From dc97a44653264dfe8bf1b379f9aa7a42eee65e34 Mon Sep 17 00:00:00 2001
From: Denis Patrakeev
Date: Tue, 25 Feb 2025 11:36:54 +0300
Subject: [PATCH] [DO-1600] Deploy trivy-operator to new k8s (!39)
[DO-1600]
Co-authored-by: denis.patrakeev
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/39
---
 .../argocd-apps-trivy-operator-app.yaml | 63 ++++++++++++++
 ...cd-apps-trivy-operator-network-policy.yaml | 42 +++++++++
 .../trivy-operator/values-ovveride.yaml | 85 +++++++++++++++++++
 .../argocd-apps-trivy-network-policy.yaml | 3 +
 4 files changed, 193 insertions(+)
 create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-app.yaml
 create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-network-policy.yaml
 create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/values-ovveride.yaml
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-app.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-app.yaml
new file mode 100644
index 0000000..e16e605
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-app.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: trivy-operator
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: trivy-operator
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: avroid-prod
+ sources:
+ - repoURL: https://git.avroid.tech/K8s/k8s-configs.git
+ targetRevision: master
+ ref: values
+ - repoURL: https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
+ chart: "aquasecurity/trivy-operator"
+ targetRevision: 0.26.1
+ helm:
+ valueFiles:
+ - $values/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/values-ovveride.yaml
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - ApplyOutOfSyncOnly=true
+ - CreateNamespace=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: trivy-operator
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ sourceRepos:
+ - https://git.avroid.tech/K8s/k8s-configs.git
+ - https://nexus.avroid.tech/repository/devops-helm-proxy-helm/
+ # Only permit applications to deploy to the guestbook namespace in the same cluster
+ destinations:
+ - namespace: avroid-prod
+ server: https://kubernetes.default.svc
+ # Deny all cluster-scoped resources from being created, except for Namespace
+ clusterResourceWhitelist:
+ - group: ''
+ kind: Namespace
+ - group: '*'
+ kind: Role
+ - group: '*'
+ kind: RoleBinding
+ - group: '*'
+ kind: ClusterRole
+ - group: '*'
+ kind: ClusterRoleBinding
+ - group: '*'
+ kind: ClusterComplianceReport
+ - group: '*'
+ kind: CustomResourceDefinition
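Review bot: The AppProject's clusterResourceWhitelist allows ClusterRole and ClusterRoleBinding in every API group (`group: '*'`), so anyone who can push to `master` of the values repo or tamper with the chart served by the Nexus proxy can have Argo CD (with `prune: true` / `selfHeal: true`) create arbitrary cluster-wide bindings in production, and the comment above the list, `# Deny all cluster-scoped resources from being created, except for Namespace`, no longer describes what it does. Trivy-operator genuinely needs cluster RBAC, its CRDs and ClusterComplianceReport, so keep those kinds but pin the groups as below; Role and RoleBinding are namespaced and, as far as I can tell, are governed by namespaceResourceWhitelist/Blacklist rather than this list, so they can be dropped here. The `# Only permit applications to deploy to the guestbook namespace` comment is a leftover from the upstream Argo CD example and should say avroid-prod. Separately, the values source tracks the unpinned `targetRevision: master` while the chart is pinned to 0.26.1 — acceptable for GitOps, but worth a comment stating that every merge to master is applied to prod automatically.
```yaml
# … unchanged: Application, AppProject metadata, sourceRepos, destinations …
  # Cluster-scoped kinds the trivy-operator chart needs. Groups are pinned so
  # the project cannot create cluster RBAC or CRDs in arbitrary API groups.
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
    - group: rbac.authorization.k8s.io
      kind: ClusterRole
    - group: rbac.authorization.k8s.io
      kind: ClusterRoleBinding
    - group: apiextensions.k8s.io
      kind: CustomResourceDefinition
    - group: aquasecurity.github.io
      kind: ClusterComplianceReport
```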
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-network-policy.yaml
new file mode 100644
index 0000000..8608948
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/argocd-apps-trivy-operator-network-policy.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: trivy-operator-in
+ namespace: avroid-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: trivy-operator
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress-nginx
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: trivy-operator-out
+ namespace: avroid-prod
+ labels:
+ app.kubernetes.io/managed-by: argocd
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ ingress: []
+ egress:
+ - ports:
+ - port: 443
+ protocol: TCP
+ - port: 80
+ protocol: TCP
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: trivy
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/values-ovveride.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/values-ovveride.yaml
new file mode 100644
index 0000000..8616ccd
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy-operator/values-ovveride.yaml
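Review bot: `trivy-operator-out` uses `podSelector: {}` with policyTypes Egress, so it egress-isolates every pod in avroid-prod, not the operator: unless some other policy in the namespace widens it, every workload there is now limited to TCP 80/443 to anywhere plus the trivy pods, and since there is no DNS allowance (UDP/TCP 53 to kube-dns) pods covered only by this policy cannot even resolve `trivy`, `harbor.avroid.tech` or the Nexus proxy. The 80/443 rule also has no `to:` block, so it is open to any address including the API server and the internet, which is broader than a scan job needs. If namespace-wide isolation is intended, rename and document the policy as such; if the goal was to fence the operator's scan jobs, narrow the selector and add DNS as below (the scan-job label is my assumption from trivy-operator's defaults — check it against a running job, and the operator pod itself would need a sibling policy for API-server and DNS egress). The `ingress: []` entry is inert because Ingress is not in policyTypes and can be dropped. The metrics port is scraped by Prometheus per the values file in this commit, yet `trivy-operator-in` only admits ingress-nginx, so the ServiceMonitor will likely fail unless Prometheus runs in that namespace.
```yaml
# … unchanged: trivy-operator-in policy, trivy-operator-out metadata …
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/managed-by: trivy-operator  # TODO confirm scan-job labels
  policyTypes:
    - Egress
  egress:
    # DNS, otherwise serverURL and registry hostnames cannot be resolved
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # image layers from harbor.avroid.tech; keep 80 only if a plain-HTTP endpoint is really used
    - ports:
        - port: 443
          protocol: TCP
        - port: 80
          protocol: TCP
    # Trivy server in the same namespace, on its listening port only
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: trivy
      ports:
        - port: 4954
          protocol: TCP
```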
@@ -0,0 +1,85 @@
+# Default values for the trivy-operator Helm chart, these are used to render
+# the templates into valid k8s Resources.
+
+# -- global values provide a centralized configuration for 'image.registry', reducing the potential for errors.
+# If left blank, the chart will default to the individually set 'image.registry' values
+global:
+ image:
+ registry: "harbor.avroid.tech/docker-hub-proxy"
+
+# -- managedBy is similar to .Release.Service but allows to overwrite the value
+managedBy: argocd
+
+operator:
+ # -- replicas the number of replicas of the operator's pod
+ replicas: 2
+
+image:
+ registry: "harbor.avroid.tech/docker-hub-proxy"
+ repository: "aquasec/trivy-operator"
+
+# -- Prometheus ServiceMonitor configuration -- to install the trivy operator with the ServiceMonitor
+# you must have Prometheus already installed and running. If you do not have Prometheus installed, enabling this will
+# have no effect.
+serviceMonitor:
+ # -- enabled determines whether a serviceMonitor should be deployed
+ enabled: true
+
+trivyOperator:
+ # -- scanJobNodeSelector nodeSelector to be applied to the scanner pods so that they can run on nodes with matching labels
+ scanJobNodeSelector:
+ node-role.kubernetes.io/worker: ""
+
+trivy:
+ image:
+ # -- registry of the Trivy image
+ registry: harbor.avroid.tech/docker-hub-proxy
+
+ # -- mode is the Trivy client mode. Either Standalone or ClientServer. Depending
+ # on the active mode other settings might be applicable or required.
+ mode: ClientServer
+
+ # -- resources resource requests and limits for scan job containers
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100M
+ # ephemeralStorage: "2Gi"
+ limits:
+ cpu: 1
+ memory: 3Gi
+ # ephemeralStorage: "2Gi"
+
+ # -- serverURL is the endpoint URL of the Trivy server. Required in ClientServer mode.
+ #
+ serverURL: "http://trivy:4954"
+
+ # -- serverInsecure is the flag to enable insecure connection to the Trivy server.
+ serverInsecure: true
+
+compliance:
+ cron: 0 */5 * * *
+
+resources: {}
+# -- We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+# cpu: 100m
+# memory: 128Mi
+# requests:
+# cpu: 100m
+# memory: 128Mi
+
+# -- nodeSelector set the operator nodeSelector
+nodeSelector:
+ node-role.kubernetes.io/worker: ""
+
+policiesBundle:
+ # -- registry of the policies bundle
+ registry: harbor.avroid.tech/docker-hub-proxy
+
+nodeCollector:
+ # -- useNodeSelector determine if to use nodeSelector (by auto detecting node name) with node-collector scan job
+ useNodeSelector: false
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy/argocd-apps-trivy-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy/argocd-apps-trivy-network-policy.yaml
index 7b1dbd2..f07696d 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy/argocd-apps-trivy-network-policy.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-prod/security/trivy/argocd-apps-trivy-network-policy.yaml
@@ -17,6 +17,9 @@ spec:
 - namespaceSelector:
 matchLabels:
 kubernetes.io/metadata.name: ingress-nginx
+ - ports:
+ - port: 4954
+ protocol: TCP
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
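Review bot: `serverInsecure: true` next to `serverURL: "http://trivy:4954"` means scan jobs send image metadata and receive findings from the Trivy server in plaintext, and the flag additionally disables certificate verification the day someone switches the URL to https — it reads as a TLS error that was silenced rather than fixed. Serve the endpoint over TLS and set `serverURL: "https://trivy:4954"` with `serverInsecure: false`, or, if cluster-internal plaintext is a deliberate choice, drop the flag (it has no effect on an http URL) and say so in the comment above it. Nothing in this values file sets a client token for the server, so any pod that can reach port 4954 can submit scans; the chart exposes `trivy.serverToken` / `trivy.serverTokenHeader` for this — confirm the key names against chart 0.26.1 and source the token from an existing Secret instead of this file. Minor: `memory: 100M` is decimal megabytes while the limit is `3Gi`; `100Mi` is probably what was intended.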
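Review bot: The added ingress rule carries a `ports:` list but no `from:`, so it admits TCP 4954 from every source — any pod in any namespace, and anything that can route to the pod IP — rather than only the trivy-operator scan jobs that need the Trivy server; since nothing in this commit configures a server token, that makes the scanner callable by any workload in the cluster. Restrict the rule to the client pods as below, where the scan-job label is assumed from trivy-operator's defaults and should be confirmed on a running job (a namespaceSelector for avroid-prod is implicit because a bare podSelector only matches the policy's own namespace). The policy's podSelector and the earlier ingress-nginx rule begin before this hunk.
```yaml
# … unchanged: policy header, podSelector, ingress-nginx rule …
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/managed-by: trivy-operator  # TODO confirm scan-job labels
      ports:
        - port: 4954
          protocol: TCP
```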