Closed githubcdr closed 2 years ago
Hi @githubcdr
At the moment it is not possible to use pull secrets for scanning. The pull secrets are used by Kubernetes to pull an image, but in my case trivy needs to pull the images. Trivy is running in the operator's pod, so for that to work I need to mount all the pull secrets to this pod. Or I can list these secrets from the Kubernetes API, but I didn't see how it can find them, and it needs permission to all the secrets in all the namespaces. This is problematic.
Instead I use the NamespaceScanner CRD for the registry authentication configuration. I see your point. This NamespaceScanner is not stored as a secret, but the secrets can be decoded if you have permission for that namespace. The default config is to store the secrets in etcd in plain text, so I didn't think of this as a huge risk.
I will keep this issue open and check the possibility some time.
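Added example (not part of this thread and not trivy-operator code): a Python illustration of resolving registry credentials from only the Secrets a pod lists in `spec.imagePullSecrets`, which bounds the reads a scanner would need to those named Secrets in the pod's own namespace. The pod, the Secrets, the registry name and the credential are constructed, and `registry_of`, `resolve_pull_credentials` and `get_secret` are hypothetical names.

```python
import base64
import json

# Constructed sample objects (not from the thread): a Secret of type
# kubernetes.io/dockerconfigjson and a Pod that references it.
_DOCKERCFG = {"auths": {"registry.example.com": {
    "auth": base64.b64encode(b"scanner:s3cr3t-placeholder").decode()}}}
SECRETS = {
    ("team-a", "regcred"): {
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(_DOCKERCFG).encode()).decode()},
    },
    ("team-a", "app-config"): {"type": "Opaque", "data": {}},
}
POD = {
    "metadata": {"namespace": "team-a", "name": "web"},
    "spec": {
        "imagePullSecrets": [{"name": "regcred"}],
        "containers": [{"name": "web",
                        "image": "registry.example.com/shop/web:1.4"}],
    },
}

def registry_of(image):
    """Registry host of an image reference. Simplified assumption: images
    without a registry host map to "docker.io"."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def resolve_pull_credentials(pod, get_secret):
    """Return {image: (user, password) or None} using only the Secrets the
    pod names in spec.imagePullSecrets, read from the pod's own namespace."""
    ns = pod["metadata"]["namespace"]
    auths = {}
    for ref in pod["spec"].get("imagePullSecrets", []):
        secret = get_secret(ns, ref["name"])
        if not secret or secret.get("type") != "kubernetes.io/dockerconfigjson":
            continue
        cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        auths.update(cfg.get("auths", {}))
    result = {}
    for c in pod["spec"]["containers"]:
        entry = auths.get(registry_of(c["image"]), {})
        user, sep, pw = base64.b64decode(entry.get("auth", "")).decode().partition(":")
        result[c["image"]] = (user, pw) if sep else None
    return result
```

The `auth` field is only base64, so read access to such a Secret is equivalent to holding the registry credential.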
@githubcdr I intend to work on this in the 2.5 release.
I'm currently using trivy-operator by Aqua so closed this issue
Hi,
First of all, thanks for trivy-operator :)
Would it be possible to use existing pullsecrets configured for this cluster to do image scanning?