202 lines
5.6 KiB
YAML
202 lines
5.6 KiB
YAML
trivy-operator:
|
|
targetNamespaces: authentik,ghost,matrix-synapse,element-web,outline,freshrss,code-server,vikunja,cops,gitea
|
|
excludeNamespaces: ""
|
|
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
|
|
operator:
|
|
replicas: 2
|
|
leaderElectionId: "trivyoperator-lock"
|
|
scanJobTTL: ""
|
|
scanSecretTTL: ""
|
|
scanJobTimeout: 15m
|
|
scanJobsConcurrentLimit: 1
|
|
scanNodeCollectorLimit: 1
|
|
scanJobsRetryDelay: 300s
|
|
scannerReportTTL: "24h"
|
|
cacheReportTTL: "120h"
|
|
batchDeleteLimit: 10
|
|
vulnerabilityScannerScanOnlyCurrentRevisions: true
|
|
configAuditScannerScanOnlyCurrentRevisions: true
|
|
batchDeleteDelay: 10s
|
|
accessGlobalSecretsAndServiceAccount: true
|
|
builtInTrivyServer: false
|
|
builtInServerRegistryInsecure: false
|
|
controllerCacheSyncTimeout: "15m"
|
|
trivyServerHealthCheckCacheExpiration: 10h
|
|
metricsFindingsEnabled: true
|
|
metricsVulnIdEnabled: false
|
|
metricsExposedSecretInfo: false
|
|
metricsConfigAuditInfo: false
|
|
metricsRbacAssessmentInfo: false
|
|
metricsInfraAssessmentInfo: false
|
|
metricsImageInfo: false
|
|
metricsClusterComplianceInfo: false
|
|
serverAdditionalAnnotations: {}
|
|
webhookBroadcastURL: ""
|
|
webhookBroadcastTimeout: 30s
|
|
webhookBroadcastCustomHeaders: ""
|
|
webhookSendDeletedReports: false
|
|
privateRegistryScanSecretsNames: {}
|
|
mergeRbacFindingWithConfigAudit: false
|
|
httpProxy: ~
|
|
httpsProxy: ~
|
|
noProxy: ~
|
|
valuesFromConfigMap: ""
|
|
valuesFromSecret: ""
|
|
sbomGenerationEnabled: true
|
|
clusterSbomCacheEnabled: true
|
|
clusterComplianceEnabled: false
|
|
configAuditScannerEnabled: false
|
|
exposedSecretScannerEnabled: true
|
|
infraAssessmentScannerEnabled: false
|
|
rbacAssessmentScannerEnabled: true
|
|
vulnerabilityScannerEnabled: false
|
|
service:
|
|
headless: true
|
|
metricsPort: 80
|
|
metricsAppProtocol: TCP
|
|
type: ClusterIP
|
|
serviceMonitor:
|
|
enabled: true
|
|
namespace: trivy
|
|
interval: 30s
|
|
honorLabels: true
|
|
trivyOperator:
|
|
vulnerabilityReportsPlugin: "Trivy"
|
|
configAuditReportsPlugin: "Trivy"
|
|
scanJobCompressLogs: true
|
|
useGCRServiceAccount: true
|
|
scanJobAutomountServiceAccountToken: true
|
|
skipInitContainers: false
|
|
metricsResourceLabelsPrefix: "k8s_label_"
|
|
trivy:
|
|
createConfig: true
|
|
image:
|
|
registry: ghcr.io
|
|
repository: aquasecurity/trivy
|
|
tag: 0.53.0
|
|
mode: Standalone
|
|
sbomSources: ""
|
|
includeDevDeps: false
|
|
storageClassEnabled: true
|
|
storageClassName: ceph-block
|
|
storageSize: 5Gi
|
|
additionalVulnerabilityReportFields: "Description,Links,CVSS,PackagePath,PackageType"
|
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
|
slow: true
|
|
ignoreUnfixed: false
|
|
offlineScan: false
|
|
timeout: "15m0s"
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128M
|
|
limits:
|
|
cpu: 1000m
|
|
memory: 1Gi
|
|
skipJavaDBUpdate: false
|
|
serverInsecure: false
|
|
dbRegistry: "ghcr.io"
|
|
dbRepository: "aquasecurity/trivy-db"
|
|
dbRepositoryUsername: ~
|
|
dbRepositoryPassword: ~
|
|
javaDbRegistry: "ghcr.io"
|
|
javaDbRepository: "aquasecurity/trivy-java-db"
|
|
dbRepositoryInsecure: "false"
|
|
useBuiltinRegoPolicies: "true"
|
|
externalRegoPoliciesEnabled: false
|
|
useEmbeddedRegoPolicies: "false"
|
|
supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
|
|
command: image
|
|
imageScanCacheDir: "/tmp/trivy/.cache"
|
|
filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
|
|
serverUser: ""
|
|
serverPassword: ""
|
|
serverServiceName: "trivy-service"
|
|
server:
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 512Mi
|
|
limits:
|
|
cpu: 1000m
|
|
memory: 1Gi
|
|
valuesFromSecret: ""
|
|
compliance:
|
|
failEntriesLimit: 10
|
|
reportType: summary
|
|
cron: 0 */6 * * *
|
|
specs:
|
|
- k8s-cis-1.23
|
|
- k8s-nsa-1.0
|
|
- k8s-pss-baseline-0.1
|
|
- k8s-pss-restricted-0.1
|
|
rbac:
|
|
create: true
|
|
serviceAccount:
|
|
create: true
|
|
volumeMounts:
|
|
- mountPath: /tmp
|
|
name: cache-policies
|
|
readOnly: false
|
|
volumes:
|
|
- name: cache-policies
|
|
emptyDir: {}
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 1000m
|
|
memory: 1Gi
|
|
policiesBundle:
|
|
registry: ghcr.io
|
|
repository: aquasecurity/trivy-checks
|
|
tag: 0
|
|
registryUser: ~
|
|
registryPassword: ~
|
|
existingSecret: false
|
|
insecure: false
|
|
nodeCollector:
|
|
useNodeSelector: true
|
|
registry: ghcr.io
|
|
repository: aquasecurity/node-collector
|
|
tag: 0.3.1
|
|
volumeMounts:
|
|
- name: var-lib-etcd
|
|
mountPath: /var/lib/etcd
|
|
readOnly: true
|
|
- name: var-lib-kubelet
|
|
mountPath: /var/lib/kubelet
|
|
readOnly: true
|
|
- name: var-lib-kube-scheduler
|
|
mountPath: /var/lib/kube-scheduler
|
|
readOnly: true
|
|
- name: var-lib-kube-controller-manager
|
|
mountPath: /var/lib/kube-controller-manager
|
|
readOnly: true
|
|
- name: etc-kubernetes
|
|
mountPath: /etc/kubernetes
|
|
readOnly: true
|
|
- name: etc-cni-netd
|
|
mountPath: /etc/cni/net.d/
|
|
readOnly: true
|
|
volumes:
|
|
- name: var-lib-etcd
|
|
hostPath:
|
|
path: /var/lib/etcd
|
|
- name: var-lib-kubelet
|
|
hostPath:
|
|
path: /var/lib/kubelet
|
|
- name: var-lib-kube-scheduler
|
|
hostPath:
|
|
path: /var/lib/kube-scheduler
|
|
- name: var-lib-kube-controller-manager
|
|
hostPath:
|
|
path: /var/lib/kube-controller-manager
|
|
- name: etc-kubernetes
|
|
hostPath:
|
|
path: /etc/kubernetes
|
|
- name: etc-cni-netd
|
|
hostPath:
|
|
path: /etc/cni/net.d/
|