114 lines
3.0 KiB
YAML
114 lines
3.0 KiB
YAML
trivy-operator:
|
|
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
|
|
operator:
|
|
replicas: 1
|
|
vulnerabilityScannerEnabled: true
|
|
sbomGenerationEnabled: false
|
|
clusterSbomCacheEnabled: false
|
|
configAuditScannerEnabled: false
|
|
rbacAssessmentScannerEnabled: false
|
|
infraAssessmentScannerEnabled: false
|
|
clusterComplianceEnabled: false
|
|
serviceMonitor:
|
|
enabled: true
|
|
trivy:
|
|
createConfig: true
|
|
image:
|
|
registry: mirror.gcr.io
|
|
repository: aquasec/trivy
|
|
tag: 0.62.1
|
|
storageClassEnabled: true
|
|
storageClassName: ceph-block
|
|
storageSize: "5Gi"
|
|
registry:
|
|
mirror:
|
|
"registry-1.docker.io": proxy-registry-1.docker.io
|
|
"quay.io": proxy-quay.io
|
|
"registry.k8s.io": proxy-registry.k8s
|
|
"gcr.io": proxy-gcr.io
|
|
"ghcr.io": proxy-ghcr.io
|
|
"hub.docker": proxy-hub.docker
|
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
|
slow: true
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128M
|
|
supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
|
|
server:
|
|
resources:
|
|
requests:
|
|
cpu: 200m
|
|
memory: 512Mi
|
|
replicas: 1
|
|
compliance:
|
|
reportType: summary
|
|
cron: 0 5 * * *
|
|
specs:
|
|
- k8s-cis-1.23
|
|
- k8s-nsa-1.0
|
|
- k8s-pss-baseline-0.1
|
|
- k8s-pss-restricted-0.1
|
|
volumeMounts:
|
|
- mountPath: /tmp
|
|
name: cache-policies
|
|
readOnly: false
|
|
volumes:
|
|
- name: cache-policies
|
|
emptyDir: {}
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
nodeCollector:
|
|
volumeMounts:
|
|
- name: var-lib-etcd
|
|
mountPath: /var/lib/etcd
|
|
readOnly: true
|
|
- name: var-lib-kubelet
|
|
mountPath: /var/lib/kubelet
|
|
readOnly: true
|
|
- name: var-lib-kube-scheduler
|
|
mountPath: /var/lib/kube-scheduler
|
|
readOnly: true
|
|
- name: var-lib-kube-controller-manager
|
|
mountPath: /var/lib/kube-controller-manager
|
|
readOnly: true
|
|
- name: etc-systemd
|
|
mountPath: /etc/systemd
|
|
readOnly: true
|
|
- name: lib-systemd
|
|
mountPath: /lib/systemd/
|
|
readOnly: true
|
|
- name: etc-kubernetes
|
|
mountPath: /etc/kubernetes
|
|
readOnly: true
|
|
- name: etc-cni-netd
|
|
mountPath: /etc/cni/net.d/
|
|
readOnly: true
|
|
volumes:
|
|
- name: var-lib-etcd
|
|
hostPath:
|
|
path: /var/lib/etcd
|
|
- name: var-lib-kubelet
|
|
hostPath:
|
|
path: /var/lib/kubelet
|
|
- name: var-lib-kube-scheduler
|
|
hostPath:
|
|
path: /var/lib/kube-scheduler
|
|
- name: var-lib-kube-controller-manager
|
|
hostPath:
|
|
path: /var/lib/kube-controller-manager
|
|
- name: etc-systemd
|
|
hostPath:
|
|
path: /etc/systemd
|
|
- name: lib-systemd
|
|
hostPath:
|
|
path: /lib/systemd
|
|
- name: etc-kubernetes
|
|
hostPath:
|
|
path: /etc/kubernetes
|
|
- name: etc-cni-netd
|
|
hostPath:
|
|
path: /etc/cni/net.d/
|