Vulnerability Scanning on Kubernetes

Overview

This article introduces the Trivy Operator, a tool which can be deployed onto a Kubernetes cluster to do vulnerability scanning.

ย The Trivy Operator

The Trivy Operator uses Trivy to continuously scan a Kubernetes cluster for security issues. The operator creates Custom Resource Definitions (CRDs) for each report.

The full overview of in-cluster scans that the operator can do can be found here: https://aquasecurity.github.io/trivy-operator/latest/#in-cluster-security-scans

The operator scans the entire cluster every 24 hours by default and scans any new objects on creation. Some of the reports generated include:

  • Compliance Report

  • Config Audit

  • Vulnerability Reports

  • RBAC Assessment

  • Software Bill of Materials (SBOM)

As well as scanning deployments on the cluster, the operator also scans itself for vulnerabilities. The trivy operator only keeps the reports for 24 hours by default, before replacing them with a report from a new scan.

Installing the Trivy Operator

The operator can be installed using Helm: https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/helm/

The default values for the Helm chart can be found here: trivy-operator/deploy/helm at main ยท aquasecurity/trivy-operator

RBAC and the Trivy Operator

The trivy operator allows vulnerability reports to be restricted to be visible to certain users using RBAC. Trivy operator has a tutorial for how to use RBAC here: https://aquasecurity.github.io/trivy-operator/latest/tutorials/manage_access_to_security_reports/

The tutorial in the upstream documentation uses a plugin to run the kubectl who-can command. However, you can still test whether a given user can access reports in a given namespace using --as <user>

Uninstalling the Trivy Operator

The Trivy Operator can be uninstalled using helm uninstall -n trivy-system trivy-operator

This does not tidy up the operator completely as the CRDs are left behind. These have to be manually deleted.

To delete the CRDs that the Operator had created, run the following kubectl delete commands:

kubectl delete crd vulnerabilityreports.aquasecurity.github.io kubectl delete crd exposedsecretreports.aquasecurity.github.io kubectl delete crd configauditreports.aquasecurity.github.io kubectl delete crd clusterconfigauditreports.aquasecurity.github.io kubectl delete crd rbacassessmentreports.aquasecurity.github.io kubectl delete crd infraassessmentreports.aquasecurity.github.io kubectl delete crd clusterrbacassessmentreports.aquasecurity.github.io kubectl delete crd clustercompliancereports.aquasecurity.github.io kubectl delete crd clusterinfraassessmentreports.aquasecurity.github.io kubectl delete crd sbomreports.aquasecurity.github.io kubectl delete crd clustersbomreports.aquasecurity.github.io kubectl delete crd clustervulnerabilityreports.aquasecurity.github.io

Warning: Deleting the CRDs will delete all reports associated to them from the cluster.

Upgrading the Trivy Operator

Currently, the Trivy Operator cannot be upgraded automatically using Helm. In order to upgrade to a newer version of the operator, the trivy operator will need to be uninstalled using Helm. Then delete the CRDs which the operator had created, and then update the Helm repository and install the operator.

References

ย Related articles

Filter by label

There are no items with the selected labels at this time.

Reviewer

Review period

Reviewer

Review period

Reviewed by

ย 

ย 

ย