devopstales / trivy-operator

Kubernetes Operator based on the open-source container vulnerability scanner Trivy.
https://devopstales.github.io/trivy-operator/
Apache License 2.0

Support for using cluster pullsecrets #19

Closed githubcdr closed 2 years ago

githubcdr commented 2 years ago

Hi,

First of all, thanks for trivy-operator :)

Would it be possible to use existing pullsecrets configured for this cluster to do image scanning?

devopstales commented 2 years ago

Hi @githubcdr

At the moment it is not possible to use pull secrets for scanning. The pull secrets are used by Kubernetes to pull an image, but in my case Trivy needs to pull the images. Trivy is running in the operator's pod, so for that to work I need to mount all the pull secrets to this pod. Or I could list these secrets from the Kubernetes API, but I didn't see how it can find them, and it would need permission for all the secrets in all the namespaces. This is problematic.

Instead, I use the NamespaceScanner CRD for the registry authentication configuration. I see your point. This NamespaceScanner is not stored as a secret, but secrets can be decoded if you have permission for that namespace. The default config is to store secrets in etcd in plain text, so I didn't consider this a huge risk.

I'll keep this issue open and check the possibility some time.
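As an added illustration of the mechanism discussed in the comment above (not code from trivy-operator): a `kubernetes.io/dockerconfigjson` pull secret can be resolved to credentials for one image's registry, so an operator only needs to read the secrets named in a pod's `imagePullSecrets`, in that pod's namespace, rather than every secret cluster-wide. The secret below is constructed and the function names are hypothetical.

```python
import base64
import json

# Docker Hub is referenced under several keys in a docker config; treat them as one registry.
DOCKER_HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def registry_of(image: str) -> str:
    """Registry host of an image reference; bare names such as 'nginx:1.25' mean Docker Hub."""
    first = image.split("/", 1)[0]
    # The first path component is a registry only if it looks like a host name.
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def decode_docker_config(secret: dict) -> dict:
    """Decode the base64 .dockerconfigjson payload of a pull secret and return its 'auths' map."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return json.loads(raw).get("auths", {})


def credentials_for_image(secret: dict, image: str):
    """Return (username, password) for the registry hosting `image`, or None if absent.

    Only the pull secret(s) listed in the pod's imagePullSecrets need to be read (one
    namespaced 'get' on Secrets), not every secret in the cluster.
    """
    registry = registry_of(image)
    for key, entry in decode_docker_config(secret).items():
        host = key.removeprefix("https://").removeprefix("http://").split("/")[0]
        same_hub = registry == "docker.io" and host in DOCKER_HUB_ALIASES
        if host == registry or same_hub:
            if "auth" in entry:  # 'auth' is base64("user:password")
                user, _, pwd = base64.b64decode(entry["auth"]).decode().partition(":")
                return user, pwd
            if "username" in entry and "password" in entry:
                return entry["username"], entry["password"]
    return None


# Constructed sample secret (placeholder credentials, not real ones).
SAMPLE_SECRET = {
    "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": base64.b64encode(json.dumps({"auths": {
        "registry.example.com:5000": {"auth": base64.b64encode(b"scanner:s3cret").decode()},
        "https://index.docker.io/v1/": {"username": "hubuser", "password": "hubpass"},
    }}).encode()).decode()},
}
```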

devopstales commented 2 years ago

@githubcdr I intend to work on this in the 2.5 release.

githubcdr commented 2 years ago

I'm currently using trivy-operator by Aqua, so I closed this issue.

devopstales commented 2 years ago

Closed by https://github.com/devopstales/trivy-operator/commit/eab13ff3648692f4743962c65f20cd568da9312a