate log files on reaching 100 MB or as appropriate checks: - id: AVD-KCV-0022 severity: LOW - id: 1.2.24 name: Ensure that the --service-account-lookup argument is set to true description: Validate service account before validating token checks: - id: AVD-KCV-0024 severity: LOW - id: 1.2.25 name: Ensure that the --service-account-key-file argument is set as appropriate description: Explicitly set a service account public key file for service accounts on the apiserver checks: - id: AVD-KCV-0025 severity: LOW - id: 1.2.26 name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate description: etcd should be configured to make use of TLS encryption for client connections checks: - id: AVD-KCV-0026 severity: LOW - id: 1.2.27 name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate description: Setup TLS connection on the API server checks: - id: AVD-KCV-0027 severity: MEDIUM - id: 1.2.28 name: Ensure that the --client-ca-file argument is set appropriate description: Setup TLS connection on the API server checks: - id: AVD-KCV-0028 severity: LOW - id: 1.2.29 name: Ensure that the --etcd-cafile argument is set as appropriate description: etcd should be configured to make use of TLS encryption for client connections. checks: - id: AVD-KCV-0029 severity: LOW - id: 1.2.30 name: Ensure that the --encryption-provider-config argument is set as appropriate description: Encrypt etcd key-value store checks: - id: AVD-KCV-0030 severity: LOW - id: 1.3.1 name: Ensure that the --terminated-pod-gc-threshold argument is set as appropriate description: Activate garbage collector on pod termination, as appropriate checks: - id: AVD-KCV-0033 severity: MEDIUM - id: 1.3.3 name: Ensure that the --use-service-account-credentials argument is set to true description: Use individual service account credentials for each controller checks: - id: AVD-KCV-0035 severity: MEDIUM - id: 1.3.4 name: Ensure that the --service-account-private-key-file argument is set as appropriate description: Explicitly set a service account private key file for service accounts on the controller manager checks: - id: AVD-KCV-0036 severity: MEDIUM - id: 1.3.5 name: Ensure that the --root-ca-file argument is set as appropriate description: Allow pods to verify the API servers serving certificate before establishing connections checks: - id: AVD-KCV-0037 severity: MEDIUM - id: 1.3.6 name: Ensure that the RotateKubeletServerCertificate argument is set to true description: Enable kubelet server certificate rotation on controller-manager checks: - id: AVD-KCV-0038 severity: MEDIUM - id: 1.3.7 name: Ensure that the --bind-address argument is set to 127.0.0.1 description: Do not bind the scheduler service to non-loopback insecure addresses checks: - id: AVD-KCV-0039 severity: LOW - id: 1.4.1 name: Ensure that the --profiling argument is set to false description: Disable profiling, if not needed checks: - id: AVD-KCV-0034 severity: MEDIUM - id: 1.4.2 name: Ensure that the --bind-address argument is set to 127.0.0.1 description: Do not bind the scheduler service to non-loopback insecure addresses checks: - id: AVD-KCV-0041 severity: CRITICAL - id: "2.1" name: Ensure that the --cert-file and --key-file arguments are set as appropriate description: Configure TLS encryption for the etcd service checks: - id: AVD-KCV-0042 severity: MEDIUM - id: "2.2" name: Ensure that the --client-cert-auth argument is set to true description: Enable client authentication on etcd service checks: - id: AVD-KCV-0043 severity: CRITICAL - id: "2.3" name: Ensure that the --auto-tls argument is not set to true description: Do not use self-signed certificates for TLS checks: - id: AVD-KCV-0044 severity: CRITICAL - id: "2.4" name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate description: etcd should be configured to make use of TLS encryption for peer connections. checks: - id: AVD-KCV-0045 severity: CRITICAL - id: "2.5" name: Ensure that the --peer-client-cert-auth argument is set to true description: etcd should be configured for peer authentication checks: - id: AVD-KCV-0046 severity: CRITICAL - id: "2.6" name: Ensure that the --peer-auto-tls argument is not set to true description: Do not use self-signed certificates for TLS checks: - id: AVD-KCV-0047 severity: HIGH - id: 3.1.1 name: Client certificate authentication should not be used for users (Manual) description: Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke these certificates when a user leaves an organization or loses their credential, they are not suitable for this purpose severity: HIGH - id: 3.2.1 name: Ensure that a minimal audit policy is created (Manual) description: Kubernetes can audit the details of requests made to the API server. The --audit- policy-file flag must be set for this logging to be enabled. severity: HIGH - id: 3.2.2 name: Ensure that the audit policy covers key security concerns (Manual) description: Ensure that the audit policy created for the cluster covers key security concerns severity: HIGH - id: 4.1.1 name: Ensure that the kubelet service file permissions are set to 600 or more restrictive description: Ensure that the kubelet service file has permissions of 600 or more restrictive. checks: - id: AVD-KCV-0069 commands: - id: CMD-0022 severity: HIGH - id: 4.1.2 name: Ensure that the kubelet service file ownership is set to root:root description: Ensure that the kubelet service file ownership is set to root:root checks: - id: AVD-KCV-0070 commands: - id: CMD-0023 severity: HIGH - id: 4.1.3 name: If proxy kubeconfig file exists ensure permissions are set to 600 or more restrictive description: If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0071 commands: - id: CMD-0024 severity: HIGH - id: 4.1.4 name: If proxy kubeconfig file exists ensure ownership is set to root:root description: If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root checks: - id: AVD-KCV-0072 commands: - id: CMD-0025 severity: HIGH - id: 4.1.5 name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive description: Ensure that the kubelet.conf file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0073 commands: - id: CMD-0026 severity: HIGH - id: 4.1.6 name: Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root description: Ensure that the kubelet.conf file ownership is set to root:root checks: - id: AVD-KCV-0074 commands: - id: CMD-0027 severity: HIGH - id: 4.1.7 name: Ensure that the certificate authorities file permissions are set to 600 or more restrictive description: Ensure that the certificate authorities file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0075 commands: - id: CMD-0028 severity: CRITICAL - id: 4.1.8 name: Ensure that the client certificate authorities file ownership is set to root:root description: Ensure that the certificate authorities file ownership is set to root:root checks: - id: AVD-KCV-0076 commands: - id: CMD-0029 severity: CRITICAL - id: 4.1.9 name: If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive description: Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive checks: - id: AVD-KCV-0077 commands: - id: CMD-0030 severity: HIGH - id: 4.1.10 name: If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root description: Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root checks: - id: AVD-KCV-0078 commands: - id: CMD-0031 severity: HIGH - id: 4.2.1 name: Ensure that the --anonymous-auth argument is set to false description: Disable anonymous requests to the Kubelet server checks: - id: AVD-KCV-0079 commands: - id: CMD-0032 severity: CRITICAL - id: 4.2.2 name: Ensure that the --authorization-mode argument is not set to AlwaysAllow description: Do not allow all requests. Enable explicit authorization checks: - id: AVD-KCV-0080 commands: - id: CMD-0033 severity: CRITICAL - id: 4.2.3 name: Ensure that the --client-ca-file argument is set as appropriate description: Enable Kubelet authentication using certificates checks: - id: AVD-KCV-0081 commands: - id: CMD-0034 severity: CRITICAL - id: 4.2.4 name: Verify that the --read-only-port argument is set to 0 description: Disable the read-only port checks: - id: AVD-KCV-0082 commands: - id: CMD-0035 severity: HIGH - id: 4.2.5 name: Ensure that the --streaming-connection-idle-timeout argument is not set to 0 description: Do not disable timeouts on streaming connections checks: - id: AVD-KCV-0085 commands: - id: CMD-0036 severity: HIGH - id: 4.2.6 name: Ensure that the --protect-kernel-defaults argument is set to true description: Protect tuned kernel parameters from overriding kubelet default kernel parameter values checks: - id: AVD-KCV-0083 commands: - id: CMD-0037 severity: HIGH - id: 4.2.7 name: Ensure that the --make-iptables-util-chains argument is set to true description: Allow Kubelet to manage iptables checks: - id: AVD-KCV-0084 commands: - id: CMD-0038 severity: HIGH - id: 4.2.8 name: Ensure that the --hostname-override argument is not set description: Do not override node hostnames checks: - id: AVD-KCV-0086 commands: - id: CMD-0039 severity: HIGH - id: 4.2.9 name: Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture description: Security relevant information should be captured. The --event-qps flag on the Kubelet can be used to limit the rate at which events are gathered checks: - id: AVD-KCV-0087 commands: - id: CMD-0040 severity: HIGH - id: 4.2.10 name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate description: Setup TLS connection on the Kubelets checks: - id: AVD-KCV-0088 - id: AVD-KCV-0089 commands: - id: CMD-0041 - id: CMD-0042 severity: CRITICAL - id: 4.2.11 name: Ensure that the --rotate-certificates argument is not set to false description: Enable kubelet client certificate rotation checks: - id: AVD-KCV-0090 commands: - id: CMD-0043 severity: CRITICAL - id: 4.2.12 name: Verify that the RotateKubeletServerCertificate argument is set to true description: Enable kubelet server certificate rotation checks: - id: AVD-KCV-0091 commands: - id: CMD-0044 severity: CRITICAL - id: 4.2.13 name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers description: Ensure that the Kubelet is configured to only use strong cryptographic ciphers checks: - id: AVD-KCV-0092 commands: - id: CMD-0045 severity: CRITICAL - id: 5.1.1 name: Ensure that the cluster-admin role is only used where required description: The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed checks: - id: AVD-KSV-0111 severity: HIGH - id: 5.1.2 name: Minimize access to secrets description: The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster checks: - id: AVD-KSV-0041 severity: HIGH - id: 5.1.3 name: Minimize wildcard use in Roles and ClusterRoles description: Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items checks: - id: AVD-KSV-0044 - id: AVD-KSV-0045 - id: AVD-KSV-0046 severity: HIGH - id: 5.1.6 name: Ensure that Service Account Tokens are only mounted where necessary description: Service accounts tokens should not be mounted in pods except where the workload running in the pod explicitly needs to communicate with the API server checks: - id: AVD-KSV-0036 severity: HIGH - id: 5.1.8 name: Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster description: Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required checks: - id: AVD-KSV-0043 severity: HIGH - id: 5.2.2 name: Minimize the admission of privileged containers description: Do not generally permit containers to be run with the securityContext.privileged flag set to true checks: - id: AVD-KSV-0017 severity: HIGH - id: 5.2.3 name: Minimize the admission of containers wishing to share the host process ID namespace description: Do not generally permit containers to be run with the hostPID flag set to true. checks: - id: AVD-KSV-0010 severity: HIGH - id: 5.2.4 name: Minimize the admission of containers wishing to share the host IPC namespace description: Do not generally permit containers to be run with the hostIPC flag set to true checks: - id: AVD-KSV-0008 severity: HIGH - id: 5.2.5 name: Minimize the admission of containers wishing to share the host network namespace description: Do not generally permit containers to be run with the hostNetwork flag set to true checks: - id: AVD-KSV-0009 severity: HIGH - id: 5.2.6 name: Minimize the admission of containers with allowPrivilegeEscalation description: Do not generally permit containers to be run with the allowPrivilegeEscalation flag set to true checks: - id: AVD-KSV-0001 severity: HIGH - id: 5.2.7 name: Minimize the admission of root containers description: Do not generally permit containers to be run as the root user checks: - id: AVD-KSV-0012 severity: MEDIUM - id: 5.2.8 name: Minimize the admission of containers with the NET_RAW capability description: Do not generally permit containers with the potentially dangerous NET_RAW capability checks: - id: AVD-KSV-0022 severity: MEDIUM - id: 5.2.9 name: Minimize the admission of containers with added capabilities description: Do not generally permit containers with capabilities assigned beyond the default set checks: - id: AVD-KSV-0004 severity: LOW - id: 5.2.10 name: Minimize the admission of containers with capabilities assigned description: Do not generally permit containers with capabilities checks: - id: AVD-KSV-0003 severity: LOW - id: 5.2.11 name: Minimize the admission of containers with capabilities assigned description: Do not generally permit containers with capabilities checks: - id: AVD-KSV-0103 severity: MEDIUM - id: 5.2.12 name: Minimize the admission of HostPath volumes description: Do not generally admit containers which make use of hostPath volumes checks: - id: AVD-KSV-0023 severity: MEDIUM - id: 5.2.13 name: Minimize the admission of containers which use HostPorts description: Do not generally permit containers which require the use of HostPorts checks: - id: AVD-KSV-0024 severity: MEDIUM - id: 5.3.1 name: Ensure that the CNI in use supports Network Policies (Manual) description: There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster severity: MEDIUM - id: 5.3.2 name: Ensure that all Namespaces have Network Policies defined description: Use network policies to isolate traffic in your cluster network checks: - id: AVD-KSV-0038 severity: MEDIUM - id: 5.4.1 name: Prefer using secrets as files over secrets as environment variables (Manual) description: Kubernetes supports mounting secrets as data volumes or as environment variables. Minimize the use of environment variable secrets severity: MEDIUM - id: 5.4.2 name: Consider external secret storage (Manual) description: Consider the use of an external secrets storage and management system, instead of using Kubernetes Secrets directly, if you have more complex secret management needs severity: MEDIUM - id: 5.5.1 name: Configure Image Provenance using ImagePolicyWebhook admission controller (Manual) description: Configure Image Provenance for your deployment severity: MEDIUM - id: 5.7.1 name: Create administrative boundaries between resources using namespaces (Manual) description: Use namespaces to isolate your Kubernetes objects severity: MEDIUM - id: 5.7.2 name: Ensure that the seccomp profile is set to docker/default in your pod definitions description: Enable docker/default seccomp profile in your pod definitions checks: - id: AVD-KSV-0104 severity: MEDIUM - id: 5.7.3 name: Apply Security Context to Your Pods and Containers description: Apply Security Context to Your Pods and Containers checks: - id: AVD-KSV-0021 - id: AVD-KSV-0020 - id: AVD-KSV-0005 - id: AVD-KSV-0025 - id: AVD-KSV-0104 - id: AVD-KSV-0030 severity: HIGH - id: 5.7.4 name: The default namespace should not be used description: Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them checks: - id: AVD-KSV-0110 severity: MEDIUM --- # Source: trivy/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml apiVersion: aquasecurity.github.io/v1alpha1 kind: ClusterComplianceReport metadata: name: k8s-nsa-1.0 labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: "0 5 * * *" reportType: "summary" compliance: id: k8s-nsa-1.0 platform: k8s type: nsa title: National Security Agency - Kubernetes Hardening Guidance v1.0 description: National Security Agency - Kubernetes Hardening Guidance relatedResources: - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/ version: "1.0" controls: - name: Non-root containers description: Check that container is not running as root id: "1.0" checks: - id: AVD-KSV-0012 severity: MEDIUM - name: Immutable container file systems description: Check that container root file system is immutable id: "1.1" checks: - id: AVD-KSV-0014 severity: LOW - name: Preventing privileged containers description: Controls whether Pods can run privileged containers id: "1.2" checks: - id: AVD-KSV-0017 severity: HIGH - name: Share containers process namespaces description: Controls whether containers can share process namespaces id: "1.3" checks: - id: AVD-KSV-0008 severity: HIGH - name: Share host process namespaces description: Controls whether share host process namespaces id: "1.4" checks: - id: AVD-KSV-0009 severity: HIGH - name: Use the host network description: Controls whether containers can use the host network id: "1.5" checks: - id: AVD-KSV-0010 severity: HIGH - name: Run with root privileges or with root group membership description: Controls whether container applications can run with root privileges or with root group membership id: "1.6" checks: - id: AVD-KSV-0029 severity: LOW - name: Restricts escalation to root privileges description: Control check restrictions escalation to root privileges id: "1.7" checks: - id: AVD-KSV-0001 severity: MEDIUM - name: Sets the SELinux context of the container description: Control checks if pod sets the SELinux context of the container id: "1.8" checks: - id: AVD-KSV-0002 severity: MEDIUM - name: Restrict a container's access to resources with AppArmor description: Control checks the restriction of containers access to resources with AppArmor id: "1.9" checks: - id: AVD-KSV-0030 severity: MEDIUM - name: Sets the seccomp profile used to sandbox containers. description: Control checks the sets the seccomp profile used to sandbox containers id: "1.10" checks: - id: AVD-KSV-0030 severity: LOW - name: Protecting Pod service account tokens description: "Control check whether disable secret token been mount ,automountServiceAccountToken: false" id: "1.11" checks: - id: AVD-KSV-0036 severity: MEDIUM - name: Namespace kube-system should not be used by users description: Control check whether Namespace kube-system is not be used by users id: "1.12" defaultStatus: FAIL checks: - id: AVD-KSV-0037 severity: MEDIUM - name: Pod and/or namespace Selectors usage description: Control check validate the pod and/or namespace Selectors usage id: "2.0" defaultStatus: FAIL checks: - id: AVD-KSV-0038 severity: MEDIUM - name: Use CNI plugin that supports NetworkPolicy API (Manual) description: Control check whether check cni plugin installed id: "3.0" defaultStatus: FAIL severity: CRITICAL - name: Use ResourceQuota policies to limit resources description: Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace id: "4.0" defaultStatus: FAIL checks: - id: AVD-KSV-0040 severity: MEDIUM - name: Use LimitRange policies to limit resources description: Control check the use of LimitRange policy limit resource usage for namespaces or nodes id: "4.1" defaultStatus: FAIL checks: - id: AVD-KSV-0039 severity: MEDIUM - name: Control plan disable insecure port (Manual) description: Control check whether control plan disable insecure port id: "5.0" defaultStatus: FAIL severity: CRITICAL - name: Encrypt etcd communication description: Control check whether etcd communication is encrypted id: "5.1" checks: - id: AVD-KCV-0030 severity: CRITICAL - name: Ensure kube config file permission (Manual) description: Control check whether kube config file permissions id: "6.0" defaultStatus: FAIL severity: CRITICAL - name: Check that encryption resource has been set description: Control checks whether encryption resource has been set id: "6.1" checks: - id: AVD-KCV-0029 severity: CRITICAL - name: Check encryption provider description: Control checks whether encryption provider has been set id: "6.2" checks: - id: AVD-KCV-0004 severity: CRITICAL - name: Make sure anonymous-auth is unset description: Control checks whether anonymous-auth is unset id: "7.0" checks: - id: AVD-KCV-0001 severity: CRITICAL - name: Make sure -authorization-mode=RBAC description: Control check whether RBAC permission is in use id: "7.1" checks: - id: AVD-KCV-0008 severity: CRITICAL - name: Audit policy is configure (Manual) description: Control check whether audit policy is configure id: "8.0" defaultStatus: FAIL severity: HIGH - name: Audit log path is configure description: Control check whether audit log path is configure id: "8.1" checks: - id: AVD-KCV-0019 severity: MEDIUM - name: Audit log aging description: Control check whether audit log aging is configure id: "8.2" checks: - id: AVD-KCV-0020 severity: MEDIUM --- # Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml apiVersion: aquasecurity.github.io/v1alpha1 kind: ClusterComplianceReport metadata: name: k8s-pss-baseline-0.1 labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: "0 5 * * *" reportType: "summary" compliance: id: k8s-pss-baseline-0.1 platform: eks type: pss-baseline title: Kubernetes Pod Security Standards - Baseline description: Kubernetes Pod Security Standards - Baseline relatedResources: - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline version: "0.1" controls: - name: HostProcess description: Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy id: "1" checks: - id: AVD-KSV-0103 severity: HIGH - name: Host Namespaces description: Sharing the host namespaces must be disallowed. id: "2" checks: - id: AVD-KSV-0008 severity: HIGH - name: Privileged Containers description: Privileged Pods disable most security mechanisms and must be disallowed. id: "3" checks: - id: AVD-KSV-0017 severity: HIGH - name: Capabilities description: Adding additional capabilities beyond those listed below must be disallowed. id: "4" checks: - id: AVD-KSV-0022 severity: MEDIUM - name: HostPath Volumes description: HostPath volumes must be forbidden. id: "5" checks: - id: AVD-KSV-0023 severity: MEDIUM - name: host ports description: hostports should be disallowed, or at minimum restricted to a known list. id: "6" checks: - id: avd-ksv-0024 severity: HIGH - name: AppArmor description: On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles. id: "7" checks: - id: avd-ksv-0002 severity: HIGH - name: SELinux description: Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden. id: "8" checks: - id: avd-ksv-0025 severity: MEDIUM - name: /proc Mount Type description: The default /proc masks are set up to reduce attack surface, and should be required. id: "9" checks: - id: avd-ksv-0027 severity: MEDIUM - name: Seccomp description: Seccomp profile must not be explicitly set to Unconfined. id: "10" checks: - id: avd-ksv-0104 severity: MEDIUM - name: Sysctls description: Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. id: "11" checks: - id: avd-ksv-0026 severity: MEDIUM --- # Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml apiVersion: aquasecurity.github.io/v1alpha1 kind: ClusterComplianceReport metadata: name: k8s-pss-restricted-0.1 labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator app.kubernetes.io/version: 0.29.0 app.kubernetes.io/managed-by: kubectl spec: cron: "0 5 * * *" reportType: "summary" compliance: id: k8s-pss-restricted-0.1 platform: k8s type: pss-restricted title: Kubernetes Pod Security Standards - Restricted description: Kubernetes Pod Security Standards - Restricted relatedResources: - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted version: "0.1" controls: - name: HostProcess description: Windows pods offer the ability to run HostProcess containers which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy id: "1" checks: - id: AVD-KSV-0103 severity: HIGH - name: Host Namespaces description: Sharing the host namespaces must be disallowed. id: "2" checks: - id: AVD-KSV-0008 severity: HIGH - name: Privileged Containers description: Privileged Pods disable most security mechanisms and must be disallowed. id: "3" checks: - id: AVD-KSV-0017 severity: HIGH - name: Capabilities description: Adding additional capabilities beyond those listed below must be disallowed. id: "4" checks: - id: AVD-KSV-0022 severity: MEDIUM - name: HostPath Volumes description: HostPath volumes must be forbidden. id: "5" checks: - id: AVD-KSV-0023 severity: MEDIUM - name: host ports description: hostports should be disallowed, or at minimum restricted to a known list. id: "6" checks: - id: avd-ksv-0024 severity: HIGH - name: AppArmor description: On supported hosts, the runtime/default AppArmor profile is applied by default. The baseline policy should prevent overriding or disabling the default AppArmor profile, or restrict overrides to an allowed set of profiles. id: "7" checks: - id: avd-ksv-0002 severity: HIGH - name: SELinux description: Setting the SELinux type is restricted, and setting a custom SELinux user or role option is forbidden. id: "8" checks: - id: avd-ksv-0025 severity: MEDIUM - name: /proc Mount Type description: The default /proc masks are set up to reduce attack surface, and should be required. id: "9" checks: - id: avd-ksv-0027 severity: MEDIUM - name: Seccomp description: Seccomp profile must not be explicitly set to Unconfined. id: "10" checks: - id: avd-ksv-0104 severity: MEDIUM - name: Sysctls description: Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. id: "11" checks: - id: avd-ksv-0026 severity: MEDIUM - name: Volume Types description: The restricted policy only permits specific volume types. id: "12" checks: - id: avd-ksv-0028 severity: LOW - name: Privilege Escalation description: Privilege escalation (such as via set-user-ID or set-group-ID file mode) should not be allowed. id: "13" checks: - id: avd-ksv-0001 severity: MEDIUM - name: Running as Non-root description: Containers must be required to run as non-root users. id: "14" checks: - id: avd-ksv-0012 severity: MEDIUM - name: Running as Non-root user description: Containers must not set runAsUser to 0 id: "15" checks: - id: avd-ksv-0105 severity: LOW - name: Seccomp description: Seccomp profile must be explicitly set to one of the allowed values. Both the Unconfined profile and the absence of a profile are prohibited id: "16" checks: - id: avd-ksv-0030 severity: LOW - name: Capabilities description: Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability. id: "17" checks: - id: avd-ksv-0106 severity: LOW --- # Source: trivy/charts/trivy-operator/templates/monitor/servicemonitor.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: trivy-trivy-operator namespace: trivy labels: helm.sh/chart: trivy-operator-0.31.0 app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy app.kubernetes.io/version: "0.29.0" app.kubernetes.io/managed-by: Helm spec: selector: matchLabels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy endpoints: - honorLabels: true port: metrics scheme: http