Merge branch 'main' of github.com:devopstales/trivy-operator

README.md

@@ -1,9 +1,21 @@
 # Trivy Operator
 
-Trivy Operator is an operator that default every 5 minutes execute a scan script. It will get image list from all namespaces with the label `trivy-scan=true`, and then scan this images with trivy, finally we will get metrics on `http://[pod-ip]:9115/metrics`
-
 Built with [kopf](https://github.com/nolar/kopf)
 
+Main functions:
+
+* Scheduled Image scans on running pods
+* Trivy Image Validator Admission controller
+
+Inspirated by [knqyf263](https://github.com/knqyf263)'s [trivy-enforcer](https://github.com/aquasecurity/trivy-enforcer) and [fleeto](https://github.com/fleeto)'s [trivy-scanner](https://github.com/fleeto/trivy-scanner).
+
+### Schefuled Image scans
+Default every 5 minutes execute a scan script. It will get image list from all namespaces with the label `trivy-scan=true`, and then scan this images with trivy, finally we will get metrics on `http://[pod-ip]:9115/metrics`
+
+### Trivy Image Validator
+The admission controller function can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. The admission controller checks the image using trivy.
+
+
 ## Usage
 
 ```bash
@@ -54,3 +66,51 @@ kubectl logs
 [2021-10-02 09:45:52,227] kopf.objects         [INFO    ] [trivytest/main-config] Scanning Image: docker.io/library/nginx:1.18
 [2021-10-02 09:45:55,556] kopf.objects         [INFO    ] [trivytest/main-config] Scanning Image: docker.io/library/nginx:latest
 ~~~
+
+### Example Deploy:
+You can define policy to the Admission Controller, by adding annotation to the pod trough the deployment:
+
+```yaml
+spec:
+  ...
+  template:
+    metadata:
+      annotations:
+        trivy.security.devopstales.io/medium: "5"
+        trivy.security.devopstales.io/low: "10"
+        trivy.security.devopstales.io/critical: "2"
+...
+```
+
+### Development
+
+Install trivy:
+
+```bash
+nano /etc/yum.repos.d/trivy.repo
+[trivy]
+name=Trivy repository
+baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
+gpgcheck=0
+enabled=1
+
+sudo yum -y install trivy
+```
+
+To run kopf development you need to install the fallowing packages to the k3s host:
+
+```bash
+yum install -y python3.8
+pip3 install --no-cache-dir kopf kubernetes asyncio pycron prometheus_client certvalidator certbuilder
+pip3 install --no-cache-dir kopf[devel]
+```
+
+The admission webhook try to call the host with the domain name `host.k3d.internal` so I added to the host's `/etc/host` file.
+
+```bash
+echo "172.17.12.10 host.k3d.internal" >> /etc/host
+```
+
+```bash
+kopf run -A ./trivy-operator.py
+```

deploy/10_demo.yaml

@@ -12,6 +12,13 @@ metadata:
   name: nginx
   namespace: trivytest
 spec:
+  initContainers:
+  - name: init
+    image: nginxinc/nginx-unprivileged:latest
+    command: ['sh', '-c', 'echo The app is running! && sleep 10']
+  - name: init2
+    image: nginxinc/nginx-unprivileged:latest
+    command: ['sh', '-c', 'echo The app is running! && sleep 10']
   containers:
   - image: nginx:1.18
     imagePullPolicy: IfNotPresent
@@ -26,4 +33,7 @@ spec:
   containers:
   - image: nginx
     imagePullPolicy: IfNotPresent
-    name: nginx
+    name: nginx
+  - image: nginx
+    imagePullPolicy: IfNotPresent
+    name: nginx2

docker/Dockerfile

@@ -1,18 +1,16 @@
-FROM python:3.8-alpine
+FROM python:3.8.12-slim-buster
 
 ENV TRIVY_CACHE_DIR=/home/trivy-operator/trivy-cache \
     TRIVY_QUIET=true \
     IN_CLUSTER=true
 
-RUN apk add --no-cache gcc musl-dev
-
-RUN pip3 install --no-cache-dir kopf kubernetes asyncio pycron prometheus_client
+RUN pip3 install --no-cache-dir kopf[dev] kubernetes asyncio pycron prometheus_client oscrypto certvalidator certbuilder validators
 
 COPY trivy-operator.py /trivy-operator.py
 COPY trivy /usr/local/bin
 
-RUN addgroup -S -g 10001 trivy-operator && \
-    adduser -S -u 10001 trivy-operator -G trivy-operator && \
+RUN addgroup --gid 10001 trivy-operator && \
+    adduser --uid 10001 trivy-operator --ingroup trivy-operator && \
     mkdir /home/trivy-operator/trivy-cache && \
     chown -R trivy-operator:trivy-operator /home/trivy-operator/trivy-cache