Skip to content

Helm

Helm, which is the de facto standard package manager for Kubernetes, allows installing applications from parameterized YAML manifests called Helm charts.

To address shortcomings of static YAML manifests we provide the Helm chart to deploy the Trivy-Operator. The Helm chart supports all Install Modes.

As an example, let's install the operator in the trivy-system namespace and configure it to select all namespaces, except kube-system and trivy-system:

  1. Clone the chart directory:
   git clone --depth 1 --branch v0.23.0 https://github.com/aquasecurity/trivy-operator.git
   cd trivy-operator

Or add Aqua chart repository:

   helm repo add aqua https://aquasecurity.github.io/helm-charts/
   helm repo update
  1. Install the chart from a local directory:
   helm install trivy-operator ./deploy/helm \
     --namespace trivy-system \
     --create-namespace 

Or install the chart from the Aqua chart repository:

   helm install trivy-operator aqua/trivy-operator \
     --namespace trivy-system \
     --create-namespace \
     --version 0.25.0

Or install the chart from the Aqua chart repository using the OCI registry:

   helm install trivy-operator oci://ghcr.io/aquasecurity/helm-charts/trivy-operator \
     --namespace trivy-system \
     --create-namespace \
     --version 0.25.0

Configuration options can be passed using the --set parameter. To list only the fixed vulnerabilities in the cluster, one can use the following command.

      helm install trivy-operator ./deploy/helm \
     --namespace trivy-system \
     --create-namespace \
     --set="trivy.ignoreUnfixed=true"

There are many values in the chart that can be set to configure Trivy-Operator. See the customising section for more details.

  1. Check that the trivy-operator Helm release is created in the trivy-system namespace, and it has status deployed:
   $ helm list -n trivy-system
   NAME                 NAMESPACE           REVISION    UPDATED                                 STATUS      CHART                       APP VERSION
   trivy-operator   trivy-system    1           2021-01-27 20:09:53.158961 +0100 CET    deployed    trivy-operator-0.25.0   0.23.0

To confirm that the operator is running, check that the trivy-operator Deployment in the trivy-system namespace is available and all its containers are ready:

   $ kubectl get deployment -n trivy-system
   NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
   trivy-operator   1/1     1            1           11m

If for some reason it's not ready yet, check the logs of the Deployment for errors:

   kubectl logs deployment/trivy-operator -n trivy-system

Install as Helm dependency

There are cases, when potential chart developers want to add the operator as a dependency. An example would be the creation of an umbrella chart for an application, which depends on 3d-party charts.

In this case, it maybe not suitable to install the Trivy Operator in the same namespace as the main application. Instead, we can use the Helm value operator.namespace to define a namespace where only the operator will be installed. The Operator chart will then either create a new namespace if not existing or use the existing one.

Uninstall

You can uninstall the operator with the following command:

helm uninstall trivy-operator -n trivy-system

You have to manually delete custom resource definitions created by the helm install command:

Danger

Deleting custom resource definitions will also delete all security reports generated by the operator.

    kubectl delete crd vulnerabilityreports.aquasecurity.github.io
    kubectl delete crd exposedsecretreports.aquasecurity.github.io
    kubectl delete crd configauditreports.aquasecurity.github.io
    kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
    kubectl delete crd rbacassessmentreports.aquasecurity.github.io
    kubectl delete crd infraassessmentreports.aquasecurity.github.io
    kubectl delete crd clusterrbacassessmentreports.aquasecurity.github.io
    kubectl delete crd clustercompliancereports.aquasecurity.github.io
    kubectl delete crd clusterinfraassessmentreports.aquasecurity.github.io
    kubectl delete crd sbomreports.aquasecurity.github.io
    kubectl delete crd clustersbomreports.aquasecurity.github.io
    kubectl delete crd clustervulnerabilityreports.aquasecurity.github.io

Customising the Helm Chart

The Trivy Operator Helm Chart can be customised in the same way as other Helm Charts, by overwriting values in the values.yaml files.

You can find all the values that can be customised in the README of the Helm Chart on GitHub.

There are two ways to overwrite values in a Helm chart upon installation:

Create a custom values.yaml file with your changes and give Helm the file upon installation

e.g. to specfy that Trivy should ignore all unfixed vulnerabilities:

   trivy:
      ignoreUnfixed: true

The file can be passed into Trivy with the --values flag in Helm:

helm install trivy-operator aqua/trivy-operator \
   --namespace trivy-system \
   --create-namespace \
   --values values.yaml

Set the values that you want to customise in the installation command

This is done with the --set command in Helm:

helm install trivy-operator aqua/trivy-operator \
   --namespace trivy-system \
   --create-namespace \
   --set="trivy.ignoreUnfixed=true" \