Using the Trivy Operator addon in microk8s
Using the Trivy Operator through Microk8s
Microk8s is a lightweight Kubernetes distribution that can be used on your personal machine, Raspberry Pi cluster, in data centres or edge devices; just to name a few use cases.
One of the benefits of using microk8s is its add-on ecosystem. Once you have microk8s installed, you can spin up a variety of cloud native projects directly in your cluster through merely one command:
microk8s enable <name of the addon>
A list of addons is provided below.
dashboard-ingress # (community) Ingress definition for Kubernetes dashboard jaeger # (community) Kubernetes Jaeger operator with its simple config knative # (community) Knative Serverless and Event Driven Applications linkerd # (community) Linkerd is a service mesh for Kubernetes and other frameworks multus # (community) Multus CNI enables attaching multiple network interfaces to pods openebs # (community) OpenEBS is the open-source storage solution for Kubernetes osm-edge # (community) osm-edge is a lightweight SMI compatible service mesh for the edge-computing. portainer # (community) Portainer UI for your Kubernetes cluster starboard # (community) Kubernetes-native security toolkit traefik # (community) traefik Ingress controller for external access dns # (core) CoreDNS ha-cluster # (core) Configure high availability on the current node helm # (core) Helm - the package manager for Kubernetes helm3 # (core) Helm 3 - the package manager for Kubernetes trivy # (core) Kubernetes-native security scanner cert-manager # (core) Cloud native certificate management dashboard # (core) The Kubernetes dashboard host-access # (core) Allow Pods connecting to Host services smoothly hostpath-storage # (core) Storage class; allocates storage from host directory ingress # (core) Ingress controller for external access kube-ovn # (core) An advanced network fabric for Kubernetes mayastor # (core) OpenEBS MayaStor metallb # (core) Loadbalancer for your Kubernetes cluster metrics-server # (core) K8s Metrics Server for API access to service metrics observability # (core) A lightweight observability stack for logs, traces and metrics prometheus # (core) Prometheus operator for monitoring and logging rbac # (core) Role-Based Access Control for authorisation registry # (core) Private image registry exposed on localhost:32000 storage # (core) Alias to hostpath-storage add-on, deprecated
This tutorial will showcase how to install and then remove the Trivy Operator addon.
You need to have microk8s installed. In our case, we have set up kubectl to use the microk8s cluster. You can find different guides, depending on your operating system, on the microk8s website.
Install the Trivy Operator
To install the Trivy Operator, simply run the following command:
microk8s enable trivy
The confirmation should be similar to the following output:
Infer repository core for addon trivy Infer repository core for addon helm3 Addon core/helm3 is already enabled Infer repository core for addon dns Addon core/dns is already enabled Installing Trivy "aqua" already exists with the same configuration, skipping Release "trivy-operator" does not exist. Installing it now. NAME: trivy-operator LAST DEPLOYED: Sat Oct 8 16:39:59 2022 NAMESPACE: trivy-system STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: You have installed Trivy Operator in the trivy-system namespace. It is configured to discover Kubernetes workloads and resources in all namespace(s). Inspect created VulnerabilityReports by: kubectl get vulnerabilityreports --all-namespaces -o wide Inspect created ConfigAuditReports by: kubectl get configauditreports --all-namespaces -o wide Inspect the work log of trivy-operator by: kubectl logs -n trivy-system deployment/trivy-operator Trivy is installed
You should now see the Trivy Operator pod running inside of the
kubectl get all -n trivy-system NAME READY STATUS RESTARTS AGE pod/trivy-operator-57c44575c4-ml2hw 1/1 Running 0 29s pod/scan-vulnerabilityreport-5d55f55cd7-7l6kn 1/1 Running 0 27s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/trivy-operator ClusterIP None <none> 80/TCP 29s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/trivy-operator 1/1 1 1 29s NAME DESIRED CURRENT READY AGE replicaset.apps/trivy-operator-57c44575c4 1 1 1 29s NAME COMPLETIONS DURATION AGE job.batch/scan-vulnerabilityreport-5d55f55cd7 0/1 27s 27s
If you have any container images running in your microk8s cluster, Trivy will start a vulnerability scan on those right away.
Removing the Trivy Operator from your cluster is as easy as installing it. Simply run:
microk8s disable trivy
You should see an output similar to the following:
Infer repository core for addon trivy Disabling Trivy release "trivy-operator" uninstalled Trivy disabled