This setup provides a Trivy operator.
The operator scans all images in the cluster and creates a report whenever a vulnerability is found in an image. Reports are stored as a CRD and can be queried by the user.
For a better user experience, all data is also exported to a Prometheus instance, so you can create alerts and dashboards and use Grafana to visualize the data.
- A Kubernetes cluster
- Helm
- If you want Grafana dashboards:
  - A Prometheus instance
  - A Grafana instance
- Add the Trivy Helm repository:

  ```sh
  helm repo add aqua https://aquasecurity.github.io/helm-charts/
  ```
- Create a `values.yaml` file with the following content:

  ```yaml
  operator:
    metricsVulnIdEnabled: true # Enable or disable the metrics for the vulnerability ID
  service:
    headless: true # If you want to expose the service as a headless service
  serviceMonitor:
    enabled: true # If you want to create a ServiceMonitor for Prometheus
  trivy:
    ignoreUnfixed: true # If you want to ignore unfixed vulnerabilities
  ```
- Install the Trivy operator (the `trivy-system` namespace is created if it does not exist yet):

  ```sh
  helm upgrade --install trivy-operator aqua/trivy-operator \
    --namespace trivy-system --create-namespace \
    --values values.yaml
  ```
- Show the vulnerabilities. After a few minutes, you should see them with the following command:

  ```sh
  kubectl get vulnerabilityreports --all-namespaces
  ```
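To act on the reports rather than just list them, here is an added example (not part of this setup) that reads the JSON form of that command (`-o json`) and lists the findings at or above a severity threshold that already have a fix, the same "unfixed" filter `ignoreUnfixed` applies at scan time. The sample data is constructed; the field names follow the VulnerabilityReport CRD.

```python
import json

# Trivy severity order; findings below the requested threshold are dropped.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like `kubectl get vulnerabilityreports -A -o json`
# (VulnerabilityReport, aquasecurity.github.io/v1alpha1); IDs/versions are placeholders.
SAMPLE_JSON = json.dumps({"kind": "List", "items": [{
    "metadata": {"namespace": "default", "name": "replicaset-web-6d4b-web",
                 "labels": {"trivy-operator.resource.kind": "ReplicaSet",
                            "trivy-operator.resource.name": "web-6d4b",
                            "trivy-operator.container.name": "web"}},
    "report": {
        "artifact": {"repository": "example/web", "tag": "1.0"},
        "summary": {"criticalCount": 1, "highCount": 1, "mediumCount": 1,
                    "lowCount": 0, "unknownCount": 0},
        "vulnerabilities": [
            {"vulnerabilityID": "CVE-PLACEHOLDER-1", "severity": "CRITICAL",
             "resource": "libssl", "installedVersion": "1.0", "fixedVersion": "1.1"},
            {"vulnerabilityID": "CVE-PLACEHOLDER-2", "severity": "HIGH",
             "resource": "zlib", "installedVersion": "1.2", "fixedVersion": ""},
            {"vulnerabilityID": "CVE-PLACEHOLDER-3", "severity": "MEDIUM",
             "resource": "curl", "installedVersion": "7.0", "fixedVersion": "7.1"}]}}]})


def severity_totals(report_list_json):
    """Sum the operator's per-report summary counters over the whole list."""
    totals = {sev: 0 for sev in SEVERITY_RANK}
    for item in json.loads(report_list_json)["items"]:
        for sev in totals:
            totals[sev] += item["report"]["summary"].get(sev.lower() + "Count", 0)
    return totals


def actionable_findings(report_list_json, min_severity="HIGH"):
    """Findings at or above min_severity that carry a fixedVersion, i.e. the ones an
    image rebuild would remove (the filter ignoreUnfixed applies at scan time)."""
    rows = []
    for item in json.loads(report_list_json)["items"]:
        meta, labels = item["metadata"], item["metadata"]["labels"]
        workload = "%s/%s/%s" % (meta["namespace"], labels["trivy-operator.resource.kind"],
                                 labels["trivy-operator.resource.name"])
        art = item["report"]["artifact"]
        for v in item["report"]["vulnerabilities"]:
            if SEVERITY_RANK[v["severity"]] < SEVERITY_RANK[min_severity]:
                continue
            if not v.get("fixedVersion"):  # unfixed: nothing to patch yet
                continue
            rows.append((workload, f"{art['repository']}:{art['tag']}", v["vulnerabilityID"],
                         v["resource"], v["installedVersion"], v["fixedVersion"]))
    return rows
```

Pipe the real output in with `kubectl get vulnerabilityreports -A -o json` and feed it to `actionable_findings` to get a patch list per workload and image.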