Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add Persistent Volume resources #2451

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat: add Persistent Volume resources #2451

wants to merge 1 commit into from

Conversation

afdesk
Copy link
Contributor

@afdesk afdesk commented Feb 21, 2025

Description

This PR is a small PoC for adding new resources with minimum changes.

$ kubectl get clusterconfigauditreports.aquasecurity.github.io -A -o wide
NAME                       SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW
persistentvolume-demo-pv   Trivy     41m   0          0      0        1

$ kubectl describe clusterconfigauditreports.aquasecurity.github.io persistentvolume-demo-pv
Name:         persistentvolume-demo-pv
Namespace:
Labels:       plugin-config-hash=6ddf87c668
              resource-spec-hash=579589976
              trivy-operator.resource.kind=PersistentVolume
              trivy-operator.resource.name=demo-pv
              trivy-operator.resource.namespace=
Annotations:  <none>
API Version:  aquasecurity.github.io/v1alpha1
Kind:         ClusterConfigAuditReport
Metadata:
  Creation Timestamp:  2025-02-21T10:20:56Z
  Generation:          1
  Owner References:
    API Version:           v1
    Block Owner Deletion:  false
    Controller:            true
    Kind:                  PersistentVolume
    Name:                  demo-pv
    UID:                   3edb48c5-109b-4896-8d98-4c1487769869
  Resource Version:        4485
  UID:                     630647c7-4395-44d3-8db3-a60baba58d90
Report:
  Checks:
    Category:     Kubernetes Security Check
    Check ID:     PVC_CHECK
    Description:  A common set of labels allows tools to work interoperably, describing objects in a common manner that all tools can understand.
    Messages:
      the check should always fail
    Remediation:  Take full advantage of using recommended labels and apply them on every resource object.
    Severity:     LOW
    Success:      false
    Title:        PVC labels
  Scanner:
    Name:     Trivy
    Vendor:   Aqua Security
    Version:  dev
  Summary:
    Critical Count:  0
    High Count:      0
    Low Count:       1
    Medium Count:    0
  Update Timestamp:  2025-02-21T10:20:56Z
custom REGO check 
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-operator-policies-config
  namespace: trivy-operator
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/version: "0.23.0"
    app.kubernetes.io/managed-by: kubectl
data:
  policy.recommended_labels.kinds: "PersistentVolume"
  policy.recommended_labels.rego: |
   package builtin.policy.k8s.custom

   __rego_metadata__ := {
      "id": "PVC_CHECK",
      "title": "PVC labels",
      "severity": "LOW",
      "type": "Kubernetes Security Check",
      "description": "A common set of labels allows tools to work interoperably, describing objects in a common manner that all tools can understand.",
      "recommended_actions": "Take full advantage of using recommended labels and apply them on every resource object.",
      "url": "https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/",
   }

   alwaysTrue {
      1 == 1
   }

   deny[res] {
        alwaysTrue
        res := {
           "msg": "the check should always fail",
        }
   }
pv.yaml 
apiVersion: v1
kind: PersistentVolume
metadata:
  name: demo-pv
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 1Gi
  storageClassName: standard
  hostPath:
    path: /tmp/demo-pv

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@simar7
Copy link
Member

simar7 commented Feb 21, 2025

I think @itaysk's original question was would setting the supportedConfigAuditKinds type be enough for a new resource to be picked up, rather than us adding an additional resource within the operator code to be scanned.

I would assume that would work based on the logic I see in the operator but could you verify that behavior?

As for adding new resources to scan within the operator codebase by default, we have to be mindful of what the defaults are. That's why I feel leaving the door open for the user to specify what they want to scan is better rather than us scanning it by default. This is crucial as if we scan too many resources by default, it could lead to a slow (negative) user experience for those that are just getting started with trivy-operator and are unaware of all the knobs they can tune.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@afdesk @simar7