aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0
1.27k stars 211 forks source link

Scan for vulnerabilities on nodes #1471

Open sathieu opened 1 year ago

sathieu commented 1 year ago

It would be great to scan the whole rootfs of the node (excluding common CRI directories like /var/lib/containerd).

This would scan for vulns in systemd, kubeadm, kubelet, ... and any binary locally installed.

Those vulnerabilities would go in a new CRD (nodevulnerabilityreports?).

chen-keinan commented 1 year ago

@sathieu can you add more info , have you tried doing testing that with trivy ?

sathieu commented 1 year ago

Here is an example job that does ... the job:

apiVersion: batch/v1
kind: Job
metadata:
  annotations:
  name: scan-node
  namespace: trivy-system
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/managed-by: trivy-operator
        vulnerabilityReport.scanner: Trivy
    spec:
      automountServiceAccountToken: false
      initContainers:
      - args:
        - --cache-dir
        - /tmp/trivy/.cache
        - image
        - --download-db-only
        - --db-repository
        - gitlab-registry.kube.example.org/external-registries/ghcr.io/aquasecurity/trivy-db
        command:
        - trivy
        env:
        - name: HTTP_PROXY
          valueFrom:
            configMapKeyRef:
              key: trivy.httpProxy
              name: trivy-operator-trivy-config
              optional: true
        - name: HTTPS_PROXY
          valueFrom:
            configMapKeyRef:
              key: trivy.httpsProxy
              name: trivy-operator-trivy-config
              optional: true
        - name: NO_PROXY
          valueFrom:
            configMapKeyRef:
              key: trivy.noProxy
              name: trivy-operator-trivy-config
              optional: true
        - name: GITHUB_TOKEN
          valueFrom:
            secretKeyRef:
              key: trivy.githubToken
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_INSECURE
          value: "true"
        image: ghcr.io/aquasecurity/trivy:0.43.1
        imagePullPolicy: IfNotPresent
        name: download-db
        resources:
          limits:
            cpu: 500m
            memory: 500M
          requests:
            cpu: 100m
            memory: 100M
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /tmp
          name: tmp
      containers:
      - args:
        - -c
        - trivy rootfs --slow /tmp/rootfs
          --debug
          --cache-dir /tmp/trivy/.cache
          --skip-dirs /var/lib/containerd --skip-dirs /var/lib/kubelet/pods --skip-dirs /var/log --skip-dirs /run/containerd
          --timeout 20m
          --quiet --skip-db-update --format json > /tmp/scan/result.json
          &&  bzip2 -c /tmp/scan/result.json | base64
        command:
        - /bin/sh
        env:
        - name: TRIVY_SEVERITY
          valueFrom:
            configMapKeyRef:
              key: trivy.severity
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_IGNORE_UNFIXED
          valueFrom:
            configMapKeyRef:
              key: trivy.ignoreUnfixed
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_OFFLINE_SCAN
          valueFrom:
            configMapKeyRef:
              key: trivy.offlineScan
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_JAVA_DB_REPOSITORY
          valueFrom:
            configMapKeyRef:
              key: trivy.javaDbRepository
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: trivy.timeout
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_SKIP_FILES
          valueFrom:
            configMapKeyRef:
              key: trivy.skipFiles
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_SKIP_DIRS
          valueFrom:
            configMapKeyRef:
              key: trivy.skipDirs
              name: trivy-operator-trivy-config
              optional: true
        - name: HTTP_PROXY
          valueFrom:
            configMapKeyRef:
              key: trivy.httpProxy
              name: trivy-operator-trivy-config
              optional: true
        - name: HTTPS_PROXY
          valueFrom:
            configMapKeyRef:
              key: trivy.httpsProxy
              name: trivy-operator-trivy-config
              optional: true
        - name: NO_PROXY
          valueFrom:
            configMapKeyRef:
              key: trivy.noProxy
              name: trivy-operator-trivy-config
              optional: true
        - name: TRIVY_INSECURE
          value: "true"
        image: ghcr.io/aquasecurity/trivy:0.43.1
        imagePullPolicy: IfNotPresent
        name: node-scan
        resources:
          limits:
            cpu: 500m
            memory: 500M
          requests:
            cpu: 100m
            memory: 100M
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        - mountPath: /tmp
          name: tmp
        - mountPath: /tmp/rootfs
          name: rootfs
          readOnly: true
        - mountPath: /tmp/scan
          name: scanresult
      restartPolicy: Never
      schedulerName: default-scheduler
      securityContext:
        runAsGroup: 10000
        runAsNonRoot: false
        runAsUser: 10000
      serviceAccount: trivy-operator
      serviceAccountName: trivy-operator
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir: {}
        name: tmp
      - emptyDir: {}
        name: scanresult
      - name: rootfs
        hostPath:
          path: /

Basically, it is the same as a scan vulnerability report:

Was is missing in my test is using node affinity and create one job per node.

My job run as an non-root user, this should also be configurable I think.

chen-keinan commented 1 year ago

@sathieu look like could be a nice feature , would you like to raise a PR ?

sathieu commented 1 year ago

@chen-keinan I won't have the time to work on this within the next 2-3 months. I don't promise anything after πŸ˜‰ !

I'm also interested with vulnerability scans for non-Kubernetes nodes. I want to have CRDs and metrics for all my managed servers (most are k8s). I need to think a bit more about this.

chen-keinan commented 1 year ago

@chen-keinan I won't have the time to work on this within the next 2-3 months. I don't promise anything after πŸ˜‰ !

I'm also interested with vulnerability scans for non-Kubernetes nodes. I want to have CRDs and metrics for all my managed servers (most are k8s). I need to think a bit more about this.

@sathieu thank for the reply, I'l give you sometime to think on it. if you do not think you'll find time to work on it later on' let me know and I'll pick it up

sathieu commented 1 year ago

@sathieu thank for the reply, I'l give you sometime to think on it. if you do not think you'll find time to work on it later on' let me know and I'll pick it up

@chen-keinan Feel free to pick it up now, if you have the time πŸ₯‡ !

github-actions[bot] commented 1 year ago

This issue is stale because it has been labeled with inactivity.

sathieu commented 1 year ago

Not stale, but I have no time to handle it currently

gerbil commented 10 months ago

@sathieu any ideas how to disable node scan completely?

chen-keinan commented 10 months ago

@sathieu any ideas how to disable node scan completely?

disable this flag

github-actions[bot] commented 8 months ago

This issue is stale because it has been labeled with inactivity.

sathieu commented 8 months ago

not stale

github-actions[bot] commented 6 months ago

This issue is stale because it has been labeled with inactivity.

dkulchinsky commented 6 months ago

hopefully not stale πŸ™πŸΌ

github-actions[bot] commented 4 months ago

This issue is stale because it has been labeled with inactivity.

sathieu commented 4 months ago

We still need this feature 🎁

github-actions[bot] commented 2 months ago

This issue is stale because it has been labeled with inactivity.

mouellet commented 1 month ago

Not stale…