alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Activity
Files
845605bf55e2006988b45083ca4dd3d9a936d212
infrastructure/clusters/cl01tl/manifests/trivy/trivy.yaml

5223 lines
180 KiB
YAML
Raw Blame History

---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustercompliancereports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: clustercompliancereports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ClusterComplianceReport
listKind: ClusterComplianceReportList
plural: clustercompliancereports
shortNames:
- compliance
singular: clustercompliancereport
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of checks that failed
jsonPath: .status.summary.failCount
name: Fail
priority: 1
type: integer
- description: The number of checks that passed
jsonPath: .status.summary.passCount
name: Pass
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterComplianceReport is a specification for the ClusterComplianceReport
resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ReportSpec represent the compliance specification
properties:
compliance:
properties:
controls:
description: Control represent the cps controls data and mapping
checks
items:
description: Control represent the cps controls data and mapping
checks
properties:
checks:
items:
description: SpecCheck represent the scanner who perform
the control check
properties:
id:
description: id define the check id as produced by
scanner
type: string
required:
- id
type: object
type: array
commands:
items:
description: Commands represent the commands to be executed
by the node-collector
properties:
id:
description: id define the commands id
type: string
required:
- id
type: object
type: array
defaultStatus:
description: define the default value for check status in
case resource not found
enum:
- PASS
- WARN
- FAIL
type: string
description:
type: string
id:
description: id define the control check id
type: string
name:
type: string
severity:
description: define the severity of the control
enum:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- UNKNOWN
type: string
required:
- id
- name
- severity
type: object
type: array
description:
type: string
id:
type: string
platform:
type: string
relatedResources:
items:
type: string
type: array
title:
type: string
type:
type: string
version:
type: string
required:
- controls
- description
- id
- platform
- relatedResources
- title
- type
- version
type: object
cron:
description: cron define the intervals for report generation
pattern: ^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1})))
((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1})))
((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1})))
((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec))
((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$
type: string
reportType:
enum:
- summary
- all
type: string
required:
- compliance
- cron
- reportType
type: object
status:
properties:
detailReport:
description: ComplianceReport represents a kubernetes scan report
properties:
description:
type: string
id:
type: string
relatedVersion:
items:
type: string
type: array
results:
items:
properties:
checks:
items:
description: ComplianceCheck provides the result of conducting
a single compliance step.
properties:
category:
type: string
checkID:
type: string
description:
type: string
messages:
items:
type: string
type: array
remediation:
description: Remediation provides description or links
to external resources to remediate failing check.
type: string
severity:
description: Severity level of a vulnerability or
a configuration audit check.
type: string
success:
type: boolean
target:
type: string
title:
type: string
required:
- checkID
- severity
- success
type: object
type: array
description:
type: string
id:
type: string
name:
type: string
severity:
type: string
status:
type: string
required:
- checks
type: object
type: array
title:
type: string
version:
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
summary:
properties:
failCount:
type: integer
passCount:
type: integer
type: object
summaryReport:
description: SummaryReport represents a kubernetes scan report with
consolidated findings
properties:
controlCheck:
items:
properties:
id:
type: string
name:
type: string
severity:
type: string
totalFail:
type: integer
type: object
type: array
id:
type: string
title:
type: string
type: object
x-kubernetes-preserve-unknown-fields: true
updateTimestamp:
format: date-time
type: string
required:
- updateTimestamp
type: object
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources:
status: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterconfigauditreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: clusterconfigauditreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ClusterConfigAuditReport
listKind: ClusterConfigAuditReportList
plural: clusterconfigauditreports
shortNames:
- clusterconfigaudit
singular: clusterconfigauditreport
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The name of the config audit scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of failed checks with critical severity
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of failed checks with high severity
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of failed checks with medium severity
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of failed checks with low severity
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport
resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
properties:
checks:
description: Checks provides results of conducting audit steps.
items:
description: Check provides the result of conducting a single audit
step.
properties:
category:
type: string
checkID:
type: string
description:
type: string
messages:
items:
type: string
type: array
remediation:
description: Remediation provides description or links to external
resources to remediate failing check.
type: string
scope:
description: Scope indicates the section of config that was
audited.
properties:
type:
description: Type indicates type of this scope, e.g. Container,
ConfigMapKey or JSONPath.
type: string
value:
description: Value indicates value of this scope that depends
on Type, e.g. container name, ConfigMap key or JSONPath
expression
type: string
required:
- type
- value
type: object
severity:
description: Severity level of a vulnerability or a configuration
audit check.
type: string
success:
type: boolean
title:
type: string
required:
- checkID
- severity
- success
type: object
type: array
scanner:
description: Scanner is the spec for a scanner generating a security
assessment report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: ConfigAuditSummary counts failed checks by severity.
properties:
criticalCount:
description: CriticalCount is the number of failed checks with
critical severity.
type: integer
highCount:
description: HighCount is the number of failed checks with high
severity.
type: integer
lowCount:
description: LowCount is the number of failed check with low severity.
type: integer
mediumCount:
description: MediumCount is the number of failed checks with medium
severity.
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
type: object
updateTimestamp:
format: date-time
type: string
required:
- checks
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterinfraassessmentreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: clusterinfraassessmentreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ClusterInfraAssessmentReport
listKind: ClusterInfraAssessmentReportList
plural: clusterinfraassessmentreports
shortNames:
- clusterinfraassessment
singular: clusterinfraassessmentreport
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The name of the infra assessement scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of failed checks with critical severity
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of failed checks with high severity
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of failed checks with medium severity
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of failed checks with low severity
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterInfraAssessmentReport is a specification for the ClusterInfraAssessmentReport
resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
properties:
checks:
description: Checks provides results of conducting audit steps.
items:
description: Check provides the result of conducting a single audit
step.
properties:
category:
type: string
checkID:
type: string
description:
type: string
messages:
items:
type: string
type: array
remediation:
description: Remediation provides description or links to external
resources to remediate failing check.
type: string
scope:
description: Scope indicates the section of config that was
audited.
properties:
type:
description: Type indicates type of this scope, e.g. Container,
ConfigMapKey or JSONPath.
type: string
value:
description: Value indicates value of this scope that depends
on Type, e.g. container name, ConfigMap key or JSONPath
expression
type: string
required:
- type
- value
type: object
severity:
description: Severity level of a vulnerability or a configuration
audit check.
type: string
success:
type: boolean
title:
type: string
required:
- checkID
- severity
- success
type: object
type: array
scanner:
description: Scanner is the spec for a scanner generating a security
assessment report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: InfraAssessmentSummary counts failed checks by severity.
properties:
criticalCount:
description: CriticalCount is the number of failed checks with
critical severity.
type: integer
highCount:
description: HighCount is the number of failed checks with high
severity.
type: integer
lowCount:
description: LowCount is the number of failed check with low severity.
type: integer
mediumCount:
description: MediumCount is the number of failed checks with medium
severity.
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
type: object
required:
- checks
- scanner
- summary
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clusterrbacassessmentreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: clusterrbacassessmentreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ClusterRbacAssessmentReport
listKind: ClusterRbacAssessmentReportList
plural: clusterrbacassessmentreports
shortNames:
- clusterrbacassessmentreport
singular: clusterrbacassessmentreport
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The name of the rbac assessment scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of failed checks with critical severity
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of failed checks with high severity
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of failed checks with medium severity
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of failed checks with low severity
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport
resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
properties:
checks:
description: Checks provides results of conducting audit steps.
items:
description: Check provides the result of conducting a single audit
step.
properties:
category:
type: string
checkID:
type: string
description:
type: string
messages:
items:
type: string
type: array
remediation:
description: Remediation provides description or links to external
resources to remediate failing check.
type: string
scope:
description: Scope indicates the section of config that was
audited.
properties:
type:
description: Type indicates type of this scope, e.g. Container,
ConfigMapKey or JSONPath.
type: string
value:
description: Value indicates value of this scope that depends
on Type, e.g. container name, ConfigMap key or JSONPath
expression
type: string
required:
- type
- value
type: object
severity:
description: Severity level of a vulnerability or a configuration
audit check.
type: string
success:
type: boolean
title:
type: string
required:
- checkID
- severity
- success
type: object
type: array
scanner:
description: Scanner is the spec for a scanner generating a security
assessment report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: RbacAssessmentSummary counts failed checks by severity.
properties:
criticalCount:
description: CriticalCount is the number of failed checks with
critical severity.
type: integer
highCount:
description: HighCount is the number of failed checks with high
severity.
type: integer
lowCount:
description: LowCount is the number of failed check with low severity.
type: integer
mediumCount:
description: MediumCount is the number of failed checks with medium
severity.
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
type: object
required:
- checks
- scanner
- summary
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustersbomreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: clustersbomreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ClusterSbomReport
listKind: ClusterSbomReportList
plural: clustersbomreports
shortNames:
- clustersbom
singular: clustersbomreport
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The name of image repository
jsonPath: .report.artifact.repository
name: Repository
type: string
- description: The name of image tag
jsonPath: .report.artifact.tag
name: Tag
type: string
- description: The name of the sbom generation scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of dependencies in bom
jsonPath: .report.summary.componentsCount
name: Components
priority: 1
type: integer
- description: The the number of components in bom
jsonPath: .report.summary.dependenciesCount
name: Dependencies
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterSbomReport summarizes components and dependencies found
in container image
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
description: Report is the actual sbom report data.
properties:
artifact:
description: |-
Artifact represents a standalone, executable package of software that includes everything needed to
run an application.
properties:
digest:
description: Digest is a unique and immutable identifier of an
Artifact.
type: string
mimeType:
description: MimeType represents a type and format of an Artifact.
type: string
repository:
description: Repository is the name of the repository in the Artifact
registry.
type: string
tag:
description: Tag is a mutable, human-readable string used to identify
an Artifact.
type: string
type: object
components:
description: Bom is artifact bill of materials.
properties:
bomFormat:
type: string
components:
items:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
type: array
dependencies:
items:
properties:
dependsOn:
items:
type: string
type: array
ref:
type: string
type: object
type: array
metadata:
properties:
component:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
timestamp:
type: string
tools:
properties:
components:
items:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
type: array
type: object
type: object
serialNumber:
type: string
specVersion:
type: string
version:
type: integer
required:
- bomFormat
- specVersion
type: object
registry:
description: Registry is the registry the Artifact was pulled from.
properties:
server:
description: Server the FQDN of registry server.
type: string
type: object
scanner:
description: Scanner is the scanner that generated this report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: Summary is a summary of sbom report.
properties:
componentsCount:
description: ComponentsCount is the number of components in bom.
minimum: 0
type: integer
dependenciesCount:
description: DependenciesCount is the number of dependencies in
bom.
minimum: 0
type: integer
required:
- componentsCount
- dependenciesCount
type: object
updateTimestamp:
description: UpdateTimestamp is a timestamp representing the server
time in UTC when this report was updated.
format: date-time
type: string
required:
- artifact
- components
- scanner
- summary
- updateTimestamp
type: object
required:
- report
type: object
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_clustervulnerabilityreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: clustervulnerabilityreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ClusterVulnerabilityReport
listKind: ClusterVulnerabilityReportList
plural: clustervulnerabilityreports
shortNames:
- clustervuln
singular: clustervulnerabilityreport
scope: Cluster
versions:
- additionalPrinterColumns:
- description: The name of image repository
jsonPath: .report.artifact.repository
name: Repository
type: string
- description: The name of image tag
jsonPath: .report.artifact.tag
name: Tag
type: string
- description: The name of the vulnerability scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of critical vulnerabilities
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of high vulnerabilities
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of medium vulnerabilities
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of low vulnerabilities
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
- description: The number of unknown vulnerabilities
jsonPath: .report.summary.unknownCount
name: Unknown
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ClusterVulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages
built into container images.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
description: Report is the actual vulnerability report data.
properties:
artifact:
description: |-
Artifact represents a standalone, executable package of software that includes everything needed to
run an application.
properties:
digest:
description: Digest is a unique and immutable identifier of an
Artifact.
type: string
mimeType:
description: MimeType represents a type and format of an Artifact.
type: string
repository:
description: Repository is the name of the repository in the Artifact
registry.
type: string
tag:
description: Tag is a mutable, human-readable string used to identify
an Artifact.
type: string
type: object
os:
description: OS information of the artifact
properties:
eosl:
description: Eosl is true if OS version has reached end of service
life
type: boolean
family:
description: Operating System Family
type: string
name:
description: Name or version of the OS
type: string
type: object
registry:
description: Registry is the registry the Artifact was pulled from.
properties:
server:
description: Server the FQDN of registry server.
type: string
type: object
scanner:
description: Scanner is the scanner that generated this report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: Summary is a summary of Vulnerability counts grouped
by Severity.
properties:
criticalCount:
description: CriticalCount is the number of vulnerabilities with
Critical Severity.
minimum: 0
type: integer
highCount:
description: HighCount is the number of vulnerabilities with High
Severity.
minimum: 0
type: integer
lowCount:
description: LowCount is the number of vulnerabilities with Low
Severity.
minimum: 0
type: integer
mediumCount:
description: MediumCount is the number of vulnerabilities with
Medium Severity.
minimum: 0
type: integer
noneCount:
description: NoneCount is the number of packages without any vulnerability.
minimum: 0
type: integer
unknownCount:
description: UnknownCount is the number of vulnerabilities with
unknown severity.
minimum: 0
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
- unknownCount
type: object
updateTimestamp:
description: UpdateTimestamp is a timestamp representing the server
time in UTC when this report was updated.
format: date-time
type: string
vulnerabilities:
description: Vulnerabilities is a list of operating system (OS) or
application software Vulnerability items found in the Artifact.
items:
description: Vulnerability is the spec for a vulnerability record.
properties:
class:
type: string
cvss:
additionalProperties:
properties:
V2Score:
type: number
V2Vector:
type: string
V3Score:
type: number
V3Vector:
type: string
V40Score:
type: number
V40Vector:
type: string
type: object
type: object
cvsssource:
type: string
description:
type: string
fixedVersion:
description: FixedVersion indicates the version of the Resource
in which this vulnerability has been fixed.
type: string
installedVersion:
description: InstalledVersion indicates the installed version
of the Resource.
type: string
lastModifiedDate:
description: LastModifiedDate indicates the last date CVE has
been modified.
type: string
links:
items:
type: string
type: array
packagePURL:
type: string
packagePath:
type: string
packageType:
type: string
primaryLink:
type: string
publishedDate:
description: PublishedDate indicates the date of published CVE.
type: string
resource:
description: Resource is a vulnerable package, application,
or library.
type: string
score:
type: number
severity:
description: Severity level of a vulnerability or a configuration
audit check.
enum:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- UNKNOWN
type: string
target:
type: string
title:
type: string
vulnerabilityID:
description: VulnerabilityID the vulnerability identifier.
type: string
required:
- fixedVersion
- installedVersion
- lastModifiedDate
- publishedDate
- resource
- severity
- title
- vulnerabilityID
type: object
type: array
required:
- artifact
- os
- scanner
- summary
- updateTimestamp
- vulnerabilities
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_configauditreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: configauditreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ConfigAuditReport
listKind: ConfigAuditReportList
plural: configauditreports
shortNames:
- configaudit
- configaudits
singular: configauditreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The name of the config audit scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of failed checks with critical severity
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of failed checks with high severity
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of failed checks with medium severity
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of failed checks with low severity
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: ConfigAuditReport is a specification for the ConfigAuditReport
resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
properties:
checks:
description: Checks provides results of conducting audit steps.
items:
description: Check provides the result of conducting a single audit
step.
properties:
category:
type: string
checkID:
type: string
description:
type: string
messages:
items:
type: string
type: array
remediation:
description: Remediation provides description or links to external
resources to remediate failing check.
type: string
scope:
description: Scope indicates the section of config that was
audited.
properties:
type:
description: Type indicates type of this scope, e.g. Container,
ConfigMapKey or JSONPath.
type: string
value:
description: Value indicates value of this scope that depends
on Type, e.g. container name, ConfigMap key or JSONPath
expression
type: string
required:
- type
- value
type: object
severity:
description: Severity level of a vulnerability or a configuration
audit check.
type: string
success:
type: boolean
title:
type: string
required:
- checkID
- severity
- success
type: object
type: array
scanner:
description: Scanner is the spec for a scanner generating a security
assessment report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: ConfigAuditSummary counts failed checks by severity.
properties:
criticalCount:
description: CriticalCount is the number of failed checks with
critical severity.
type: integer
highCount:
description: HighCount is the number of failed checks with high
severity.
type: integer
lowCount:
description: LowCount is the number of failed check with low severity.
type: integer
mediumCount:
description: MediumCount is the number of failed checks with medium
severity.
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
type: object
updateTimestamp:
format: date-time
type: string
required:
- checks
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_exposedsecretreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: exposedsecretreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: ExposedSecretReport
listKind: ExposedSecretReportList
plural: exposedsecretreports
shortNames:
- exposedsecret
- exposedsecrets
singular: exposedsecretreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The name of image repository
jsonPath: .report.artifact.repository
name: Repository
type: string
- description: The name of image tag
jsonPath: .report.artifact.tag
name: Tag
type: string
- description: The name of the exposed secret scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of critical exposed secrets
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of high exposed secrets
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of medium exposed secrets
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of low exposed secrets
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: ExposedSecretReport summarizes exposed secrets in plaintext files
built into container images.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
description: Report is the actual exposed secret report data.
properties:
artifact:
description: |-
Artifact represents a standalone, executable package of software that includes everything needed to
run an application.
properties:
digest:
description: Digest is a unique and immutable identifier of an
Artifact.
type: string
mimeType:
description: MimeType represents a type and format of an Artifact.
type: string
repository:
description: Repository is the name of the repository in the Artifact
registry.
type: string
tag:
description: Tag is a mutable, human-readable string used to identify
an Artifact.
type: string
type: object
registry:
description: Registry is the registry the Artifact was pulled from.
properties:
server:
description: Server the FQDN of registry server.
type: string
type: object
scanner:
description: Scanner is the scanner that generated this report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
secrets:
description: Exposed secrets is a list of passwords, api keys, tokens
and others items found in the Artifact.
items:
description: ExposedSecret is the spec for a exposed secret record.
properties:
category:
type: string
match:
description: Match where the exposed rule matched.
type: string
ruleID:
description: RuleID is rule the identifier.
type: string
severity:
description: Severity level of a vulnerability or a configuration
audit check.
enum:
- CRITICAL
- HIGH
- MEDIUM
- LOW
type: string
target:
description: Target is where the exposed secret was found.
type: string
title:
type: string
required:
- category
- match
- ruleID
- severity
- target
- title
type: object
type: array
summary:
description: Summary is the exposed secrets counts grouped by Severity.
properties:
criticalCount:
description: CriticalCount is the number of exposed secrets with
Critical Severity.
minimum: 0
type: integer
highCount:
description: HighCount is the number of exposed secrets with High
Severity.
minimum: 0
type: integer
lowCount:
description: LowCount is the number of exposed secrets with Low
Severity.
minimum: 0
type: integer
mediumCount:
description: MediumCount is the number of exposed secrets with
Medium Severity.
minimum: 0
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
type: object
updateTimestamp:
description: UpdateTimestamp is a timestamp representing the server
time in UTC when this report was updated.
format: date-time
type: string
required:
- artifact
- scanner
- secrets
- summary
- updateTimestamp
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_infraassessmentreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: infraassessmentreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: InfraAssessmentReport
listKind: InfraAssessmentReportList
plural: infraassessmentreports
shortNames:
- infraassessment
- infraassessments
singular: infraassessmentreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The name of the infra assessment scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of failed checks with critical severity
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of failed checks with high severity
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of failed checks with medium severity
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of failed checks with low severity
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: InfraAssessmentReport is a specification for the InfraAssessmentReport
resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
properties:
checks:
description: Checks provides results of conducting audit steps.
items:
description: Check provides the result of conducting a single audit
step.
properties:
category:
type: string
checkID:
type: string
description:
type: string
messages:
items:
type: string
type: array
remediation:
description: Remediation provides description or links to external
resources to remediate failing check.
type: string
scope:
description: Scope indicates the section of config that was
audited.
properties:
type:
description: Type indicates type of this scope, e.g. Container,
ConfigMapKey or JSONPath.
type: string
value:
description: Value indicates value of this scope that depends
on Type, e.g. container name, ConfigMap key or JSONPath
expression
type: string
required:
- type
- value
type: object
severity:
description: Severity level of a vulnerability or a configuration
audit check.
type: string
success:
type: boolean
title:
type: string
required:
- checkID
- severity
- success
type: object
type: array
scanner:
description: Scanner is the spec for a scanner generating a security
assessment report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: InfraAssessmentSummary counts failed checks by severity.
properties:
criticalCount:
description: CriticalCount is the number of failed checks with
critical severity.
type: integer
highCount:
description: HighCount is the number of failed checks with high
severity.
type: integer
lowCount:
description: LowCount is the number of failed check with low severity.
type: integer
mediumCount:
description: MediumCount is the number of failed checks with medium
severity.
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
type: object
required:
- checks
- scanner
- summary
type: object
required:
- report
type: object
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_rbacassessmentreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: rbacassessmentreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: RbacAssessmentReport
listKind: RbacAssessmentReportList
plural: rbacassessmentreports
shortNames:
- rbacassessment
- rbacassessments
singular: rbacassessmentreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The name of the rbac assessment scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of failed checks with critical severity
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of failed checks with high severity
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of failed checks with medium severity
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of failed checks with low severity
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: RbacAssessmentReport is a specification for the RbacAssessmentReport
resource.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
properties:
checks:
description: Checks provides results of conducting audit steps.
items:
description: Check provides the result of conducting a single audit
step.
properties:
category:
type: string
checkID:
type: string
description:
type: string
messages:
items:
type: string
type: array
remediation:
description: Remediation provides description or links to external
resources to remediate failing check.
type: string
scope:
description: Scope indicates the section of config that was
audited.
properties:
type:
description: Type indicates type of this scope, e.g. Container,
ConfigMapKey or JSONPath.
type: string
value:
description: Value indicates value of this scope that depends
on Type, e.g. container name, ConfigMap key or JSONPath
expression
type: string
required:
- type
- value
type: object
severity:
description: Severity level of a vulnerability or a configuration
audit check.
type: string
success:
type: boolean
title:
type: string
required:
- checkID
- severity
- success
type: object
type: array
scanner:
description: Scanner is the spec for a scanner generating a security
assessment report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: RbacAssessmentSummary counts failed checks by severity.
properties:
criticalCount:
description: CriticalCount is the number of failed checks with
critical severity.
type: integer
highCount:
description: HighCount is the number of failed checks with high
severity.
type: integer
lowCount:
description: LowCount is the number of failed check with low severity.
type: integer
mediumCount:
description: MediumCount is the number of failed checks with medium
severity.
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
type: object
required:
- checks
- scanner
- summary
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_sbomreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: sbomreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: SbomReport
listKind: SbomReportList
plural: sbomreports
shortNames:
- sbom
- sboms
singular: sbomreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The name of image repository
jsonPath: .report.artifact.repository
name: Repository
type: string
- description: The name of image tag
jsonPath: .report.artifact.tag
name: Tag
type: string
- description: The name of the sbom generation scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of dependencies in bom
jsonPath: .report.summary.componentsCount
name: Components
priority: 1
type: integer
- description: The the number of components in bom
jsonPath: .report.summary.dependenciesCount
name: Dependencies
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: SbomReport summarizes components and dependencies found in container
image
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
description: Report is the actual sbom report data.
properties:
artifact:
description: |-
Artifact represents a standalone, executable package of software that includes everything needed to
run an application.
properties:
digest:
description: Digest is a unique and immutable identifier of an
Artifact.
type: string
mimeType:
description: MimeType represents a type and format of an Artifact.
type: string
repository:
description: Repository is the name of the repository in the Artifact
registry.
type: string
tag:
description: Tag is a mutable, human-readable string used to identify
an Artifact.
type: string
type: object
components:
description: Bom is artifact bill of materials.
properties:
bomFormat:
type: string
components:
items:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
type: array
dependencies:
items:
properties:
dependsOn:
items:
type: string
type: array
ref:
type: string
type: object
type: array
metadata:
properties:
component:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
timestamp:
type: string
tools:
properties:
components:
items:
properties:
bom-ref:
type: string
group:
type: string
hashes:
items:
properties:
alg:
type: string
content:
type: string
type: object
type: array
licenses:
items:
properties:
expression:
type: string
license:
properties:
id:
type: string
name:
type: string
url:
type: string
type: object
type: object
type: array
name:
type: string
properties:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
purl:
type: string
supplier:
properties:
contact:
items:
properties:
email:
type: string
name:
type: string
phone:
type: string
type: object
type: array
name:
type: string
url:
items:
type: string
type: array
type: object
type:
type: string
version:
type: string
type: object
type: array
type: object
type: object
serialNumber:
type: string
specVersion:
type: string
version:
type: integer
required:
- bomFormat
- specVersion
type: object
registry:
description: Registry is the registry the Artifact was pulled from.
properties:
server:
description: Server the FQDN of registry server.
type: string
type: object
scanner:
description: Scanner is the scanner that generated this report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: Summary is a summary of sbom report.
properties:
componentsCount:
description: ComponentsCount is the number of components in bom.
minimum: 0
type: integer
dependenciesCount:
description: DependenciesCount is the number of dependencies in
bom.
minimum: 0
type: integer
required:
- componentsCount
- dependenciesCount
type: object
updateTimestamp:
description: UpdateTimestamp is a timestamp representing the server
time in UTC when this report was updated.
format: date-time
type: string
required:
- artifact
- components
- scanner
- summary
- updateTimestamp
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/charts/trivy-operator/crds/aquasecurity.github.io_vulnerabilityreports.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: vulnerabilityreports.aquasecurity.github.io
spec:
group: aquasecurity.github.io
names:
kind: VulnerabilityReport
listKind: VulnerabilityReportList
plural: vulnerabilityreports
shortNames:
- vuln
- vulns
singular: vulnerabilityreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: The name of image repository
jsonPath: .report.artifact.repository
name: Repository
type: string
- description: The name of image tag
jsonPath: .report.artifact.tag
name: Tag
type: string
- description: The name of the vulnerability scanner
jsonPath: .report.scanner.name
name: Scanner
type: string
- description: The age of the report
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: The number of critical vulnerabilities
jsonPath: .report.summary.criticalCount
name: Critical
priority: 1
type: integer
- description: The number of high vulnerabilities
jsonPath: .report.summary.highCount
name: High
priority: 1
type: integer
- description: The number of medium vulnerabilities
jsonPath: .report.summary.mediumCount
name: Medium
priority: 1
type: integer
- description: The number of low vulnerabilities
jsonPath: .report.summary.lowCount
name: Low
priority: 1
type: integer
- description: The number of unknown vulnerabilities
jsonPath: .report.summary.unknownCount
name: Unknown
priority: 1
type: integer
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages
built into container images.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
report:
description: Report is the actual vulnerability report data.
properties:
artifact:
description: |-
Artifact represents a standalone, executable package of software that includes everything needed to
run an application.
properties:
digest:
description: Digest is a unique and immutable identifier of an
Artifact.
type: string
mimeType:
description: MimeType represents a type and format of an Artifact.
type: string
repository:
description: Repository is the name of the repository in the Artifact
registry.
type: string
tag:
description: Tag is a mutable, human-readable string used to identify
an Artifact.
type: string
type: object
os:
description: OS information of the artifact
properties:
eosl:
description: Eosl is true if OS version has reached end of service
life
type: boolean
family:
description: Operating System Family
type: string
name:
description: Name or version of the OS
type: string
type: object
registry:
description: Registry is the registry the Artifact was pulled from.
properties:
server:
description: Server the FQDN of registry server.
type: string
type: object
scanner:
description: Scanner is the scanner that generated this report.
properties:
name:
description: Name the name of the scanner.
type: string
vendor:
description: Vendor the name of the vendor providing the scanner.
type: string
version:
description: Version the version of the scanner.
type: string
required:
- name
- vendor
- version
type: object
summary:
description: Summary is a summary of Vulnerability counts grouped
by Severity.
properties:
criticalCount:
description: CriticalCount is the number of vulnerabilities with
Critical Severity.
minimum: 0
type: integer
highCount:
description: HighCount is the number of vulnerabilities with High
Severity.
minimum: 0
type: integer
lowCount:
description: LowCount is the number of vulnerabilities with Low
Severity.
minimum: 0
type: integer
mediumCount:
description: MediumCount is the number of vulnerabilities with
Medium Severity.
minimum: 0
type: integer
noneCount:
description: NoneCount is the number of packages without any vulnerability.
minimum: 0
type: integer
unknownCount:
description: UnknownCount is the number of vulnerabilities with
unknown severity.
minimum: 0
type: integer
required:
- criticalCount
- highCount
- lowCount
- mediumCount
- unknownCount
type: object
updateTimestamp:
description: UpdateTimestamp is a timestamp representing the server
time in UTC when this report was updated.
format: date-time
type: string
vulnerabilities:
description: Vulnerabilities is a list of operating system (OS) or
application software Vulnerability items found in the Artifact.
items:
description: Vulnerability is the spec for a vulnerability record.
properties:
class:
type: string
cvss:
additionalProperties:
properties:
V2Score:
type: number
V2Vector:
type: string
V3Score:
type: number
V3Vector:
type: string
V40Score:
type: number
V40Vector:
type: string
type: object
type: object
cvsssource:
type: string
description:
type: string
fixedVersion:
description: FixedVersion indicates the version of the Resource
in which this vulnerability has been fixed.
type: string
installedVersion:
description: InstalledVersion indicates the installed version
of the Resource.
type: string
lastModifiedDate:
description: LastModifiedDate indicates the last date CVE has
been modified.
type: string
links:
items:
type: string
type: array
packagePURL:
type: string
packagePath:
type: string
packageType:
type: string
primaryLink:
type: string
publishedDate:
description: PublishedDate indicates the date of published CVE.
type: string
resource:
description: Resource is a vulnerable package, application,
or library.
type: string
score:
type: number
severity:
description: Severity level of a vulnerability or a configuration
audit check.
enum:
- CRITICAL
- HIGH
- MEDIUM
- LOW
- UNKNOWN
type: string
target:
type: string
title:
type: string
vulnerabilityID:
description: VulnerabilityID the vulnerability identifier.
type: string
required:
- fixedVersion
- installedVersion
- lastModifiedDate
- publishedDate
- resource
- severity
- title
- vulnerabilityID
type: object
type: array
required:
- artifact
- os
- scanner
- summary
- updateTimestamp
- vulnerabilities
type: object
required:
- report
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
subresources: {}
---
# Source: trivy/templates/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: trivy
labels:
app.kubernetes.io/name: trivy
app.kubernetes.io/instance: trivy
app.kubernetes.io/part-of: trivy
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
---
# Source: trivy/charts/trivy-operator/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: trivy-trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
---
# Source: trivy/charts/trivy-operator/templates/secrets/operator.yaml
apiVersion: v1
kind: Secret
metadata:
name: trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
data:
---
# Source: trivy/charts/trivy-operator/templates/secrets/trivy.yaml
apiVersion: v1
kind: Secret
metadata:
name: trivy-operator-trivy-config
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
data:
---
# Source: trivy/charts/trivy-operator/templates/configmaps/operator.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
data:
nodeCollector.tolerations: "[{\"effect\":\"NoSchedule\",\"key\":\"node-role.kubernetes.io/control-plane\",\"operator\":\"Exists\"}]"
nodeCollector.volumes: "[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]"
nodeCollector.volumeMounts: "[{\"mountPath\":\"/var/lib/etcd\",\"name\":\"var-lib-etcd\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kubelet\",\"name\":\"var-lib-kubelet\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-scheduler\",\"name\":\"var-lib-kube-scheduler\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-controller-manager\",\"name\":\"var-lib-kube-controller-manager\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"name\":\"etc-cni-netd\",\"readOnly\":true}]"
scanJob.useGCRServiceAccount: "true"
scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}"
scanJob.compressLogs: "true"
vulnerabilityReports.scanner: "Trivy"
vulnerabilityReports.scanJobsInSameNamespace: "false"
configAuditReports.scanner: "Trivy"
report.recordFailedChecksOnly: "true"
node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.3.1"
policies.bundle.oci.ref: "mirror.gcr.io/aquasec/trivy-checks:1"
policies.bundle.insecure: "false"
node.collector.nodeSelector: "true"
---
# Source: trivy/charts/trivy-operator/templates/configmaps/trivy-operator-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: trivy-operator-config
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
data:
OPERATOR_LOG_DEV_MODE: "false"
OPERATOR_SCAN_JOB_TTL: ""
OPERATOR_SCAN_JOB_TIMEOUT: "5m"
OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10"
OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1"
OPERATOR_SCAN_JOB_RETRY_AFTER: "30s"
OPERATOR_BATCH_DELETE_LIMIT: "10"
OPERATOR_BATCH_DELETE_DELAY: "10s"
OPERATOR_METRICS_BIND_ADDRESS: ":8080"
OPERATOR_METRICS_FINDINGS_ENABLED: "true"
OPERATOR_METRICS_VULN_ID_ENABLED: "false"
OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ":9090"
OPERATOR_PPROF_BIND_ADDRESS: ""
OPERATOR_VULNERABILITY_SCANNER_ENABLED: "false"
OPERATOR_SBOM_GENERATION_ENABLED: "false"
OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false"
OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
OPERATOR_SCANNER_REPORT_TTL: "24h"
OPERATOR_CACHE_REPORT_TTL: "120h"
CONTROLLER_CACHE_SYNC_TIMEOUT: "5m"
OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true"
OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true"
OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "false"
OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true"
OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true"
OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false"
OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "false"
OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false"
OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false"
OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false"
OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false"
OPERATOR_WEBHOOK_BROADCAST_URL: ""
OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: "30s"
OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS: ""
OPERATOR_SEND_DELETED_REPORTS: "false"
OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: "{}"
OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true"
OPERATOR_BUILT_IN_TRIVY_SERVER: "false"
TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: "10h"
OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false"
OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "false"
---
# Source: trivy/charts/trivy-operator/templates/configmaps/trivy.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: trivy-operator-trivy-config
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
data:
trivy.repository: "mirror.gcr.io/aquasec/trivy"
trivy.tag: "0.67.2"
trivy.imagePullPolicy: "IfNotPresent"
trivy.additionalVulnerabilityReportFields: ""
trivy.registry.mirror.gcr.io: "proxy-gcr.io"
trivy.registry.mirror.ghcr.io: "proxy-ghcr.io"
trivy.registry.mirror.hub.docker: "proxy-hub.docker"
trivy.registry.mirror.quay.io: "proxy-quay.io"
trivy.registry.mirror.registry-1.docker.io: "proxy-registry-1.docker.io"
trivy.registry.mirror.registry.k8s.io: "proxy-registry.k8s"
trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
trivy.slow: "true"
trivy.skipJavaDBUpdate: "false"
trivy.includeDevDeps: "false"
trivy.imageScanCacheDir: "/tmp/trivy/.cache"
trivy.filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
trivy.dbRepository: "mirror.gcr.io/aquasec/trivy-db"
trivy.javaDbRepository: "mirror.gcr.io/aquasec/trivy-java-db"
trivy.command: "image"
trivy.sbomSources: ""
trivy.dbRepositoryInsecure: "false"
trivy.useBuiltinRegoPolicies: "false"
trivy.useEmbeddedRegoPolicies: "true"
trivy.supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
trivy.timeout: "5m0s"
trivy.mode: "Standalone"
trivy.resources.requests.cpu: "100m"
trivy.resources.requests.memory: "128M"
trivy.resources.limits.cpu: "500m"
trivy.resources.limits.memory: "500M"
---
# Source: trivy/charts/trivy-operator/templates/rbac/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: trivy-operator
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- limitranges
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- apiGroups:
- ""
resources:
- replicationcontrollers
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- resourcequotas
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- get
- list
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- clustercompliancedetailreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- clustercompliancereports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- clustercompliancereports/status
verbs:
- get
- patch
- update
- apiGroups:
- aquasecurity.github.io
resources:
- clusterconfigauditreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- clusterinfraassessmentreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- clusterrbacassessmentreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- clustersbomreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- clustervulnerabilityreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- configauditreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- exposedsecretreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- infraassessmentreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- rbacassessmentreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- sbomreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- aquasecurity.github.io
resources:
- vulnerabilityreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- apiGroups:
- ""
resources:
- nodes/proxy
verbs:
- get
---
# Source: trivy/charts/trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml
# permissions for end users to view configauditreports
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregate-config-audit-reports-view
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups:
- aquasecurity.github.io
resources:
- configauditreports
verbs:
- get
- list
- watch
---
# Source: trivy/charts/trivy-operator/templates/rbac/view-exposedsecretreports-clusterrole.yaml
# permissions for end users to view exposedsecretreports
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregate-exposed-secret-reports-view
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups:
- aquasecurity.github.io
resources:
- exposedsecretreports
verbs:
- get
- list
- watch
---
# Source: trivy/charts/trivy-operator/templates/rbac/view-vulnerabilityreports-clusterrole.yaml
# permissions for end users to view vulnerabilityreports
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: aggregate-vulnerability-reports-view
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups:
- aquasecurity.github.io
resources:
- vulnerabilityreports
verbs:
- get
- list
- watch
---
# Source: trivy/charts/trivy-operator/templates/rbac/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: trivy-trivy-operator
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: trivy-operator
subjects:
- kind: ServiceAccount
name: trivy-trivy-operator
namespace: trivy
---
# Source: trivy/charts/trivy-operator/templates/rbac/leader-election-role.yaml
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: trivy-trivy-operator-leader-election
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
---
# Source: trivy/charts/trivy-operator/templates/rbac/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: trivy-trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- delete
- update
---
# Source: trivy/charts/trivy-operator/templates/rbac/leader-election-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: trivy-trivy-operator-leader-election
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: trivy-trivy-operator-leader-election
subjects:
- kind: ServiceAccount
name: trivy-trivy-operator
namespace: trivy
---
# Source: trivy/charts/trivy-operator/templates/rbac/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: trivy-trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: trivy-trivy-operator
subjects:
- kind: ServiceAccount
name: trivy-trivy-operator
namespace: trivy
---
# Source: trivy/charts/trivy-operator/templates/monitor/service.yaml
apiVersion: v1
kind: Service
metadata:
name: trivy-trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
spec:
clusterIP: None
ports:
- name: metrics
port: 80
targetPort: metrics
protocol: TCP
appProtocol: TCP
selector:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
type: ClusterIP
---
# Source: trivy/charts/trivy-operator/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy-trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
template:
metadata:
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
spec:
serviceAccountName: trivy-trivy-operator
automountServiceAccountToken: true
containers:
- name: "trivy-operator"
image: "mirror.gcr.io/aquasec/trivy-operator:0.29.0"
imagePullPolicy: IfNotPresent
env:
- name: OPERATOR_NAMESPACE
value: trivy
- name: OPERATOR_TARGET_NAMESPACES
value: ""
- name: OPERATOR_EXCLUDE_NAMESPACES
value: ""
- name: OPERATOR_TARGET_WORKLOADS
value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
- name: OPERATOR_SERVICE_ACCOUNT
value: "trivy-trivy-operator"
envFrom:
- configMapRef:
name: trivy-operator-config
ports:
- name: metrics
containerPort: 8080
- name: probes
containerPort: 9090
readinessProbe:
httpGet:
path: /readyz/
port: probes
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
livenessProbe:
httpGet:
path: /healthz/
port: probes
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 10
resources:
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /tmp
name: cache-policies
readOnly: false
volumes:
- emptyDir: {}
name: cache-policies
---
# Source: trivy/charts/trivy-operator/templates/specs/k8s-cis-1.23.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
name: k8s-cis-1.23
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.29.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: "0 5 * * *"
reportType: "summary"
compliance:
id: k8s-cis-1.23
title: CIS Kubernetes Benchmarks v1.23
description: CIS Kubernetes Benchmarks
platform: k8s
type: cis
relatedResources:
- https://www.cisecurity.org/benchmark/kubernetes
version: "1.23"
controls:
- id: 1.1.1
name: Ensure that the API server pod specification file permissions are set to
600 or more restrictive
description: Ensure that the API server pod specification file has permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0048
commands:
- id: CMD-0001
severity: HIGH
- id: 1.1.2
name: Ensure that the API server pod specification file ownership is set to
root:root
description: Ensure that the API server pod specification file ownership is set
to root:root
checks:
- id: AVD-KCV-0049
commands:
- id: CMD-0002
severity: HIGH
- id: 1.1.3
name: Ensure that the controller manager pod specification file permissions are
set to 600 or more restrictive
description: Ensure that the controller manager pod specification file has
permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0050
commands:
- id: CMD-0003
severity: HIGH
- id: 1.1.4
name: Ensure that the controller manager pod specification file ownership is set
to root:root
description: Ensure that the controller manager pod specification file ownership
is set to root:root
checks:
- id: AVD-KCV-0051
commands:
- id: CMD-0004
severity: HIGH
- id: 1.1.5
name: Ensure that the scheduler pod specification file permissions are set to
600 or more restrictive
description: Ensure that the scheduler pod specification file has permissions of
600 or more restrictive
checks:
- id: AVD-KCV-0052
commands:
- id: CMD-0005
severity: HIGH
- id: 1.1.6
name: Ensure that the scheduler pod specification file ownership is set to
root:root
description: Ensure that the scheduler pod specification file ownership is set
to root:root
checks:
- id: AVD-KCV-0053
commands:
- id: CMD-0006
severity: HIGH
- id: 1.1.7
name: Ensure that the etcd pod specification file permissions are set to 600 or
more restrictive
description: Ensure that the etcd pod specification file has permissions of 600
or more restrictive
checks:
- id: AVD-KCV-0054
commands:
- id: CMD-0007
severity: HIGH
- id: 1.1.8
name: Ensure that the etcd pod specification file ownership is set to root:root
description: Ensure that the etcd pod specification file ownership is set to
root:root.
checks:
- id: AVD-KCV-0055
commands:
- id: CMD-0008
severity: HIGH
- id: 1.1.9
name: Ensure that the Container Network Interface file permissions are set to
600 or more restrictive
description: Ensure that the Container Network Interface files have permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0056
commands:
- id: CMD-0009
severity: HIGH
- id: 1.1.10
name: Ensure that the Container Network Interface file ownership is set to
root:root
description: Ensure that the Container Network Interface files have ownership
set to root:root
checks:
- id: AVD-KCV-0057
commands:
- id: CMD-0010
severity: HIGH
- id: 1.1.11
name: Ensure that the etcd data directory permissions are set to 700 or more
restrictive
description: Ensure that the etcd data directory has permissions of 700 or more
restrictive
checks:
- id: AVD-KCV-0058
commands:
- id: CMD-0011
severity: HIGH
- id: 1.1.12
name: Ensure that the etcd data directory ownership is set to etcd:etcd
description: Ensure that the etcd data directory ownership is set to etcd:etcd
checks:
- id: AVD-KCV-0059
commands:
- id: CMD-0012
severity: LOW
- id: 1.1.13
name: Ensure that the admin.conf file permissions are set to 600
description: Ensure that the admin.conf file has permissions of 600
checks:
- id: AVD-KCV-0060
commands:
- id: CMD-0013
severity: CRITICAL
- id: 1.1.14
name: Ensure that the admin.conf file ownership is set to root:root
description: Ensure that the admin.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0061
commands:
- id: CMD-0014
severity: CRITICAL
- id: 1.1.15
name: Ensure that the scheduler.conf file permissions are set to 600 or more
restrictive
description: Ensure that the scheduler.conf file has permissions of 600 or more
restrictive
checks:
- id: AVD-KCV-0062
commands:
- id: CMD-0015
severity: HIGH
- id: 1.1.16
name: Ensure that the scheduler.conf file ownership is set to root:root
description: Ensure that the scheduler.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0063
commands:
- id: CMD-0016
severity: HIGH
- id: 1.1.17
name: Ensure that the controller-manager.conf file permissions are set to 600 or
more restrictive
description: Ensure that the controller-manager.conf file has permissions of 600
or more restrictive
checks:
- id: AVD-KCV-0064
commands:
- id: CMD-0017
severity: HIGH
- id: 1.1.18
name: Ensure that the controller-manager.conf file ownership is set to root:root
description: Ensure that the controller-manager.conf file ownership is set to
root:root.
checks:
- id: AVD-KCV-0065
commands:
- id: CMD-0018
severity: HIGH
- id: 1.1.19
name: Ensure that the Kubernetes PKI directory and file ownership is set to
root:root
description: Ensure that the Kubernetes PKI directory and file ownership is set
to root:root
checks:
- id: AVD-KCV-0066
commands:
- id: CMD-0019
severity: CRITICAL
- id: 1.1.20
name: Ensure that the Kubernetes PKI certificate file permissions are set to 600
or more restrictive
description: Ensure that Kubernetes PKI certificate files have permissions of
600 or more restrictive
checks:
- id: AVD-KCV-0068
commands:
- id: CMD-0020
severity: CRITICAL
- id: 1.1.21
name: Ensure that the Kubernetes PKI key file permissions are set to 600
description: Ensure that Kubernetes PKI key files have permissions of 600
checks:
- id: AVD-KCV-0067
commands:
- id: CMD-0021
severity: CRITICAL
- id: 1.2.1
name: Ensure that the --anonymous-auth argument is set to false
description: Disable anonymous requests to the API server
checks:
- id: AVD-KCV-0001
severity: MEDIUM
- id: 1.2.2
name: Ensure that the --token-auth-file parameter is not set
description: Do not use token based authentication
checks:
- id: AVD-KCV-0002
severity: LOW
- id: 1.2.3
name: Ensure that the --DenyServiceExternalIPs is not set
description: This admission controller rejects all net-new usage of the Service
field externalIPs
checks:
- id: AVD-KCV-0003
severity: LOW
- id: 1.2.4
name: Ensure that the --kubelet-https argument is set to true
description: Use https for kubelet connections
checks:
- id: AVD-KCV-0004
severity: LOW
- id: 1.2.5
name: Ensure that the --kubelet-client-certificate and --kubelet-client-key
arguments are set as appropriate
description: Enable certificate based kubelet authentication
checks:
- id: AVD-KCV-0005
severity: HIGH
- id: 1.2.6
name: Ensure that the --kubelet-certificate-authority argument is set as
appropriate
description: Verify kubelets certificate before establishing connection
checks:
- id: AVD-KCV-0006
severity: HIGH
- id: 1.2.7
name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
description: Do not always authorize all requests
checks:
- id: AVD-KCV-0007
severity: LOW
- id: 1.2.8
name: Ensure that the --authorization-mode argument includes Node
description: Restrict kubelet nodes to reading only objects associated with them
checks:
- id: AVD-KCV-0008
severity: HIGH
- id: 1.2.9
name: Ensure that the --authorization-mode argument includes RBAC
description: Turn on Role Based Access Control
checks:
- id: AVD-KCV-0009
severity: HIGH
- id: 1.2.10
name: Ensure that the admission control plugin EventRateLimit is set
description: Limit the rate at which the API server accepts requests
checks:
- id: AVD-KCV-0010
severity: HIGH
- id: 1.2.11
name: Ensure that the admission control plugin AlwaysAdmit is not set
description: Do not allow all requests
checks:
- id: AVD-KCV-0011
severity: LOW
- id: 1.2.12
name: Ensure that the admission control plugin AlwaysPullImages is set
description: Always pull images
checks:
- id: AVD-KCV-0012
severity: MEDIUM
- id: 1.2.13
name: Ensure that the admission control plugin SecurityContextDeny is set if
PodSecurityPolicy is not used
description: The SecurityContextDeny admission controller can be used to deny
pods which make use of some SecurityContext fields which could allow for
privilege escalation in the cluster. This should be used where
PodSecurityPolicy is not in place within the cluster
checks:
- id: AVD-KCV-0013
severity: MEDIUM
- id: 1.2.14
name: Ensure that the admission control plugin ServiceAccount is set
description: Automate service accounts management
checks:
- id: AVD-KCV-0014
severity: LOW
- id: 1.2.15
name: Ensure that the admission control plugin NamespaceLifecycle is set
description: Reject creating objects in a namespace that is undergoing termination
checks:
- id: AVD-KCV-0015
severity: LOW
- id: 1.2.16
name: Ensure that the admission control plugin NodeRestriction is set
description: Limit the Node and Pod objects that a kubelet could modify
checks:
- id: AVD-KCV-0016
severity: LOW
- id: 1.2.17
name: Ensure that the --secure-port argument is not set to 0
description: Do not disable the secure port
checks:
- id: AVD-KCV-0017
severity: HIGH
- id: 1.2.18
name: Ensure that the --profiling argument is set to false
description: Disable profiling, if not needed
checks:
- id: AVD-KCV-0018
severity: LOW
- id: 1.2.19
name: Ensure that the --audit-log-path argument is set
description: Enable auditing on the Kubernetes API Server and set the desired
audit log path.
checks:
- id: AVD-KCV-0019
severity: LOW
- id: 1.2.20
name: Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
description: Retain the logs for at least 30 days or as appropriate
checks:
- id: AVD-KCV-0020
severity: LOW
- id: 1.2.21
name: Ensure that the --audit-log-maxbackup argument is set to 10 or as
appropriate
description: Retain 10 or an appropriate number of old log file
checks:
- id: AVD-KCV-0021
severity: LOW
- id: 1.2.22
name: Ensure that the --audit-log-maxsize argument is set to 100 or as
appropriate
description: Rotate log files on reaching 100 MB or as appropriate
checks:
- id: AVD-KCV-0022
severity: LOW
- id: 1.2.24
name: Ensure that the --service-account-lookup argument is set to true
description: Validate service account before validating token
checks:
- id: AVD-KCV-0024
severity: LOW
- id: 1.2.25
name: Ensure that the --service-account-key-file argument is set as appropriate
description: Explicitly set a service account public key file for service
accounts on the apiserver
checks:
- id: AVD-KCV-0025
severity: LOW
- id: 1.2.26
name: Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as
appropriate
description: etcd should be configured to make use of TLS encryption for client
connections
checks:
- id: AVD-KCV-0026
severity: LOW
- id: 1.2.27
name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are
set as appropriate
description: Setup TLS connection on the API server
checks:
- id: AVD-KCV-0027
severity: MEDIUM
- id: 1.2.28
name: Ensure that the --client-ca-file argument is set appropriate
description: Setup TLS connection on the API server
checks:
- id: AVD-KCV-0028
severity: LOW
- id: 1.2.29
name: Ensure that the --etcd-cafile argument is set as appropriate
description: etcd should be configured to make use of TLS encryption for client
connections.
checks:
- id: AVD-KCV-0029
severity: LOW
- id: 1.2.30
name: Ensure that the --encryption-provider-config argument is set as
appropriate
description: Encrypt etcd key-value store
checks:
- id: AVD-KCV-0030
severity: LOW
- id: 1.3.1
name: Ensure that the --terminated-pod-gc-threshold argument is set as
appropriate
description: Activate garbage collector on pod termination, as appropriate
checks:
- id: AVD-KCV-0033
severity: MEDIUM
- id: 1.3.3
name: Ensure that the --use-service-account-credentials argument is set to true
description: Use individual service account credentials for each controller
checks:
- id: AVD-KCV-0035
severity: MEDIUM
- id: 1.3.4
name: Ensure that the --service-account-private-key-file argument is set as
appropriate
description: Explicitly set a service account private key file for service
accounts on the controller manager
checks:
- id: AVD-KCV-0036
severity: MEDIUM
- id: 1.3.5
name: Ensure that the --root-ca-file argument is set as appropriate
description: Allow pods to verify the API servers serving certificate before
establishing connections
checks:
- id: AVD-KCV-0037
severity: MEDIUM
- id: 1.3.6
name: Ensure that the RotateKubeletServerCertificate argument is set to true
description: Enable kubelet server certificate rotation on controller-manager
checks:
- id: AVD-KCV-0038
severity: MEDIUM
- id: 1.3.7
name: Ensure that the --bind-address argument is set to 127.0.0.1
description: Do not bind the scheduler service to non-loopback insecure addresses
checks:
- id: AVD-KCV-0039
severity: LOW
- id: 1.4.1
name: Ensure that the --profiling argument is set to false
description: Disable profiling, if not needed
checks:
- id: AVD-KCV-0034
severity: MEDIUM
- id: 1.4.2
name: Ensure that the --bind-address argument is set to 127.0.0.1
description: Do not bind the scheduler service to non-loopback insecure addresses
checks:
- id: AVD-KCV-0041
severity: CRITICAL
- id: "2.1"
name: Ensure that the --cert-file and --key-file arguments are set as
appropriate
description: Configure TLS encryption for the etcd service
checks:
- id: AVD-KCV-0042
severity: MEDIUM
- id: "2.2"
name: Ensure that the --client-cert-auth argument is set to true
description: Enable client authentication on etcd service
checks:
- id: AVD-KCV-0043
severity: CRITICAL
- id: "2.3"
name: Ensure that the --auto-tls argument is not set to true
description: Do not use self-signed certificates for TLS
checks:
- id: AVD-KCV-0044
severity: CRITICAL
- id: "2.4"
name: Ensure that the --peer-cert-file and --peer-key-file arguments are set as
appropriate
description: etcd should be configured to make use of TLS encryption for peer
connections.
checks:
- id: AVD-KCV-0045
severity: CRITICAL
- id: "2.5"
name: Ensure that the --peer-client-cert-auth argument is set to true
description: etcd should be configured for peer authentication
checks:
- id: AVD-KCV-0046
severity: CRITICAL
- id: "2.6"
name: Ensure that the --peer-auto-tls argument is not set to true
description: Do not use self-signed certificates for TLS
checks:
- id: AVD-KCV-0047
severity: HIGH
- id: 3.1.1
name: Client certificate authentication should not be used for users (Manual)
description: Kubernetes provides the option to use client certificates for user
authentication. However as there is no way to revoke these certificates
when a user leaves an organization or loses their credential, they are
not suitable for this purpose
severity: HIGH
- id: 3.2.1
name: Ensure that a minimal audit policy is created (Manual)
description: Kubernetes can audit the details of requests made to the API
server. The --audit- policy-file flag must be set for this logging to be
enabled.
severity: HIGH
- id: 3.2.2
name: Ensure that the audit policy covers key security concerns (Manual)
description: Ensure that the audit policy created for the cluster covers key
security concerns
severity: HIGH
- id: 4.1.1
name: Ensure that the kubelet service file permissions are set to 600 or more
restrictive
description: Ensure that the kubelet service file has permissions of 600 or more
restrictive.
checks:
- id: AVD-KCV-0069
commands:
- id: CMD-0022
severity: HIGH
- id: 4.1.2
name: Ensure that the kubelet service file ownership is set to root:root
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
commands:
- id: CMD-0023
severity: HIGH
- id: 4.1.3
name: If proxy kubeconfig file exists ensure permissions are set to 600 or more
restrictive
description: If kube-proxy is running, and if it is using a file-based
kubeconfig file, ensure that the proxy kubeconfig file has permissions
of 600 or more restrictive
checks:
- id: AVD-KCV-0071
commands:
- id: CMD-0024
severity: HIGH
- id: 4.1.4
name: If proxy kubeconfig file exists ensure ownership is set to root:root
description: If kube-proxy is running, ensure that the file ownership of its
kubeconfig file is set to root:root
checks:
- id: AVD-KCV-0072
commands:
- id: CMD-0025
severity: HIGH
- id: 4.1.5
name: Ensure that the --kubeconfig kubelet.conf file permissions are set to 600
or more restrictive
description: Ensure that the kubelet.conf file has permissions of 600 or more
restrictive
checks:
- id: AVD-KCV-0073
commands:
- id: CMD-0026
severity: HIGH
- id: 4.1.6
name: Ensure that the --kubeconfig kubelet.conf file ownership is set to
root:root
description: Ensure that the kubelet.conf file ownership is set to root:root
checks:
- id: AVD-KCV-0074
commands:
- id: CMD-0027
severity: HIGH
- id: 4.1.7
name: Ensure that the certificate authorities file permissions are set to 600 or
more restrictive
description: Ensure that the certificate authorities file has permissions of 600
or more restrictive
checks:
- id: AVD-KCV-0075
commands:
- id: CMD-0028
severity: CRITICAL
- id: 4.1.8
name: Ensure that the client certificate authorities file ownership is set to
root:root
description: Ensure that the certificate authorities file ownership is set to
root:root
checks:
- id: AVD-KCV-0076
commands:
- id: CMD-0029
severity: CRITICAL
- id: 4.1.9
name: If the kubelet config.yaml configuration file is being used validate
permissions set to 600 or more restrictive
description: Ensure that if the kubelet refers to a configuration file with the
--config argument, that file has permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0077
commands:
- id: CMD-0030
severity: HIGH
- id: 4.1.10
name: If the kubelet config.yaml configuration file is being used validate file
ownership is set to root:root
description: Ensure that if the kubelet refers to a configuration file with the
--config argument, that file is owned by root:root
checks:
- id: AVD-KCV-0078
commands:
- id: CMD-0031
severity: HIGH
- id: 4.2.1
name: Ensure that the --anonymous-auth argument is set to false
description: Disable anonymous requests to the Kubelet server
checks:
- id: AVD-KCV-0079
commands:
- id: CMD-0032
severity: CRITICAL
- id: 4.2.2
name: Ensure that the --authorization-mode argument is not set to AlwaysAllow
description: Do not allow all requests. Enable explicit authorization
checks:
- id: AVD-KCV-0080
commands:
- id: CMD-0033
severity: CRITICAL
- id: 4.2.3
name: Ensure that the --client-ca-file argument is set as appropriate
description: Enable Kubelet authentication using certificates
checks:
- id: AVD-KCV-0081
commands:
- id: CMD-0034
severity: CRITICAL
- id: 4.2.4
name: Verify that the --read-only-port argument is set to 0
description: Disable the read-only port
checks:
- id: AVD-KCV-0082
commands:
- id: CMD-0035
severity: HIGH
- id: 4.2.5
name: Ensure that the --streaming-connection-idle-timeout argument is not set to
0
description: Do not disable timeouts on streaming connections
checks:
- id: AVD-KCV-0085
commands:
- id: CMD-0036
severity: HIGH
- id: 4.2.6
name: Ensure that the --protect-kernel-defaults argument is set to true
description: Protect tuned kernel parameters from overriding kubelet default
kernel parameter values
checks:
- id: AVD-KCV-0083
commands:
- id: CMD-0037
severity: HIGH
- id: 4.2.7
name: Ensure that the --make-iptables-util-chains argument is set to true
description: Allow Kubelet to manage iptables
checks:
- id: AVD-KCV-0084
commands:
- id: CMD-0038
severity: HIGH
- id: 4.2.8
name: Ensure that the --hostname-override argument is not set
description: Do not override node hostnames
checks:
- id: AVD-KCV-0086
commands:
- id: CMD-0039
severity: HIGH
- id: 4.2.9
name: Ensure that the --event-qps argument is set to 0 or a level which ensures
appropriate event capture
description: Security relevant information should be captured. The --event-qps
flag on the Kubelet can be used to limit the rate at which events are
gathered
checks:
- id: AVD-KCV-0087
commands:
- id: CMD-0040
severity: HIGH
- id: 4.2.10
name: Ensure that the --tls-cert-file and --tls-private-key-file arguments are
set as appropriate
description: Setup TLS connection on the Kubelets
checks:
- id: AVD-KCV-0088
- id: AVD-KCV-0089
commands:
- id: CMD-0041
- id: CMD-0042
severity: CRITICAL
- id: 4.2.11
name: Ensure that the --rotate-certificates argument is not set to false
description: Enable kubelet client certificate rotation
checks:
- id: AVD-KCV-0090
commands:
- id: CMD-0043
severity: CRITICAL
- id: 4.2.12
name: Verify that the RotateKubeletServerCertificate argument is set to true
description: Enable kubelet server certificate rotation
checks:
- id: AVD-KCV-0091
commands:
- id: CMD-0044
severity: CRITICAL
- id: 4.2.13
name: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
description: Ensure that the Kubelet is configured to only use strong
cryptographic ciphers
checks:
- id: AVD-KCV-0092
commands:
- id: CMD-0045
severity: CRITICAL
- id: 5.1.1
name: Ensure that the cluster-admin role is only used where required
description: The RBAC role cluster-admin provides wide-ranging powers over the
environment and should be used only where and when needed
checks:
- id: AVD-KSV-0111
severity: HIGH
- id: 5.1.2
name: Minimize access to secrets
description: The Kubernetes API stores secrets, which may be service account
tokens for the Kubernetes API or credentials used by workloads in the
cluster
checks:
- id: AVD-KSV-0041
severity: HIGH
- id: 5.1.3
name: Minimize wildcard use in Roles and ClusterRoles
description: Kubernetes Roles and ClusterRoles provide access to resources based
on sets of objects and actions that can be taken on those objects. It is
possible to set either of these to be the wildcard "*" which matches all
items
checks:
- id: AVD-KSV-0044
- id: AVD-KSV-0045
- id: AVD-KSV-0046
severity: HIGH
- id: 5.1.6
name: Ensure that Service Account Tokens are only mounted where necessary
description: Service accounts tokens should not be mounted in pods except where
the workload running in the pod explicitly needs to communicate with the
API server
checks:
- id: AVD-KSV-0036
severity: HIGH
- id: 5.1.8
name: Limit use of the Bind, Impersonate and Escalate permissions in the
Kubernetes cluster
description: Cluster roles and roles with the impersonate, bind or escalate
permissions should not be granted unless strictly required
checks:
- id: AVD-KSV-0043
severity: HIGH
- id: 5.2.2
name: Minimize the admission of privileged containers
description: Do not generally permit containers to be run with the
securityContext.privileged flag set to true
checks:
- id: AVD-KSV-0017
severity: HIGH
- id: 5.2.3
name: Minimize the admission of containers wishing to share the host process ID
namespace
description: Do not generally permit containers to be run with the hostPID flag
set to true.
checks:
- id: AVD-KSV-0010
severity: HIGH
- id: 5.2.4
name: Minimize the admission of containers wishing to share the host IPC
namespace
description: Do not generally permit containers to be run with the hostIPC flag
set to true
checks:
- id: AVD-KSV-0008
severity: HIGH
- id: 5.2.5
name: Minimize the admission of containers wishing to share the host network
namespace
description: Do not generally permit containers to be run with the hostNetwork
flag set to true
checks:
- id: AVD-KSV-0009
severity: HIGH
- id: 5.2.6
name: Minimize the admission of containers with allowPrivilegeEscalation
description: Do not generally permit containers to be run with the
allowPrivilegeEscalation flag set to true
checks:
- id: AVD-KSV-0001
severity: HIGH
- id: 5.2.7
name: Minimize the admission of root containers
description: Do not generally permit containers to be run as the root user
checks:
- id: AVD-KSV-0012
severity: MEDIUM
- id: 5.2.8
name: Minimize the admission of containers with the NET_RAW capability
description: Do not generally permit containers with the potentially dangerous
NET_RAW capability
checks:
- id: AVD-KSV-0022
severity: MEDIUM
- id: 5.2.9
name: Minimize the admission of containers with added capabilities
description: Do not generally permit containers with capabilities assigned
beyond the default set
checks:
- id: AVD-KSV-0004
severity: LOW
- id: 5.2.10
name: Minimize the admission of containers with capabilities assigned
description: Do not generally permit containers with capabilities
checks:
- id: AVD-KSV-0003
severity: LOW
- id: 5.2.11
name: Minimize the admission of containers with capabilities assigned
description: Do not generally permit containers with capabilities
checks:
- id: AVD-KSV-0103
severity: MEDIUM
- id: 5.2.12
name: Minimize the admission of HostPath volumes
description: Do not generally admit containers which make use of hostPath volumes
checks:
- id: AVD-KSV-0023
severity: MEDIUM
- id: 5.2.13
name: Minimize the admission of containers which use HostPorts
description: Do not generally permit containers which require the use of HostPorts
checks:
- id: AVD-KSV-0024
severity: MEDIUM
- id: 5.3.1
name: Ensure that the CNI in use supports Network Policies (Manual)
description: There are a variety of CNI plugins available for Kubernetes. If the
CNI in use does not support Network Policies it may not be possible to
effectively restrict traffic in the cluster
severity: MEDIUM
- id: 5.3.2
name: Ensure that all Namespaces have Network Policies defined
description: Use network policies to isolate traffic in your cluster network
checks:
- id: AVD-KSV-0038
severity: MEDIUM
- id: 5.4.1
name: Prefer using secrets as files over secrets as environment variables
(Manual)
description: Kubernetes supports mounting secrets as data volumes or as
environment variables. Minimize the use of environment variable secrets
severity: MEDIUM
- id: 5.4.2
name: Consider external secret storage (Manual)
description: Consider the use of an external secrets storage and management
system, instead of using Kubernetes Secrets directly, if you have more
complex secret management needs
severity: MEDIUM
- id: 5.5.1
name: Configure Image Provenance using ImagePolicyWebhook admission controller
(Manual)
description: Configure Image Provenance for your deployment
severity: MEDIUM
- id: 5.7.1
name: Create administrative boundaries between resources using namespaces
(Manual)
description: Use namespaces to isolate your Kubernetes objects
severity: MEDIUM
- id: 5.7.2
name: Ensure that the seccomp profile is set to docker/default in your pod
definitions
description: Enable docker/default seccomp profile in your pod definitions
checks:
- id: AVD-KSV-0104
severity: MEDIUM
- id: 5.7.3
name: Apply Security Context to Your Pods and Containers
description: Apply Security Context to Your Pods and Containers
checks:
- id: AVD-KSV-0021
- id: AVD-KSV-0020
- id: AVD-KSV-0005
- id: AVD-KSV-0025
- id: AVD-KSV-0104
- id: AVD-KSV-0030
severity: HIGH
- id: 5.7.4
name: The default namespace should not be used
description: Kubernetes provides a default namespace, where objects are placed
if no namespace is specified for them
checks:
- id: AVD-KSV-0110
severity: MEDIUM
---
# Source: trivy/charts/trivy-operator/templates/specs/k8s-nsa-1.0.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
name: k8s-nsa-1.0
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.29.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: "0 5 * * *"
reportType: "summary"
compliance:
id: k8s-nsa-1.0
platform: k8s
type: nsa
title: National Security Agency - Kubernetes Hardening Guidance v1.0
description: National Security Agency - Kubernetes Hardening Guidance
relatedResources:
- https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
version: "1.0"
controls:
- name: Non-root containers
description: Check that container is not running as root
id: "1.0"
checks:
- id: AVD-KSV-0012
severity: MEDIUM
- name: Immutable container file systems
description: Check that container root file system is immutable
id: "1.1"
checks:
- id: AVD-KSV-0014
severity: LOW
- name: Preventing privileged containers
description: Controls whether Pods can run privileged containers
id: "1.2"
checks:
- id: AVD-KSV-0017
severity: HIGH
- name: Share containers process namespaces
description: Controls whether containers can share process namespaces
id: "1.3"
checks:
- id: AVD-KSV-0008
severity: HIGH
- name: Share host process namespaces
description: Controls whether share host process namespaces
id: "1.4"
checks:
- id: AVD-KSV-0009
severity: HIGH
- name: Use the host network
description: Controls whether containers can use the host network
id: "1.5"
checks:
- id: AVD-KSV-0010
severity: HIGH
- name: Run with root privileges or with root group membership
description: Controls whether container applications can run with root
privileges or with root group membership
id: "1.6"
checks:
- id: AVD-KSV-0029
severity: LOW
- name: Restricts escalation to root privileges
description: Control check restrictions escalation to root privileges
id: "1.7"
checks:
- id: AVD-KSV-0001
severity: MEDIUM
- name: Sets the SELinux context of the container
description: Control checks if pod sets the SELinux context of the container
id: "1.8"
checks:
- id: AVD-KSV-0002
severity: MEDIUM
- name: Restrict a container's access to resources with AppArmor
description: Control checks the restriction of containers access to resources
with AppArmor
id: "1.9"
checks:
- id: AVD-KSV-0030
severity: MEDIUM
- name: Sets the seccomp profile used to sandbox containers.
description: Control checks the sets the seccomp profile used to sandbox containers
id: "1.10"
checks:
- id: AVD-KSV-0030
severity: LOW
- name: Protecting Pod service account tokens
description: "Control check whether disable secret token been mount
,automountServiceAccountToken: false"
id: "1.11"
checks:
- id: AVD-KSV-0036
severity: MEDIUM
- name: Namespace kube-system should not be used by users
description: Control check whether Namespace kube-system is not be used by users
id: "1.12"
defaultStatus: FAIL
checks:
- id: AVD-KSV-0037
severity: MEDIUM
- name: Pod and/or namespace Selectors usage
description: Control check validate the pod and/or namespace Selectors usage
id: "2.0"
defaultStatus: FAIL
checks:
- id: AVD-KSV-0038
severity: MEDIUM
- name: Use CNI plugin that supports NetworkPolicy API (Manual)
description: Control check whether check cni plugin installed
id: "3.0"
defaultStatus: FAIL
severity: CRITICAL
- name: Use ResourceQuota policies to limit resources
description: Control check the use of ResourceQuota policy to limit aggregate
resource usage within namespace
id: "4.0"
defaultStatus: FAIL
checks:
- id: AVD-KSV-0040
severity: MEDIUM
- name: Use LimitRange policies to limit resources
description: Control check the use of LimitRange policy limit resource usage for
namespaces or nodes
id: "4.1"
defaultStatus: FAIL
checks:
- id: AVD-KSV-0039
severity: MEDIUM
- name: Control plan disable insecure port (Manual)
description: Control check whether control plan disable insecure port
id: "5.0"
defaultStatus: FAIL
severity: CRITICAL
- name: Encrypt etcd communication
description: Control check whether etcd communication is encrypted
id: "5.1"
checks:
- id: AVD-KCV-0030
severity: CRITICAL
- name: Ensure kube config file permission (Manual)
description: Control check whether kube config file permissions
id: "6.0"
defaultStatus: FAIL
severity: CRITICAL
- name: Check that encryption resource has been set
description: Control checks whether encryption resource has been set
id: "6.1"
checks:
- id: AVD-KCV-0029
severity: CRITICAL
- name: Check encryption provider
description: Control checks whether encryption provider has been set
id: "6.2"
checks:
- id: AVD-KCV-0004
severity: CRITICAL
- name: Make sure anonymous-auth is unset
description: Control checks whether anonymous-auth is unset
id: "7.0"
checks:
- id: AVD-KCV-0001
severity: CRITICAL
- name: Make sure -authorization-mode=RBAC
description: Control check whether RBAC permission is in use
id: "7.1"
checks:
- id: AVD-KCV-0008
severity: CRITICAL
- name: Audit policy is configure (Manual)
description: Control check whether audit policy is configure
id: "8.0"
defaultStatus: FAIL
severity: HIGH
- name: Audit log path is configure
description: Control check whether audit log path is configure
id: "8.1"
checks:
- id: AVD-KCV-0019
severity: MEDIUM
- name: Audit log aging
description: Control check whether audit log aging is configure
id: "8.2"
checks:
- id: AVD-KCV-0020
severity: MEDIUM
---
# Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-baseline-0.1.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
name: k8s-pss-baseline-0.1
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.29.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: "0 5 * * *"
reportType: "summary"
compliance:
id: k8s-pss-baseline-0.1
platform: eks
type: pss-baseline
title: Kubernetes Pod Security Standards - Baseline
description: Kubernetes Pod Security Standards - Baseline
relatedResources:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
version: "0.1"
controls:
- name: HostProcess
description: Windows pods offer the ability to run HostProcess containers which
enables privileged access to the Windows node. Privileged access to
the host is disallowed in the baseline policy
id: "1"
checks:
- id: AVD-KSV-0103
severity: HIGH
- name: Host Namespaces
description: Sharing the host namespaces must be disallowed.
id: "2"
checks:
- id: AVD-KSV-0008
severity: HIGH
- name: Privileged Containers
description: Privileged Pods disable most security mechanisms and must be
disallowed.
id: "3"
checks:
- id: AVD-KSV-0017
severity: HIGH
- name: Capabilities
description: Adding additional capabilities beyond those listed below must be
disallowed.
id: "4"
checks:
- id: AVD-KSV-0022
severity: MEDIUM
- name: HostPath Volumes
description: HostPath volumes must be forbidden.
id: "5"
checks:
- id: AVD-KSV-0023
severity: MEDIUM
- name: host ports
description: hostports should be disallowed, or at minimum restricted to a known
list.
id: "6"
checks:
- id: avd-ksv-0024
severity: HIGH
- name: AppArmor
description: On supported hosts, the runtime/default AppArmor profile is applied
by default. The baseline policy should prevent overriding or disabling
the default AppArmor profile, or restrict overrides to an allowed set
of profiles.
id: "7"
checks:
- id: avd-ksv-0002
severity: HIGH
- name: SELinux
description: Setting the SELinux type is restricted, and setting a custom
SELinux user or role option is forbidden.
id: "8"
checks:
- id: avd-ksv-0025
severity: MEDIUM
- name: /proc Mount Type
description: The default /proc masks are set up to reduce attack surface, and
should be required.
id: "9"
checks:
- id: avd-ksv-0027
severity: MEDIUM
- name: Seccomp
description: Seccomp profile must not be explicitly set to Unconfined.
id: "10"
checks:
- id: avd-ksv-0104
severity: MEDIUM
- name: Sysctls
description: Sysctls can disable security mechanisms or affect all containers on
a host, and should be disallowed except for an allowed 'safe' subset.
A sysctl is considered safe if it is namespaced in the container or
the Pod, and it is isolated from other Pods or processes on the same
Node.
id: "11"
checks:
- id: avd-ksv-0026
severity: MEDIUM
---
# Source: trivy/charts/trivy-operator/templates/specs/k8s-pss-restricted-0.1.yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
name: k8s-pss-restricted-0.1
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: 0.29.0
app.kubernetes.io/managed-by: kubectl
spec:
cron: "0 5 * * *"
reportType: "summary"
compliance:
id: k8s-pss-restricted-0.1
platform: k8s
type: pss-restricted
title: Kubernetes Pod Security Standards - Restricted
description: Kubernetes Pod Security Standards - Restricted
relatedResources:
- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
version: "0.1"
controls:
- name: HostProcess
description: Windows pods offer the ability to run HostProcess containers which
enables privileged access to the Windows node. Privileged access to
the host is disallowed in the baseline policy
id: "1"
checks:
- id: AVD-KSV-0103
severity: HIGH
- name: Host Namespaces
description: Sharing the host namespaces must be disallowed.
id: "2"
checks:
- id: AVD-KSV-0008
severity: HIGH
- name: Privileged Containers
description: Privileged Pods disable most security mechanisms and must be
disallowed.
id: "3"
checks:
- id: AVD-KSV-0017
severity: HIGH
- name: Capabilities
description: Adding additional capabilities beyond those listed below must be
disallowed.
id: "4"
checks:
- id: AVD-KSV-0022
severity: MEDIUM
- name: HostPath Volumes
description: HostPath volumes must be forbidden.
id: "5"
checks:
- id: AVD-KSV-0023
severity: MEDIUM
- name: host ports
description: hostports should be disallowed, or at minimum restricted to a known
list.
id: "6"
checks:
- id: avd-ksv-0024
severity: HIGH
- name: AppArmor
description: On supported hosts, the runtime/default AppArmor profile is applied
by default. The baseline policy should prevent overriding or disabling
the default AppArmor profile, or restrict overrides to an allowed set
of profiles.
id: "7"
checks:
- id: avd-ksv-0002
severity: HIGH
- name: SELinux
description: Setting the SELinux type is restricted, and setting a custom
SELinux user or role option is forbidden.
id: "8"
checks:
- id: avd-ksv-0025
severity: MEDIUM
- name: /proc Mount Type
description: The default /proc masks are set up to reduce attack surface, and
should be required.
id: "9"
checks:
- id: avd-ksv-0027
severity: MEDIUM
- name: Seccomp
description: Seccomp profile must not be explicitly set to Unconfined.
id: "10"
checks:
- id: avd-ksv-0104
severity: MEDIUM
- name: Sysctls
description: Sysctls can disable security mechanisms or affect all containers on
a host, and should be disallowed except for an allowed 'safe' subset.
A sysctl is considered safe if it is namespaced in the container or
the Pod, and it is isolated from other Pods or processes on the same
Node.
id: "11"
checks:
- id: avd-ksv-0026
severity: MEDIUM
- name: Volume Types
description: The restricted policy only permits specific volume types.
id: "12"
checks:
- id: avd-ksv-0028
severity: LOW
- name: Privilege Escalation
description: Privilege escalation (such as via set-user-ID or set-group-ID file
mode) should not be allowed.
id: "13"
checks:
- id: avd-ksv-0001
severity: MEDIUM
- name: Running as Non-root
description: Containers must be required to run as non-root users.
id: "14"
checks:
- id: avd-ksv-0012
severity: MEDIUM
- name: Running as Non-root user
description: Containers must not set runAsUser to 0
id: "15"
checks:
- id: avd-ksv-0105
severity: LOW
- name: Seccomp
description: Seccomp profile must be explicitly set to one of the allowed
values. Both the Unconfined profile and the absence of a profile are
prohibited
id: "16"
checks:
- id: avd-ksv-0030
severity: LOW
- name: Capabilities
description: Containers must drop ALL capabilities, and are only permitted to
add back the NET_BIND_SERVICE capability.
id: "17"
checks:
- id: avd-ksv-0106
severity: LOW
---
# Source: trivy/charts/trivy-operator/templates/monitor/servicemonitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: trivy-trivy-operator
namespace: trivy
labels:
helm.sh/chart: trivy-operator-0.31.0
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
app.kubernetes.io/version: "0.29.0"
app.kubernetes.io/managed-by: Helm
spec:
selector:
matchLabels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy
endpoints:
- honorLabels: true
port: metrics
scheme: http
Reference in New Issue View Git Blame Copy Permalink