Addon: Trivy

1.26
Compatibility: amd64 arm64 classic strict
Source: See Trivy website for details.

Trivy is an all-in-one open source security scanner. It identifies vulnerabilities in container images and packages, detects IaC misconfigurations, generates SBOMs, scans cloud accounts, and flags Kubernetes security risks, among other checks, giving you one tool for keeping systems patched and data protected.

Trivy has two components:

  • The Trivy Operator, which scans workloads already running in the cluster. The scan runs inside the cluster, continuously and in the background.
  • The Trivy CLI, for manual or CI-triggered scanning of the Kubernetes cluster and its workloads.

Combining the two gives continuous in-cluster scanning plus on-demand scans from a workstation or pipeline, so the cluster is covered under any circumstances.

Usage

To enable the addon:

microk8s enable trivy

The addon can be disabled at any time with:

microk8s disable trivy

The Trivy Operator

The Trivy Operator automatically updates security reports in response to workload and other changes on a Kubernetes cluster, generating the following reports:

  • Vulnerability scans: automated vulnerability scanning of the container images used by Kubernetes workloads.
  • ConfigAudit scans: automated configuration audits of Kubernetes resources, using predefined rules or custom Open Policy Agent (OPA) policies.
  • Exposed Secret scans: automated secret scans that find and report the location of exposed secrets within your cluster.
  • RBAC scans: Role Based Access Control scans that detail the access rights granted to the different resources installed.
  • Kubernetes core component infra assessment: scans the settings and configuration of the core control-plane components (etcd, apiserver, scheduler, controller-manager and so on).
  • Kubernetes outdated API validation: a ConfigAudit check that reports resources whose API version is deprecated and scheduled for removal.
  • Compliance reports:
    • NSA/CISA Kubernetes Hardening Guidance v1.1 cybersecurity technical report.
    • CIS Kubernetes Benchmark v1.23 cybersecurity technical report.
    • Kubernetes pss-baseline (Pod Security Standards, baseline profile).
    • Kubernetes pss-restricted (Pod Security Standards, restricted profile).
  • SBOM (software bill of materials) generation for Kubernetes workloads.
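Each report type above is stored in the cluster as a custom resource (upstream Trivy Operator names them vulnerabilityreports, configauditreports, exposedsecretreports, rbacassessmentreports, infraassessmentreports, clustercompliancereports and sbomreports), so you can read them with `microk8s kubectl get vulnerabilityreports -A -o json`. The script below is an added example, not code from the MicroK8s addon or the Trivy project: it takes that JSON, lists per workload container how many CRITICAL and HIGH findings exist and which of them already have a fix available, and applies a simple budget gate of the kind you would put in a pipeline. The embedded sample is constructed by hand so the script runs offline; its image names, versions and vulnerability IDs are placeholders, not real findings.

```python
"""Summarise Trivy Operator VulnerabilityReports and gate on critical findings.

Added example for the MicroK8s Trivy addon page; not part of the addon or of
Trivy. Input is the `v1/List` that `microk8s kubectl get vulnerabilityreports
-A -o json` prints: items of kind VulnerabilityReport whose `report.summary`
holds severity counts and whose `report.vulnerabilities` holds the findings.
"""
import json
import subprocess
import sys

ACTIONABLE = ("CRITICAL", "HIGH")


def summarize_reports(report_list):
    """Return one summary dict per VulnerabilityReport in a kubectl List."""
    rows = []
    for item in report_list.get("items", []):
        if item.get("kind") != "VulnerabilityReport":
            continue  # a mixed List could carry other report kinds; skip them
        labels = item["metadata"].get("labels", {})
        report = item.get("report", {})
        summary = report.get("summary", {})
        artifact = report.get("artifact", {})
        # Findings worth acting on now: high/critical with a fixed version.
        fixable = [
            v for v in report.get("vulnerabilities", [])
            if v.get("severity") in ACTIONABLE and v.get("fixedVersion")
        ]
        rows.append({
            "namespace": item["metadata"]["namespace"],
            # The operator labels each report with the owning workload.
            "workload": "%s/%s" % (labels.get("trivy-operator.resource.kind", "?"),
                                   labels.get("trivy-operator.resource.name", "?")),
            "container": labels.get("trivy-operator.container.name", "?"),
            "image": "%s:%s" % (artifact.get("repository", "?"), artifact.get("tag", "?")),
            "critical": summary.get("criticalCount", 0),
            "high": summary.get("highCount", 0),
            "fixable": sorted((v["vulnerabilityID"], v["resource"],
                               v["installedVersion"], v["fixedVersion"]) for v in fixable),
        })
    return rows


def gate(rows, max_critical=0):
    """True when every scanned container is within the CRITICAL budget."""
    return all(r["critical"] <= max_critical for r in rows)


def load_live():
    """Fetch reports from a running MicroK8s cluster (needs the addon enabled)."""
    out = subprocess.run(["microk8s", "kubectl", "get", "vulnerabilityreports", "-A", "-o", "json"],
                         capture_output=True, check=True, text=True).stdout
    return json.loads(out)


# Constructed sample in the operator's report shape; all values are placeholders.
SAMPLE = {"apiVersion": "v1", "kind": "List", "items": [
    {"apiVersion": "aquasecurity.github.io/v1alpha1", "kind": "VulnerabilityReport",
     "metadata": {"namespace": "web", "name": "replicaset-web-5d4c-nginx",
                  "labels": {"trivy-operator.resource.kind": "ReplicaSet",
                             "trivy-operator.resource.name": "web-5d4c",
                             "trivy-operator.container.name": "nginx"}},
     "report": {"artifact": {"repository": "library/nginx", "tag": "1.0-example"},
                "summary": {"criticalCount": 1, "highCount": 2, "mediumCount": 0,
                            "lowCount": 0, "unknownCount": 0},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-0000-0001", "resource": "libexample", "severity": "CRITICAL",
                     "installedVersion": "1.0.0", "fixedVersion": "1.0.1"},
                    {"vulnerabilityID": "CVE-0000-0002", "resource": "libexample", "severity": "HIGH",
                     "installedVersion": "1.0.0", "fixedVersion": "1.0.1"},
                    {"vulnerabilityID": "CVE-0000-0003", "resource": "libother", "severity": "HIGH",
                     "installedVersion": "2.3.4", "fixedVersion": ""}]}},
    {"apiVersion": "aquasecurity.github.io/v1alpha1", "kind": "VulnerabilityReport",
     "metadata": {"namespace": "tools", "name": "daemonset-agent-busybox",
                  "labels": {"trivy-operator.resource.kind": "DaemonSet",
                             "trivy-operator.resource.name": "agent",
                             "trivy-operator.container.name": "busybox"}},
     "report": {"artifact": {"repository": "library/busybox", "tag": "1.0-example"},
                "summary": {"criticalCount": 0, "highCount": 1, "mediumCount": 0,
                            "lowCount": 0, "unknownCount": 0},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-0000-0004", "resource": "libother", "severity": "HIGH",
                     "installedVersion": "2.3.4", "fixedVersion": ""}]}}]}


def main(argv):
    reports = load_live() if "--live" in argv else SAMPLE
    rows = summarize_reports(reports)
    for r in rows:
        print("%s %s [%s] %s critical=%d high=%d fixable=%d"
              % (r["namespace"], r["workload"], r["container"], r["image"],
                 r["critical"], r["high"], len(r["fixable"])))
        for vid, pkg, installed, fixed in r["fixable"]:
            print("    %s %s %s -> %s" % (vid, pkg, installed, fixed))
    return 0 if gate(rows) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the constructed sample, or with `--live` against a MicroK8s cluster where the addon is enabled. The gate deliberately keys on the operator's own `criticalCount` rather than on the fixable list, so an unfixed critical still fails the build; the fixable list is there to tell you what a rebuild would actually resolve.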

For more on how to use the Trivy Operator (and the Trivy CLI tool), see this how-to guide.

Links

To learn more about Trivy visit: