Draft: Switch from Starboard operator to Trivy Operator
Context
Starboard is deprecated and we need to move to Trivy Operator. This MR contains the changes to switch from Starboard to Trivy Operator.
Main Issue
Steps to set up and test
1. Set up GDK with kas
- Follow steps 1 to 3
2. Set up a k3d cluster
- Follow steps 1 to 3 to set up the k3d cluster and the loopback alias IP
3. Install the CRDs needed by the Trivy Operator packages
This implementation uses the WorkloadController, ScanJobController and TTLReportReconciler components from Trivy Operator to monitor the workloads in the cluster and run container scans on them. These components reference the report CRDs below in their code, so the CRDs have to be installed together with agentk for the scanner to function properly.
Install each of the CRDs:
```shell
kubectl apply -f internal/module/trivy_vulnerability/agent/ConfigAuditReport.yaml
kubectl apply -f internal/module/trivy_vulnerability/agent/ExposedSecretReport.yaml
kubectl apply -f internal/module/trivy_vulnerability/agent/InfraAssessmentReport.yml
kubectl apply -f internal/module/trivy_vulnerability/agent/RbacAssessmentReport.yml
kubectl apply -f internal/module/trivy_vulnerability/agent/VulnerabilityReport.yaml
```
4. Start kas and agentk locally
- You can either follow steps 4 and 5 of this setup guide or set up to debug locally, which was what I did
- If at this point you encountered some installation issues, I found some of the optional steps here useful in getting kas and agentk set up locally.
5. Start a pod in your cluster
Once the pod starts, it should trigger a vulnerability scan of the pod. You can start one by creating a deployment like this:
```shell
kubectl create deployment nginx --image nginx:alpine
```
If everything goes as expected, you should see the vulnerabilities in your project's vulnerability report, i.e. Security and Compliance > Vulnerability Report > Operational Vulnerabilities.
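To make step 3 (the CRD install) and step 5 (the smoke test) checkable rather than eyeballed, here is an added shell script. It is not part of this MR, of agentk or of Trivy Operator. It assumes that the five report CRDs are registered under the aquasecurity.github.io API group with the plural names used below, that Trivy Operator labels the report for a Deployment with the owning ReplicaSet via the trivy-operator.resource.kind and trivy-operator.resource.name labels, that `kubectl create deployment` sets the app=<name> label on its ReplicaSet, and it gates the live run behind a hypothetical TRIVY_PREFLIGHT_RUN variable so the functions can be sourced and exercised offline with constructed input.

```shell
#!/usr/bin/env sh
# Added example: preflight check for the CRDs the Trivy Operator controllers
# (WorkloadController, ScanJobController, TTLReportReconciler) reference,
# followed by a wait for the first VulnerabilityReport of the test deployment.
# Not part of the MR. CRD names assume Trivy Operator's aquasecurity.github.io group.

REQUIRED_CRDS="configauditreports.aquasecurity.github.io
exposedsecretreports.aquasecurity.github.io
infraassessmentreports.aquasecurity.github.io
rbacassessmentreports.aquasecurity.github.io
vulnerabilityreports.aquasecurity.github.io"

# missing_crds: reads the output of `kubectl get crd -o name` on stdin (one
# "customresourcedefinition.apiextensions.k8s.io/<name>" per line), prints each
# required CRD that is not installed, and returns 1 if any is missing.
missing_crds() {
    installed=$(sed 's#^customresourcedefinition\.apiextensions\.k8s\.io/##')
    rc=0
    for crd in $REQUIRED_CRDS; do
        if ! printf '%s\n' "$installed" | grep -qxF "$crd"; then
            echo "$crd"
            rc=1
        fi
    done
    return $rc
}

# wait_for_report: polls until a VulnerabilityReport exists for the named
# Deployment, then prints it. Deployment pods are owned by a ReplicaSet, and
# the report carries that ReplicaSet's name in trivy-operator.resource.name.
# Arguments: namespace, deployment name, optional number of 10 s polls.
wait_for_report() {
    ns=$1; name=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        rs=$(kubectl -n "$ns" get rs -l app="$name" \
                -o jsonpath='{.items[0].metadata.name}' 2>/dev/null)
        if [ -n "$rs" ] && kubectl -n "$ns" get vulnerabilityreports \
                -l trivy-operator.resource.kind=ReplicaSet,trivy-operator.resource.name="$rs" \
                -o name 2>/dev/null | grep -q .; then
            kubectl -n "$ns" get vulnerabilityreports \
                -l trivy-operator.resource.name="$rs"
            return 0
        fi
        sleep 10
        tries=$((tries - 1))
    done
    echo "no VulnerabilityReport for $ns/$name after polling" >&2
    return 1
}

# main: refuse to proceed while any CRD is missing (the controllers would not
# function), then create the test workload and wait for its report.
main() {
    if ! kubectl get crd -o name | missing_crds; then
        echo "install the missing CRDs listed above before starting agentk" >&2
        exit 1
    fi
    kubectl create deployment nginx --image nginx:alpine
    wait_for_report default nginx
}

# Hypothetical guard so the file can be sourced for offline testing of the
# functions; set TRIVY_PREFLIGHT_RUN=1 to run against the live k3d cluster.
if [ "${TRIVY_PREFLIGHT_RUN:-0}" = 1 ]; then
    main
fi
```

Run it with `TRIVY_PREFLIGHT_RUN=1 sh trivy_preflight.sh` after steps 1 to 4; the CRD check fails fast on exactly the condition the controllers cannot recover from, and the polling loop keys on the ReplicaSet rather than the Deployment because that is the workload kind the report is attached to.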
Useful resources
- Trivy Operator follows the Kubernetes operator pattern
- It seems to be generated using kubebuilder