diff --git a/kustomization.yaml b/kustomization.yaml
index 3abd398..8bca325 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -7,4 +7,3 @@ resources:
   - vault/argocd.yaml
   - external-secrets/argocd.yaml
   - falco/argocd.yaml
-  - trivy/argocd.yaml
diff --git a/trivy/argocd.yaml b/trivy/argocd.yaml
deleted file mode 100644
index 919cf09..0000000
--- a/trivy/argocd.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: trivy
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  sources:
-    - repoURL: https://aquasecurity.github.io/helm-charts
-      chart: trivy-operator
-      targetRevision: 0.31.0
-      helm:
-        valueFiles:
-          - $values/trivy/helm-values.yaml
-    - repoURL: https://github.com/K3S-HOME/security.git
-      targetRevision: main
-      ref: values
-    - repoURL: https://github.com/K3S-HOME/security.git
-      targetRevision: main
-      path: trivy
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: trivy-system
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
-      - PrunePropagationPolicy=foreground
-      - PruneLast=true
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
-  managedNamespaceMetadata:
-    labels:
-      goldilocks.fairwinds.com/enabled: 'true'
-  revisionHistoryLimit: 10
diff --git a/trivy/helm-values.yaml b/trivy/helm-values.yaml
deleted file mode 100644
index c775f4f..0000000
--- a/trivy/helm-values.yaml
+++ /dev/null
@@ -1,93 +0,0 @@
-# Trivy Operator Helm Values
-# Chart: https://github.com/aquasecurity/trivy-operator
-
-# Namespace 설정
-targetNamespaces: ""
-excludeNamespaces: "kube-system,kube-public,kube-node-lease"
-
-# Operator 설정
-operator:
-  replicas: 1
-
-  # Operator 리소스
-  resources:
-    requests:
-      cpu: 50m
-      memory: 256Mi
-    limits:
-      cpu: null # Disable chart default
-      memory: 384Mi
-
-  # 스캔 설정
-  scanJobTimeout: 10m
-  scanJobsConcurrentLimit: 2 # Reduced from 3 to save resources
-  scannerReportTTL: "24h"
-
-  # 스캐너 활성화
-  vulnerabilityScannerEnabled: true
-  sbomGenerationEnabled: true
-  configAuditScannerEnabled: true
-  rbacAssessmentScannerEnabled: true
-  infraAssessmentScannerEnabled: true
-  clusterComplianceEnabled: true
-  exposedSecretScannerEnabled: true
-
-  # 메트릭 설정
-  metricsFindingsEnabled: true
-  metricsVulnIdEnabled: false # 카디널리티 증가 방지
-
-# Trivy 스캐너 설정
-trivy:
-  # Standalone 모드 (ClientServer보다 간단)
-  mode: Standalone
-
-  # 취약점 심각도
-  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-
-  # 리소스 절약 모드
-  slow: true
-
-  # 스캔 타임아웃
-  timeout: "10m0s"
-
-  # 스토리지 설정 (Longhorn 사용)
-  storageClassEnabled: true
-  storageClassName: "longhorn"
-  storageSize: "2Gi"
-
-  # 스캔 작업 리소스 제한
-  resources:
-    requests:
-      cpu: 50m
-      memory: 256Mi
-    limits:
-      cpu: null # Disable chart default (500m)
-      memory: 384Mi
-
-# 스캔 작업 설정
-trivyOperator:
-  scanJobCompressLogs: true
-  reportRecordFailedChecksOnly: true
-
-  # 스캔 작업 보안 컨텍스트
-  scanJobPodTemplateContainerSecurityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-        - ALL
-    privileged: false
-    readOnlyRootFilesystem: true
-
-# ServiceMonitor 설정 (Prometheus 연동)
-serviceMonitor:
-  enabled: true
-  namespace: prometheus
-  interval: 60s
-  labels:
-    release: prometheus
-  honorLabels: true
-
-# 서비스 설정
-service:
-  headless: true
-  metricsPort: 80
diff --git a/trivy/kustomization.yaml b/trivy/kustomization.yaml
deleted file mode 100644
index b83b23e..0000000
--- a/trivy/kustomization.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources: []