Maps Trivy Operator CRDs into the unified PolicyReport and ClusterPolicyReport from the Kubernetes Policy Working Group. This makes it possible to use tooling like Policy Reporter for the different kinds of Trivy Reports.
- Trivy Operator with the related CRDs is installed and running
- PolicyReport CRDs are installed in your Cluster, they can be installed via the Helm Chart by setting
crds.install
totrue
.
helm repo add trivy-operator-polr-adapter https://fjogeleit.github.io/trivy-operator-polr-adapter
helm install trivy-operator-polr-adapter trivy-operator-polr-adapter/trivy-operator-polr-adapter -n trivy-adapter --create-namespace
Local usage with ConfigAuditReport and VulnerabilityReports mapping enabled.
./trivy-operator-polr-adapter run --kubeconfig ~/.kube/config --enable-config-audit --enable-vulnerability
Argument | Helm Value | Description | Default Helm Value |
---|---|---|---|
--kubeconfig | Path to the used kubeconfig, mainly for local development | ||
--enable-vulnerability | adapters.vulnerabilityReports.enabled |
Enables the transformation of VulnerabilityReports into PolicyReports | true |
--enable-cluster-vulnerability | adapters.clusterVulnerabilityReports.enabled |
Enables the transformation of ClusterVulnerabilityReports into ClusterPolicyReports | false |
--enable-config-audit | adapters.configAuditReports.enabled |
Enables the transformation of ConfigAuditReports into PolicyReports | true |
--enable-rbac-assessment | adapters.rbacAssessmentReports.enabled |
Enables the transformation of RbacAssessmentReport into PolicyReports and ClusterRbacAssessmentReport into ClusterPolicyReports |
false |
--enable-exposed-secrets | adapters.exposedSecretReports.enabled |
Enables the transformation of ExposedSecretReport into PolicyReports | false |
--enable-compliance | adapters.complianceReports.enabled |
Enables the transformation of ClusterComplianceReport into ClusterPolicyReports | false |
--enable-infra-assessment | adapters.infraAssessmentReports.enabled |
Enables the transformation of InfraAssessmentReports into PolicyReports | false |
--enable-cluster-infra-assessment | adapters.clusterInfraAssessmentReports.enabled |
Enables the transformation of ClusterInfraAssessmentReports into ClusterPolicyReports | false |
--enable-kube-bench | adapters.cisKubeBenchReports.enabled |
Enables the transformation of CISKubeBenchReports into ClusterPolicyReports (Not available in newer version of Trivy Operator) |
false |
Sources of the PolicyReportResults can be used to filter different Reports from metrics, views or notifications in Policy Reporter
Source | TrivyReport Report |
---|---|
Trivy ConfigAudit | ConfigAuditReport |
Trivy Vulnerability | VulnerabilityReport |
Trivy Vulnerability | ClusterVulnerabilityReports |
Trivy ExposedSecrets | ExposedSecretReport |
Trivy RbacAssessment | ClusterRbacAssessmentReport / RbacAssessmentReport |
Trivy Compliance | ClusterComplianceReport |
Trivy InfraAssessment | InfraAssessmentReports |
Trivy ClusterInfraAssessment | ClusterInfraAssessmentReports |
Report CRD | Trivy Operator Polr Adapter | Trivy Opervator |
---|---|---|
CISKubeBenchReport | >= 0.0.1 |
0.0.1 (removed in newer versions) |
VulnerabilityReport | >= 0.0.1 |
>= 0.0.1 |
ConfigAuditReport | >= 0.0.1 |
>= 0.0.1 |
ExposedSecretReport | >= 0.1.0 |
>= 0.1.0 |
RbacAssessmentReport | >= 0.1.0 |
>= 0.1.4 |
InfraAssessmentReports | >= 0.3.1 |
>= 0.7.0 |
ClusterComplianceReport | >= 0.3.1 |
>= 0.9.0 |
ClusterInfraAssessmentReport | >= 0.5.0 |
>= 0.11.0 |
ClusterVulnerabilityReports | >= 0.8.0 |
>= 0.18.0 |
Maps VulnerabilityReports into PolicyReports with the relation 1:1. The PolicyReport is referenced with the scanned resource like the VulnerabilityReport itself.
apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
labels:
app.kubernetes.io/created-by: trivy-operator-polr-adapter
trivy-operator.source: VulnerabilityReport
name: trivy-vuln-polr-nginx-5fbc65fff
namespace: test
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: false
controller: true
kind: ReplicaSet
name: nginx-5fbc65fff
uid: 710f2142-7613-4cf5-aef7-dc65306626e2
resourceVersion: "122118"
uid: 2ea883ef-c060-4e80-ae34-3f9b527c02bc
scope:
apiVersion: apps/v1
kind: ReplicaSet
name: nginx-5fbc65fff
namespace: test
uid: 710f2142-7613-4cf5-aef7-dc65306626e2
results:
- category: Vulnerability Scan
message: 'apt: integer overflows and underflows while parsing .deb packages'
policy: CVE-2020-27350
properties:
artifact.repository: library/nginx
artifact.tag: "1.17"
fixedVersion: 1.8.2.2
installedVersion: 1.8.2.1
primaryLink: https://avd.aquasec.com/nvd/cve-2020-27350
registry.server: index.docker.io
resource: apt
score: "5.7"
result: warn
severity: medium
source: Trivy Vulnerability
timestamp:
nanos: 0
seconds: 1653395950
summary:
error: 0
fail: 109
pass: 0
skip: 1
warn: 166
Maps ConfigAuditReports into PolicyReports with the relation 1:1. The PolicyReport is referenced with the scanned resource like the ConfigAuditReport itself.
apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
labels:
app.kubernetes.io/created-by: trivy-operator-polr-adapter
trivy-operator.source: ConfigAuditReport
name: trivy-audit-polr-nginx-5fbc65fff
namespace: test
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: false
controller: true
kind: ReplicaSet
name: nginx-5fbc65fff
uid: 710f2142-7613-4cf5-aef7-dc65306626e2
scope:
apiVersion: apps/v1
kind: ReplicaSet
name: nginx-5fbc65fff
namespace: test
uid: 710f2142-7613-4cf5-aef7-dc65306626e2
results:
- category: Kubernetes Security Check
message: Sysctls can disable security mechanisms or affect all containers on a host,
and should be disallowed except for an allowed 'safe' subset. A sysctl is considered
safe if it is namespaced in the container or the Pod, and it is isolated from
other Pods or processes on the same Node.
policy: Unsafe sysctl options set
result: pass
rule: KSV026
severity: medium
source: Trivy ConfigAudit
timestamp:
nanos: 0
seconds: 1653395950
summary:
error: 0
fail: 26
pass: 42
skip: 0
warn: 0
Maps RbacAssessmentReport into PolicyReports.
apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
labels:
app.kubernetes.io/created-by: trivy-operator-polr-adapter
trivy-operator.source: RbacAssessmentReport
name: trivy-rbac-polr-role-57d656695f
namespace: kyverno
ownerReferences:
- apiVersion: rbac.authorization.k8s.io/v1
blockOwnerDeletion: false
controller: true
kind: Role
name: kyverno:leaderelection
uid: ea031ce4-9f63-4aa9-a68c-da42b523768d
scope:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
name: kyverno:leaderelection
namespace: kyverno
uid: ea031ce4-9f63-4aa9-a68c-da42b523768d
results:
- category: Kubernetes Security Check
message: Check whether role permits update/create of a malicious pod
policy: Do not allow update/create of a malicious pod
properties:
1. message: Role permits create/update of a malicious pod
resultID: 5d52ad869c9da5e8533ae31a62b8e5a8a2f1838f
result: fail
rule: KSV048
severity: high
source: Trivy RbacAssessment
timestamp:
nanos: 0
seconds: 1661168982
- category: Kubernetes Security Check
message: Check whether role permits allowing users in a rolebinding to add other
users to their rolebindings
policy: Do not allow users in a rolebinding to add other users to their rolebindings
properties:
resultID: 3de0c6a7f01df775fad425283b2cf56771e10902
result: pass
rule: KSV055
severity: low
source: Trivy RbacAssessment
timestamp:
nanos: 0
seconds: 1661168982
summary:
error: 0
fail: 1
pass: 1
skip: 0
warn: 0
Maps ClusterRbacAssessmentReport into PolicyReports.
apiVersion: wgpolicyk8s.io/v1alpha2
kind: ClusterPolicyReport
metadata:
labels:
app.kubernetes.io/created-by: trivy-operator-polr-adapter
trivy-operator.source: ClusterRbacAssessmentReport
name: trivy-rbac-cpolr-clusterrole-5585c7b9ff
ownerReferences:
- apiVersion: rbac.authorization.k8s.io/v1
blockOwnerDeletion: false
controller: true
kind: ClusterRole
name: system:certificates.k8s.io:kubelet-serving-approver
uid: 21449ac8-2f58-4eff-8f3d-c9e4e0024821
resourceVersion: "39436"
uid: 2296a252-b108-4d4a-b705-4b8983babe2b
scope:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
name: system:certificates.k8s.io:kubelet-serving-approver
uid: 21449ac8-2f58-4eff-8f3d-c9e4e0024821
results:
- category: Kubernetes Security Check
message: Some workloads leverage configmaps to store sensitive data or configuration
parameters that affect runtime behavior that can be modified by an attacker or
combined with another issue to potentially lead to compromise.
policy: Do not allow management of configmaps
properties:
resultID: d06e66683ee5de1136d5996ae0f4e1ae9b5d85c7
result: pass
rule: KSV049
severity: medium
source: Trivy RbacAssessment
timestamp:
nanos: 0
seconds: 1661165899
- category: Kubernetes Security Check
message: Check whether role permits privilege escalation from node proxy
policy: Do not allow privilege escalation from node proxy
properties:
resultID: 519454bf1ec35b55d0d8041fb191017bf83519d3
result: pass
rule: KSV047
severity: high
source: Trivy RbacAssessment
timestamp:
nanos: 0
seconds: 1661165899
summary:
error: 0
fail: 0
pass: 2
skip: 0
warn: 0
Maps ClusterComplianceReports in detailed (all) mode into ClusterPolicyReports
apiVersion: wgpolicyk8s.io/v1alpha2
kind: ClusterPolicyReport
metadata:
labels:
app.kubernetes.io/created-by: trivy-operator-polr-adapter
app.kubernetes.io/managed-by: trivy-operator-polr-adapter
trivy-operator.source: ClusterComplianceReport
name: trivy-compliance-cpolr-nsa
ownerReferences:
- apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
name: nsa
uid: 9e1b4826-f357-407c-ac41-359a6dd41037
results:
- category: Kubernetes Security Check
message: '''runAsNonRoot'' forces the running image to run as a non-root user to
ensure least privileges.'
policy: 1.0 Non-root containers
properties:
id: AVD-KSV-0012
resultID: 6ee90a6c312e2a96418600e0daad1a2afb8c15e2
resources:
- name: kube-system/pod-kube-apiserver-minikube
result: fail
rule: Runs as root user
severity: medium
source: Trivy Compliance
timestamp:
nanos: 0
seconds: 1671442549
- category: Kubernetes Security Check
message: An immutable root file system prevents applications from writing to their
local disk. This can limit intrusions, as attackers will not be able to tamper
with the file system or write foreign executables to disk.
policy: 1.1 Immutable container file systems
properties:
id: AVD-KSV-0014
resultID: 528a263d5710cde2c9d9db0964b393b30e92a3a9
resources:
- name: kube-system/pod-etcd-minikube
result: fail
rule: Root file system is not read-only
severity: low
source: Trivy Compliance
timestamp:
nanos: 0
seconds: 1671442549
summary:
error: 0
fail: 2
pass: 0
skip: 0
warn: 0
Maps InfraAssessmentReports into PolicyReports.
apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
labels:
app.kubernetes.io/created-by: trivy-operator-polr-adapter
app.kubernetes.io/managed-by: trivy-operator-polr-adapter
trivy-operator.source: InfraAssessmentReport
name: trivy-infra-polr-pod-kube-apiserver-minikube
namespace: kube-system
ownerReferences:
- apiVersion: aquasecurity.github.io/v1alpha1
kind: InfraAssessmentReport
name: pod-kube-apiserver-minikube
uid: 37266479-d784-4ed9-a4c6-9dda5dff488b
scope:
apiVersion: v1
kind: Pod
name: kube-apiserver-minikube
namespace: kube-system
uid: 5a50c600-4dff-42fd-a0c2-6734bb07ab0e
results:
- category: Kubernetes Security Check
message: Ensure that the admission control plugin SecurityContextDeny is set if
PodSecurityPolicy is not used
policy: KCV0013
properties:
description: The SecurityContextDeny admission controller can be used to deny
pods which make use of some SecurityContext fields which could allow for privilege
escalation in the cluster. This should be used where PodSecurityPolicy is not
in place within the cluster.
result: fail
rule: Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy
is not used
severity: low
source: Trivy InfraAssessment
timestamp:
nanos: 0
seconds: 1671442613
summary:
error: 0
fail: 1
pass: 0
skip: 0
warn: 0