The current behavior of the operator is to read the target pod's spec and, for each container inside the pod, create a new container to scan that container's image.
Consider the following situation:
The target pod has multiple containers sharing similar images, e.g. cilium.
The operator creates a pod with 10 containers, each of which runs the same command and creates the same report.
There is an option to overcome this situation in the case of initContainers, but in the more generic case it would be nice to use a set instead of a list of images.
This behavior, combined with https://github.com/aquasecurity/trivy-operator/issues/2267, might explode the resources required to scan a pod, e.g. by setting requests to 200M and limits to 2G (to include all possibilities of images in a cluster) you'll schedule a pod with a 2G request and a 20G limit, which might OOM the whole node.
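The list-versus-set distinction described in this issue, shown as an added example in Go (not trivy-operator's own code). The `Container`/`PodSpec` types are simplified stand-ins for the corev1 types, the cilium-like pod and the 200Mi/2048Mi scan-container sizing are constructed sample values, and `uniqueImages` is a hypothetical deduplication step, not an existing operator function:

```go
package main

import "fmt"

// Container and PodSpec are simplified stand-ins for the corev1 types; only the
// fields this example needs are modelled (an assumption, not the operator's code).
type Container struct {
	Name  string
	Image string
}

type PodSpec struct {
	InitContainers []Container
	Containers     []Container
}

// ScanResources is the memory sizing applied to every scan container, in MiB
// (hypothetical values standing in for the configured requests/limits).
type ScanResources struct {
	RequestMiB int64
	LimitMiB   int64
}

// perContainerImages mirrors the current behavior: one scan target per container,
// so an image used by ten containers appears ten times.
func perContainerImages(spec PodSpec) []string {
	var images []string
	for _, c := range spec.InitContainers {
		images = append(images, c.Image)
	}
	for _, c := range spec.Containers {
		images = append(images, c.Image)
	}
	return images
}

// uniqueImages is the proposed behavior: treat the images as a set. First-seen
// order is kept so the generated scan job stays deterministic.
func uniqueImages(spec PodSpec) []string {
	seen := make(map[string]struct{})
	var images []string
	for _, img := range perContainerImages(spec) {
		if _, ok := seen[img]; ok {
			continue
		}
		seen[img] = struct{}{}
		images = append(images, img)
	}
	return images
}

// scanJobMemory sums the per-scan-container sizing over the images to scan, i.e.
// the total request and limit the scan pod would be scheduled with.
func scanJobMemory(images []string, r ScanResources) (requestMiB, limitMiB int64) {
	n := int64(len(images))
	return n * r.RequestMiB, n * r.LimitMiB
}

// samplePod is a constructed cilium-like pod: one init container and nine
// regular containers all built from the same image (tag is made up).
func samplePod() PodSpec {
	const img = "quay.io/cilium/cilium:example"
	spec := PodSpec{InitContainers: []Container{{Name: "config", Image: img}}}
	for i := 0; i < 9; i++ {
		spec.Containers = append(spec.Containers, Container{Name: fmt.Sprintf("agent-%d", i), Image: img})
	}
	return spec
}

func main() {
	spec := samplePod()
	sizing := ScanResources{RequestMiB: 200, LimitMiB: 2048}
	cases := []struct {
		name   string
		images []string
	}{
		{"per-container (current)", perContainerImages(spec)},
		{"unique images (proposed)", uniqueImages(spec)},
	}
	for _, tc := range cases {
		req, lim := scanJobMemory(tc.images, sizing)
		fmt.Printf("%-26s scan containers=%d request=%dMi limit=%dMi\n", tc.name, len(tc.images), req, lim)
	}
}
```

With the constructed pod the per-container approach schedules ten scan containers (2000Mi requested, 20480Mi limit), while the set-based approach schedules one (200Mi / 2048Mi); the node-level effect of combining a generous per-container limit with this multiplication is exactly the OOM risk raised above.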