kubectl
You can use static YAML manifests to install the operator in the trivy-system namespace and configure it to select all namespaces, except kube-system and trivy-system.
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/v0.0.1/deploy/static/trivy-operator.yaml
To confirm that the operator is running, check that the trivy-operator Deployment in the trivy-system namespace is available and all its containers are ready:
$ kubectl get deployment -n trivy-system
NAME             READY   UP-TO-DATE   AVAILABLE   AGE
trivy-operator   1/1     1            1           11m
If for some reason it's not ready yet, check the logs of the trivy-operator Deployment for errors:
kubectl logs deployment/trivy-operator -n trivy-system
Trivy-Operator ensures that the default Settings are stored in ConfigMaps and Secrets created in the trivy-system namespace.
You can always change these settings by editing the configuration objects. For example, you can use Trivy in ClientServer mode, which is more efficient than the Standalone mode, or switch to Aqua Enterprise as an alternative vulnerability scanner.
You can further adjust the Configuration of the operator with environment variables. For example, to change the target namespace from all namespaces to the default namespace, edit the trivy-operator Deployment and change the value of the OPERATOR_TARGET_NAMESPACES environment variable from the blank string ("") to the default value.
Trivy-Operator can generate a compliance report based on the NSA, CISA Kubernetes Hardening Guidance v1.0. To do that, you must install the nsa ClusterComplianceReport resource:
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/v0.0.1/deploy/specs/nsa-1.0.yaml
Static YAML manifests with fixed values have shortcomings. For example, if you want to change the container image or modify default configuration settings, you have to edit existing manifests or customize them with tools such as Kustomize. Thus, we also provide a Helm chart as an alternative installation option.
Uninstall
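The OPERATOR_TARGET_NAMESPACES change described above can be kept as a Kustomize overlay instead of a hand edit of the Deployment. This is an added example, not part of the trivy-operator project; it assumes the static manifest was saved locally as trivy-operator.yaml and that the operator container is named trivy-operator (confirm both against the manifest you downloaded).

```yaml
# kustomization.yaml (added example; file names and container name are assumptions)
# Assumes the pinned manifest was downloaded next to this file and reviewed, e.g.:
#   curl -LO https://raw.githubusercontent.com/aquasecurity/trivy-operator/v0.0.1/deploy/static/trivy-operator.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - trivy-operator.yaml

patches:
  # Strategic merge patch: env entries are merged by name, so only
  # OPERATOR_TARGET_NAMESPACES changes and every other setting in the
  # upstream Deployment is left as shipped.
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: trivy-operator
      namespace: trivy-system
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: trivy-operator
        namespace: trivy-system
      spec:
        template:
          spec:
            containers:
              - name: trivy-operator   # assumed container name; check the manifest
                env:
                  - name: OPERATOR_TARGET_NAMESPACES
                    value: "default"   # was "" (all namespaces)
```

Render the result with kubectl kustomize . to review what will change, then apply it with kubectl apply -k . from the same directory.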
Danger
Uninstalling the operator and deleting custom resource definitions will also delete all generated security reports.
You can uninstall the operator with the following command:
kubectl delete -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/v0.0.1/deploy/static/trivy-operator.yaml