An instance of the ConfigAuditReport represents the checks that a configuration auditing tool, such as [Trivy], has performed against a Kubernetes object's configuration: for example, that a given container runs as a non-root user, or that a container has resource requests and limits set. Checks might relate to Kubernetes workloads as well as to other namespaced Kubernetes objects such as Services, ConfigMaps, Roles, and RoleBindings.
Each report is owned by the underlying Kubernetes object (through an `ownerReference`) and is stored in the same namespace, following the `<workload-kind>-<workload-name>` naming convention with the kind lowercased, for example `replicaset-nginx-6d4cf56db6`.
The following listing shows a sample ConfigAuditReport associated with the ReplicaSet named `nginx-6d4cf56db6` in the `default` namespace:

```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  name: replicaset-nginx-6d4cf56db6
  namespace: default
  labels:
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    plugin-config-hash: 7f65d98b75
    resource-spec-hash: 7cb64cb677
  uid: d5cf8847-c96d-4534-beb9-514a34230302
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  updateTimestamp: '2021-05-20T12:38:10Z'
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: '0.1.5'
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 9
    mediumCount: 0
  checks:
    - category: Security
      checkID: hostPIDSet
      messages:
        - Host PID is not configured
      severity: CRITICAL
      success: true
    - category: Security
      checkID: hostIPCSet
      messages:
        - Host IPC is not configured
      severity: CRITICAL
      success: true
    - category: Security
      checkID: hostNetworkSet
      messages:
        - Host network is not configured
      severity: LOW
      success: true
    - category: Security
      checkID: notReadOnlyRootFilesystem
      messages:
        - Filesystem should be read only
      scope:
        type: Container
        value: nginx
      severity: LOW
      success: false
    - category: Security
      checkID: privilegeEscalationAllowed
      messages:
        - Privilege escalation should not be allowed
      scope:
        type: Container
        value: nginx
      severity: CRITICAL
      success: false
```
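The report structure above is what a practitioner typically consumes in automation: pull the failed checks out of `report.checks`, confirm the report really belongs to the workload it is named after, and cross-check `report.summary` against the checks. The following script is an added example written for this page, not code from trivy-operator or Trivy. It parses a ConfigAuditReport in the JSON form `kubectl get ... -o json` returns, embeds a constructed, trimmed sample (the values are made up for the example), and assumes that the summary counts tally failed checks by severity. Pass a file path to run it against a real report instead of the sample.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape `kubectl get configauditreport <name> -o json`
# would return, trimmed to the fields used below. Values are made up for this example.
SAMPLE_REPORT = json.loads("""
{
  "apiVersion": "aquasecurity.github.io/v1alpha1",
  "kind": "ConfigAuditReport",
  "metadata": {
    "name": "replicaset-nginx-6d4cf56db6",
    "namespace": "default",
    "ownerReferences": [
      {"apiVersion": "apps/v1", "kind": "ReplicaSet",
       "name": "nginx-6d4cf56db6", "controller": true}
    ]
  },
  "report": {
    "summary": {"criticalCount": 1, "highCount": 0, "mediumCount": 0, "lowCount": 1},
    "checks": [
      {"checkID": "hostPIDSet", "severity": "CRITICAL", "success": true,
       "messages": ["Host PID is not configured"]},
      {"checkID": "notReadOnlyRootFilesystem", "severity": "LOW", "success": false,
       "scope": {"type": "Container", "value": "nginx"},
       "messages": ["Filesystem should be read only"]},
      {"checkID": "privilegeEscalationAllowed", "severity": "CRITICAL", "success": false,
       "scope": {"type": "Container", "value": "nginx"},
       "messages": ["Privilege escalation should not be allowed"]}
    ]
  }
}
""")

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def expected_name(report):
    """Name the report should carry: <workload-kind>-<workload-name>, kind lowercased,
    derived from the single controller ownerReference."""
    owners = [o for o in report["metadata"].get("ownerReferences", []) if o.get("controller")]
    if len(owners) != 1:
        raise ValueError("report must have exactly one controller ownerReference")
    owner = owners[0]
    return f"{owner['kind'].lower()}-{owner['name']}"


def name_matches_owner(report):
    """True when metadata.name follows the naming convention for its owner."""
    return report["metadata"]["name"] == expected_name(report)


def failed_checks(report):
    """Failed checks as (severity, checkID, scope, message) tuples, most severe first."""
    rank = {sev: i for i, sev in enumerate(SEVERITIES)}
    rows = []
    for check in report["report"].get("checks", []):
        if check.get("success", False):
            continue
        scope = check.get("scope")
        scope_str = f"{scope['type']}/{scope['value']}" if scope else "-"
        rows.append((check["severity"], check["checkID"], scope_str,
                     "; ".join(check.get("messages", []))))
    return sorted(rows, key=lambda r: (rank.get(r[0], len(SEVERITIES)), r[1]))


def recomputed_summary(report):
    """Tally failed checks by severity, using the summary's own key names
    (assumption: the summary counts failed checks, not all checks)."""
    counts = Counter(sev for sev, *_ in failed_checks(report))
    return {f"{sev.lower()}Count": counts.get(sev, 0) for sev in SEVERITIES}


def summary_consistent(report):
    """True when the stated summary agrees with the tally recomputed from the checks."""
    stated = report["report"].get("summary", {})
    return all(stated.get(k, 0) == v for k, v in recomputed_summary(report).items())


def main():
    # With a path argument, audit a real report dumped via `kubectl ... -o json`;
    # otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    meta = report["metadata"]
    print(f"{meta['namespace']}/{meta['name']}: name matches owner: {name_matches_owner(report)}")
    print(f"summary consistent with checks: {summary_consistent(report)}")
    for sev, check_id, scope, msg in failed_checks(report):
        print(f"  FAIL {sev:<8} {check_id:<30} {scope:<18} {msg}")


if __name__ == "__main__":
    main()
```

Against a live cluster the input is produced with `kubectl get configauditreport replicaset-nginx-6d4cf56db6 -n default -o json > report.json`; the name check is only meaningful for reports created by the operator, since a third-party tool writing ConfigAuditReports directly might use a different convention.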
Third-party Kubernetes configuration checkers, linters, and sanitizers that emit output compliant with the ConfigAuditReport schema can be integrated with trivy-operator.
The challenge with onboarding third-party configuration checkers is that they tend to expose different interfaces for running a scan and to vary in output format, even though they share a relatively common goal: inspecting deployment descriptors for known configuration pitfalls.