From 4c83f8e7cbee2b57f01a470656af21f35d99d138 Mon Sep 17 00:00:00 2001 From: chenk Date: Tue, 11 Jul 2023 08:04:52 +0300 Subject: [PATCH] release: prepare v0.15.0-rc (#1354) Signed-off-by: chenk --- RELEASING.md | 10 ++-- deploy/helm/Chart.yaml | 4 +- deploy/helm/README.md | 2 +- deploy/helm/templates/specs/cis-1.23.yaml | 2 +- deploy/helm/templates/specs/nsa-1.0.yaml | 2 +- deploy/helm/templates/specs/pss-baseline.yaml | 2 +- .../helm/templates/specs/pss-restricted.yaml | 2 +- deploy/static/namespace.yaml | 2 +- deploy/static/trivy-operator.yaml | 36 +++++------ docs/docs/crds/clustercompliance-report.md | 2 +- docs/docs/crds/configaudit-report.md | 2 +- docs/docs/crds/exposedsecret-report.md | 2 +- docs/docs/crds/rbacassessment-report.md | 2 +- .../caching_scan_results_by_repo_digest.md | 4 +- docs/docs/design/design_compliance_report.md | 60 +++++++++++-------- ..._scan_job_in_same_namespace_of_workload.md | 2 +- .../managed-registries.md | 2 +- docs/tutorials/grafana-dashboard.md | 2 +- docs/tutorials/private-registries.md | 10 ++-- mkdocs.yml | 4 +- 20 files changed, 83 insertions(+), 71 deletions(-) diff --git a/RELEASING.md b/RELEASING.md index d748689e7..5497205b5 100644 --- a/RELEASING.md +++ b/RELEASING.md 
@@ -46,17 +46,17 @@ 5. Create an annotated git tag and push it to the `upstream`. This will trigger the [`.github/workflows/release.yaml`] workflow ``` - git tag -v0.14.1 -m 'Release v0.14.1' - git push upstream v0.14.1 + git tag -v0.15.0-rc -m 'Release v0.15.0-rc' + git push upstream v0.15.0-rc ``` 6. Verify that the `release` workflow has built and published the following artifacts 1. Trivy-operator container images published to DockerHub - `docker.io/aquasec/trivy-operator:0.14.1` + `docker.io/aquasec/trivy-operator:0.15.0-rc` 2. Trivy-operator container images published to Amazon ECR Public Gallery - `public.ecr.aws/aquasecurity/trivy-operator:0.14.1` + `public.ecr.aws/aquasecurity/trivy-operator:0.15.0-rc` 2. Trivy-operator container images published to GitHub Container Registry - `ghcr.io/aquasecurity/trivy-operator:0.14.1` + `ghcr.io/aquasecurity/trivy-operator:0.15.0-rc` 7. Publish the Helm chart by manually triggering the [`.github/workflows/publish-helm-chart.yaml`] workflow 8. Publish docs on by manually triggering the [`.github/workflows/publish-docs.yaml`] workflow 9. Submit trivy-operator Operator to OperatorHub and ArtifactHUB by opening the PR to the repository. diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml index 3da49f25f..18138a7b7 100644 --- a/deploy/helm/Chart.yaml +++ b/deploy/helm/Chart.yaml 
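Review bot: The tag command on the new `+` line, `git tag -v0.15.0-rc -m 'Release v0.15.0-rc'`, does not create the annotated tag the step describes: `-v` is git tag's verify flag, so git parses the rest of the argument as further switches and errors out instead of tagging (the replaced line carried the same typo, so this is not new, but the release runbook is wrong on the new side too). The step should read `git tag -a v0.15.0-rc -m 'Release v0.15.0-rc'`, or preferably `git tag -s v0.15.0-rc -m 'Release v0.15.0-rc'` so the tag that triggers `release.yaml` and names the published images is signed and attributable to the releaser. Since step 6 only checks that images exist under the expected tags, it would also help to add a sentence such as `Record the published image digests alongside the tag so consumers can pin by digest rather than the mutable 0.15.0-rc tag.` The rest of RELEASING.md is outside this hunk.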
@@ -6,12 +6,12 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.14.1 +version: 0.15.0-rc # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.14.1 +appVersion: 0.15.0-rc # kubeVersion: A SemVer range of compatible Kubernetes versions (optional) diff --git a/deploy/helm/README.md b/deploy/helm/README.md index cb70a8a80..cff21fe0a 100644 --- a/deploy/helm/README.md +++ b/deploy/helm/README.md @@ -1,6 +1,6 @@ # trivy-operator -![Version: 0.14.1](https://img.shields.io/badge/Version-0.14.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.14.1](https://img.shields.io/badge/AppVersion-0.14.1-informational?style=flat-square) +![Version: 0.15.0-rc](https://img.shields.io/badge/Version-0.15.0--rc-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.0-rc](https://img.shields.io/badge/AppVersion-0.15.0--rc-informational?style=flat-square) Keeps security report resources updated diff --git a/deploy/helm/templates/specs/cis-1.23.yaml b/deploy/helm/templates/specs/cis-1.23.yaml index 8c1b0680e..040a18316 100644 --- a/deploy/helm/templates/specs/cis-1.23.yaml +++ b/deploy/helm/templates/specs/cis-1.23.yaml 
@@ -6,7 +6,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.14.1
+ app.kubernetes.io/version: 0.15.0-rc
 app.kubernetes.io/managed-by: kubectl
 spec:
 cron: {{ .Values.compliance.cron | quote}}
diff --git a/deploy/helm/templates/specs/nsa-1.0.yaml b/deploy/helm/templates/specs/nsa-1.0.yaml
index 92b49d093..c5e28a04b 100644
--- a/deploy/helm/templates/specs/nsa-1.0.yaml
+++ b/deploy/helm/templates/specs/nsa-1.0.yaml
@@ -6,7 +6,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 spec:
 cron: {{ .Values.compliance.cron | quote }}
diff --git a/deploy/helm/templates/specs/pss-baseline.yaml b/deploy/helm/templates/specs/pss-baseline.yaml
index f4ca0cde8..ff7a110e6 100644
--- a/deploy/helm/templates/specs/pss-baseline.yaml
+++ b/deploy/helm/templates/specs/pss-baseline.yaml
@@ -6,7 +6,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.14.1
+ app.kubernetes.io/version: 0.15.0-rc
 app.kubernetes.io/managed-by: kubectl
 spec:
 cron: {{ .Values.compliance.cron | quote }}
diff --git a/deploy/helm/templates/specs/pss-restricted.yaml b/deploy/helm/templates/specs/pss-restricted.yaml
index d39a7505b..ec44936ac 100644
--- a/deploy/helm/templates/specs/pss-restricted.yaml
+++ b/deploy/helm/templates/specs/pss-restricted.yaml
@@ -6,7 +6,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: 0.14.1
+ app.kubernetes.io/version: 0.15.0-rc
 app.kubernetes.io/managed-by: kubectl
 spec:
 cron: {{ .Values.compliance.cron | quote }}
diff --git a/deploy/static/namespace.yaml b/deploy/static/namespace.yaml
index 1f5aab023..9f259314a 100644
--- a/deploy/static/namespace.yaml
+++ b/deploy/static/namespace.yaml
@@ -6,5 +6,5 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
index 8df496ff6..578b04a2b 100644
--- a/deploy/static/trivy-operator.yaml
+++ b/deploy/static/trivy-operator.yaml
@@ -2094,7 +2094,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 ---
 # Source: trivy-operator/templates/config.yaml
@@ -2106,7 +2106,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 ---
 # Source: trivy-operator/templates/config.yaml
@@ -2118,7 +2118,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 data:
 ---
@@ -2131,7 +2131,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 data:
 nodeCollector.volumes: "[{\"hostPath\":{\"path\":\"/var/lib/etcd\"},\"name\":\"var-lib-etcd\"},{\"hostPath\":{\"path\":\"/var/lib/kubelet\"},\"name\":\"var-lib-kubelet\"},{\"hostPath\":{\"path\":\"/var/lib/kube-scheduler\"},\"name\":\"var-lib-kube-scheduler\"},{\"hostPath\":{\"path\":\"/var/lib/kube-controller-manager\"},\"name\":\"var-lib-kube-controller-manager\"},{\"hostPath\":{\"path\":\"/etc/systemd\"},\"name\":\"etc-systemd\"},{\"hostPath\":{\"path\":\"/lib/systemd\"},\"name\":\"lib-systemd\"},{\"hostPath\":{\"path\":\"/etc/kubernetes\"},\"name\":\"etc-kubernetes\"},{\"hostPath\":{\"path\":\"/etc/cni/net.d/\"},\"name\":\"etc-cni-netd\"}]"
@@ -2153,7 +2153,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 data:
 trivy.repository: "ghcr.io/aquasecurity/trivy"
@@ -2183,7 +2183,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 spec:
 replicas: 1
@@ -2203,7 +2203,7 @@ spec:
 automountServiceAccountToken: true
 containers:
 - name: "trivy-operator"
- image: "ghcr.io/aquasecurity/trivy-operator:0.14.1"
+ image: "ghcr.io/aquasecurity/trivy-operator:0.15.0-rc"
 imagePullPolicy: IfNotPresent
 env:
 - name: OPERATOR_NAMESPACE
@@ -2327,7 +2327,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 rules:
 - apiGroups:
@@ -2354,7 +2354,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -2374,7 +2374,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 data:
 # example
@@ -2424,7 +2424,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 ---
 # Source: trivy-operator/templates/rbac.yaml
@@ -2775,7 +2775,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -2800,7 +2800,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -2825,7 +2825,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 rbac.authorization.k8s.io/aggregate-to-view: "true"
 rbac.authorization.k8s.io/aggregate-to-edit: "true"
@@ -2849,7 +2849,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -2869,7 +2869,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 rules:
 - apiGroups:
@@ -2899,7 +2899,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -2919,7 +2919,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.14.1"
+ app.kubernetes.io/version: "0.15.0-rc"
 app.kubernetes.io/managed-by: kubectl
 spec:
 clusterIP: None
diff --git a/docs/docs/crds/clustercompliance-report.md b/docs/docs/crds/clustercompliance-report.md
index 1dcfe48aa..54de95a8f 100644
--- a/docs/docs/crds/clustercompliance-report.md
+++ b/docs/docs/crds/clustercompliance-report.md
@@ -1346,7 +1346,7 @@ status:
 "app.kubernetes.io/instance": "trivy-operator",
 "app.kubernetes.io/managed-by": "kubectl",
 "app.kubernetes.io/name": "trivy-operator",
- "app.kubernetes.io/version": "0.14.1"
+ "app.kubernetes.io/version": "0.15.0-rc"
 },
 "name": "cis",
 "resourceVersion": "8985",
diff --git a/docs/docs/crds/configaudit-report.md b/docs/docs/crds/configaudit-report.md
index 7dda33f6a..8442091c2 100644
--- a/docs/docs/crds/configaudit-report.md
+++ b/docs/docs/crds/configaudit-report.md
@@ -36,7 +36,7 @@ report:
 scanner:
 name: Trivy
 vendor: Aqua Security
- version: '0.14.1'
+ version: '0.15.0-rc'
 summary:
 criticalCount: 2
 highCount: 0
diff --git a/docs/docs/crds/exposedsecret-report.md b/docs/docs/crds/exposedsecret-report.md index 9aa36c734..2abb87c3e 100644 --- a/docs/docs/crds/exposedsecret-report.md +++ b/docs/docs/crds/exposedsecret-report.md @@ -34,7 +34,7 @@ metadata: report: artifact: repository: myimagewithsecret - tag: v0.14.1 + tag: v0.15.0-rc registry: server: index.docker.io scanner: diff --git a/docs/docs/crds/rbacassessment-report.md b/docs/docs/crds/rbacassessment-report.md index 66eed834f..e525b4e0a 100644 --- a/docs/docs/crds/rbacassessment-report.md +++ b/docs/docs/crds/rbacassessment-report.md @@ -177,7 +177,7 @@ report: scanner: name: Trivy vendor: Aqua Security - version: '0.14.1' + version: '0.15.0-rc' summary: criticalCount: 1 highCount: 0 diff --git a/docs/docs/design/caching_scan_results_by_repo_digest.md b/docs/docs/design/caching_scan_results_by_repo_digest.md index bec866f1d..5f8baa045 100644 --- a/docs/docs/design/caching_scan_results_by_repo_digest.md +++ b/docs/docs/design/caching_scan_results_by_repo_digest.md @@ -129,5 +129,5 @@ We can't use something like ownerReference since it would delete all vulnerabili a gate. * Both Trivy-Operator CLI and Trivy-Operator Operator can read and leverage ClusterVulnerabilityReports. -[Standalone]: https://aquasecurity.github.io/trivy-operator/v0.14.1/integrations/vulnerability-scanners/trivy/#standalone -[ClientServer]: https://aquasecurity.github.io/trivy-operator/v0.14.1/integrations/vulnerability-scanners/trivy/#clientserver +[Standalone]: https://aquasecurity.github.io/trivy-operator/v0.15.0-rc/integrations/vulnerability-scanners/trivy/#standalone +[ClientServer]: https://aquasecurity.github.io/trivy-operator/v0.15.0-rc/integrations/vulnerability-scanners/trivy/#clientserver diff --git a/docs/docs/design/design_compliance_report.md b/docs/docs/design/design_compliance_report.md index e678c5eb9..47fbaef00 100644 --- a/docs/docs/design/design_compliance_report.md +++ b/docs/docs/design/design_compliance_report.md 
@@ -7,23 +7,24 @@ example : NSA - Kubernetes Hardening Guidance ## Solution -### TL;DR; +### TL;DR - A cluster compliance resource ,nsa-1.0.yaml (example below), with spec definition only will be deployed to kubernetes cluster upon startup - the spec definition will include the control check , cron expression for periodical generation, and it's mapping to scanners (kube-bench and audit-config) -- a new cluster compliance reconcile loop will be introduced to track this cluster compliance resource +- a new cluster compliance reconcile loop will be introduced to track this cluster compliance resource - when the cluster spec is reconcile it check if cron expression match current time , if so it generates a compliance report and update the status section with report data -- if cron expression do not match the event will be requeue until next generation time +- if cron expression do not match the event will be requeue until next generation time - Two new CRDs will be introduced : - - `ClusterComplianceReport` to provide summary of the compliance per control - - `ClusterComplianceDetailReport` to provide more detail compliance report for further investigation + - `ClusterComplianceReport` to provide summary of the compliance per control + - `ClusterComplianceDetailReport` to provide more detail compliance report for further investigation - It is assumed that all scanners (kube-bench / config-audit) are running by default all the time and producing raw data -### The Spec file : +### The Spec file + - The spec will include the mapping (based on Ids) between the compliance report and tools(kube-bench and config-audit) which generate the raw data - The spec file will be loaded from the file system -#### Example for spec : +#### Example for spec ```yaml --- 
@@ -178,7 +179,7 @@ spec: - id: KSV038 severity: 'MEDIUM' - name: Use CNI plugin that supports NetworkPolicy API - description: 'Control check whether check cni plugin installed ' + description: 'Control check whether check cni plugin installed ' id: '3.0' kinds: - Node @@ -311,15 +312,20 @@ spec: - id: "" severity: 'MEDIUM' .... - ``` -### The logic : -Upon trivy-operator start cluster compliance reconcile loop will track the deployed spec file ,nsa-1.0 spec and evaluation the cron expression in spec file, + ``` + +### The logic + +Upon trivy-operator start cluster compliance reconcile loop will track the deployed spec file ,nsa-1.0 spec and evaluation the cron expression in spec file, if the cron interval matches , trivy-operator will generate the compliance and compliance detail reports : - - `ClusterComplianceReport` status section will be updated with report data - - `ClusterComplianceDetailReport` will be generated by and saved to etcd + +- `ClusterComplianceReport` status section will be updated with report data +- `ClusterComplianceDetailReport` will be generated by and saved to etcd ### The mapping + Once it is determined that a report need to be generated: + - all reports (cis-benchmark and audit config) raw data will be fetched by `tool` and `resource` types - trivy-operator will iterate all fetched raw data and find a match by `ID` - once the data has been mapped and aggregated 2 type of reports will be generated to present summary @@ -327,9 +333,10 @@ Once it is determined that a report need to be generated: ### Note: once the report has been generated again to reconcile loop start again the process describe in logic -### The Reports: +### The Reports #### Example: Compliance spec and status section (report data) + ```json { "kind": "ClusterComplianceReport", @@ -400,6 +407,7 @@ Once it is determined that a report need to be generated: ``` #### Compliance details report + ```json { "kind": "ClusterComplianceDetailReport", 
@@ -522,7 +530,9 @@ Once it is determined that a report need to be generated: ``` ### The CRDs -#### ClusterComplianceReport CRD : + +#### ClusterComplianceReport CRD + - a new CRD `clustercompliancereports.crd.yaml` will be added to include compliance check report ```yaml @@ -532,7 +542,7 @@ metadata: name: clustercompliancereports.aquasecurity.github.io labels: app.kubernetes.io/managed-by: trivy-operator - app.kubernetes.io/version: "0.14.1" + app.kubernetes.io/version: "0.15.0-rc" spec: group: aquasecurity.github.io scope: Cluster @@ -657,7 +667,8 @@ spec: - compliance ``` -#### ClusterComplianceDetailReport CRD : +#### ClusterComplianceDetailReport CRD + - a new CRD `clustercompliancedetailreports.crd.yaml` will be added to include compliance detail check report ```yaml @@ -667,7 +678,7 @@ metadata: name: clustercompliancedetailreports.aquasecurity.github.io labels: app.kubernetes.io/managed-by: trivy-operator - app.kubernetes.io/version: "0.14.1" + app.kubernetes.io/version: "0.15.0-rc" spec: group: aquasecurity.github.io versions: @@ -704,7 +715,7 @@ spec: - compliancedetail ``` -### Permission changes: +### Permission changes it is required to update `02-trivy-operator.rbac.yaml` rules to include new permissions to support the following tracked resources kind by NSA plugin with (get,list and watch): @@ -729,6 +740,7 @@ to support the following tracked resources kind by NSA plugin with (get,list and - list - watch ``` + ### NSA Tool Analysis | Test | Description | Kind | Tool | Test | @@ -740,7 +752,7 @@ to support the following tracked resources kind by NSA plugin with (get,list and | hostIPC | Controls whether containers can share
host process namespaces | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/pss/baseline/1_host_ipc.rego | | hostPID | Controls whether containers can share host process namespaces. | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/pss/baseline/1_host_pid.rego | | hostNetwork | Controls whether containers can use the host network. | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/pss/baseline/1_host_network.rego | -| allowedHostPaths | Limits containers to specific paths of the host file system. | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | Need to be added to appshield :
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems | +| allowedHostPaths | Limits containers to specific paths of the host file system. | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | Need to be added to appshield :
| | runAsUser , runAsGroup
and supplementalGroups | Controls whether container applications can run
with root privileges or with root group membership | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/pss/restricted/4_runs_with_a_root_gid.rego | | allowPrivilegeEscalation | Restricts escalation to root privileges. | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/pss/restricted/2_can_elevate_its_own_privileges.rego | | seLinux | Sets the SELinux context of the container. | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/pss/baseline/7_selinux_custom_options_set.rego | @@ -750,13 +762,13 @@ to support the following tracked resources kind by NSA plugin with (get,list and | kube-system or kube-public | namespace kube-system should should not be used by users | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/advance/protect_core_components_namespace.rego | | Use CNI plugin that supports NetworkPolicy API | check cni plugin installed | Node | Kube-bench | 5.3.1 Ensure that the CNI in use supports Network Policies (need to be fixed) | | Create policies that select
Pods using podSelector and/or the namespaceSelector | Create policies that select Pods using podSelector
and/or the namespaceSelector | Pod,ReplicationController,ReplicaSet,
StatefulSet,DaemonSet,Job,CronJob | Conftest | appshield: kubernetes/policies/advance/selector_usage_in_network_policies.rego | -| use a default policy to deny all ingress and egress traffic | check that network policy deny all exist | NetworkPolicy | Kube-bench | Add logic to kube-bench
https://kubernetes.io/docs/concepts/services-networking/network-policies/ | -| Use LimitRange and ResourceQuota
policies to limit resources on a namespace or Pod level | check the resource quota resource has been define | ResourceQuota | Kube-bench | Add Logic to kube-bench
https://kubernetes.io/docs/concepts/policy/limit-range/ | +| use a default policy to deny all ingress and egress traffic | check that network policy deny all exist | NetworkPolicy | Kube-bench | Add logic to kube-bench
| +| Use LimitRange and ResourceQuota
policies to limit resources on a namespace or Pod level | check the resource quota resource has been define | ResourceQuota | Kube-bench | Add Logic to kube-bench
| | TLS encryption | control plan disable insecure port | Node | Kube-bench | 1.2.19 Ensure that the --insecure-port argument is set to 0 | | Etcd encryption | encrypt etcd communication | Node | Kube-bench | 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate | | Kubeconfig files | ensure file permission | Node | Kube-bench | 4.1.3, 4.1.4 | | Worker node segmentation | node segmentation | Node | Kube-bench | Note sure can be tested | -| Encryption | check that encryption resource has been set | EncryptionConfiguration | Kube-bench | Add Logic to kube-bench https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ | +| Encryption | check that encryption resource has been set | EncryptionConfiguration | Kube-bench | Add Logic to kube-bench | | Encryption / secrets | check encryption provider | Node | Kube-bench | 1.2.3 Ensure that the --encryption-provider-config argument is set as | | authentication | make sure anonymous-auth is unset | Node | Kube-bench | 1.2.1 Ensure that the --anonymous-auth argument is set to false |~~ | Role-based access control | make sure -authorization-mode=RBAC | Node | Kube-bench | 1.2.7/1.2.8 Ensure that the --authorization-mode argument is not set to AlwaysAllow | @@ -765,6 +777,6 @@ to support the following tracked resources kind by NSA plugin with (get,list and | Audit log max age | check audit log aging | Node | Kube-bench | 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate |~~ | service mesh usage | check service mesh is used in cluster | Node | Kube-bench | Add Logic to kube-bench check service mesh existence | - ## Open Items + - compliance support for CLI diff --git a/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md b/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md index 578725c43..397c6ea5a 100644 --- a/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md 
+++ b/docs/docs/design/design_vuln_scan_job_in_same_namespace_of_workload.md @@ -219,6 +219,6 @@ With this approach trivy operator will not have to worry about managing(create/d - As we will run scan job with service account of workload and if there are some very strict PSP defined in the cluster then scan job will be blocked due to the PSP. -[ECR registry configuration]: https://aquasecurity.github.io/trivy-operator/v0.14.1/integrations/managed-registries/#amazon-elastic-container-registry-ecr +[ECR registry configuration]: https://aquasecurity.github.io/trivy-operator/v0.15.0-rc/integrations/managed-registries/#amazon-elastic-container-registry-ecr [IAM role to service account]: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html [Trivy fs command]: https://github.com/aquasecurity/trivy-operator/blob/main/docs/design/design_trivy_file_system_scanner.md diff --git a/docs/docs/vulnerability-scanning/managed-registries.md b/docs/docs/vulnerability-scanning/managed-registries.md index ee7ff0a54..b9f522f76 100644 --- a/docs/docs/vulnerability-scanning/managed-registries.md +++ b/docs/docs/vulnerability-scanning/managed-registries.md @@ -40,7 +40,7 @@ metadata: labels: app.kubernetes.io/name: trivy-operator app.kubernetes.io/instance: trivy-operator - app.kubernetes.io/version: "0.14.1" + app.kubernetes.io/version: "0.15.0-rc" app.kubernetes.io/managed-by: kubectl azure.workload.identity/use: "true" annotations: diff --git a/docs/tutorials/grafana-dashboard.md b/docs/tutorials/grafana-dashboard.md index 66e57bae3..3e665f025 100644 --- a/docs/tutorials/grafana-dashboard.md +++ b/docs/tutorials/grafana-dashboard.md @@ -92,7 +92,7 @@ Next, we can install the operator with the following command: helm install trivy-operator aqua/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.14.1 \ + --version 0.15.0-rc \ --values trivy-values.yaml ``` 
diff --git a/docs/tutorials/private-registries.md b/docs/tutorials/private-registries.md index 4b1d2040a..84b4c47fa 100644 --- a/docs/tutorials/private-registries.md +++ b/docs/tutorials/private-registries.md @@ -47,7 +47,7 @@ Lastly, we can deploy the operator inside our cluster with referencing our new ` helm upgrade --install trivy-operator aqua/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.14.1 + --version 0.15.0-rc --values ./values.yaml ``` @@ -57,7 +57,7 @@ Alternatively, it is possible to set the values directly through Helm instead of helm upgrade --install trivy-operator aqua/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.14.1 + --version 0.15.0-rc --set="trivy.command=fs" --set="trivyOperator.scanJobPodTemplateContainerSecurityContext.runAsUser=0" ``` @@ -230,7 +230,7 @@ Lastly, we can deploy the operator inside our cluster with referencing our new ` helm upgrade --install trivy-operator aqua/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.14.1 + --version 0.15.0-rc --values ./values.yaml ``` @@ -240,7 +240,7 @@ Alternatively, it is possible to set the values directly through Helm instead of helm upgrade --install trivy-operator aqua/trivy-operator \ --namespace trivy-system \ --create-namespace \ - --version 0.14.1 + --version 0.15.0-rc --set-json='operator.privateRegistryScanSecretsNames={"app":"dockerconfigjson-github-com"}' ``` 
@@ -262,4 +262,4 @@ trivy-operator 1/1 1 1 99s The last way that you could give the Trivy operator access to your private container registry is through managed registries. In this case, the container registry and your Kubernetes cluster would have to be on the same cloud provider; then you can define access to your container namespace as part of the IAM account. Once defined, trivy will already have the permissions for the registry. -For additional information, please refer to the [documentation on managed registries.](https://aquasecurity.github.io/trivy-operator/v0.14.1/docs/vulnerability-scanning/managed-registries/) +For additional information, please refer to the [documentation on managed registries.](https://aquasecurity.github.io/trivy-operator/v0.15.0-rc/docs/vulnerability-scanning/managed-registries/) diff --git a/mkdocs.yml b/mkdocs.yml index eb57916c7..dc652a6a3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -86,8 +86,8 @@ extra: method: mike provider: mike var: - prev_git_tag: "v0.14.0" - chart_version: "0.14.1" + prev_git_tag: "v0.14.1" + chart_version: "0.15.0-rc" plugins: - search