Helm
Helm, which is the de facto standard package manager for Kubernetes, allows installing applications from parameterized YAML manifests called Helm charts.
To address shortcomings of static YAML manifests we provide the Helm chart to deploy the Trivy-Operator. The Helm chart supports all Install Modes.
As an example, let's install the operator in the trivy-system
namespace and configure it to select all namespaces,
except kube-system
and trivy-system
:
- Clone the chart directory:
git clone --depth 1 --branch v0.23.0 https://github.com/aquasecurity/trivy-operator.git
cd trivy-operator
Or add Aqua chart repository:
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
- Install the chart from a local directory:
helm install trivy-operator ./deploy/helm \
--namespace trivy-system \
--create-namespace
Or install the chart from the Aqua chart repository:
helm install trivy-operator aqua/trivy-operator \
--namespace trivy-system \
--create-namespace \
--version 0.25.0
Or install the chart from the Aqua chart repository using the OCI registry:
helm install trivy-operator oci://ghcr.io/aquasecurity/helm-charts/trivy-operator \
--namespace trivy-system \
--create-namespace \
--version 0.25.0
Configuration options can be passed using the --set
parameter. To list only the fixed vulnerabilities in the cluster, one can use the following command.
helm install trivy-operator ./deploy/helm \
--namespace trivy-system \
--create-namespace \
--set="trivy.ignoreUnfixed=true"
There are many values in the chart that can be set to configure Trivy-Operator. See the customising section for more details.
- Check that the
trivy-operator
Helm release is created in thetrivy-system
namespace, and it has statusdeployed
:
$ helm list -n trivy-system
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
trivy-operator trivy-system 1 2021-01-27 20:09:53.158961 +0100 CET deployed trivy-operator-0.25.0 0.23.0
To confirm that the operator is running, check that the trivy-operator
Deployment in the trivy-system
namespace is available and all its containers are ready:
$ kubectl get deployment -n trivy-system
NAME READY UP-TO-DATE AVAILABLE AGE
trivy-operator 1/1 1 1 11m
If for some reason it's not ready yet, check the logs of the Deployment for errors:
kubectl logs deployment/trivy-operator -n trivy-system
Install as Helm dependency
There are cases, when potential chart developers want to add the operator as a dependency. An example would be the creation of an umbrella chart for an application, which depends on 3d-party charts.
In this case, it maybe not suitable to install the Trivy Operator in the same namespace as the main application. Instead, we can use the Helm value operator.namespace
to define a namespace where only the operator will be installed. The Operator chart will then either create a new namespace if not existing or use the existing one.
Uninstall
You can uninstall the operator with the following command:
helm uninstall trivy-operator -n trivy-system
You have to manually delete custom resource definitions created by the helm install
command:
Danger
Deleting custom resource definitions will also delete all security reports generated by the operator.
kubectl delete crd vulnerabilityreports.aquasecurity.github.io
kubectl delete crd exposedsecretreports.aquasecurity.github.io
kubectl delete crd configauditreports.aquasecurity.github.io
kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
kubectl delete crd rbacassessmentreports.aquasecurity.github.io
kubectl delete crd infraassessmentreports.aquasecurity.github.io
kubectl delete crd clusterrbacassessmentreports.aquasecurity.github.io
kubectl delete crd clustercompliancereports.aquasecurity.github.io
kubectl delete crd clusterinfraassessmentreports.aquasecurity.github.io
kubectl delete crd sbomreports.aquasecurity.github.io
kubectl delete crd clustersbomreports.aquasecurity.github.io
kubectl delete crd clustervulnerabilityreports.aquasecurity.github.io
Customising the Helm Chart
The Trivy Operator Helm Chart can be customised in the same way as other Helm Charts, by overwriting values in the values.yaml
files.
You can find all the values that can be customised in the README of the Helm Chart on GitHub.
There are two ways to overwrite values in a Helm chart upon installation:
Create a custom values.yaml file with your changes and give Helm the file upon installation
e.g. to specfy that Trivy should ignore all unfixed vulnerabilities:
trivy:
ignoreUnfixed: true
The file can be passed into Trivy with the --values
flag in Helm:
helm install trivy-operator aqua/trivy-operator \
--namespace trivy-system \
--create-namespace \
--values values.yaml
Set the values that you want to customise in the installation command
This is done with the --set
command in Helm:
helm install trivy-operator aqua/trivy-operator \
--namespace trivy-system \
--create-namespace \
--set="trivy.ignoreUnfixed=true" \