gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat(k8s): improve artifact selections for specific namespaces (#8248)

Browse Source 
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
This commit is contained in:
afdesk
2025-01-29 14:11:19 +06:00
committed by GitHub
parent da7bba970b
commit db9e57a34e
9 changed files with 234 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
docs/docs/target/kubernetes.md
View File

@@ -49,10 +49,41 @@ You can also specify a `kubeconfig` using the `--kubeconfig` flag:
trivy k8s --kubeconfig ~/.kube/config2
```
By default, all cluster resource images will be downloaded and scanned.
## Required roles
To successfully scan a Kubernetes cluster, `trivy kubernetes` subcommand must be executed under a role or a cluster role that has some specific permissions.
The role must have `list` verb for all resources (`"*"`) inside the following API groups: core (`""`), `"apps"`, `"batch"`,`"networking.k8s.io"`, `"rbac.authorization.k8s.io"`:
```yaml
- apiGroups: [""]
resources: ["*"]
verbs: ["list"]
- apiGroups: ["apps", "batch", "networking.k8s.io", "rbac.authorization.k8s.io"]
resources: ["*"]
verbs: ["list"]
```
If `node collector` is enabled (default: enabled), Trivy needs a cluster role with some additional permissions to run and track the jobs:
```yaml
- apiGroups: [""]
resources: ["nodes/proxy", "pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["events"]
verbs: ["watch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["list", "get"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create","delete", "watch"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["create"]
```
### Skip-images
By default, all cluster resource images will be downloaded and scanned.
You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.
- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.
@@ -91,6 +122,9 @@ You can control which namespaces will be discovered using the `--include-namespa
By default, all namespaces will be included in cluster scanning.
!!! note "using `--exclude-namespaces`"
Trivy requires a complete list of namespaces to exclude specific ones. Therefore, `--exclude-namespaces` option is only available for cluster roles now.
Example:
```sh