From 8da74949b8eaf7b0e52ef9353d63ab3d04cd9c97 Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Wed, 31 Dec 2025 16:04:06 +0900
Subject: [PATCH] FEAT(trivy): add trivy operator - for container vulnerability scanning
- Add Trivy Operator Helm chart (v0.31.0)
- Configure ServiceMonitor for Prometheus integration
- Enable vulnerability, config audit, and RBAC scanners
- Use Longhorn storage class for Trivy DB
- Exclude kube-system namespaces from scanning
---
trivy/argocd.yaml | 44 +++++++++++++++++++++
trivy/helm-values.yaml | 84 ++++++++++++++++++++++++++++++++++++++++
trivy/kustomization.yaml | 3 ++
3 files changed, 131 insertions(+)
create mode 100644 trivy/argocd.yaml
create mode 100644 trivy/helm-values.yaml
create mode 100644 trivy/kustomization.yaml
diff --git a/trivy/argocd.yaml b/trivy/argocd.yaml
new file mode 100644
index 0000000..735506f
--- /dev/null
+++ b/trivy/argocd.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: trivy
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: https://aquasecurity.github.io/helm-charts
+ chart: trivy-operator
+ targetRevision: 0.31.0
+ helm:
+ valueFiles:
+ - $values/trivy/helm-values.yaml
+ - repoURL: https://github.com/Mayne0213/monitoring.git
+ targetRevision: main
+ ref: values
+ - repoURL: https://github.com/Mayne0213/monitoring.git
+ targetRevision: main
+ path: trivy
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: trivy-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ managedNamespaceMetadata:
+ labels:
+ goldilocks.fairwinds.com/enabled: 'true'
+ revisionHistoryLimit: 10
diff --git a/trivy/helm-values.yaml b/trivy/helm-values.yaml
new file mode 100644
index 0000000..8962e9a
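Review bot: The third source (`repoURL: https://github.com/Mayne0213/monitoring.git`, `path: trivy`) points at trivy/kustomization.yaml, which this same patch creates with `resources: []`, so it renders nothing and only adds an extra sync target; either drop that source or add a comment beside it such as `# placeholder for extra manifests kept next to the chart (none yet)` so the intent is recorded. The operator is installed with cluster-wide RBAC (it scans every namespace that is not excluded), yet the Application sits in `project: default`; if the default AppProject in this cluster is unrestricted, a dedicated AppProject limiting destinations to `trivy-system` and sources to the two repositories above would be the least-privilege setup. Indentation of this hunk appears to have been lost on this page, so the nesting of keys such as `revisionHistoryLimit` under `spec` could not be verified here.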
--- /dev/null
+++ b/trivy/helm-values.yaml
@@ -0,0 +1,84 @@
+# Trivy Operator Helm Values
+# Chart: https://github.com/aquasecurity/trivy-operator
+
+# Namespace 설정
+targetNamespaces: ""
+excludeNamespaces: "kube-system,kube-public,kube-node-lease"
+
+# Operator 설정
+operator:
+ replicas: 1
+
+ # 스캔 설정
+ scanJobTimeout: 10m
+ scanJobsConcurrentLimit: 3 # 리소스 절약을 위해 동시 스캔 제한
+ scannerReportTTL: "24h"
+
+ # 스캐너 활성화
+ vulnerabilityScannerEnabled: true
+ sbomGenerationEnabled: true
+ configAuditScannerEnabled: true
+ rbacAssessmentScannerEnabled: true
+ infraAssessmentScannerEnabled: true
+ clusterComplianceEnabled: true
+ exposedSecretScannerEnabled: true
+
+ # 메트릭 설정
+ metricsFindingsEnabled: true
+ metricsVulnIdEnabled: false # 카디널리티 증가 방지
+
+# Trivy 스캐너 설정
+trivy:
+ # Standalone 모드 (ClientServer보다 간단)
+ mode: Standalone
+
+ # 취약점 심각도
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+
+ # 리소스 절약 모드
+ slow: true
+
+ # 스캔 타임아웃
+ timeout: "10m0s"
+
+ # 스토리지 설정 (Longhorn 사용)
+ storageClassEnabled: true
+ storageClassName: "longhorn"
+ storageSize: "2Gi"
+
+ # 스캔 작업 리소스 제한
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100M
+ limits:
+ cpu: 500m
+ memory: 500M
+
+# 스캔 작업 설정
+trivyOperator:
+ scanJobCompressLogs: true
+ reportRecordFailedChecksOnly: true
+
+ # 스캔 작업 보안 컨텍스트
+ scanJobPodTemplateContainerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+
+# ServiceMonitor 설정 (Prometheus 연동)
+serviceMonitor:
+ enabled: true
+ namespace: prometheus
+ interval: 60s
+ labels:
+ release: prometheus
+ honorLabels: true
+
+# 서비스 설정
+service:
+ headless: true
+ metricsPort: 80
diff --git a/trivy/kustomization.yaml b/trivy/kustomization.yaml
new file mode 100644
index 0000000..b83b23e
--- /dev/null
+++ b/trivy/kustomization.yaml
@@ -0,0 +1,3 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []
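Review bot: `excludeNamespaces: "kube-system,kube-public,kube-node-lease"` removes every workload in kube-system (CNI, DNS and other add-ons) from vulnerability, config-audit and RBAC scanning, which is a deliberate coverage gap the file should state next to the key, e.g. `# kube-system is excluded to cut scan load; its add-on images get NO VulnerabilityReports`. The scan-job `scanJobPodTemplateContainerSecurityContext` drops all capabilities and sets a read-only root filesystem but does not set `runAsNonRoot: true`; a namespace enforcing the Pod Security `restricted` profile would reject the jobs without it, so whether the scanner image can run as non-root in Standalone mode should be checked before adding it. `memory: 100M` / `memory: 500M` are decimal megabytes; the usual Kubernetes form is binary `100Mi` / `500Mi` so the values read as operators expect. Also, `timeout: "10m0s"` equals `scanJobTimeout: 10m`, so the operator may kill a job at the same instant the scanner itself times out; a slightly shorter scanner timeout such as `timeout: "9m0s"` lets trivy report the failure on its own.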