FEAT(trivy): add trivy operator

- for container vulnerability scanning - Add Trivy Operator Helm chart (v0.31.0) - Configure ServiceMonitor for Prometheus integration - Enable vulnerability, config audit, and RBAC scanners - Use Longhorn storage class for Trivy DB - Exclude kube-system namespaces from scanning
2025-12-31 16:04:06 +09:00
parent dc31575f03
commit 8da74949b8
3 changed files with 131 additions and 0 deletions
--- a/trivy/helm-values.yaml
+++ b/trivy/helm-values.yaml
@@ -0,0 +1,84 @@
+# Trivy Operator Helm Values
+# Chart: https://github.com/aquasecurity/trivy-operator
+
+# Namespace 설정
+targetNamespaces: ""
+excludeNamespaces: "kube-system,kube-public,kube-node-lease"
+
+# Operator 설정
+operator:
+  replicas: 1
+
+  # 스캔 설정
+  scanJobTimeout: 10m
+  scanJobsConcurrentLimit: 3  # 리소스 절약을 위해 동시 스캔 제한
+  scannerReportTTL: "24h"
+
+  # 스캐너 활성화
+  vulnerabilityScannerEnabled: true
+  sbomGenerationEnabled: true
+  configAuditScannerEnabled: true
+  rbacAssessmentScannerEnabled: true
+  infraAssessmentScannerEnabled: true
+  clusterComplianceEnabled: true
+  exposedSecretScannerEnabled: true
+
+  # 메트릭 설정
+  metricsFindingsEnabled: true
+  metricsVulnIdEnabled: false  # 카디널리티 증가 방지
+
+# Trivy 스캐너 설정
+trivy:
+  # Standalone 모드 (ClientServer보다 간단)
+  mode: Standalone
+
+  # 취약점 심각도
+  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+
+  # 리소스 절약 모드
+  slow: true
+
+  # 스캔 타임아웃
+  timeout: "10m0s"
+
+  # 스토리지 설정 (Longhorn 사용)
+  storageClassEnabled: true
+  storageClassName: "longhorn"
+  storageSize: "2Gi"
+
+  # 스캔 작업 리소스 제한
+  resources:
+    requests:
+      cpu: 50m
+      memory: 100M
+    limits:
+      cpu: 500m
+      memory: 500M
+
+# 스캔 작업 설정
+trivyOperator:
+  scanJobCompressLogs: true
+  reportRecordFailedChecksOnly: true
+
+  # 스캔 작업 보안 컨텍스트
+  scanJobPodTemplateContainerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+
+# ServiceMonitor 설정 (Prometheus 연동)
+serviceMonitor:
+  enabled: true
+  namespace: prometheus
+  interval: 60s
+  labels:
+    release: prometheus
+  honorLabels: true
+
+# 서비스 설정
+service:
+  headless: true
+  metricsPort: 80