This operator simply watches for `VulnerabilityReport` custom resources (created by the trivy-operator) and uploads each report to an S3 bucket.
Because it relies on the CRDs already provided by Aqua Security, there is no need to define or install them here. You first need to install the trivy-operator (which can be found here); once the trivy-operator is installed, you can install this operator.
You'll need a Kubernetes cluster to run against. You can use KIND to get a local cluster for testing, or run against a remote cluster.

Note: your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
- Follow the instructions for installing the CRDs from trivy-operator.
- Take a look at the `build-and-deploy.sh` shell script and modify the variables as needed:
  - `IMAGE_NAME` - the name of the image to be built and deployed
  - `IMAGE_TAG` - the tag to use for the image
  - `NAMESPACE` - the namespace to deploy the operator to
  - `S3_BUCKET` - the S3 bucket to upload reports to
  - The following are optional; if not specified they fall back to environment variables:
    - `AWS_ACCESS_KEY_ID` - the AWS access key ID to use
    - `AWS_SECRET_ACCESS_KEY` - the AWS secret access key to use
    - `AWS_REGION` - the AWS region to use

  Treat the two key variables as secrets: do not commit values into the script, and prefer supplying credentials through the environment or an IAM role bound to the operator's service account rather than long-lived static keys.
- The script automates all steps for you, including building the image, pushing it to a registry, and deploying the operator to the cluster. Run it with:

  ```
  ./build-and-deploy.sh
  ```
- If using ECR, uncomment the `make ecr-login` line in the script.
This project aims to follow the Kubernetes Operator pattern. It uses controllers, each of which provides a reconcile function responsible for synchronizing resources until the desired state is reached on the cluster.
If you are editing the API definitions, generate the manifests such as CRs or CRDs using:

```
make manifests
```
You must add the `processed` boolean to the `VulnerabilityReport` CRD. It is used to determine whether a report has already been processed (uploaded) or not. Add a printer column:

```yaml
additionalPrinterColumns:
  ...
  - description: Has report been processed
    name: processed
    jsonPath: .report.processed
    priority: 1
    type: boolean
```

and the property itself under `schema.properties.report`:

```yaml
processed:
  description: Whether the report has been processed and uploaded to S3
  type: boolean
```
To do this, either:

- edit the CRD in place with

  ```
  kubectl edit crd/vulnerabilityreports.aquasecurity.github.io
  ```

  or apply the change with `kubectl patch`; or
- use Kustomize:
  - edit `config/crd/bases/aquasecurity.github.io_vulnerabilityreports.yaml`
  - run `make manifests`
  - run `kubectl apply -f config/crd/aquasecurity.github.io_vulnerabilityreports.yaml`
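As an added example (not part of this project's code), the following shell script builds the `kubectl patch` document that the steps above leave unspecified, plus a query to confirm the column landed. It assumes the version being patched is the first entry of `spec.versions` (v1alpha1 at index 0, overridable via `VERSION_INDEX`) and that `kubectl` already points at the right cluster. Only the patch-generating function runs when the script is executed; `apply_processed_patch` and `verify_processed_column` are called on demand.

```shell
#!/usr/bin/env bash
# Added example, not from the project: generate an RFC 6902 JSON Patch that
# adds the `processed` boolean to the trivy-operator VulnerabilityReport CRD.
set -euo pipefail

CRD_NAME="vulnerabilityreports.aquasecurity.github.io"
# Assumption: the served version (v1alpha1) is spec.versions[0].
VERSION_INDEX="${VERSION_INDEX:-0}"

# Emit the patch. "/-" appends to the additionalPrinterColumns array; the
# second "add" creates the `processed` key under report.properties.
crd_processed_patch() {
  cat <<EOF
[
  {"op": "add",
   "path": "/spec/versions/${VERSION_INDEX}/additionalPrinterColumns/-",
   "value": {"name": "processed", "type": "boolean", "priority": 1,
             "jsonPath": ".report.processed",
             "description": "Has report been processed"}},
  {"op": "add",
   "path": "/spec/versions/${VERSION_INDEX}/schema/openAPIV3Schema/properties/report/properties/processed",
   "value": {"type": "boolean",
             "description": "Whether the report has been processed and uploaded to S3"}}
]
EOF
}

# Apply the patch to the live CRD (needs cluster access; not run by default).
apply_processed_patch() {
  kubectl patch "crd/${CRD_NAME}" --type=json -p "$(crd_processed_patch)"
}

# Print the jsonPath of the `processed` column, or nothing if it is missing.
verify_processed_column() {
  kubectl get "crd/${CRD_NAME}" \
    -o jsonpath="{.spec.versions[${VERSION_INDEX}].additionalPrinterColumns[?(@.name=='processed')].jsonPath}"
}

# Cheap offline sanity check: number of operations in the generated patch.
patch_op_count() {
  crd_processed_patch | grep -c '"op":'
}

crd_processed_patch
```

Both `kubectl edit` and `kubectl patch` change the live object only, so the addition is lost if the trivy-operator CRDs are re-applied (for example on upgrade); the Kustomize route is the durable choice. The operator's service account also needs permission to update `vulnerabilityreports`, since setting the flag after upload is what keeps repeated reconciles from re-uploading the same report.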
NOTE: Run `make --help` for more information on all potential `make` targets.

More information can be found via the Kubebuilder Documentation.
Copyright 2022.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.