FEAT(trivy): add trivy operator

- for container vulnerability scanning - Add Trivy Operator Helm chart (v0.31.0) - Configure ServiceMonitor for Prometheus integration - Enable vulnerability, config audit, and RBAC scanners - Use Longhorn storage class for Trivy DB - Exclude kube-system namespaces from scanning
2025-12-31 16:04:06 +09:00
parent dc31575f03
commit 8da74949b8
3 changed files with 131 additions and 0 deletions
--- a/trivy/argocd.yaml
+++ b/trivy/argocd.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: trivy
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+  - repoURL: https://aquasecurity.github.io/helm-charts
+    chart: trivy-operator
+    targetRevision: 0.31.0
+    helm:
+      valueFiles:
+      - $values/trivy/helm-values.yaml
+  - repoURL: https://github.com/Mayne0213/monitoring.git
+    targetRevision: main
+    ref: values
+  - repoURL: https://github.com/Mayne0213/monitoring.git
+    targetRevision: main
+    path: trivy
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: trivy-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - PrunePropagationPolicy=foreground
+    - PruneLast=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+    managedNamespaceMetadata:
+      labels:
+        goldilocks.fairwinds.com/enabled: 'true'
+  revisionHistoryLimit: 10
--- a/trivy/helm-values.yaml
+++ b/trivy/helm-values.yaml
@@ -0,0 +1,84 @@
+# Trivy Operator Helm Values
+# Chart: https://github.com/aquasecurity/trivy-operator
+
+# Namespace 설정
+targetNamespaces: ""
+excludeNamespaces: "kube-system,kube-public,kube-node-lease"
+
+# Operator 설정
+operator:
+  replicas: 1
+
+  # 스캔 설정
+  scanJobTimeout: 10m
+  scanJobsConcurrentLimit: 3  # 리소스 절약을 위해 동시 스캔 제한
+  scannerReportTTL: "24h"
+
+  # 스캐너 활성화
+  vulnerabilityScannerEnabled: true
+  sbomGenerationEnabled: true
+  configAuditScannerEnabled: true
+  rbacAssessmentScannerEnabled: true
+  infraAssessmentScannerEnabled: true
+  clusterComplianceEnabled: true
+  exposedSecretScannerEnabled: true
+
+  # 메트릭 설정
+  metricsFindingsEnabled: true
+  metricsVulnIdEnabled: false  # 카디널리티 증가 방지
+
+# Trivy 스캐너 설정
+trivy:
+  # Standalone 모드 (ClientServer보다 간단)
+  mode: Standalone
+
+  # 취약점 심각도
+  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+
+  # 리소스 절약 모드
+  slow: true
+
+  # 스캔 타임아웃
+  timeout: "10m0s"
+
+  # 스토리지 설정 (Longhorn 사용)
+  storageClassEnabled: true
+  storageClassName: "longhorn"
+  storageSize: "2Gi"
+
+  # 스캔 작업 리소스 제한
+  resources:
+    requests:
+      cpu: 50m
+      memory: 100M
+    limits:
+      cpu: 500m
+      memory: 500M
+
+# 스캔 작업 설정
+trivyOperator:
+  scanJobCompressLogs: true
+  reportRecordFailedChecksOnly: true
+
+  # 스캔 작업 보안 컨텍스트
+  scanJobPodTemplateContainerSecurityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+
+# ServiceMonitor 설정 (Prometheus 연동)
+serviceMonitor:
+  enabled: true
+  namespace: prometheus
+  interval: 60s
+  labels:
+    release: prometheus
+  honorLabels: true
+
+# 서비스 설정
+service:
+  headless: true
+  metricsPort: 80
--- a/trivy/kustomization.yaml
+++ b/trivy/kustomization.yaml
@@ -0,0 +1,3 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []