# Default values for the trivy-operator Helm chart, these are used to render
# the templates into valid k8s Resources.
# -- global values provide a centralized configuration for 'image.registry', reducing the potential for errors.
# If left blank, the chart will default to the individually set 'image.registry' values
global:
image:
registry: ""
# -- managedBy is similar to .Release.Service but allows to overwrite the value
managedBy: Helm
# -- targetNamespace defines where you want trivy-operator to operate. By
# default, it's a blank string to select all namespaces, but you can specify
# another namespace, or a comma separated list of namespaces.
targetNamespaces: ""
# -- excludeNamespaces is a comma separated list of namespaces (or glob patterns)
# to be excluded from scanning. Only applicable in the all namespaces install
# mode, i.e. when the targetNamespaces values is a blank string.
excludeNamespaces: ""
# -- extraEnv is a list of extra environment variables for the trivy-operator.
extraEnv: []
# -- hostAliases for `deployment` (TrivyOperator) and `statefulset` (TrivyServer)
hostAliases: []
# - ip: "127.0.0.1"
# hostnames:
# - "foo.local"
# - "bar.local"
# - ip: "10.1.2.3"
# hostnames:
# - "foo.remote"
# - "bar.remote"
# -- targetWorkloads is a comma seperated list of Kubernetes workload resources
# to be included in the vulnerability and config-audit scans
# if left blank, all workload resources will be scanned
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
# -- nameOverride override operator name
nameOverride: ""
# -- fullnameOverride override operator full name
fullnameOverride: ""
operator:
# -- namespace to install the operator, defaults to the .Release.Namespace
namespace: ""
# -- replicas the number of replicas of the operator's pod
replicas: 1
# -- number of old history to retain to allow rollback (if not set, default Kubernetes value is set to 10)
revisionHistoryLimit: ~
# -- additional annotations for the operator deployment
annotations: {}
# -- additional labels for the operator deployment
labels: {}
# -- additional labels for the operator pod
podLabels: {}
# -- leaderElectionId determines the name of the resource that leader election
# will use for holding the leader lock.
leaderElectionId: "trivyoperator-lock"
# -- logDevMode the flag to enable development mode (more human-readable output, extra stack traces and logging information, etc)
logDevMode: false
# -- scanJobTTL the set automatic cleanup time after the job is completed
scanJobTTL: ""
# -- scanSecretTTL set an automatic cleanup for scan job secrets
scanSecretTTL: ""
# -- scanJobTimeout the length of time to wait before giving up on a scan job
scanJobTimeout: 5m
# -- scanJobsConcurrentLimit the maximum number of scan jobs create by the operator
scanJobsConcurrentLimit: 10
# -- scanNodeCollectorLimit the maximum number of node collector jobs create by the operator
scanNodeCollectorLimit: 1
# -- scanJobsRetryDelay the duration to wait before retrying a failed scan job
scanJobsRetryDelay: 30s
# -- the flag to enable vulnerability scanner
vulnerabilityScannerEnabled: true
# -- the flag to enable sbom generation, required for enabling ClusterVulnerabilityReports
sbomGenerationEnabled: true
# -- the flag to enable cluster sbom cache generation
clusterSbomCacheEnabled: false
# -- scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled
scannerReportTTL: "24h"
# -- cacheReportTTL the flag to set how long a cluster sbom report should exist. "" means that the cacheReportTTL feature is disabled
cacheReportTTL: "120h"
# -- configAuditScannerEnabled the flag to enable configuration audit scanner
configAuditScannerEnabled: true
# -- rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner
rbacAssessmentScannerEnabled: true
# -- infraAssessmentScannerEnabled the flag to enable infra assessment scanner
infraAssessmentScannerEnabled: true
# -- clusterComplianceEnabled the flag to enable cluster compliance scanner
clusterComplianceEnabled: true
# -- batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed.
batchDeleteLimit: 10
# -- vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment.
vulnerabilityScannerScanOnlyCurrentRevisions: true
# -- configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment.
configAuditScannerScanOnlyCurrentRevisions: true
# -- batchDeleteDelay the duration to wait before deleting another batch of config audit reports.
batchDeleteDelay: 10s
# -- accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries
accessGlobalSecretsAndServiceAccount: true
# -- builtInTrivyServer The flag enables the usage of built-in trivy server in cluster. It also overrides the following trivy params with built-in values
# trivy.mode = ClientServer and serverURL = http://<serverServiceName>.<trivy operator namespace>:4975
builtInTrivyServer: false
# -- builtInServerRegistryInsecure is the flag to enable insecure connection from the built-in Trivy server to the registry.
builtInServerRegistryInsecure: false
# -- controllerCacheSyncTimeout the duration to wait for controller resources cache sync (default: 5m).
controllerCacheSyncTimeout: "5m"
# -- trivyServerHealthCheckCacheExpiration The flag to set the interval for trivy server health cache before it invalidate
trivyServerHealthCheckCacheExpiration: 10h
# -- metricsFindingsEnabled the flag to enable metrics for findings
metricsFindingsEnabled: true
# -- metricsVulnIdEnabled the flag to enable metrics about cve vulns id
# be aware of metrics cardinality is significantly increased with this feature enabled.
metricsVulnIdEnabled: false
# -- exposedSecretScannerEnabled the flag to enable exposed secret scanner
exposedSecretScannerEnabled: true
# -- MetricsExposedSecretInfo the flag to enable metrics about exposed secrets
# be aware of metrics cardinality is significantly increased with this feature enabled.
metricsExposedSecretInfo: false
# -- MetricsConfigAuditInfo the flag to enable metrics about configuration audits
# be aware of metrics cardinality is significantly increased with this feature enabled.
metricsConfigAuditInfo: false
# -- MetricsRbacAssessmentInfo the flag to enable metrics about Rbac Assessment
# be aware of metrics cardinality is significantly increased with this feature enabled.
metricsRbacAssessmentInfo: false
# -- MetricsInfraAssessmentInfo the flag to enable metrics about Infra Assessment
# be aware of metrics cardinality is significantly increased with this feature enabled.
metricsInfraAssessmentInfo: false
# -- MetricsImageInfo the flag to enable metrics about Image Information of scanned images
# This information has image os information including os family, name/version, and if end of service life has been reached
# be aware of metrics cardinality is significantly increased with this feature enabled.
metricsImageInfo: false
# -- MetricsClusterComplianceInfo the flag to enable metrics about Cluster Compliance
# be aware of metrics cardinality is significantly increased with this feature enabled.
metricsClusterComplianceInfo: false
# -- serverAdditionalAnnotations the flag to set additional annotations for the trivy server pod
serverAdditionalAnnotations: {}
# -- webhookBroadcastURL the flag to set reports should be sent to a webhook endpoint. "" means that the webhookBroadcastURL feature is disabled
webhookBroadcastURL: ""
# -- webhookBroadcastTimeout the flag to set timeout for webhook requests if webhookBroadcastURL is enabled
webhookBroadcastTimeout: 30s
# -- webhookBroadcastCustomHeaders the flag to set webhook endpoint sent with custom defined headers if webhookBroadcastURL is enabled
webhookBroadcastCustomHeaders: ""
# -- webhookSendDeletedReports the flag to enable sending deleted reports if webhookBroadcastURL is enabled
webhookSendDeletedReports: false
# -- privateRegistryScanSecretsNames is map of namespace:secrets, secrets are comma seperated which can be used to authenticate in private registries in case if there no imagePullSecrets provided example : {"mynamespace":"mySecrets,anotherSecret"}
privateRegistryScanSecretsNames: {}
# -- mergeRbacFindingWithConfigAudit the flag to enable merging rbac finding with config-audit report
mergeRbacFindingWithConfigAudit: false
# -- httpProxy is the HTTP proxy used by Trivy operator to download the default policies from GitHub.
httpProxy: ~
# -- httpsProxy is the HTTPS proxy used by Trivy operator to download the default policies from GitHub.
httpsProxy: ~
# -- noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
noProxy: ~
# -- vaulesFromConfigMap name of a ConfigMap to apply OPERATOR_* environment variables. Will override Helm values.
valuesFromConfigMap: ""
# -- valuesFromSecret name of a Secret to apply OPERATOR_* environment variables. Will override Helm AND ConfigMap values.
valuesFromSecret: ""
image:
registry: "mirror.gcr.io"
repository: "aquasec/trivy-operator"
# -- tag is an override of the image tag, which is by default set by the
# appVersion field in Chart.yaml.
tag: ""
# -- pullPolicy set the operator pullPolicy
pullPolicy: IfNotPresent
# -- pullSecrets set the operator pullSecrets
pullSecrets: []
# -- service only expose a metrics endpoint for prometheus to scrape,
# trivy-operator does not have a user interface.
service:
# -- if true, the Service doesn't allocate any IP
headless: true
# -- port exposed by the Service
metricsPort: 80
# -- annotations added to the operator's service
annotations: {}
# -- appProtocol of the monitoring service
metricsAppProtocol: TCP
# -- the Service type
type: ClusterIP
# -- the nodeport to use when service type is LoadBalancer or NodePort. If not set, Kubernetes automatically select one.
nodePort:
# -- Prometheus ServiceMonitor configuration -- to install the trivy operator with the ServiceMonitor
# you must have Prometheus already installed and running. If you do not have Prometheus installed, enabling this will
# have no effect.
serviceMonitor:
# -- enabled determines whether a serviceMonitor should be deployed
enabled: false
# -- The namespace where Prometheus expects to find service monitors
namespace: ~
# -- Interval at which metrics should be scraped. If not specified Prometheus’ global scrape interval is used.
interval: ~
# -- Additional annotations for the serviceMonitor
annotations: {}
# -- Additional labels for the serviceMonitor
labels: {}
# -- HonorLabels chooses the metric’s labels on collisions with target labels
honorLabels: true
# -- EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
endpointAdditionalProperties: {}
trivyOperator:
# -- vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports `Trivy`
vulnerabilityReportsPlugin: "Trivy"
# -- configAuditReportsPlugin the name of the plugin that generates config audit reports.
configAuditReportsPlugin: "Trivy"
# -- scanJobCompressLogs control whether scanjob output should be compressed or plain
scanJobCompressLogs: true
# -- scanJobAffinity affinity to be applied to the scanner pods and node-collector
scanJobAffinity: {}
# -- scanJobTolerations tolerations to be applied to the scanner pods so that they can run on nodes with matching taints
scanJobTolerations: []
# -- If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
# square brackets after 'scanJobTolerations:'.
# - key: "key1"
# operator: "Equal"
# value: "value1"
# effect: "NoSchedule"
# -- scanJobNodeSelector nodeSelector to be applied to the scanner pods so that they can run on nodes with matching labels
scanJobNodeSelector: {}
# -- If you do want to specify nodeSelector, uncomment the following lines, adjust them as necessary, and remove the
# square brackets after 'scanJobNodeSelector:'.
# nodeType: worker
# cpu: sandylake
# teamOwner: operators
# -- scanJobCustomVolumesMount add custom volumes mount to the scan job
scanJobCustomVolumesMount: []
# - name: var-lib-etcd
# mountPath: /var/lib/etcd
# readOnly: true
# -- scanJobCustomVolumes add custom volumes to the scan job
scanJobCustomVolumes: []
# - name: var-lib-etcd
# hostPath:
# path: /var/lib/etcd
# -- useGCRServiceAccount the flag to enable the usage of GCR service account for scanning images in GCR
useGCRServiceAccount: true
# -- scanJobAutomountServiceAccountToken the flag to enable automount for service account token on scan job
scanJobAutomountServiceAccountToken: false
# -- scanJobAnnotations comma-separated representation of the annotations which the user wants the scanner jobs and pods to be
# annotated with. Example: `foo=bar,env=stage` will annotate the scanner jobs and pods with the annotations `foo: bar` and `env: stage`
scanJobAnnotations: ""
# -- scanJobPodTemplateLabels comma-separated representation of the labels which the user wants the scanner pods to be
# labeled with. Example: `foo=bar,env=stage` will labeled the scanner pods with the labels `foo: bar` and `env: stage`
scanJobPodTemplateLabels: ""
# -- skipInitContainers when this flag is set to true, the initContainers will be skipped for the scanner and node collector pods
skipInitContainers: false
# -- scanJobPodTemplatePodSecurityContext podSecurityContext the user wants the scanner and node collector pods to be amended with.
# Example:
# RunAsUser: 10000
# RunAsGroup: 10000
# RunAsNonRoot: true
scanJobPodTemplatePodSecurityContext: {}
# -- scanJobPodTemplateContainerSecurityContext SecurityContext the user wants the scanner and node collector containers (and their
# initContainers) to be amended with.
scanJobPodTemplateContainerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
# -- For filesystem scanning, Trivy needs to run as the root user
# runAsUser: 0
# -- scanJobPodPriorityClassName Priority class name to be set on the pods created by trivy operator jobs. This accepts a string value
scanJobPodPriorityClassName: ""
# -- reportResourceLabels comma-separated scanned resource labels which the user wants to include in the Prometheus
# metrics report. Example: `owner,app`
reportResourceLabels: ""
# -- reportRecordFailedChecksOnly flag is to record only failed checks on misconfiguration reports (config-audit and rbac assessment)
reportRecordFailedChecksOnly: true
# -- skipResourceByLabels comma-separated labels keys which trivy-operator will skip scanning on resources with matching labels
skipResourceByLabels: ""
# -- metricsResourceLabelsPrefix Prefix that will be prepended to the labels names indicated in `reportResourceLabels`
# when including them in the Prometheus metrics
metricsResourceLabelsPrefix: "k8s_label_"
# -- additionalReportLabels comma-separated representation of the labels which the user wants the scanner pods to be
# labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage`
additionalReportLabels: ""
# -- policiesConfig Custom Rego Policies to be used by the config audit scanner
# See https://github.com/aquasecurity/trivy-operator/blob/main/docs/tutorials/writing-custom-configuration-audit-policies.md for more details.
policiesConfig: ""
# -- excludeImages is comma separated glob patterns for excluding images from scanning.
# Example: pattern: `k8s.gcr.io/*/*` will exclude image: `k8s.gcr.io/coredns/coredns:v1.8.0`.
excludeImages: ""
trivy:
# -- createConfig indicates whether to create config objects
createConfig: true
image:
# -- registry of the Trivy image
registry: mirror.gcr.io
# -- repository of the Trivy image
repository: aquasec/trivy
# -- tag version of the Trivy image
tag: 0.60.0
# -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
# It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
imagePullSecret: ~
# -- pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent)
pullPolicy: IfNotPresent
# -- mode is the Trivy client mode. Either Standalone or ClientServer. Depending
# on the active mode other settings might be applicable or required.
mode: Standalone
# -- sbomSources trivy will try to retrieve SBOM from the specified sources (oci,rekor)
sbomSources: ""
# -- includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false)
# note: this flag is only applicable when trivy.command is set to filesystem
includeDevDeps: false
# -- whether to use a storage class for trivy server or emptydir (one mey want to use ephemeral storage)
storageClassEnabled: true
# -- storageClassName is the name of the storage class to be used for trivy server PVC. If empty, tries to find default storage class
storageClassName: ""
# -- storageSize is the size of the trivy server PVC
storageSize: "5Gi"
# -- labels is the extra labels to be used for trivy server statefulset
labels: {}
# -- podLabels is the extra pod labels to be used for trivy server
podLabels: {}
# -- priorityClassName is the name of the priority class used for trivy server
priorityClassName: ""
# -- additionalVulnerabilityReportFields is a comma separated list of additional fields which
# can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target, Class, PackagePath and PackageType
additionalVulnerabilityReportFields: ""
# -- httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.
httpProxy: ~
# -- httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub.
httpsProxy: ~
# -- noProxy is a comma separated list of IPs and domain names that are not subject to proxy settings.
noProxy: ~
# -- Registries without SSL. There can be multiple registries with different keys.
nonSslRegistries: {}
# pocRegistry: poc.myregistry.harbor.com.pl
# qaRegistry: qa.registry.aquasec.com
# internalRegistry: registry.registry.svc:5000
# -- sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs
sslCertDir: ~
# -- The registry to which insecure connections are allowed. There can be multiple registries with different keys.
insecureRegistries: {}
# pocRegistry: poc.myregistry.harbor.com.pl
# qaRegistry: qa.registry.aquasec.com
# internalRegistry: registry.registry.svc:5000
# -- Mirrored registries. There can be multiple registries with different keys.
# Make sure to quote registries containing dots
registry:
mirror: {}
# "docker.io": docker-mirror.example.com
# -- severity is a comma separated list of severity levels reported by Trivy.
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
# -- slow this flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint
slow: true
# -- ignoreUnfixed is the flag to show only fixed vulnerabilities in
# vulnerabilities reported by Trivy. Set to true to enable it.
#
ignoreUnfixed: false
# -- a comma separated list of file paths for Trivy to skip
skipFiles:
# -- a comma separated list of directories for Trivy to skip
skipDirs:
# -- offlineScan is the flag to enable the offline scan functionality in Trivy
# This will prevent outgoing HTTP requests, e.g. to search.maven.org
offlineScan: false
# -- timeout is the duration to wait for scan completion.
timeout: "5m0s"
# -- ignoreFile can be used to tell Trivy to ignore vulnerabilities by ID (one per line)
ignoreFile: ~
# ignoreFile:
# - CVE-1970-0001
# - CVE-1970-0002
# -- ignorePolicy can be used to tell Trivy to ignore vulnerabilities by a policy
# If multiple policies would match, then the most specific one has precedence over the others.
# See https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-open-policy-agent for more details.
# See https://github.com/aquasecurity/trivy/blob/v0.19.2/contrib/example_policy/basic.rego for more details on ignorePolicy filtering.
#
# ignorePolicy.application.my-app-.: |
# package trivy
# import data.lib.trivy
# default ignore = true
# applies to all workloads in namespace "application" with the name pattern "my-app-*"
# ignorePolicy.kube-system: |
# package trivy
# import data.lib.trivy
# default ignore = true
# applies to all workloads in namespace "kube-system"
# ignorePolicy: |
# package trivy
# import data.lib.trivy
# default ignore = true
# applies to all other workloads
# -- vulnType can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os)
vulnType: ~
# -- resources resource requests and limits for scan job containers
resources:
requests:
cpu: 100m
memory: 100M
# ephemeralStorage: "2Gi"
limits:
cpu: 500m
memory: 500M
# ephemeralStorage: "2Gi"
# -- githubToken is the GitHub access token used by Trivy to download the vulnerabilities
# database from GitHub. Only applicable in Standalone mode.
githubToken: ~
# -- serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode.
#
# serverURL: "https://trivy.trivy:4975"
# -- clientServerSkipUpdate is the flag to enable skip databases update for Trivy client.
# Only applicable in ClientServer mode.
clientServerSkipUpdate: false
# -- skipJavaDBUpdate is the flag to enable skip Java index databases update for Trivy client.
skipJavaDBUpdate: false
# -- serverInsecure is the flag to enable insecure connection to the Trivy server.
serverInsecure: false
# -- serverToken is the token to authenticate Trivy client with Trivy server. Only
# applicable in ClientServer mode.
serverToken: ~
# -- existingSecret if a secret containing gitHubToken, serverToken or serverCustomHeaders has been created outside the chart (e.g external-secrets, sops, etc...).
# Keys must be at least one of the following: trivy.githubToken, trivy.serverToken, trivy.serverCustomHeaders
# Overrides trivy.gitHubToken, trivy.serverToken, trivy.serverCustomHeaders values.
# Note: The secret has to be named "trivy-operator-trivy-config".
# existingSecret: true
# -- serverTokenHeader is the name of the HTTP header used to send the authentication
# token to Trivy server. Only application in ClientServer mode when
# trivy.serverToken is specified.
serverTokenHeader: "Trivy-Token"
# -- serverCustomHeaders is a comma separated list of custom HTTP headers sent by
# Trivy client to Trivy server. Only applicable in ClientServer mode.
serverCustomHeaders: ~
# serverCustomHeaders: "foo=bar"
dbRegistry: "mirror.gcr.io"
dbRepository: "aquasec/trivy-db"
# -- The username for dbRepository authentication
#
dbRepositoryUsername: ~
# -- The password for dbRepository authentication
#
dbRepositoryPassword: ~
# -- javaDbRegistry is the registry for the Java vulnerability database.
javaDbRegistry: "mirror.gcr.io"
javaDbRepository: "aquasec/trivy-java-db"
# -- The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)
#
dbRepositoryInsecure: "false"
# -- The Flag to enable the usage of builtin rego policies by default, these policies are downloaded by default from mirror.gcr.io/aquasec/trivy-checks
#
useBuiltinRegoPolicies: "false"
# -- The Flag to enable the usage of external rego policies config-map, this should be used when the user wants to use their own rego policies
#
externalRegoPoliciesEnabled: false
# -- To enable the usage of embedded rego policies, set the flag useEmbeddedRegoPolicies. This should serve as a fallback for air-gapped environments.
# When useEmbeddedRegoPolicies is set to true, useBuiltinRegoPolicies should be set to false.
useEmbeddedRegoPolicies: "true"
# -- The Flag is the list of supported kinds separated by comma delimiter to be scanned by the config audit scanner
#
supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
# -- command. One of `image`, `filesystem` or `rootfs` scanning, depending on the target type required for the scan.
# For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
# to run as the root user (runAsUser = 0).
command: image
# -- imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter.
# Only applicable in image scan mode.
imageScanCacheDir: "/tmp/trivy/.cache"
# -- filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter.
# Only applicable in filesystem scan mode.
filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
# -- serverUser this param is the server user to be used to download db from private registry
serverUser: ""
# -- serverPassword this param is the server user to be used to download db from private registry
serverPassword: ""
# -- serverServiceName this param is the server service name to be used in cluster
serverServiceName: "trivy-service"
# -- debug One of `true` or `false`. Enables debug mode.
debug: false
server:
# -- resources set trivy-server resource
resources:
requests:
cpu: 200m
memory: 512Mi
# ephemeral-storage: "2Gi"
limits:
cpu: 1
memory: 1Gi
# ephemeral-storage: "2Gi"
# -- podSecurityContext set trivy-server podSecurityContext
podSecurityContext:
runAsUser: 65534
runAsNonRoot: true
fsGroup: 65534
# -- securityContext set trivy-server securityContext
securityContext:
privileged: false
readOnlyRootFilesystem: true
# -- the number of replicas of the trivy-server
replicas: 1
# -- vaulesFromConfigMap name of a ConfigMap to apply TRIVY_* environment variables. Will override Helm values.
valuesFromConfigMap: ""
# -- valuesFromSecret name of a Secret to apply TRIVY_* environment variables. Will override Helm AND ConfigMap values.
valuesFromSecret: ""
compliance:
# -- failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
# this limit is for preventing the report from being too large per control checks
failEntriesLimit: 10
# -- reportType this flag control the type of report generated (summary or all)
reportType: summary
# -- cron this flag control the cron interval for compliance report generation
cron: 0 */6 * * *
# -- specs is a list of compliance specs to be used by the cluster compliance scanner
# - k8s-cis-1.23
# - k8s-nsa-1.0
# - k8s-pss-baseline-0.1
# - k8s-pss-restricted-0.1
# - eks-cis-1.4
# - rke2-cis-1.24
specs:
- k8s-cis-1.23
- k8s-nsa-1.0
- k8s-pss-baseline-0.1
- k8s-pss-restricted-0.1
rbac:
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
annotations: {}
# -- name specifies the name of the k8s Service Account. If not set and create is
# true, a name is generated using the fullname template.
name: ""
# -- podAnnotations annotations added to the operator's pod
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
# -- securityContext security context
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts:
# do not remove , required for policies bundle
- mountPath: /tmp
name: cache-policies
readOnly: false
volumes:
# do not remove , required for policies bundle
- name: cache-policies
emptyDir: {}
resources: {}
# -- We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- nodeSelector set the operator nodeSelector
nodeSelector: {}
# -- tolerations set the operator tolerations
tolerations: []
# -- affinity set the operator affinity
affinity: {}
# -- priorityClassName set the operator priorityClassName
priorityClassName: ""
# -- automountServiceAccountToken the flag to enable automount for service account token
automountServiceAccountToken: true
policiesBundle:
# -- registry of the policies bundle
registry: mirror.gcr.io
# -- repository of the policies bundle
repository: aquasec/trivy-checks
# -- tag version of the policies bundle
tag: 1
# -- registryUser is the user for the registry
registryUser: ~
# -- registryPassword is the password for the registry
registryPassword: ~
# -- existingSecret if a secret containing registry credentials that have been created outside the chart (e.g external-secrets, sops, etc...).
# Keys must be at least one of the following: policies.bundle.oci.user, policies.bundle.oci.password
# Overrides policiesBundle.registryUser, policiesBundle.registryPassword values.
# Note: The secret has to be named "trivy-operator".
existingSecret: false
# -- insecure is the flag to enable insecure connection to the policy bundle registry
insecure: false
nodeCollector:
# -- useNodeSelector determine if to use nodeSelector (by auto detecting node name) with node-collector scan job
useNodeSelector: true
# -- registry of the node-collector image
registry: ghcr.io
# -- repository of the node-collector image
repository: aquasecurity/node-collector
# -- tag version of the node-collector image
tag: 0.3.1
# -- imagePullSecret is the secret name to be used when pulling node-collector image from private registries example : reg-secret
# It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
imagePullSecret: ~
# -- excludeNodes comma-separated node labels that the node-collector job should exclude from scanning (example kubernetes.io/arch=arm64,team=dev)
excludeNodes:
# -- tolerations to be applied to the node-collector so that they can run on nodes with matching taints
tolerations: []
# -- If you do want to specify tolerations, uncomment the following lines, adjust them as necessary, and remove the
# square brackets after 'scanJobTolerations:'.
# - key: "key1"
# operator: "Equal"
# value: "value1"
# effect: "NoSchedule"
# -- node-collector pod volume mounts definition for collecting config files information
volumeMounts:
- name: var-lib-etcd
mountPath: /var/lib/etcd
readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
- name: var-lib-kube-scheduler
mountPath: /var/lib/kube-scheduler
readOnly: true
- name: var-lib-kube-controller-manager
mountPath: /var/lib/kube-controller-manager
readOnly: true
- name: etc-systemd
mountPath: /etc/systemd
readOnly: true
- name: lib-systemd
mountPath: /lib/systemd/
readOnly: true
- name: etc-kubernetes
mountPath: /etc/kubernetes
readOnly: true
- name: etc-cni-netd
mountPath: /etc/cni/net.d/
readOnly: true
# -- node-collector pod volumes definition for collecting config files information
volumes:
- name: var-lib-etcd
hostPath:
path: /var/lib/etcd
- name: var-lib-kubelet
hostPath:
path: /var/lib/kubelet
- name: var-lib-kube-scheduler
hostPath:
path: /var/lib/kube-scheduler
- name: var-lib-kube-controller-manager
hostPath:
path: /var/lib/kube-controller-manager
- name: etc-systemd
hostPath:
path: /etc/systemd
- name: lib-systemd
hostPath:
path: /lib/systemd
- name: etc-kubernetes
hostPath:
path: /etc/kubernetes
- name: etc-cni-netd
hostPath:
path: /etc/cni/net.d/