infrastructure/clusters/cl01tl/monitoring/trivy/values.yaml

trivy-operator:
  targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
  operator:
    replicas: 1
    vulnerabilityScannerEnabled: false
    sbomGenerationEnabled: false
    clusterSbomCacheEnabled: false
    configAuditScannerEnabled: true
    rbacAssessmentScannerEnabled: true
    infraAssessmentScannerEnabled: false
    clusterComplianceEnabled: false
  serviceMonitor:
    enabled: true
  trivy:
    createConfig: true
    image:
      registry: mirror.gcr.io
      repository: aquasec/trivy
      tag: 0.67.0
    storageClassEnabled: true
    storageClassName: ceph-block
    storageSize: "5Gi"
    registry:
      mirror:
        "registry-1.docker.io": proxy-registry-1.docker.io
        "quay.io": proxy-quay.io
        "registry.k8s.io": proxy-registry.k8s
        "gcr.io": proxy-gcr.io
        "ghcr.io": proxy-ghcr.io
        "hub.docker": proxy-hub.docker
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    slow: true
    resources:
      requests:
        cpu: 100m
        memory: 128M
    supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
    server:
      resources:
        requests:
          cpu: 200m
          memory: 512Mi
      replicas: 1
  compliance:
    reportType: summary
    cron: 0 5 * * *
    specs:
      - k8s-cis-1.23
      - k8s-nsa-1.0
      - k8s-pss-baseline-0.1
      - k8s-pss-restricted-0.1
  volumeMounts:
    - mountPath: /tmp
      name: cache-policies
      readOnly: false
  volumes:
    - name: cache-policies
      emptyDir: {}
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
  nodeCollector:
    tolerations:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
    volumeMounts:
      - name: var-lib-etcd
        mountPath: /var/lib/etcd
        readOnly: true
      - name: var-lib-kubelet
        mountPath: /var/lib/kubelet
        readOnly: true
      - name: var-lib-kube-scheduler
        mountPath: /var/lib/kube-scheduler
        readOnly: true
      - name: var-lib-kube-controller-manager
        mountPath: /var/lib/kube-controller-manager
        readOnly: true
      - name: etc-kubernetes
        mountPath: /etc/kubernetes
        readOnly: true
      - name: etc-cni-netd
        mountPath: /etc/cni/net.d/
        readOnly: true
    volumes:
      - name: var-lib-etcd
        hostPath:
          path: /var/lib/etcd
      - name: var-lib-kubelet
        hostPath:
          path: /var/lib/kubelet
      - name: var-lib-kube-scheduler
        hostPath:
          path: /var/lib/kube-scheduler
      - name: var-lib-kube-controller-manager
        hostPath:
          path: /var/lib/kube-controller-manager
      - name: etc-kubernetes
        hostPath:
          path: /etc/kubernetes
      - name: etc-cni-netd
        hostPath:
          path: /etc/cni/net.d/