From 1b228bb7de307cb3db4daa5da6a35409f72b091f Mon Sep 17 00:00:00 2001 From: Lukasz Zajaczkowski Date: Mon, 18 Nov 2024 11:42:07 +0100 Subject: [PATCH] add VulnerabilityReport Controller tests --- internal/controller/suite_test.go | 4 + .../vulnerabilityreports_controller_test.go | 118 + test/crd/trivy-operator.yaml | 3761 +++++++++++++++++ 3 files changed, 3883 insertions(+) create mode 100644 internal/controller/vulnerabilityreports_controller_test.go create mode 100644 test/crd/trivy-operator.yaml diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go index 9a8ec5bd..3cc2a6f6 100644 --- a/internal/controller/suite_test.go +++ b/internal/controller/suite_test.go @@ -22,6 +22,7 @@ import ( "runtime" "testing" + trivy "github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" templatesv1 "github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1" @@ -80,6 +81,9 @@ var _ = BeforeSuite(func() { err = templatesv1.AddToScheme(scheme.Scheme) Expect(err).NotTo(HaveOccurred()) + err = trivy.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + kClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) Expect(err).NotTo(HaveOccurred()) Expect(kClient).NotTo(BeNil()) diff --git a/internal/controller/vulnerabilityreports_controller_test.go b/internal/controller/vulnerabilityreports_controller_test.go new file mode 100644 index 00000000..6814867d --- /dev/null +++ b/internal/controller/vulnerabilityreports_controller_test.go @@ -0,0 +1,118 @@ +package controller + +import ( + "context" + + trivy "github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + cmap "github.com/orcaman/concurrent-map/v2" + console "github.com/pluralsh/console/go/client" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/cli-utils/pkg/inventory" + "sigs.k8s.io/controller-runtime/pkg/reconcile" +) + +var _ = Describe("VulnerabilityReport Controller", Ordered, func() { + Context("When reconciling a resource", func() { + const ( + resourceName = "default" + namespace = "default" + ) + + ctx := context.Background() + + typeNamespacedName := types.NamespacedName{ + Name: resourceName, + Namespace: namespace, + } + + vulnerabilityReport := &trivy.VulnerabilityReport{} + pod := &corev1.Pod{} + BeforeAll(func() { + By("creating the custom resource for the Kind Pod") + err := kClient.Get(ctx, typeNamespacedName, pod) + if err != nil && errors.IsNotFound(err) { + resource := &corev1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: resourceName, + Namespace: namespace, + Annotations: map[string]string{ + inventory.OwningInventoryKey: "abc", + }, + }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + { + Name: "nginx-container", + Image: "nginx:1.21", + Ports: []corev1.ContainerPort{ + { + ContainerPort: 80, + }, + }, + }, + }, + }, + } + Expect(kClient.Create(ctx, resource)).To(Succeed()) + } + By("creating the custom resource for the Kind VulnerabilityReport") + err = kClient.Get(ctx, typeNamespacedName, vulnerabilityReport) + if err != nil && errors.IsNotFound(err) { + err = kClient.Get(ctx, typeNamespacedName, pod) + Expect(err).NotTo(HaveOccurred()) + + resource := &trivy.VulnerabilityReport{ + ObjectMeta: metav1.ObjectMeta{ + Name: resourceName, + Namespace: namespace, + OwnerReferences: []metav1.OwnerReference{ + *metav1.NewControllerRef(pod, schema.GroupVersionKind{ + Group: "", + Version: "v1", + Kind: "Pod", + }), + }, + }, + Report: trivy.VulnerabilityReportData{ + UpdateTimestamp: metav1.Now(), + Vulnerabilities: []trivy.Vulnerability{}, + }, + } + Expect(kClient.Create(ctx, resource)).To(Succeed()) + } + }) + + AfterAll(func() { + resource := &trivy.VulnerabilityReport{} + err := kClient.Get(ctx, typeNamespacedName, resource) + Expect(err).NotTo(HaveOccurred()) + + By("Cleanup the specific resource instance VulnerabilityReport") + Expect(kClient.Delete(ctx, resource)).To(Succeed()) + }) + + It("should successfully reconcile resource", func() { + reconciler := &VulnerabilityReportReconciler{ + Client: kClient, + Scheme: kClient.Scheme(), + Ctx: ctx, + reports: cmap.New[console.VulnerabilityReportAttributes](), + } + _, err := reconciler.Reconcile(ctx, reconcile.Request{ + NamespacedName: typeNamespacedName, + }) + Expect(err).NotTo(HaveOccurred()) + items := reconciler.reports.Items() + Expect(items).To(HaveLen(1)) + Expect(items["default/default"].Services).To(HaveLen(1)) + Expect(items["default/default"].Namespaces).To(HaveLen(1)) + }) + }) + +}) diff --git a/test/crd/trivy-operator.yaml b/test/crd/trivy-operator.yaml new file mode 100644 index 00000000..a233696a --- /dev/null +++ b/test/crd/trivy-operator.yaml @@ -0,0 +1,3761 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clustercompliancereports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterComplianceReport + listKind: ClusterComplianceReportList + plural: clustercompliancereports + shortNames: + - compliance + singular: clustercompliancereport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of checks that failed + jsonPath: .status.summary.failCount + name: Fail + priority: 1 + type: integer + - description: The number of checks that passed + jsonPath: .status.summary.passCount + name: Pass + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterComplianceReport is a specification for the ClusterComplianceReport + resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ReportSpec represent the compliance specification + properties: + compliance: + properties: + controls: + description: Control represent the cps controls data and mapping + checks + items: + description: Control represent the cps controls data and mapping + checks + properties: + checks: + items: + description: SpecCheck represent the scanner who perform + the control check + properties: + id: + description: id define the check id as produced by + scanner + type: string + required: + - id + type: object + type: array + commands: + items: + description: Commands represent the commands to be executed + by the node-collector + properties: + id: + description: id define the commands id + type: string + required: + - id + type: object + type: array + defaultStatus: + description: define the default value for check status in + case resource not found + enum: + - PASS + - WARN + - FAIL + type: string + description: + type: string + id: + description: id define the control check id + type: string + name: + type: string + severity: + description: define the severity of the control + enum: + - CRITICAL + - HIGH + - MEDIUM + - LOW + - UNKNOWN + type: string + required: + - id + - name + - severity + type: object + type: array + description: + type: string + id: + type: string + platform: + type: string + relatedResources: + items: + type: string + type: array + title: + type: string + type: + type: string + version: + type: string + required: + - controls + - description + - id + - platform + - relatedResources + - title + - type + - version + type: object + cron: + description: cron define the intervals for report generation + pattern: ^(((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1-5]{1}){1}([0-9]{1}){1}){1}))) + ((([\*]{1}){1})|((\*\/){0,1}(([0-9]{1}){1}|(([1]{1}){1}([0-9]{1}){1}){1}|([2]{1}){1}([0-3]{1}){1}))) + ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))) + ((([\*]{1}){1})|((\*\/){0,1}(([1-9]{1}){1}|(([1-2]{1}){1}([0-9]{1}){1}){1}|([3]{1}){1}([0-1]{1}){1}))|(jan|feb|mar|apr|may|jun|jul|aug|sep|okt|nov|dec)) + ((([\*]{1}){1})|((\*\/){0,1}(([0-7]{1}){1}))|(sun|mon|tue|wed|thu|fri|sat)))$ + type: string + reportType: + enum: + - summary + - all + type: string + required: + - compliance + - cron + - reportType + type: object + status: + properties: + detailReport: + description: ComplianceReport represents a kubernetes scan report + properties: + description: + type: string + id: + type: string + relatedVersion: + items: + type: string + type: array + results: + items: + properties: + checks: + items: + description: ComplianceCheck provides the result of conducting + a single compliance step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links + to external resources to remediate failing check. + type: string + severity: + description: Severity level of a vulnerability or + a configuration audit check. + type: string + success: + type: boolean + target: + type: string + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + description: + type: string + id: + type: string + name: + type: string + severity: + type: string + status: + type: string + required: + - checks + type: object + type: array + title: + type: string + version: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + summary: + properties: + failCount: + type: integer + passCount: + type: integer + type: object + summaryReport: + description: SummaryReport represents a kubernetes scan report with + consolidated findings + properties: + controlCheck: + items: + properties: + id: + type: string + name: + type: string + severity: + type: string + totalFail: + type: integer + type: object + type: array + id: + type: string + title: + type: string + type: object + x-kubernetes-preserve-unknown-fields: true + updateTimestamp: + format: date-time + type: string + required: + - updateTimestamp + type: object + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterconfigauditreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterConfigAuditReport + listKind: ClusterConfigAuditReportList + plural: clusterconfigauditreports + shortNames: + - clusterconfigaudit + singular: clusterconfigauditreport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The name of the config audit scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterConfigAuditReport is a specification for the ClusterConfigAuditReport + resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: ConfigAuditSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + updateTimestamp: + format: date-time + type: string + required: + - checks + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterinfraassessmentreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterInfraAssessmentReport + listKind: ClusterInfraAssessmentReportList + plural: clusterinfraassessmentreports + shortNames: + - clusterinfraassessment + singular: clusterinfraassessmentreport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The name of the infra assessement scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterInfraAssessmentReport is a specification for the ClusterInfraAssessmentReport + resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: InfraAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterrbacassessmentreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterRbacAssessmentReport + listKind: ClusterRbacAssessmentReportList + plural: clusterrbacassessmentreports + shortNames: + - clusterrbacassessmentreport + singular: clusterrbacassessmentreport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The name of the rbac assessment scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterRbacAssessmentReport is a specification for the ClusterRbacAssessmentReport + resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: RbacAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clustersbomreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterSbomReport + listKind: ClusterSbomReportList + plural: clustersbomreports + shortNames: + - clustersbom + singular: clustersbomreport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The name of image repository + jsonPath: .report.artifact.repository + name: Repository + type: string + - description: The name of image tag + jsonPath: .report.artifact.tag + name: Tag + type: string + - description: The name of the sbom generation scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of dependencies in bom + jsonPath: .report.summary.componentsCount + name: Components + priority: 1 + type: integer + - description: The the number of components in bom + jsonPath: .report.summary.dependenciesCount + name: Dependencies + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterSbomReport summarizes components and dependencies found + in container image + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + description: Report is the actual sbom report data. + properties: + artifact: + description: |- + Artifact represents a standalone, executable package of software that includes everything needed to + run an application. + properties: + digest: + description: Digest is a unique and immutable identifier of an + Artifact. + type: string + mimeType: + description: MimeType represents a type and format of an Artifact. + type: string + repository: + description: Repository is the name of the repository in the Artifact + registry. + type: string + tag: + description: Tag is a mutable, human-readable string used to identify + an Artifact. + type: string + type: object + components: + description: Bom is artifact bill of materials. + properties: + bomFormat: + type: string + components: + items: + properties: + bom-ref: + type: string + group: + type: string + hashes: + items: + properties: + alg: + type: string + content: + type: string + type: object + type: array + licenses: + items: + properties: + expression: + type: string + license: + properties: + id: + type: string + name: + type: string + url: + type: string + type: object + type: object + type: array + name: + type: string + properties: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + purl: + type: string + supplier: + properties: + contact: + items: + properties: + email: + type: string + name: + type: string + phone: + type: string + type: object + type: array + name: + type: string + url: + items: + type: string + type: array + type: object + type: + type: string + version: + type: string + type: object + type: array + dependencies: + items: + properties: + dependsOn: + items: + type: string + type: array + ref: + type: string + type: object + type: array + metadata: + properties: + component: + properties: + bom-ref: + type: string + group: + type: string + hashes: + items: + properties: + alg: + type: string + content: + type: string + type: object + type: array + licenses: + items: + properties: + expression: + type: string + license: + properties: + id: + type: string + name: + type: string + url: + type: string + type: object + type: object + type: array + name: + type: string + properties: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + purl: + type: string + supplier: + properties: + contact: + items: + properties: + email: + type: string + name: + type: string + phone: + type: string + type: object + type: array + name: + type: string + url: + items: + type: string + type: array + type: object + type: + type: string + version: + type: string + type: object + timestamp: + type: string + tools: + properties: + components: + items: + properties: + bom-ref: + type: string + group: + type: string + hashes: + items: + properties: + alg: + type: string + content: + type: string + type: object + type: array + licenses: + items: + properties: + expression: + type: string + license: + properties: + id: + type: string + name: + type: string + url: + type: string + type: object + type: object + type: array + name: + type: string + properties: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + purl: + type: string + supplier: + properties: + contact: + items: + properties: + email: + type: string + name: + type: string + phone: + type: string + type: object + type: array + name: + type: string + url: + items: + type: string + type: array + type: object + type: + type: string + version: + type: string + type: object + type: array + type: object + type: object + serialNumber: + type: string + specVersion: + type: string + version: + type: integer + required: + - bomFormat + - specVersion + type: object + registry: + description: Registry is the registry the Artifact was pulled from. + properties: + server: + description: Server the FQDN of registry server. + type: string + type: object + scanner: + description: Scanner is the scanner that generated this report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: Summary is a summary of sbom report. + properties: + componentsCount: + description: ComponentsCount is the number of components in bom. + minimum: 0 + type: integer + dependenciesCount: + description: DependenciesCount is the number of dependencies in + bom. + minimum: 0 + type: integer + required: + - componentsCount + - dependenciesCount + type: object + updateTimestamp: + description: UpdateTimestamp is a timestamp representing the server + time in UTC when this report was updated. + format: date-time + type: string + required: + - artifact + - components + - scanner + - summary + - updateTimestamp + type: object + required: + - report + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clustervulnerabilityreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ClusterVulnerabilityReport + listKind: ClusterVulnerabilityReportList + plural: clustervulnerabilityreports + shortNames: + - clustervuln + singular: clustervulnerabilityreport + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The name of image repository + jsonPath: .report.artifact.repository + name: Repository + type: string + - description: The name of image tag + jsonPath: .report.artifact.tag + name: Tag + type: string + - description: The name of the vulnerability scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of critical vulnerabilities + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of high vulnerabilities + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of medium vulnerabilities + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of low vulnerabilities + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + - description: The number of unknown vulnerabilities + jsonPath: .report.summary.unknownCount + name: Unknown + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + ClusterVulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages + built into container images. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + description: Report is the actual vulnerability report data. + properties: + artifact: + description: |- + Artifact represents a standalone, executable package of software that includes everything needed to + run an application. + properties: + digest: + description: Digest is a unique and immutable identifier of an + Artifact. + type: string + mimeType: + description: MimeType represents a type and format of an Artifact. + type: string + repository: + description: Repository is the name of the repository in the Artifact + registry. + type: string + tag: + description: Tag is a mutable, human-readable string used to identify + an Artifact. + type: string + type: object + os: + description: OS information of the artifact + properties: + eosl: + description: Eosl is true if OS version has reached end of service + life + type: boolean + family: + description: Operating System Family + type: string + name: + description: Name or version of the OS + type: string + type: object + registry: + description: Registry is the registry the Artifact was pulled from. + properties: + server: + description: Server the FQDN of registry server. + type: string + type: object + scanner: + description: Scanner is the scanner that generated this report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: Summary is a summary of Vulnerability counts grouped + by Severity. + properties: + criticalCount: + description: CriticalCount is the number of vulnerabilities with + Critical Severity. + minimum: 0 + type: integer + highCount: + description: HighCount is the number of vulnerabilities with High + Severity. + minimum: 0 + type: integer + lowCount: + description: LowCount is the number of vulnerabilities with Low + Severity. + minimum: 0 + type: integer + mediumCount: + description: MediumCount is the number of vulnerabilities with + Medium Severity. + minimum: 0 + type: integer + noneCount: + description: NoneCount is the number of packages without any vulnerability. + minimum: 0 + type: integer + unknownCount: + description: UnknownCount is the number of vulnerabilities with + unknown severity. + minimum: 0 + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + - unknownCount + type: object + updateTimestamp: + description: UpdateTimestamp is a timestamp representing the server + time in UTC when this report was updated. + format: date-time + type: string + vulnerabilities: + description: Vulnerabilities is a list of operating system (OS) or + application software Vulnerability items found in the Artifact. + items: + description: Vulnerability is the spec for a vulnerability record. + properties: + class: + type: string + cvss: + additionalProperties: + properties: + V2Score: + type: number + V2Vector: + type: string + V3Score: + type: number + V3Vector: + type: string + type: object + type: object + cvsssource: + type: string + description: + type: string + fixedVersion: + description: FixedVersion indicates the version of the Resource + in which this vulnerability has been fixed. + type: string + installedVersion: + description: InstalledVersion indicates the installed version + of the Resource. + type: string + lastModifiedDate: + description: LastModifiedDate indicates the last date CVE has + been modified. + type: string + links: + items: + type: string + type: array + packagePath: + type: string + packageType: + type: string + primaryLink: + type: string + publishedDate: + description: PublishedDate indicates the date of published CVE. + type: string + resource: + description: Resource is a vulnerable package, application, + or library. + type: string + score: + type: number + severity: + description: Severity level of a vulnerability or a configuration + audit check. + enum: + - CRITICAL + - HIGH + - MEDIUM + - LOW + - UNKNOWN + type: string + target: + type: string + title: + type: string + vulnerabilityID: + description: VulnerabilityID the vulnerability identifier. + type: string + required: + - fixedVersion + - installedVersion + - lastModifiedDate + - publishedDate + - resource + - severity + - title + - vulnerabilityID + type: object + type: array + required: + - artifact + - os + - scanner + - summary + - updateTimestamp + - vulnerabilities + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: configauditreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ConfigAuditReport + listKind: ConfigAuditReportList + plural: configauditreports + shortNames: + - configaudit + - configaudits + singular: configauditreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of the config audit scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ConfigAuditReport is a specification for the ConfigAuditReport + resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: ConfigAuditSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + updateTimestamp: + format: date-time + type: string + required: + - checks + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: exposedsecretreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: ExposedSecretReport + listKind: ExposedSecretReportList + plural: exposedsecretreports + shortNames: + - exposedsecret + - exposedsecrets + singular: exposedsecretreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of image repository + jsonPath: .report.artifact.repository + name: Repository + type: string + - description: The name of image tag + jsonPath: .report.artifact.tag + name: Tag + type: string + - description: The name of the exposed secret scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of critical exposed secrets + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of high exposed secrets + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of medium exposed secrets + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of low exposed secrets + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: ExposedSecretReport summarizes exposed secrets in plaintext files + built into container images. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + description: Report is the actual exposed secret report data. + properties: + artifact: + description: |- + Artifact represents a standalone, executable package of software that includes everything needed to + run an application. + properties: + digest: + description: Digest is a unique and immutable identifier of an + Artifact. + type: string + mimeType: + description: MimeType represents a type and format of an Artifact. + type: string + repository: + description: Repository is the name of the repository in the Artifact + registry. + type: string + tag: + description: Tag is a mutable, human-readable string used to identify + an Artifact. + type: string + type: object + registry: + description: Registry is the registry the Artifact was pulled from. + properties: + server: + description: Server the FQDN of registry server. + type: string + type: object + scanner: + description: Scanner is the scanner that generated this report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + secrets: + description: Exposed secrets is a list of passwords, api keys, tokens + and others items found in the Artifact. + items: + description: ExposedSecret is the spec for a exposed secret record. + properties: + category: + type: string + match: + description: Match where the exposed rule matched. + type: string + ruleID: + description: RuleID is rule the identifier. + type: string + severity: + description: Severity level of a vulnerability or a configuration + audit check. + enum: + - CRITICAL + - HIGH + - MEDIUM + - LOW + type: string + target: + description: Target is where the exposed secret was found. + type: string + title: + type: string + required: + - category + - match + - ruleID + - severity + - target + - title + type: object + type: array + summary: + description: Summary is the exposed secrets counts grouped by Severity. + properties: + criticalCount: + description: CriticalCount is the number of exposed secrets with + Critical Severity. + minimum: 0 + type: integer + highCount: + description: HighCount is the number of exposed secrets with High + Severity. + minimum: 0 + type: integer + lowCount: + description: LowCount is the number of exposed secrets with Low + Severity. + minimum: 0 + type: integer + mediumCount: + description: MediumCount is the number of exposed secrets with + Medium Severity. + minimum: 0 + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + updateTimestamp: + description: UpdateTimestamp is a timestamp representing the server + time in UTC when this report was updated. + format: date-time + type: string + required: + - artifact + - scanner + - secrets + - summary + - updateTimestamp + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: infraassessmentreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: InfraAssessmentReport + listKind: InfraAssessmentReportList + plural: infraassessmentreports + shortNames: + - infraassessment + - infraassessments + singular: infraassessmentreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of the infra assessment scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: InfraAssessmentReport is a specification for the InfraAssessmentReport + resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: InfraAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report + type: object + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: rbacassessmentreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: RbacAssessmentReport + listKind: RbacAssessmentReportList + plural: rbacassessmentreports + shortNames: + - rbacassessment + - rbacassessments + singular: rbacassessmentreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of the rbac assessment scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of failed checks with critical severity + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of failed checks with high severity + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of failed checks with medium severity + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of failed checks with low severity + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: RbacAssessmentReport is a specification for the RbacAssessmentReport + resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + properties: + checks: + description: Checks provides results of conducting audit steps. + items: + description: Check provides the result of conducting a single audit + step. + properties: + category: + type: string + checkID: + type: string + description: + type: string + messages: + items: + type: string + type: array + remediation: + description: Remediation provides description or links to external + resources to remediate failing check. + type: string + scope: + description: Scope indicates the section of config that was + audited. + properties: + type: + description: Type indicates type of this scope, e.g. Container, + ConfigMapKey or JSONPath. + type: string + value: + description: Value indicates value of this scope that depends + on Type, e.g. container name, ConfigMap key or JSONPath + expression + type: string + required: + - type + - value + type: object + severity: + description: Severity level of a vulnerability or a configuration + audit check. + type: string + success: + type: boolean + title: + type: string + required: + - checkID + - severity + - success + type: object + type: array + scanner: + description: Scanner is the spec for a scanner generating a security + assessment report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: RbacAssessmentSummary counts failed checks by severity. + properties: + criticalCount: + description: CriticalCount is the number of failed checks with + critical severity. + type: integer + highCount: + description: HighCount is the number of failed checks with high + severity. + type: integer + lowCount: + description: LowCount is the number of failed check with low severity. + type: integer + mediumCount: + description: MediumCount is the number of failed checks with medium + severity. + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + type: object + required: + - checks + - scanner + - summary + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: sbomreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: SbomReport + listKind: SbomReportList + plural: sbomreports + shortNames: + - sbom + - sboms + singular: sbomreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of image repository + jsonPath: .report.artifact.repository + name: Repository + type: string + - description: The name of image tag + jsonPath: .report.artifact.tag + name: Tag + type: string + - description: The name of the sbom generation scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of dependencies in bom + jsonPath: .report.summary.componentsCount + name: Components + priority: 1 + type: integer + - description: The the number of components in bom + jsonPath: .report.summary.dependenciesCount + name: Dependencies + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: SbomReport summarizes components and dependencies found in container + image + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + description: Report is the actual sbom report data. + properties: + artifact: + description: |- + Artifact represents a standalone, executable package of software that includes everything needed to + run an application. + properties: + digest: + description: Digest is a unique and immutable identifier of an + Artifact. + type: string + mimeType: + description: MimeType represents a type and format of an Artifact. + type: string + repository: + description: Repository is the name of the repository in the Artifact + registry. + type: string + tag: + description: Tag is a mutable, human-readable string used to identify + an Artifact. + type: string + type: object + components: + description: Bom is artifact bill of materials. + properties: + bomFormat: + type: string + components: + items: + properties: + bom-ref: + type: string + group: + type: string + hashes: + items: + properties: + alg: + type: string + content: + type: string + type: object + type: array + licenses: + items: + properties: + expression: + type: string + license: + properties: + id: + type: string + name: + type: string + url: + type: string + type: object + type: object + type: array + name: + type: string + properties: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + purl: + type: string + supplier: + properties: + contact: + items: + properties: + email: + type: string + name: + type: string + phone: + type: string + type: object + type: array + name: + type: string + url: + items: + type: string + type: array + type: object + type: + type: string + version: + type: string + type: object + type: array + dependencies: + items: + properties: + dependsOn: + items: + type: string + type: array + ref: + type: string + type: object + type: array + metadata: + properties: + component: + properties: + bom-ref: + type: string + group: + type: string + hashes: + items: + properties: + alg: + type: string + content: + type: string + type: object + type: array + licenses: + items: + properties: + expression: + type: string + license: + properties: + id: + type: string + name: + type: string + url: + type: string + type: object + type: object + type: array + name: + type: string + properties: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + purl: + type: string + supplier: + properties: + contact: + items: + properties: + email: + type: string + name: + type: string + phone: + type: string + type: object + type: array + name: + type: string + url: + items: + type: string + type: array + type: object + type: + type: string + version: + type: string + type: object + timestamp: + type: string + tools: + properties: + components: + items: + properties: + bom-ref: + type: string + group: + type: string + hashes: + items: + properties: + alg: + type: string + content: + type: string + type: object + type: array + licenses: + items: + properties: + expression: + type: string + license: + properties: + id: + type: string + name: + type: string + url: + type: string + type: object + type: object + type: array + name: + type: string + properties: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + purl: + type: string + supplier: + properties: + contact: + items: + properties: + email: + type: string + name: + type: string + phone: + type: string + type: object + type: array + name: + type: string + url: + items: + type: string + type: array + type: object + type: + type: string + version: + type: string + type: object + type: array + type: object + type: object + serialNumber: + type: string + specVersion: + type: string + version: + type: integer + required: + - bomFormat + - specVersion + type: object + registry: + description: Registry is the registry the Artifact was pulled from. + properties: + server: + description: Server the FQDN of registry server. + type: string + type: object + scanner: + description: Scanner is the scanner that generated this report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: Summary is a summary of sbom report. + properties: + componentsCount: + description: ComponentsCount is the number of components in bom. + minimum: 0 + type: integer + dependenciesCount: + description: DependenciesCount is the number of dependencies in + bom. + minimum: 0 + type: integer + required: + - componentsCount + - dependenciesCount + type: object + updateTimestamp: + description: UpdateTimestamp is a timestamp representing the server + time in UTC when this report was updated. + format: date-time + type: string + required: + - artifact + - components + - scanner + - summary + - updateTimestamp + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: vulnerabilityreports.aquasecurity.github.io +spec: + group: aquasecurity.github.io + names: + kind: VulnerabilityReport + listKind: VulnerabilityReportList + plural: vulnerabilityreports + shortNames: + - vuln + - vulns + singular: vulnerabilityreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of image repository + jsonPath: .report.artifact.repository + name: Repository + type: string + - description: The name of image tag + jsonPath: .report.artifact.tag + name: Tag + type: string + - description: The name of the vulnerability scanner + jsonPath: .report.scanner.name + name: Scanner + type: string + - description: The age of the report + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: The number of critical vulnerabilities + jsonPath: .report.summary.criticalCount + name: Critical + priority: 1 + type: integer + - description: The number of high vulnerabilities + jsonPath: .report.summary.highCount + name: High + priority: 1 + type: integer + - description: The number of medium vulnerabilities + jsonPath: .report.summary.mediumCount + name: Medium + priority: 1 + type: integer + - description: The number of low vulnerabilities + jsonPath: .report.summary.lowCount + name: Low + priority: 1 + type: integer + - description: The number of unknown vulnerabilities + jsonPath: .report.summary.unknownCount + name: Unknown + priority: 1 + type: integer + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + VulnerabilityReport summarizes vulnerabilities in application dependencies and operating system packages + built into container images. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + report: + description: Report is the actual vulnerability report data. + properties: + artifact: + description: |- + Artifact represents a standalone, executable package of software that includes everything needed to + run an application. + properties: + digest: + description: Digest is a unique and immutable identifier of an + Artifact. + type: string + mimeType: + description: MimeType represents a type and format of an Artifact. + type: string + repository: + description: Repository is the name of the repository in the Artifact + registry. + type: string + tag: + description: Tag is a mutable, human-readable string used to identify + an Artifact. + type: string + type: object + os: + description: OS information of the artifact + properties: + eosl: + description: Eosl is true if OS version has reached end of service + life + type: boolean + family: + description: Operating System Family + type: string + name: + description: Name or version of the OS + type: string + type: object + registry: + description: Registry is the registry the Artifact was pulled from. + properties: + server: + description: Server the FQDN of registry server. + type: string + type: object + scanner: + description: Scanner is the scanner that generated this report. + properties: + name: + description: Name the name of the scanner. + type: string + vendor: + description: Vendor the name of the vendor providing the scanner. + type: string + version: + description: Version the version of the scanner. + type: string + required: + - name + - vendor + - version + type: object + summary: + description: Summary is a summary of Vulnerability counts grouped + by Severity. + properties: + criticalCount: + description: CriticalCount is the number of vulnerabilities with + Critical Severity. + minimum: 0 + type: integer + highCount: + description: HighCount is the number of vulnerabilities with High + Severity. + minimum: 0 + type: integer + lowCount: + description: LowCount is the number of vulnerabilities with Low + Severity. + minimum: 0 + type: integer + mediumCount: + description: MediumCount is the number of vulnerabilities with + Medium Severity. + minimum: 0 + type: integer + noneCount: + description: NoneCount is the number of packages without any vulnerability. + minimum: 0 + type: integer + unknownCount: + description: UnknownCount is the number of vulnerabilities with + unknown severity. + minimum: 0 + type: integer + required: + - criticalCount + - highCount + - lowCount + - mediumCount + - unknownCount + type: object + updateTimestamp: + description: UpdateTimestamp is a timestamp representing the server + time in UTC when this report was updated. + format: date-time + type: string + vulnerabilities: + description: Vulnerabilities is a list of operating system (OS) or + application software Vulnerability items found in the Artifact. + items: + description: Vulnerability is the spec for a vulnerability record. + properties: + class: + type: string + cvss: + additionalProperties: + properties: + V2Score: + type: number + V2Vector: + type: string + V3Score: + type: number + V3Vector: + type: string + type: object + type: object + cvsssource: + type: string + description: + type: string + fixedVersion: + description: FixedVersion indicates the version of the Resource + in which this vulnerability has been fixed. + type: string + installedVersion: + description: InstalledVersion indicates the installed version + of the Resource. + type: string + lastModifiedDate: + description: LastModifiedDate indicates the last date CVE has + been modified. + type: string + links: + items: + type: string + type: array + packagePath: + type: string + packageType: + type: string + primaryLink: + type: string + publishedDate: + description: PublishedDate indicates the date of published CVE. + type: string + resource: + description: Resource is a vulnerable package, application, + or library. + type: string + score: + type: number + severity: + description: Severity level of a vulnerability or a configuration + audit check. + enum: + - CRITICAL + - HIGH + - MEDIUM + - LOW + - UNKNOWN + type: string + target: + type: string + title: + type: string + vulnerabilityID: + description: VulnerabilityID the vulnerability identifier. + type: string + required: + - fixedVersion + - installedVersion + - lastModifiedDate + - publishedDate + - resource + - severity + - title + - vulnerabilityID + type: object + type: array + required: + - artifact + - os + - scanner + - summary + - updateTimestamp + - vulnerabilities + type: object + required: + - report + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true + subresources: {} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +--- +# Source: trivy-operator/templates/configmaps/operator.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +data: + nodeCollector.volumes: "[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/systemd\"},\"name\":\"etc-systemd\"},{\"hostPath\":{\"path\":\"/lib/systemd\"},\"name\":\"lib-systemd\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]" + nodeCollector.volumeMounts: "[{\"mountPath\":\"/var/lib/etcd\",\"name\":\"var-lib-etcd\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kubelet\",\"name\":\"var-lib-kubelet\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-scheduler\",\"name\":\"var-lib-kube-scheduler\",\"readOnly\":true},{\"mountPath\":\"/var/lib/kube-controller-manager\",\"name\":\"var-lib-kube-controller-manager\",\"readOnly\":true},{\"mountPath\":\"/etc/systemd\",\"name\":\"etc-systemd\",\"readOnly\":true},{\"mountPath\":\"/lib/systemd/\",\"name\":\"lib-systemd\",\"readOnly\":true},{\"mountPath\":\"/etc/kubernetes\",\"name\":\"etc-kubernetes\",\"readOnly\":true},{\"mountPath\":\"/etc/cni/net.d/\",\"name\":\"etc-cni-netd\",\"readOnly\":true}]" + scanJob.useGCRServiceAccount: "true" + scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}" + scanJob.compressLogs: "true" + vulnerabilityReports.scanner: "Trivy" + configAuditReports.scanner: "Trivy" + compliance.failEntriesLimit: "10" + report.recordFailedChecksOnly: "true" + node.collector.imageRef: "ghcr.io/aquasecurity/node-collector:0.3.1" + policies.bundle.oci.ref: "ghcr.io/aquasecurity/trivy-checks:0" + policies.bundle.insecure: "false" + + node.collector.nodeSelector: "true" +--- +# Source: trivy-operator/templates/configmaps/trivy-operator-config.yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: trivy-operator-config + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +data: + OPERATOR_LOG_DEV_MODE: "false" + OPERATOR_SCAN_JOB_TTL: "" + OPERATOR_SCAN_JOB_TIMEOUT: "5m" + OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT: "10" + OPERATOR_CONCURRENT_NODE_COLLECTOR_LIMIT: "1" + OPERATOR_SCAN_JOB_RETRY_AFTER: "30s" + OPERATOR_BATCH_DELETE_LIMIT: "10" + OPERATOR_BATCH_DELETE_DELAY: "10s" + OPERATOR_METRICS_BIND_ADDRESS: ":8080" + OPERATOR_METRICS_FINDINGS_ENABLED: "true" + OPERATOR_METRICS_VULN_ID_ENABLED: "false" + OPERATOR_HEALTH_PROBE_BIND_ADDRESS: ":9090" + OPERATOR_VULNERABILITY_SCANNER_ENABLED: "true" + OPERATOR_SBOM_GENERATION_ENABLED: "true" + OPERATOR_CLUSTER_SBOM_CACHE_ENABLED: "false" + OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" + OPERATOR_SCANNER_REPORT_TTL: "24h" + OPERATOR_CACHE_REPORT_TTL: "120h" + CONTROLLER_CACHE_SYNC_TIMEOUT: "5m" + OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED: "true" + OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED: "true" + OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED: "true" + OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS: "true" + OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED: "true" + OPERATOR_METRICS_EXPOSED_SECRET_INFO_ENABLED: "false" + OPERATOR_METRICS_CONFIG_AUDIT_INFO_ENABLED: "false" + OPERATOR_METRICS_RBAC_ASSESSMENT_INFO_ENABLED: "false" + OPERATOR_METRICS_INFRA_ASSESSMENT_INFO_ENABLED: "false" + OPERATOR_METRICS_IMAGE_INFO_ENABLED: "false" + OPERATOR_METRICS_CLUSTER_COMPLIANCE_INFO_ENABLED: "false" + OPERATOR_WEBHOOK_BROADCAST_URL: "" + OPERATOR_WEBHOOK_BROADCAST_TIMEOUT: "30s" + OPERATOR_WEBHOOK_BROADCAST_CUSTOM_HEADERS: "" + OPERATOR_SEND_DELETED_REPORTS: "false" + OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES: "{}" + OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS: "true" + OPERATOR_BUILT_IN_TRIVY_SERVER: "false" + TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION: "10h" + OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT: "false" + OPERATOR_CLUSTER_COMPLIANCE_ENABLED: "true" +--- +# Source: trivy-operator/templates/configmaps/trivy.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trivy-operator-trivy-config + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +data: + trivy.repository: "ghcr.io/aquasecurity/trivy" + trivy.tag: "0.53.0" + trivy.imagePullPolicy: "IfNotPresent" + trivy.additionalVulnerabilityReportFields: "" + trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + trivy.slow: "true" + trivy.skipJavaDBUpdate: "false" + trivy.includeDevDeps: "false" + trivy.imageScanCacheDir: "/tmp/trivy/.cache" + trivy.filesystemScanCacheDir: "/var/trivyoperator/trivy-db" + trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db" + trivy.javaDbRepository: "ghcr.io/aquasecurity/trivy-java-db" + trivy.command: "image" + trivy.sbomSources: "" + trivy.dbRepositoryInsecure: "false" + trivy.useBuiltinRegoPolicies: "true" + trivy.useEmbeddedRegoPolicies: "false" + trivy.supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota" + trivy.timeout: "5m0s" + trivy.mode: "Standalone" + trivy.resources.requests.cpu: "100m" + trivy.resources.requests.memory: "100M" + trivy.resources.limits.cpu: "500m" + trivy.resources.limits.memory: "500M" +--- +# Source: trivy-operator/templates/secrets/operator.yaml +apiVersion: v1 +kind: Secret +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +data: +--- +# Source: trivy-operator/templates/secrets/trivy.yaml +apiVersion: v1 +kind: Secret +metadata: + name: trivy-operator-trivy-config + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +data: +--- +# Source: trivy-operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + template: + metadata: + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + spec: + serviceAccountName: trivy-operator + automountServiceAccountToken: true + containers: + - name: "trivy-operator" + image: "ghcr.io/aquasecurity/trivy-operator:0.22.0" + imagePullPolicy: IfNotPresent + env: + - name: OPERATOR_NAMESPACE + value: trivy-system + - name: OPERATOR_TARGET_NAMESPACES + value: "" + - name: OPERATOR_EXCLUDE_NAMESPACES + value: "" + - name: OPERATOR_TARGET_WORKLOADS + value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job" + - name: OPERATOR_SERVICE_ACCOUNT + value: "trivy-operator" + envFrom: + - configMapRef: + name: trivy-operator-config + ports: + - name: metrics + containerPort: 8080 + - name: probes + containerPort: 9090 + readinessProbe: + httpGet: + path: /readyz/ + port: probes + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + livenessProbe: + httpGet: + path: /healthz/ + port: probes + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp + name: cache-policies + readOnly: false + volumes: + - emptyDir: {} + name: cache-policies +--- +# Source: trivy-operator/templates/monitor/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +spec: + clusterIP: None + ports: + - name: metrics + port: 80 + targetPort: metrics + protocol: TCP + appProtocol: TCP + selector: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + type: ClusterIP +--- +# Source: trivy-operator/templates/rbac/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: trivy-operator +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - limitranges + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list +- apiGroups: + - "" + resources: + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - resourcequotas + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - get + - list + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - clustercompliancedetailreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - clustercompliancereports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - clustercompliancereports/status + verbs: + - get + - patch + - update +- apiGroups: + - aquasecurity.github.io + resources: + - clusterconfigauditreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - clusterinfraassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - clusterrbacassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - clustersbomreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - clustervulnerabilityreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - configauditreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - exposedsecretreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - infraassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - rbacassessmentreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - sbomreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - aquasecurity.github.io + resources: + - vulnerabilityreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - get + - list + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get +- apiGroups: + - "" + resources: + - nodes/proxy + verbs: + - get +--- +# Source: trivy-operator/templates/rbac/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: trivy-operator + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: trivy-operator +subjects: + - kind: ServiceAccount + name: trivy-operator + namespace: trivy-system +--- +# Source: trivy-operator/templates/rbac/leader-election-role.yaml +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: trivy-operator-leader-election + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create +--- +# Source: trivy-operator/templates/rbac/leader-election-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: trivy-operator-leader-election + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: trivy-operator-leader-election +subjects: + - kind: ServiceAccount + name: trivy-operator + namespace: trivy-system +--- +# Source: trivy-operator/templates/rbac/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - get + - delete +--- +# Source: trivy-operator/templates/rbac/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: trivy-operator +subjects: + - kind: ServiceAccount + name: trivy-operator + namespace: trivy-system +--- +# Source: trivy-operator/templates/rbac/view-configauditreports-clusterrole.yaml +# permissions for end users to view configauditreports +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-config-audit-reports-view + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: + - aquasecurity.github.io + resources: + - configauditreports + verbs: + - get + - list + - watch +--- +# Source: trivy-operator/templates/rbac/view-exposedsecretreports-clusterrole.yaml +# permissions for end users to view exposedsecretreports +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-exposed-secret-reports-view + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: + - aquasecurity.github.io + resources: + - exposedsecretreports + verbs: + - get + - list + - watch +--- +# Source: trivy-operator/templates/rbac/view-vulnerabilityreports-clusterrole.yaml +# permissions for end users to view vulnerabilityreports +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aggregate-vulnerability-reports-view + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: + - aquasecurity.github.io + resources: + - vulnerabilityreports + verbs: + - get + - list + - watch +--- +# Source: trivy-operator/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: trivy-operator + namespace: trivy-system + labels: + app.kubernetes.io/name: trivy-operator + app.kubernetes.io/instance: trivy-operator + app.kubernetes.io/version: "0.22.0" + app.kubernetes.io/managed-by: kubectl