Vulnerability Scanning on Kubernetes
Overview
This article introduces the Trivy Operator, a tool which can be deployed onto a Kubernetes cluster to do vulnerability scanning.
The Trivy Operator
The Trivy Operator uses Trivy to continuously scan a Kubernetes cluster for security issues. For each type of report it creates a Custom Resource Definition (CRD), and the results of each scan are stored in the cluster as instances of those custom resources.
The full overview of in-cluster scans that the operator can do can be found here: https://aquasecurity.github.io/trivy-operator/latest/#in-cluster-security-scans
The operator scans the entire cluster every 24 hours by default and scans any new objects on creation. Some of the reports generated include:
Compliance Report
Config Audit
Vulnerability Reports
RBAC Assessment
Software Bill of Materials (SBOM)
As well as scanning the workloads deployed on the cluster, the operator also scans itself for vulnerabilities. By default the Trivy Operator keeps a report for only 24 hours before replacing it with the report from a fresh scan.
Installing the Trivy Operator
The operator can be installed using Helm: https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/helm/
The default values for the Helm chart can be found here: https://github.com/aquasecurity/trivy-operator/tree/main/deploy/helm
RBAC and the Trivy Operator
The Trivy Operator lets you use RBAC to restrict which users can see the vulnerability reports. Upstream has a tutorial on managing access to the reports: https://aquasecurity.github.io/trivy-operator/latest/tutorials/manage_access_to_security_reports/
That tutorial relies on a plugin to run the kubectl who-can command. Without the plugin, you can still test whether a given user can access reports in a given namespace by impersonating that user with kubectl's --as <user> flag.
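The following script is an added example, not taken from the Trivy Operator documentation. It grants one user read-only access to the operator's report resources in a single namespace and then uses kubectl's --as impersonation to check the result, both for the namespace the binding covers and for one it does not. The namespace team-a, the user alice and the Role name trivy-report-reader are made-up values.

```shell
#!/bin/sh
# Added example (not from the Trivy Operator project): restrict report access
# with RBAC and verify it with `kubectl auth can-i --as`.
# Namespace "team-a", user "alice" and Role "trivy-report-reader" are made up.
set -eu

# Apply a Role + RoleBinding that lets the user read the report resources in
# one namespace. The subject name is the username as the API server sees it.
grant_report_reader() {
  ns="$1"; user="$2"
  kubectl apply -n "$ns" -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: trivy-report-reader
rules:
- apiGroups: ["aquasecurity.github.io"]
  resources: ["vulnerabilityreports", "configauditreports", "exposedsecretreports"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: trivy-report-reader
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: trivy-report-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Ask the API server, impersonating the user, whether they may read
# vulnerability reports in the namespace. Prints "yes" or "no" and
# returns 0 only for "yes" (kubectl itself exits non-zero on "no").
check_report_access() {
  ns="$1"; user="$2"; verb="${3:-get}"
  answer=$(kubectl auth can-i "$verb" vulnerabilityreports.aquasecurity.github.io \
             --namespace "$ns" --as "$user" 2>/dev/null || true)
  echo "$answer"
  [ "$answer" = "yes" ]
}

# Usage: sh report-access.sh <namespace> <user>
if [ "$#" -eq 2 ]; then
  grant_report_reader "$1" "$2"
  check_report_access "$1" "$2"
  # The same user should get "no" for a namespace the binding does not cover.
  check_report_access kube-system "$2" || true
fi
```

The Role deliberately grants only get, list and watch: users who can read reports do not need to create, edit or delete them, and the operator reconciles them anyway. Run the check a second time after any change to the bindings, since RBAC is evaluated at request time and an overly broad ClusterRoleBinding elsewhere can silently widen who sees the reports.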
Uninstalling the Trivy Operator
The Trivy Operator can be uninstalled with: helm uninstall -n trivy-system trivy-operator
This does not remove the operator completely, because the CRDs it created are left behind. They have to be deleted manually.
To delete the CRDs that the operator created, run the following kubectl delete commands:
kubectl delete crd vulnerabilityreports.aquasecurity.github.io
kubectl delete crd exposedsecretreports.aquasecurity.github.io
kubectl delete crd configauditreports.aquasecurity.github.io
kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
kubectl delete crd rbacassessmentreports.aquasecurity.github.io
kubectl delete crd infraassessmentreports.aquasecurity.github.io
kubectl delete crd clusterrbacassessmentreports.aquasecurity.github.io
kubectl delete crd clustercompliancereports.aquasecurity.github.io
kubectl delete crd clusterinfraassessmentreports.aquasecurity.github.io
kubectl delete crd sbomreports.aquasecurity.github.io
kubectl delete crd clustersbomreports.aquasecurity.github.io
kubectl delete crd clustervulnerabilityreports.aquasecurity.github.io
Warning: deleting the CRDs deletes every report stored under them from the cluster.
Upgrading the Trivy Operator
Currently, the Trivy Operator cannot be upgraded automatically using Helm. To move to a newer version of the operator: uninstall it using Helm, delete the CRDs it created (as described above), then update the Helm repository and install the operator again.
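Because the uninstall, CRD clean-up and reinstall steps above form one procedure, here they are as a single script. This is an added example, not a script from the Trivy Operator project. It assumes the Helm repository name aqua and the URL https://aquasecurity.github.io/helm-charts/ from the upstream Helm installation docs linked above, and the chart version is a placeholder you must fill in. Since deleting the CRDs also deletes the reports, the script first exports every existing report to YAML so the last known findings survive the upgrade.

```shell
#!/bin/sh
# Added example, not from the Trivy Operator project: the manual upgrade
# procedure (export reports, helm uninstall, delete the operator's CRDs,
# refresh the chart repo, reinstall) as one script.
# Assumptions: Helm repo name "aqua" and its URL come from the upstream Helm
# install docs; CHART_VERSION is a placeholder that must be set by the caller.
set -eu

RELEASE="trivy-operator"
NAMESPACE="trivy-system"
HELM_REPO="aqua"
HELM_REPO_URL="https://aquasecurity.github.io/helm-charts/"
CHART_VERSION="${CHART_VERSION:-<new-chart-version>}"     # placeholder
BACKUP_DIR="${BACKUP_DIR:-./trivy-operator-reports-backup}"

# The CRDs that `helm uninstall` leaves behind, one fully qualified name per line.
trivy_operator_crds() {
  for short in vulnerabilityreports exposedsecretreports configauditreports \
               clusterconfigauditreports rbacassessmentreports infraassessmentreports \
               clusterrbacassessmentreports clustercompliancereports \
               clusterinfraassessmentreports sbomreports clustersbomreports \
               clustervulnerabilityreports; do
    echo "${short}.aquasecurity.github.io"
  done
}

# Dump every report of every kind to YAML before the CRDs (and with them the
# reports) are removed. Cluster-scoped kinds simply ignore -A.
export_reports() {
  mkdir -p "$BACKUP_DIR"
  for crd in $(trivy_operator_crds); do
    kubectl get "$crd" -A -o yaml > "$BACKUP_DIR/$crd.yaml"
  done
}

# Delete the CRDs; --ignore-not-found keeps a partial earlier clean-up from
# aborting the whole run.
delete_trivy_crds() {
  for crd in $(trivy_operator_crds); do
    kubectl delete crd "$crd" --ignore-not-found
  done
}

upgrade_trivy_operator() {
  export_reports
  helm uninstall -n "$NAMESPACE" "$RELEASE"
  delete_trivy_crds
  helm repo add "$HELM_REPO" "$HELM_REPO_URL" --force-update
  helm repo update
  helm install "$RELEASE" "$HELM_REPO/trivy-operator" \
    --namespace "$NAMESPACE" --create-namespace --version "$CHART_VERSION"
}

# Only act when explicitly asked, so the file can be sourced for inspection.
if [ "${1:-}" = "upgrade" ]; then
  upgrade_trivy_operator
fi
```

Run it as sh upgrade-trivy-operator.sh upgrade with CHART_VERSION set in the environment. After the new operator starts it rescans the cluster and regenerates the reports, so the exported YAML is only a record of the pre-upgrade state for comparison, not something to reapply.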