ConfigAuditReport
An instance of the ConfigAuditReport represents the checks performed by a configuration auditing tool, such as [Trivy], against the configuration of a Kubernetes object: for example, checking that a container runs as a non-root user, or that a container has resource requests and limits set. Checks may apply to Kubernetes workloads as well as to other namespaced Kubernetes objects such as Services, ConfigMaps, Roles, and RoleBindings.
Each report is owned by the audited Kubernetes object (through an ownerReference, so Kubernetes garbage collection removes the report when that object is deleted) and is stored in the same namespace, following the `<workload-kind>-<workload-name>` naming convention, with the kind in lower case.
The following listing shows a sample ConfigAuditReport associated with the ReplicaSet named nginx-6d4cf56db6 in the default namespace. The summary counts failed checks per severity; only a subset of the checks is reproduced here, so the summary does not add up to the checks shown.
```yaml
apiVersion: aquasecurity.github.io/v1alpha1
kind: ConfigAuditReport
metadata:
  name: replicaset-nginx-6d4cf56db6
  namespace: default
  labels:
    trivy-operator.resource.kind: ReplicaSet
    trivy-operator.resource.name: nginx-6d4cf56db6
    trivy-operator.resource.namespace: default
    plugin-config-hash: 7f65d98b75
    resource-spec-hash: 7cb64cb677
  uid: d5cf8847-c96d-4534-beb9-514a34230302
  ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: false
      controller: true
      kind: ReplicaSet
      name: nginx-6d4cf56db6
      uid: aa345200-cf24-443a-8f11-ddb438ff8659
report:
  updateTimestamp: '2021-05-20T12:38:10Z'
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: '0.11.0'
  summary:
    criticalCount: 2
    highCount: 0
    lowCount: 9
    mediumCount: 0
  checks:
    - category: Security
      checkID: hostPIDSet
      messages:
        - Host PID is not configured
      severity: CRITICAL
      success: true
    - category: Security
      checkID: hostIPCSet
      messages:
        - Host IPC is not configured
      severity: CRITICAL
      success: true
    - category: Security
      checkID: hostNetworkSet
      messages:
        - Host network is not configured
      severity: LOW
      success: true
    - category: Security
      checkID: notReadOnlyRootFilesystem
      messages:
        - Filesystem should be read only
      scope:
        type: Container
        value: nginx
      severity: LOW
      success: false
    - category: Security
      checkID: privilegeEscalationAllowed
      messages:
        - Privilege escalation should not be allowed
      scope:
        type: Container
        value: nginx
      severity: CRITICAL
      success: false
```
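As an added example (it is not code from the trivy-operator project), the following Go program shows how a consumer of this CRD would read a report and turn it into a deployment gate: it decodes the JSON form of a report (the shape `kubectl get configauditreport <name> -o json` prints), recomputes the summary from the failed checks to confirm the two agree, derives the `<kind>-<name>` report name for a workload, and lists every failed check at or above a chosen severity, with the container scope attached where the check has one. The struct types cover only the fields used here and are assumptions about the schema taken from the listing above; the embedded JSON is constructed from the five checks shown, with a summary consistent with just those five, and was not captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Check is one entry of report.checks.
type Check struct {
	Category string   `json:"category"`
	CheckID  string   `json:"checkID"`
	Messages []string `json:"messages"`
	Scope    *Scope   `json:"scope,omitempty"` // nil for checks that apply to the whole object
	Severity string   `json:"severity"`
	Success  bool     `json:"success"`
}

// Scope narrows a check to one part of the object, e.g. a single container.
type Scope struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// Summary is report.summary: the number of failed checks per severity.
type Summary struct {
	CriticalCount int `json:"criticalCount"`
	HighCount     int `json:"highCount"`
	MediumCount   int `json:"mediumCount"`
	LowCount      int `json:"lowCount"`
}

// ConfigAuditReport is the subset of the CRD this example reads (an assumption, not the full schema).
type ConfigAuditReport struct {
	Metadata struct {
		Name      string            `json:"name"`
		Namespace string            `json:"namespace"`
		Labels    map[string]string `json:"labels"`
	} `json:"metadata"`
	Report struct {
		Summary Summary `json:"summary"`
		Checks  []Check `json:"checks"`
	} `json:"report"`
}

// severityRank orders severities so a gate can ask for "HIGH and above".
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ReportName returns the <kind>-<name> report name for a workload; the kind is
// lower-cased, as in the sample (ReplicaSet nginx-6d4cf56db6 -> replicaset-nginx-6d4cf56db6).
func ReportName(kind, name string) string {
	return strings.ToLower(kind) + "-" + name
}

// Summarize recomputes the summary from the checks, counting only failed ones.
func Summarize(checks []Check) Summary {
	var s Summary
	for _, c := range checks {
		if c.Success {
			continue
		}
		switch c.Severity {
		case "CRITICAL":
			s.CriticalCount++
		case "HIGH":
			s.HighCount++
		case "MEDIUM":
			s.MediumCount++
		case "LOW":
			s.LowCount++
		}
	}
	return s
}

// Violations returns one line per failed check at or above minSeverity, in report order.
func Violations(r *ConfigAuditReport, minSeverity string) []string {
	var out []string
	for _, c := range r.Report.Checks {
		if c.Success || severityRank[c.Severity] < severityRank[minSeverity] {
			continue
		}
		where := r.Metadata.Name
		if c.Scope != nil {
			where += "/" + c.Scope.Type + ":" + c.Scope.Value
		}
		out = append(out, fmt.Sprintf("%s %s %s: %s", c.Severity, c.CheckID, where, strings.Join(c.Messages, "; ")))
	}
	return out
}

// ParseReport decodes the JSON rendering of a ConfigAuditReport.
func ParseReport(data []byte) (*ConfigAuditReport, error) {
	var r ConfigAuditReport
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	return &r, nil
}

// sampleReport is constructed from the five checks in the listing above; the summary covers only those five.
const sampleReport = `{"apiVersion":"aquasecurity.github.io/v1alpha1","kind":"ConfigAuditReport",
"metadata":{"name":"replicaset-nginx-6d4cf56db6","namespace":"default",
"labels":{"trivy-operator.resource.kind":"ReplicaSet","trivy-operator.resource.name":"nginx-6d4cf56db6","trivy-operator.resource.namespace":"default"}},
"report":{"summary":{"criticalCount":1,"highCount":0,"mediumCount":0,"lowCount":1},"checks":[
{"category":"Security","checkID":"hostPIDSet","messages":["Host PID is not configured"],"severity":"CRITICAL","success":true},
{"category":"Security","checkID":"hostIPCSet","messages":["Host IPC is not configured"],"severity":"CRITICAL","success":true},
{"category":"Security","checkID":"hostNetworkSet","messages":["Host network is not configured"],"severity":"LOW","success":true},
{"category":"Security","checkID":"notReadOnlyRootFilesystem","messages":["Filesystem should be read only"],"scope":{"type":"Container","value":"nginx"},"severity":"LOW","success":false},
{"category":"Security","checkID":"privilegeEscalationAllowed","messages":["Privilege escalation should not be allowed"],"scope":{"type":"Container","value":"nginx"},"severity":"CRITICAL","success":false}]}}`

func main() {
	r, err := ParseReport([]byte(sampleReport))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if Summarize(r.Report.Checks) != r.Report.Summary {
		fmt.Println("warning: summary disagrees with checks (truncated or stale report?)")
	}
	v := Violations(r, "CRITICAL")
	for _, line := range v {
		fmt.Println(line)
	}
	if len(v) > 0 {
		os.Exit(1) // gate: fail the pipeline when a CRITICAL check did not pass
	}
}
```

In a pipeline the report is fetched by the name `ReportName` derives from the workload's kind and name, or selected with the `trivy-operator.resource.kind` and `trivy-operator.resource.name` labels shown in the listing; the exit status then decides whether the rollout proceeds. Comparing the stored summary with the recomputed one catches a report whose checks were cut off or edited after the fact.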
Third-party Kubernetes configuration checkers, linters, and sanitizers that are compliant with the ConfigAuditReport schema can be integrated with trivy-operator.
Note
The challenge with onboarding third-party configuration checkers is that they tend to expose different interfaces for running scans and differ in their output formats, even though they share a common goal: inspecting deployment descriptors for known configuration pitfalls.