ConfigAuditReport

An instance of the ConfigAuditReport represents checks performed by configuration auditing tools, such as Polaris and Conftest, against a Kubernetes object's configuration. For example, a check might verify that a given container image runs as a non-root user or that a container has resource requests and limits set. Checks might relate to Kubernetes workloads and to other namespaced Kubernetes objects such as Services, ConfigMaps, Roles, and RoleBindings.

Each report is owned by the underlying Kubernetes object and is stored in the same namespace, following the <workload-kind>-<workload-name> naming convention.

The following listing shows a sample ConfigAuditReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace.

apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  name: replicaset-nginx-6d4cf56db6
  namespace: default
  labels:
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    plugin-config-hash: 7f65d98b75
    resource-spec-hash: 7cb64cb677
  uid: d5cf8847-c96d-4534-beb9-514a34230302
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  updateTimestamp: '2021-05-20T12:38:10Z'
  scanner:
    name: Polaris
    vendor: Fairwinds Ops
    version: '4.2'
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 9
    mediumCount: 0
  checks:
    - category: Security
      checkID: hostPIDSet
      messages:
        - Host PID is not configured
      severity: CRITICAL
      success: true
    - category: Security
      checkID: hostIPCSet
      messages:
        - Host IPC is not configured
      severity: CRITICAL
      success: true
    - category: Security
      checkID: hostNetworkSet
      messages:
        - Host network is not configured
      severity: LOW
      success: true
    - category: Security
      checkID: notReadOnlyRootFilesystem
      messages:
        - Filesystem should be read only
      scope:
        type: Container
        value: nginx
      severity: LOW
      success: false
    - category: Security
      checkID: privilegeEscalationAllowed
      messages:
        - Privilege escalation should not be allowed
      scope:
        type: Container
        value: nginx
      severity: CRITICAL
      success: false

Third-party Kubernetes configuration checkers, linters, and sanitizers that are compliant with the ConfigAuditReport schema can be integrated with trivy-operator.

Note

The challenge with onboarding third-party configuration checkers is that they tend to have different interfaces for performing scans and vary in their output formats, even though they share a relatively common goal: inspecting deployment descriptors for known configuration pitfalls.
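Because every integrated checker, whatever its native interface, ends up in the same ConfigAuditReport schema, a consumer only has to understand that one shape. The following script is an added example, not part of the trivy-operator project: it reads ConfigAuditReport objects in the JSON form that `kubectl get configauditreports -A -o json` returns, verifies the `<workload-kind>-<workload-name>` naming convention against the controller ownerReference, lists the failed checks with their scope, and cross-checks the `summary` counters against the failed checks. It assumes that `summary` counts failed checks per severity (the trivy-operator convention, stated here as an assumption), and the embedded kubectl output is constructed for the example, with one report deliberately misnamed so the naming check has something to flag.

```python
"""Triage ConfigAuditReport objects from `kubectl get configauditreports -A -o json`.

Added example (not trivy-operator code). Uses only the standard library.
"""
import json

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample of kubectl JSON output (not captured from a real cluster).
# Item 1 mirrors the nginx ReplicaSet report; item 2 is deliberately misnamed.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ConfigAuditReport",
            "metadata": {
                "name": "replicaset-nginx-6d4cf56db6",
                "namespace": "default",
                "ownerReferences": [{"apiVersion": "apps/v1", "kind": "ReplicaSet",
                                     "name": "nginx-6d4cf56db6", "controller": True}],
            },
            "report": {
                "scanner": {"name": "Polaris", "vendor": "Fairwinds Ops", "version": "4.2"},
                "summary": {"criticalCount": 1, "highCount": 0, "mediumCount": 0, "lowCount": 1},
                "checks": [
                    {"checkID": "hostPIDSet", "category": "Security", "severity": "CRITICAL",
                     "success": True, "messages": ["Host PID is not configured"]},
                    {"checkID": "notReadOnlyRootFilesystem", "category": "Security",
                     "severity": "LOW", "success": False,
                     "scope": {"type": "Container", "value": "nginx"},
                     "messages": ["Filesystem should be read only"]},
                    {"checkID": "privilegeEscalationAllowed", "category": "Security",
                     "severity": "CRITICAL", "success": False,
                     "scope": {"type": "Container", "value": "nginx"},
                     "messages": ["Privilege escalation should not be allowed"]},
                ],
            },
        },
        {
            "apiVersion": "aquasecurity.github.io/v1alpha1",
            "kind": "ConfigAuditReport",
            "metadata": {
                "name": "svc-web",  # constructed: violates <kind>-<name>
                "namespace": "default",
                "ownerReferences": [{"apiVersion": "v1", "kind": "Service",
                                     "name": "web", "controller": True}],
            },
            "report": {
                "scanner": {"name": "Polaris", "vendor": "Fairwinds Ops", "version": "4.2"},
                "summary": {"criticalCount": 0, "highCount": 0, "mediumCount": 0, "lowCount": 0},
                "checks": [
                    {"checkID": "hostNetworkSet", "category": "Security", "severity": "LOW",
                     "success": True, "messages": ["Host network is not configured"]},
                ],
            },
        },
    ],
})


def expected_report_name(owner_kind, owner_name):
    """<workload-kind>-<workload-name>, with the kind lower-cased as in the sample."""
    return f"{owner_kind.lower()}-{owner_name}"


def failed_checks(report):
    """Return the failed checks, each tagged with a readable scope (container or object)."""
    out = []
    for check in report.get("report", {}).get("checks", []):
        if check.get("success"):
            continue
        scope = check.get("scope")
        target = f"{scope['type']}/{scope['value']}" if scope else "object"
        out.append({"checkID": check["checkID"], "severity": check["severity"],
                    "scope": target, "messages": list(check.get("messages", []))})
    return out


def failed_counts(report):
    """Count failed checks per severity (assumed to be what `summary` reports)."""
    counts = {s: 0 for s in SEVERITIES}
    for check in failed_checks(report):
        counts[check["severity"]] = counts.get(check["severity"], 0) + 1
    return counts


def summary_matches_checks(report):
    """True when the summary counters agree with the failed checks actually listed."""
    summary = report["report"].get("summary", {})
    counts = failed_counts(report)
    return all(summary.get(f"{s.lower()}Count", 0) == counts[s] for s in SEVERITIES)


def triage(kubectl_json):
    """Parse a single report or a kubectl List and return one triage record per report."""
    data = json.loads(kubectl_json)
    items = data["items"] if data.get("kind") == "List" else [data]
    results = []
    for item in items:
        meta = item["metadata"]
        owners = [o for o in meta.get("ownerReferences", []) if o.get("controller")]
        owner = owners[0] if owners else None
        problems = []
        if owner is None:
            problems.append("no controller ownerReference")
        elif meta["name"] != expected_report_name(owner["kind"], owner["name"]):
            problems.append(f"name {meta['name']!r} does not follow <kind>-<name> "
                            f"for {owner['kind']}/{owner['name']}")
        if not summary_matches_checks(item):
            problems.append("summary counts do not match failed checks")
        results.append({
            "namespace": meta.get("namespace"),
            "name": meta["name"],
            "scanner": item["report"].get("scanner", {}).get("name"),
            "failed": failed_checks(item),
            "failed_counts": failed_counts(item),
            "problems": problems,
        })
    return results


if __name__ == "__main__":
    for rec in triage(SAMPLE_KUBECTL_JSON):
        print(f"{rec['namespace']}/{rec['name']} ({rec['scanner']}): "
              f"{rec['failed_counts']} problems={rec['problems']}")
        for check in rec["failed"]:
            print(f"  {check['severity']:8} {check['checkID']} on {check['scope']}: "
                  f"{'; '.join(check['messages'])}")
```

To run it against a live cluster, replace `SAMPLE_KUBECTL_JSON` with the output of `kubectl get configauditreports -A -o json`; the same code works because the scanner's native format never reaches the consumer, only the ConfigAuditReport schema does.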