I’ve been using Trivy for a while as a security quality gate for container security.
More recently I've been looking at their Kubernetes cluster scanning offering, the Trivy Operator.
From the docs:
The Trivy Operator leverages Trivy to continuously scan your Kubernetes cluster for security issues. The scans are summarised in security reports as Kubernetes Custom Resource Definitions, which become accessible through the Kubernetes API.
To summarise: the operator runs inside your cluster and performs vulnerability, misconfiguration and compliance scans of its workloads, both when resource definitions change and on a schedule.
For example, when a new pod is launched on the cluster, the operator scans the container images that pod references and writes the findings as a report (a VulnerabilityReport custom resource) that you can read back with kubectl.
How to install using Helm
The installation process for deploying using the helm cli is documented on the Trivy website here.
However, as I’ve covered in other articles (Using Helm Dependencies for third party charts) I like to install third party Helm charts using dependencies to keep the install “GitOps” so I’ll be doing that for the Trivy Operator.
To start off with, in a new repository, create a new file named Chart.yaml that declares the upstream chart as a dependency. The wrapper chart's own name and version here are assumed, the repository is Aqua's public Helm repository, and the dependency version is a placeholder for the exact chart version you want to pin:

```yaml
apiVersion: v2
name: trivy-operator
description: A helm chart to deploy Trivy operator into Kubernetes
type: application
version: 0.1.0
dependencies:
  - name: trivy-operator
    version: "<chart version>"   # exact upstream chart version to pin
    repository: https://aquasecurity.github.io/helm-charts/
```
We'll now run helm dependency update to download the third-party chart. Besides populating charts/, it writes a Chart.lock that records the resolved version and digest; commit that lock file so later builds fetch exactly the chart that was reviewed. Next, look at the installation command from the Trivy docs, which in its documented form also passes --create-namespace and a --version pin (placeholder below):

```sh
helm install trivy-operator aqua/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --version <chart version>
```
Looking at the above, the version is already pinned in our Chart.yaml, so the --version flag can be dropped from the install command.
And because the upstream chart is now a dependency of our local chart, the chart reference aqua/trivy-operator is replaced with . to install from the local directory. helm repo add is not needed either, since the repository URL lives in Chart.yaml.
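The whole procedure as one script, added here as an example and not code from the original post or from the Trivy project: it writes a wrapper chart into a directory, runs a pre-flight check that every dependency is pinned to an exact version and fetched over https:// or oci:// (so helm dependency update cannot silently pull a newer, unreviewed chart), and only then calls the helm commands from the local directory. The helper names write_chart, check_pinned and install_wrapper, the sample Chart.yaml and its 0.10.0 version pin are assumptions of mine; helm and a kubeconfig context are needed only by install_wrapper, which runs only when the script is invoked with the argument install.

```sh
#!/bin/sh
# Added example: wrapper chart for the Trivy Operator with a supply-chain pre-flight
# check. Helper names, the sample Chart.yaml and its version pin are assumptions,
# not files from the original post.
set -eu

# Write a constructed sample Chart.yaml into directory $1 (version pin is illustrative).
write_chart() {
  cat > "$1/Chart.yaml" <<'EOF'
apiVersion: v2
name: trivy-operator
description: A helm chart to deploy Trivy operator into Kubernetes
type: application
version: 0.1.0
dependencies:
  - name: trivy-operator
    version: "0.10.0"
    repository: https://aquasecurity.github.io/helm-charts/
EOF
}

# Pre-flight: every entry under dependencies: must pin an exact x.y.z version
# (no ~, ^, >, <, * or x ranges, which would let `helm dependency update` resolve
# to a newer chart than the one reviewed) and must come from an https:// or oci://
# repository. Returns 0 when the file passes, 1 otherwise, printing each problem.
check_pinned() {
  awk '
    BEGIN { bad = 0 }
    /^dependencies:/ { indeps = 1; next }
    indeps && /^[^ ]/ { indeps = 0 }          # left the dependencies block
    indeps && /^[ -]*name:/ { name = $NF }
    indeps && /^[ ]*version:/ {
      v = $NF; gsub(/"/, "", v)
      if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$/) {
        printf "dependency %s: version \"%s\" is not an exact pin\n", name, v; bad = 1
      }
    }
    indeps && /^[ ]*repository:/ {
      if ($NF !~ /^(https|oci):\/\//) {
        printf "dependency %s: repository %s is not https:// or oci://\n", name, $NF; bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# Resolve the dependency and install from the local directory (.), so neither
# `helm repo add` nor `--version` is needed: both live in Chart.yaml. Needs helm
# and a kubeconfig context; run from the directory holding Chart.yaml.
install_wrapper() {
  command -v helm >/dev/null 2>&1 || { echo "helm not found on PATH" >&2; return 1; }
  check_pinned Chart.yaml || return 1
  if [ -f Chart.lock ]; then
    helm dependency build .    # CI path: rebuild from the committed Chart.lock; fails if Chart.yaml drifted
  else
    helm dependency update .   # first run: resolves the pin and writes Chart.lock, which you commit
  fi
  helm install trivy-operator . \
    --namespace trivy-system \
    --create-namespace
}

# Only the install path touches a cluster: `sh this.sh install` runs it.
if [ "${1:-}" = "install" ]; then
  install_wrapper
fi
```

Once the release is up, kubectl get vulnerabilityreports -A lists the reports the operator generates for each workload image. The split between helm dependency update (first run, produces Chart.lock) and helm dependency build (every later run, consumes Chart.lock and errors if Chart.yaml no longer matches it) is what keeps the GitOps install reproducible.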