aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

Operator to remove image duplicates before scheduling a scan job #2268

Open kchestnov opened 2 months ago

kchestnov commented 2 months ago

The current behavior of the operator is to read the target pod spec and, for each container inside the pod, create a new container to scan the target container image.

Consider the following situation:

This behavior, combined with https://github.com/aquasecurity/trivy-operator/issues/2267, might explode the resources required to scan a pod, e.g. by setting requests 200M and limits 2G (to include all possibilities of images in a cluster) you'll schedule a pod with a 2G request and 20G limit, which might OOM the whole node.
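The arithmetic in the comment above, as an added example that is not trivy-operator's own code: a constructed ten-container pod (one application image plus nine sidecars sharing a second image) is sized once per container, as the operator does today, and once after collapsing duplicate image references, as the issue proposes. The `Container`/`ScanPlan` types, the `limitExceedsNode` check and the 16 GiB node allocatable are assumptions of this example, not operator types or settings; deduplication matches on the exact image string, so the same image under a different tag or digest would still be scanned twice.

```go
package main

import "fmt"

// Container is a minimal stand-in for a Kubernetes container spec,
// constructed for this example (not the k8s.io/api type).
type Container struct {
	Name  string
	Image string
}

// ScanPlan summarises the scan job that would be built for one pod:
// the images it scans and the summed memory request/limit in MiB.
type ScanPlan struct {
	Images     []string
	RequestMiB int
	LimitMiB   int
}

// planPerContainer reproduces the behaviour described in the issue: one scan
// container per target container, so the job's resources are the
// per-container values multiplied by the number of containers.
func planPerContainer(pod []Container, reqMiB, limMiB int) ScanPlan {
	var p ScanPlan
	for _, c := range pod {
		p.Images = append(p.Images, c.Image)
	}
	p.RequestMiB = reqMiB * len(p.Images)
	p.LimitMiB = limMiB * len(p.Images)
	return p
}

// planDeduplicated is the behaviour the issue asks for: collapse identical
// image references before sizing the job. Matching on the exact image
// string is an assumption of this example; "app:1.0" and "app@sha256:..."
// would still count as two images.
func planDeduplicated(pod []Container, reqMiB, limMiB int) ScanPlan {
	seen := make(map[string]bool)
	var p ScanPlan
	for _, c := range pod {
		if seen[c.Image] {
			continue
		}
		seen[c.Image] = true
		p.Images = append(p.Images, c.Image)
	}
	p.RequestMiB = reqMiB * len(p.Images)
	p.LimitMiB = limMiB * len(p.Images)
	return p
}

// limitExceedsNode flags the failure mode in the issue: the scheduler only
// checks requests, so a job whose summed limit is above what the node can
// actually back may still be placed and then OOM the node under load.
func limitExceedsNode(p ScanPlan, nodeAllocatableMiB int) bool {
	return p.LimitMiB > nodeAllocatableMiB
}

// samplePod is a constructed ten-container pod: one application container
// plus nine sidecars that all run the same image.
var samplePod = func() []Container {
	pod := []Container{{Name: "app", Image: "registry.example/app:1.0"}}
	for i := 0; i < 9; i++ {
		pod = append(pod, Container{
			Name:  fmt.Sprintf("sidecar-%d", i),
			Image: "registry.example/sidecar:2.1",
		})
	}
	return pod
}()

func main() {
	// 200M request / 2G limit per scan container, as in the issue;
	// 16 GiB allocatable is an assumed node size.
	const reqMiB, limMiB, nodeMiB = 200, 2000, 16384
	plans := []struct {
		name string
		plan ScanPlan
	}{
		{"per-container", planPerContainer(samplePod, reqMiB, limMiB)},
		{"deduplicated", planDeduplicated(samplePod, reqMiB, limMiB)},
	}
	for _, p := range plans {
		fmt.Printf("%-14s images=%2d request=%5dMi limit=%5dMi exceeds node=%v\n",
			p.name, len(p.plan.Images), p.plan.RequestMiB, p.plan.LimitMiB,
			limitExceedsNode(p.plan, nodeMiB))
	}
}
```

Run with `go run .`: the per-container plan comes out at ten images, 2000Mi request and 20000Mi limit, which exceeds the assumed node; the deduplicated plan scans two images at 400Mi / 4000Mi and fits.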

github-actions[bot] commented 2 days ago

This issue is stale because it has been labeled with inactivity.