From 2f300ccf6d4164c04e01e2afc7489b3d2c2bce8d Mon Sep 17 00:00:00 2001 From: Maxime Brunet Date: Sun, 17 Mar 2024 12:44:40 -0700 Subject: [PATCH 1/4] fix: support affinity for scan jobs --- deploy/helm/README.md | 1 + .../helm/templates/configmaps/operator.yaml | 5 +- deploy/helm/values.yaml | 2 + .../installation/configuration.md | 2 + docs/settings.md | 1 + go.mod | 2 +- go.sum | 2 + pkg/configauditreport/controller/node.go | 5 ++ pkg/trivyoperator/config.go | 17 ++++- pkg/trivyoperator/config_test.go | 69 +++++++++++++++++++ pkg/vulnerabilityreport/builder.go | 10 +++ .../controller/workload.go | 6 ++ 12 files changed, 119 insertions(+), 3 deletions(-) diff --git a/deploy/helm/README.md b/deploy/helm/README.md index d2d982a79..46f64e60b 100644 --- a/deploy/helm/README.md +++ b/deploy/helm/README.md @@ -185,6 +185,7 @@ Keeps security report resources updated | trivyOperator.scanJobPodTemplateContainerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true}` | scanJobPodTemplateContainerSecurityContext SecurityContext the user wants the scanner and node collector containers (and their initContainers) to be amended with. | | trivyOperator.scanJobPodTemplateLabels | string | `""` | scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage` | | trivyOperator.scanJobPodTemplatePodSecurityContext | object | `{}` | scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with. Example: RunAsUser: 10000 RunAsGroup: 10000 RunAsNonRoot: true | +| trivyOperator.scanJobAffinity | object | `{}` | scanJobAffinity affinity to be applied to the scanner pods and node-collector | | trivyOperator.scanJobTolerations | list | `[]` | scanJobTolerations tolerations to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints | | trivyOperator.skipInitContainers | bool | `false` | skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods | | trivyOperator.skipResourceByLabels | string | `""` | skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels | diff --git a/deploy/helm/templates/configmaps/operator.yaml b/deploy/helm/templates/configmaps/operator.yaml index c4a29746b..13c53c768 100644 --- a/deploy/helm/templates/configmaps/operator.yaml +++ b/deploy/helm/templates/configmaps/operator.yaml @@ -6,6 +6,9 @@ metadata: namespace: {{ include "trivy-operator.namespace" . }} labels: {{- include "trivy-operator.labels" . | nindent 4 }} data: + {{- with .Values.trivyOperator.scanJobAffinity }} + scanJob.affinity: {{ . | toJson | quote }} + {{- end }} {{- with .Values.trivyOperator.scanJobTolerations }} scanJob.tolerations: {{ . | toJson | quote }} {{- end }} @@ -75,4 +78,4 @@ data: {{- with .Values.nodeCollector.imagePullSecret }} node.collector.imagePullSecret: "{{ . }}" {{- end }} - node.collector.nodeSelector: {{ .Values.nodeCollector.useNodeSelector | quote }} \ No newline at end of file + node.collector.nodeSelector: {{ .Values.nodeCollector.useNodeSelector | quote }} diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml index a7c0cf0ae..282f72296 100644 --- a/deploy/helm/values.yaml +++ b/deploy/helm/values.yaml @@ -216,6 +216,8 @@ trivyOperator: configAuditReportsPlugin: "Trivy" # -- scanJobCompressLogs control whether scanjob output should be compressed or plain scanJobCompressLogs: true + # -- scanJobAffinity affinity to be applied to the scanner pods and node-collector + scanJobAffinity: [] # -- scanJobTolerations tolerations to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints scanJobTolerations: [] # -- If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the diff --git a/docs/getting-started/installation/configuration.md b/docs/getting-started/installation/configuration.md index 59956f09e..99532341c 100644 --- a/docs/getting-started/installation/configuration.md +++ b/docs/getting-started/installation/configuration.md @@ -69,6 +69,7 @@ To change the target namespace from all namespaces to the `default` namespace ed |---|---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `vulnerabilityReports.scanner`| `Trivy`| The name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`. | | `vulnerabilityReports.scanJobsInSameNamespace` | `"false"`| Whether to run vulnerability scan jobs in same namespace of workload. Set `"true"` to enable. | +| `scanJob.affinity` | N/A| JSON representation of the [affinity] to be applied to the scanner pods and node-collector. Example: `'{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]},{"matchExpressions":[{"key":"virtual-kubelet.io/provider","operator":"DoesNotExist"}]}]}}}'` | `scanJob.tolerations`| N/A| JSON representation of the [tolerations] to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints. Example: `'[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]'` | `nodeCollector.volumeMounts`| see helm/values.yaml | node-collector pod volumeMounts definition for collecting config files information | `nodeCollector.volumes`| see helm/values.yaml | node-collector pod volumes definition for collecting config files information | @@ -132,6 +133,7 @@ kubectl patch cm trivy-operator-trivy-config -n trivy-system \ -p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]' ``` +[affinity]: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity [tolerations]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration [prometheus]: https://github.com/prometheus diff --git a/docs/settings.md b/docs/settings.md index 7f9c720d3..b3ae4da8f 100644 --- a/docs/settings.md +++ b/docs/settings.md @@ -55,6 +55,7 @@ configuration settings for common use cases. For example, switch Trivy from [Sta | `vulnerabilityReports.scanner` | `Trivy` | The name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`. | | `vulnerabilityReports.scanJobsInSameNamespace` | `"false"` | Whether to run vulnerability scan jobs in same namespace of workload. Set `"true"` to enable. | | `configAuditReports.scanner` | `Trivy` | The name of the plugin that generates config audit reports. | +| `scanJob.affinity` | N/A | JSON representation of the [affinity] to be applied to the scanner pods and node-collector. Example: `'{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]},{"matchExpressions":[{"key":"virtual-kubelet.io/provider","operator":"DoesNotExist"}]}]}}}'` | | `scanJob.tolerations` | N/A | JSON representation of the [tolerations] to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints. Example: `'[{"key":"key1", "operator":"Equal", "value":"value1", "effect":"NoSchedule"}]'` | | `nodeCollector.volumeMounts`| see helm/values.yaml | node-collector pod volumeMounts definition for collecting config files information | `nodeCollector.volumes`| see helm/values.yaml | node-collector pod volumes definition for collecting config files information diff --git a/go.mod b/go.mod index 26889c661..7d1906f3d 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/CycloneDX/cyclonedx-go v0.8.0 github.com/aquasecurity/defsec v0.94.1 github.com/aquasecurity/trivy v0.49.1 - github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240129122346-af2de58a7466 + github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240311135805-8e927abd008d github.com/bluele/gcache v0.0.2 github.com/caarlos0/env/v6 v6.10.1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc diff --git a/go.sum b/go.sum index e2dc69353..e84da8350 100644 --- a/go.sum +++ b/go.sum @@ -314,6 +314,8 @@ github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgB github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240129122346-af2de58a7466 h1:pM/cncKgNyvCzhOiFL19F4pyebktYBwl9/XyQl44OCI= github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240129122346-af2de58a7466/go.mod h1:pGWup/B9igRLCuJ0fmI7hft4Ni7l5zCspwtt5dvVNTY= +github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240311135805-8e927abd008d h1:BWcT4YE8jHMWMIxZCC6sgriRP4xLTOyEe8tFoY4pnXQ= +github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240311135805-8e927abd008d/go.mod h1:6T6aM0FnBMoNfLiPFPatPXfBpMO9Zgo/G22A5KWGijc= github.com/aquasecurity/trivy-policies v0.8.0 h1:LvmIdw/DfTF72Lc8L+CKLYzfb5BFYzLBGFFR95PKC74= github.com/aquasecurity/trivy-policies v0.8.0/go.mod h1:qF/t59pgK/0JTV6tXaeA3Iw3opzoMgzGCDcTDBmqb30= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= diff --git a/pkg/configauditreport/controller/node.go b/pkg/configauditreport/controller/node.go index 91427cd3b..32eba25e0 100644 --- a/pkg/configauditreport/controller/node.go +++ b/pkg/configauditreport/controller/node.go @@ -121,6 +121,10 @@ func (r *NodeReconciler) reconcileNodes() reconcile.Func { if err != nil { return ctrl.Result{}, fmt.Errorf("preparing job: %w", err) } + jobAffinity, err := r.GetScanJobAffinity() + if err != nil { + return ctrl.Result{}, fmt.Errorf("getting job affinity: %w", err) + } jobTolerations, err := r.GetScanJobTolerations() if err != nil { return ctrl.Result{}, fmt.Errorf("getting job tolerations: %w", err) @@ -168,6 +172,7 @@ func (r *NodeReconciler) reconcileNodes() reconcile.Func { j.WithJobNamespace(on), j.WithServiceAccount(r.ServiceAccount), j.WithCollectorTimeout(r.Config.ScanJobTimeout), + j.WithJobAffinity(jobAffinity), j.WithJobTolerations(jobTolerations), j.WithPodSpecSecurityContext(scanJobSecurityContext), j.WithContainerSecurityContext(scanJobContainerSecurityContext), diff --git a/pkg/trivyoperator/config.go b/pkg/trivyoperator/config.go index fde76eadc..0c418953a 100644 --- a/pkg/trivyoperator/config.go +++ b/pkg/trivyoperator/config.go @@ -59,6 +59,7 @@ const ( keyVulnerabilityReportsScanner = "vulnerabilityReports.scanner" KeyVulnerabilityScansInSameNamespace = "vulnerabilityReports.scanJobsInSameNamespace" keyConfigAuditReportsScanner = "configAuditReports.scanner" + keyScanJobAffinity = "scanJob.affinity" keyScanJobTolerations = "scanJob.tolerations" KeyScanJobcompressLogs = "scanJob.compressLogs" KeyNodeCollectorVolumes = "nodeCollector.volumes" @@ -168,6 +169,20 @@ func (c ConfigData) GetConfigAuditReportsScanner() Scanner { return Scanner(value) } +func (c ConfigData) GetScanJobAffinity() (*corev1.Affinity, error) { + if c[keyScanJobAffinity] == "" { + return nil, nil + } + + scanJobAffinity := &corev1.Affinity{} + err := json.Unmarshal([]byte(c[keyScanJobAffinity]), scanJobAffinity) + if err != nil { + return nil, fmt.Errorf("failed parsing incorrectly formatted custom scan pod template affinity: %s", c[keyScanJobAffinity]) + } + + return scanJobAffinity, nil +} + func (c ConfigData) GetScanJobTolerations() ([]corev1.Toleration, error) { var scanJobTolerations []corev1.Toleration if c[keyScanJobTolerations] == "" { @@ -219,7 +234,7 @@ func (c ConfigData) GetScanJobNodeSelector() (map[string]string, error) { } if err := json.Unmarshal([]byte(c[keyScanJobNodeSelector]), &scanJobNodeSelector); err != nil { - return scanJobNodeSelector, fmt.Errorf("failed to parse incorrect job template nodeSelector %s: %w", c[keyScanJobNodeSelector], err) + return scanJobNodeSelector, fmt.Errorf("failed to parse incorrect pod template nodeSelector %s: %w", c[keyScanJobNodeSelector], err) } return scanJobNodeSelector, nil diff --git a/pkg/trivyoperator/config_test.go b/pkg/trivyoperator/config_test.go index 68d5ec3b7..5f4950aa8 100644 --- a/pkg/trivyoperator/config_test.go +++ b/pkg/trivyoperator/config_test.go @@ -76,6 +76,75 @@ func TestConfigData_GetConfigAuditReportsScanner(t *testing.T) { } } +func TestConfigData_GetScanJobAffinity(t *testing.T) { + testCases := []struct { + name string + config trivyoperator.ConfigData + expected *corev1.Affinity + expectError string + }{ + { + name: "no scanJob.affinity in ConfigData", + config: trivyoperator.ConfigData{}, + expected: nil, + }, + { + name: "scanJob.affinity value is not json", + config: trivyoperator.ConfigData{"scanJob.affinity": `lolwut`}, + expected: nil, + expectError: "invalid character 'l' looking for beginning of value", + }, + { + name: "empty JSON array", + config: trivyoperator.ConfigData{"scanJob.affinity": `{}`}, + expected: &corev1.Affinity{}, + }, + { + name: "valid affinity", + config: trivyoperator.ConfigData{ + "scanJob.affinity": `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]},{"matchExpressions":[{"key":"virtual-kubelet.io/provider","operator":"DoesNotExist"}]}]}}}`, + }, + expected: &corev1.Affinity{ + NodeAffinity: &corev1.NodeAffinity{ + RequiredDuringSchedulingIgnoredDuringExecution: &corev1.NodeSelector{ + NodeSelectorTerms: []corev1.NodeSelectorTerm{ + { + MatchExpressions: []corev1.NodeSelectorRequirement{ + { + Key: "kubernetes.io/os", + Operator: corev1.NodeSelectorOpIn, + Values: []string{"linux"}, + }, + }, + }, + { + MatchExpressions: []corev1.NodeSelectorRequirement{ + { + Key: "virtual-kubelet.io/provider", + Operator: corev1.NodeSelectorOpDoesNotExist, + }, + }, + }, + }, + }, + }, + }, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + got, err := tc.config.GetScanJobAffinity() + if tc.expectError != "" { + assert.Error(t, err, "unexpected end of JSON input", tc.name) + } else { + assert.NoError(t, err, tc.name) + } + assert.Equal(t, tc.expected, got, tc.name) + }) + } +} + func TestConfigData_GetScanJobTolerations(t *testing.T) { testCases := []struct { name string diff --git a/pkg/vulnerabilityreport/builder.go b/pkg/vulnerabilityreport/builder.go index 4f75fd58b..c902d6fd6 100644 --- a/pkg/vulnerabilityreport/builder.go +++ b/pkg/vulnerabilityreport/builder.go @@ -29,6 +29,7 @@ type ScanJobBuilder struct { timeout time.Duration object client.Object credentials map[string]docker.Auth + affinity *corev1.Affinity tolerations []corev1.Toleration nodeSelector map[string]string annotations map[string]string @@ -79,6 +80,11 @@ func (s *ScanJobBuilder) WithObject(object client.Object) *ScanJobBuilder { return s } +func (s *ScanJobBuilder) WithAffinity(affinity *corev1.Affinity) *ScanJobBuilder { + s.affinity = affinity + return s +} + func (s *ScanJobBuilder) WithTolerations(tolerations []corev1.Toleration) *ScanJobBuilder { s.tolerations = tolerations return s @@ -135,6 +141,10 @@ func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error) { return nil, nil, err } + if s.affinity != nil { + templateSpec.Affinity = s.affinity + } + templateSpec.Tolerations = append(templateSpec.Tolerations, s.tolerations...) if s.podSecurityContext != nil { templateSpec.SecurityContext = s.podSecurityContext diff --git a/pkg/vulnerabilityreport/controller/workload.go b/pkg/vulnerabilityreport/controller/workload.go index 02e4a8821..bbd40e0e1 100644 --- a/pkg/vulnerabilityreport/controller/workload.go +++ b/pkg/vulnerabilityreport/controller/workload.go @@ -268,6 +268,11 @@ func (r *WorkloadController) SubmitScanJob(ctx context.Context, owner client.Obj } } + scanJobAffinity, err := r.GetScanJobAffinity() + if err != nil { + return fmt.Errorf("getting scan job affinity: %w", err) + } + scanJobTolerations, err := r.GetScanJobTolerations() if err != nil { return fmt.Errorf("getting scan job tolerations: %w", err) @@ -310,6 +315,7 @@ func (r *WorkloadController) SubmitScanJob(ctx context.Context, owner client.Obj WithTTL(r.Config.ScanJobTTL). WithScanSecretTTL(r.Config.ScanSecretTTL). WithObject(owner). + WithAffinity(scanJobAffinity). WithTolerations(scanJobTolerations). WithAnnotations(scanJobAnnotations). WithNodeSelector(scanJobNodeSelector). From c68be4dad1a8108e708649690865ee6895e1c390 Mon Sep 17 00:00:00 2001 From: Maxime Brunet Date: Mon, 18 Mar 2024 09:25:16 -0700 Subject: [PATCH 2/4] Minor fixes --- go.sum | 2 -- pkg/trivyoperator/config_test.go | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/go.sum b/go.sum index e84da8350..934d934b7 100644 --- a/go.sum +++ b/go.sum @@ -312,8 +312,6 @@ github.com/aquasecurity/trivy-iac v0.8.0 h1:NKFhk/BTwQ0jIh4t74V8+6UIGUvPlaxO9HPl github.com/aquasecurity/trivy-iac v0.8.0/go.mod h1:ARiMeNqcaVWOXJmp8hmtMnNm/Jd836IOmDBUW5r4KEk= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= -github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240129122346-af2de58a7466 h1:pM/cncKgNyvCzhOiFL19F4pyebktYBwl9/XyQl44OCI= -github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240129122346-af2de58a7466/go.mod h1:pGWup/B9igRLCuJ0fmI7hft4Ni7l5zCspwtt5dvVNTY= github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240311135805-8e927abd008d h1:BWcT4YE8jHMWMIxZCC6sgriRP4xLTOyEe8tFoY4pnXQ= github.com/aquasecurity/trivy-kubernetes v0.6.4-0.20240311135805-8e927abd008d/go.mod h1:6T6aM0FnBMoNfLiPFPatPXfBpMO9Zgo/G22A5KWGijc= github.com/aquasecurity/trivy-policies v0.8.0 h1:LvmIdw/DfTF72Lc8L+CKLYzfb5BFYzLBGFFR95PKC74= diff --git a/pkg/trivyoperator/config_test.go b/pkg/trivyoperator/config_test.go index 5f4950aa8..9448af433 100644 --- a/pkg/trivyoperator/config_test.go +++ b/pkg/trivyoperator/config_test.go @@ -498,7 +498,7 @@ func TestConfigData_GetScanJobNodeSelector(t *testing.T) { "scanJob.nodeSelector": "{dlzm", }, expected: map[string]string{}, - expectError: "failed to parse incorrect job template nodeSelector {dlzm: invalid character 'd' looking for beginning of object key string", + expectError: "failed to parse incorrect pod template nodeSelector {dlzm: invalid character 'd' looking for beginning of object key string", }, } From 5fb15dc2f3422194bd3877167014c57e78b645ff Mon Sep 17 00:00:00 2001 From: Maxime Brunet Date: Mon, 18 Mar 2024 11:52:19 -0700 Subject: [PATCH 3/4] Re-generate --- deploy/helm/README.md | 2 +- deploy/static/trivy-operator.yaml | 56 +++++++++++++++---------------- 2 files changed, 29 insertions(+), 29 deletions(-) diff --git a/deploy/helm/README.md b/deploy/helm/README.md index 46f64e60b..d80f9d4d0 100644 --- a/deploy/helm/README.md +++ b/deploy/helm/README.md @@ -177,6 +177,7 @@ Keeps security report resources updated | trivyOperator.policiesConfig | string | `""` | policiesConfig Custom Rego Policies to be used by the config audit scanner See https://github.com/aquasecurity/trivy-operator/blob/main/docs/tutorials/writing-custom-configuration-audit-policies.md for more details. | | trivyOperator.reportRecordFailedChecksOnly | bool | `true` | reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment) | | trivyOperator.reportResourceLabels | string | `""` | reportResourceLabels comma-separated scanned resource labels which the user wants to include in the Prometheus metrics report. Example: `owner,app` | +| trivyOperator.scanJobAffinity | list | `[]` | scanJobAffinity affinity to be applied to the scanner pods and node-collector | | trivyOperator.scanJobAnnotations | string | `""` | scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner pods to be annotated with. Example: `foo=bar,env=stage` will annotate the scanner pods with the annotations `foo: bar` and `env: stage` | | trivyOperator.scanJobAutomountServiceAccountToken | bool | `false` | scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job | | trivyOperator.scanJobCompressLogs | bool | `true` | scanJobCompressLogs control whether scanjob output should be compressed or plain | @@ -185,7 +186,6 @@ Keeps security report resources updated | trivyOperator.scanJobPodTemplateContainerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true}` | scanJobPodTemplateContainerSecurityContext SecurityContext the user wants the scanner and node collector containers (and their initContainers) to be amended with. | | trivyOperator.scanJobPodTemplateLabels | string | `""` | scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage` | | trivyOperator.scanJobPodTemplatePodSecurityContext | object | `{}` | scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with. Example: RunAsUser: 10000 RunAsGroup: 10000 RunAsNonRoot: true | -| trivyOperator.scanJobAffinity | object | `{}` | scanJobAffinity affinity to be applied to the scanner pods and node-collector | | trivyOperator.scanJobTolerations | list | `[]` | scanJobTolerations tolerations to be applied to the scanner pods and node-collector so that they can run on nodes with matching taints | | trivyOperator.skipInitContainers | bool | `false` | skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods | | trivyOperator.skipResourceByLabels | string | `""` | skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels | diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml index 8c812f295..b850c2a01 100644 --- a/deploy/static/trivy-operator.yaml +++ b/deploy/static/trivy-operator.yaml @@ -3124,6 +3124,25 @@ spec: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator --- +# Source: trivy-operator/templates/rbac/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: trivy-operator + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.19.0" + app.kubernetes.io/managed-by: kubectl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: trivy-operator +subjects: + - kind: ServiceAccount + name: trivy-operator + namespace: trivy-system +--- # Source: trivy-operator/templates/rbac/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -3493,11 +3512,12 @@ rules: verbs: - get --- -# Source: trivy-operator/templates/rbac/clusterrolebinding.yaml +# Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: trivy-operator + name: trivy-operator-leader-election + namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator @@ -3505,8 +3525,8 @@ metadata: app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: trivy-operator + kind: Role + name: trivy-operator-leader-election subjects: - kind: ServiceAccount name: trivy-operator @@ -3540,11 +3560,11 @@ rules: verbs: - create --- -# Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml +# Source: trivy-operator/templates/rbac/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: trivy-operator-leader-election + name: trivy-operator namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator @@ -3554,7 +3574,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: trivy-operator-leader-election + name: trivy-operator subjects: - kind: ServiceAccount name: trivy-operator @@ -3590,26 +3610,6 @@ rules: - get - delete --- -# Source: trivy-operator/templates/rbac/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: trivy-operator - namespace: trivy-system - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: kubectl -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-operator - namespace: trivy-system ---- # Source: trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml # permissions for end users to view configauditreports apiVersion: rbac.authorization.k8s.io/v1 From e27a68fd9a0bdb380640ff5c872a400b649305fa Mon Sep 17 00:00:00 2001 From: Maxime Brunet Date: Mon, 18 Mar 2024 12:07:04 -0700 Subject: [PATCH 4/4] Undo static manifest changes --- deploy/static/trivy-operator.yaml | 56 +++++++++++++++---------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml index b850c2a01..8c812f295 100644 --- a/deploy/static/trivy-operator.yaml +++ b/deploy/static/trivy-operator.yaml @@ -3124,25 +3124,6 @@ spec: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator --- -# Source: trivy-operator/templates/rbac/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: trivy-operator - labels: - app.kubernetes.io/name: trivy-operator - app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.19.0" - app.kubernetes.io/managed-by: kubectl -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: trivy-operator -subjects: - - kind: ServiceAccount - name: trivy-operator - namespace: trivy-system ---- # Source: trivy-operator/templates/rbac/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -3512,12 +3493,11 @@ rules: verbs: - get --- -# Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml +# Source: trivy-operator/templates/rbac/clusterrolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: ClusterRoleBinding metadata: - name: trivy-operator-leader-election - namespace: trivy-system + name: trivy-operator labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator @@ -3525,8 +3505,8 @@ metadata: app.kubernetes.io/managed-by: kubectl roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: trivy-operator-leader-election + kind: ClusterRole + name: trivy-operator subjects: - kind: ServiceAccount name: trivy-operator @@ -3560,11 +3540,11 @@ rules: verbs: - create --- -# Source: trivy-operator/templates/rbac/rolebinding.yaml +# Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: trivy-operator + name: trivy-operator-leader-election namespace: trivy-system labels: app.kubernetes.io/name: trivy-operator @@ -3574,7 +3554,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: trivy-operator + name: trivy-operator-leader-election subjects: - kind: ServiceAccount name: trivy-operator @@ -3610,6 +3590,26 @@ rules: - get - delete --- +# Source: trivy-operator/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.19.0" + app.kubernetes.io/managed-by: kubectl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: trivy-operator +subjects: + - kind: ServiceAccount + name: trivy-operator + namespace: trivy-system +--- # Source: trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml # permissions for end users to view configauditreports apiVersion: rbac.authorization.k8s.io/v1