FEAT(trivy): add trivy operator

- for container vulnerability scanning
- Add Trivy Operator Helm chart (v0.31.0)
- Configure ServiceMonitor for Prometheus integration
- Enable vulnerability, config audit, and RBAC scanners
- Use Longhorn storage class for Trivy DB
- Exclude kube-system namespaces from scanning
2025-12-31 16:04:06 +09:00
parent dc31575f03
commit 8da74949b8
3 changed files with 131 additions and 0 deletions

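--- a/trivy/argocd.yaml
+++ b/trivy/argocd.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: trivy
+namespace: argocd
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: default
+sources:
+- repoURL: https://aquasecurity.github.io/helm-charts
+chart: trivy-operator
+targetRevision: 0.31.0
+helm:
+valueFiles:
+- $values/trivy/helm-values.yaml
+- repoURL: https://github.com/Mayne0213/monitoring.git
+targetRevision: main
+ref: values
+- repoURL: https://github.com/Mayne0213/monitoring.git
+targetRevision: main
+path: trivy
+destination:
+server: https://kubernetes.default.svc
+namespace: trivy-system
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+allowEmpty: false
+syncOptions:
+- CreateNamespace=true
+- PrunePropagationPolicy=foreground
+- PruneLast=true
+retry:
+limit: 5
+backoff:
+duration: 5s
+factor: 2
+maxDuration: 3m
+managedNamespaceMetadata:
+labels:
+goldilocks.fairwinds.com/enabled: 'true'
+revisionHistoryLimit: 10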
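Review bot: The third source (`path: trivy`, `targetRevision: main`) renders nothing in this commit, because `trivy/kustomization.yaml` declares `resources: []`; either drop the source until there are manifests to deploy or mark it as intentional, e.g. `# placeholder source: trivy/kustomization.yaml is currently empty`. Keeping the empty kustomization does have a side benefit worth stating in that comment: without it Argo CD would treat the directory as plain manifests and try to apply every YAML in it, including this Application and the Helm values file. Both git sources track `main` while the chart itself is pinned to `0.31.0`; that is the usual GitOps shape, but it means a push to `main` changes the scanner configuration with no further gate, so branch protection on `main` is the control that matters here.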

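--- a/trivy/helm-values.yaml
+++ b/trivy/helm-values.yaml
@@ -0,0 +1,84 @@
+# Trivy Operator Helm Values
+# Chart: https://github.com/aquasecurity/trivy-operator
+# Namespace 설정
+targetNamespaces: ""
+excludeNamespaces: "kube-system,kube-public,kube-node-lease"
+# Operator 설정
+operator:
+replicas: 1
+# 스캔 설정
+scanJobTimeout: 10m
+scanJobsConcurrentLimit: 3 # 리소스 절약을 위해 동시 스캔 제한
+scannerReportTTL: "24h"
+# 스캐너 활성화
+vulnerabilityScannerEnabled: true
+sbomGenerationEnabled: true
+configAuditScannerEnabled: true
+rbacAssessmentScannerEnabled: true
+infraAssessmentScannerEnabled: true
+clusterComplianceEnabled: true
+exposedSecretScannerEnabled: true
+# 메트릭 설정
+metricsFindingsEnabled: true
+metricsVulnIdEnabled: false # 카디널리티 증가 방지
+# Trivy 스캐너 설정
+trivy:
+# Standalone 모드 (ClientServer보다 간단)
+mode: Standalone
+# 취약점 심각도
+severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+# 리소스 절약 모드
+slow: true
+# 스캔 타임아웃
+timeout: "10m0s"
+# 스토리지 설정 (Longhorn 사용)
+storageClassEnabled: true
+storageClassName: "longhorn"
+storageSize: "2Gi"
+# 스캔 작업 리소스 제한
+resources:
+requests:
+cpu: 50m
+memory: 100M
+limits:
+cpu: 500m
+memory: 500M
+# 스캔 작업 설정
+trivyOperator:
+scanJobCompressLogs: true
+reportRecordFailedChecksOnly: true
+# 스캔 작업 보안 컨텍스트
+scanJobPodTemplateContainerSecurityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
+# ServiceMonitor 설정 (Prometheus 연동)
+serviceMonitor:
+enabled: true
+namespace: prometheus
+interval: 60s
+labels:
+release: prometheus
+honorLabels: true
+# 서비스 설정
+service:
+headless: true
+metricsPort: 80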
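Review bot: The scan-job security context under `scanJobPodTemplateContainerSecurityContext` drops all capabilities and makes the root filesystem read-only, but sets neither `runAsNonRoot` nor a `seccompProfile`, so it would not satisfy the restricted Pod Security Standard if that level is ever enforced on `trivy-system`. Helm also deep-merges value maps, so any key the chart's default map carries that is not repeated here (a `runAsUser`, for instance) survives this override; check the chart's values.yaml for 0.31.0 rather than reading this block as the complete context. Separately, `trivy.storageClassEnabled`/`storageClassName`/`storageSize` appear to back the trivy-server volume, which is only created in `ClientServer` mode; with `mode: Standalone` each scan job fetches the vulnerability DB itself, so either the Longhorn settings are unused or the mode comment should be revisited — verify against the chart. A one-line comment above the security context stating the hardening target would help the next reader, e.g. `# Hardened scan jobs; add runAsNonRoot/seccompProfile if trivy-system enforces restricted PSS`.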

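--- a/trivy/kustomization.yaml
+++ b/trivy/kustomization.yaml
@@ -0,0 +1,3 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []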