-
AFAIK With Although having said that, if you're looking to scan custom resources with the
-
@tschran sorry about the delayed response. As @itaysk mentioned, scanning is possible without a schema. For instance, take a blue-green deployment strategy for a Rollout:

```yaml
# This example demonstrates a Rollout using the blue-green update strategy, which contains a manual
# gate before promoting the new stack.
apiVersion: argoproj.io/v1alpha1
kind: Rollout
metadata:
  name: rollout-bluegreen
spec:
  replicas: 2
  revisionHistoryLimit: 2
  selector:
    matchLabels:
      app: rollout-bluegreen
  template:
    metadata:
      labels:
        app: rollout-bluegreen
    spec:
      containers:
        - name: rollouts-demo
          image: argoproj/rollouts-demo:blue
          imagePullPolicy: Always
          ports:
            - containerPort: 8080
  strategy:
    blueGreen:
      # activeService specifies the service to update with the new template hash at time of promotion.
      # This field is mandatory for the blueGreen update strategy.
      activeService: rollout-bluegreen-active
      # previewService specifies the service to update with the new template hash before promotion.
      # This allows the preview stack to be reachable without serving production traffic.
      # This field is optional.
      previewService: rollout-bluegreen-preview
      # autoPromotionEnabled disables automated promotion of the new stack by pausing the rollout
      # immediately before the promotion. If omitted, the default behavior is to promote the new
      # stack as soon as the ReplicaSet is completely ready/available.
      # Rollouts can be resumed using: `kubectl argo rollouts promote ROLLOUT`
      autoPromotionEnabled: false
```

Now you can write a Rego check as such:

```rego
# METADATA
# title: BlueGreen deployments must have Auto Promotion Enabled
# description: Ensure that BlueGreen deployments have autoPromotionEnabled set to true
# schemas:
#   - input: schema["input"]
# custom:
#   id: ARGO001
#   severity: LOW
package user.argo001

deny[res] {
	not input.spec.strategy.blueGreen.autoPromotionEnabled
	res := result.new(
		sprintf("Auto promotion must be enabled, currently set to: %s", [input.spec.strategy.blueGreen.autoPromotionEnabled]),
		input.spec.strategy.blueGreen.autoPromotionEnabled
	)
}
```

And finally running this custom check:

```
trivy config --misconfig-scanners=yaml --config-check ./rollout-check.rego --check-namespaces user .
2024-12-06T22:40:20-07:00 INFO [misconfig] Misconfiguration scanning is enabled
2024-12-06T22:40:21-07:00 INFO Detected config files num=1

rollout.yaml (yaml)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

(LOW): Auto promotion must be enabled, currently set to: false
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure that BlueGreen deployments have autoPromotionEnabled set to true
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

Just as a reminder, scanning arbitrary YAML or JSON files was added as part of Trivy v0.55, so please make sure you have at least that version. You can read more on this here: https://trivy.dev/latest/docs/scanner/misconfiguration/#scan-arbitrary-json-and-yaml-configurations. Do let us know if you have any other follow-up questions.
-
Question
Is there a way to configure the Kubernetes scanner to understand custom resources? We're trying to scan some clusters that are running Argo Rollouts and Argo Workflows. Both of those services use Custom Resources that define resources to create. Rollouts is basically a replacement for Deployments, so it will create and manage ReplicaSets, and Argo Workflows creates a bunch of pods. Right now, I'm getting separate reports for hundreds of Argo Workflow related pods, even though they're all coming from the same source. This, in turn, is causing the scan run to get OOMKilled frequently, because the run is producing a report that's over a gigabyte.
For the built-in resources, it looks like you're rolling up and deduping the scan findings. For instance, there may be a hundred pods on a cluster, but they all come from the same Deployment, so Trivy just reports one set of findings against that Deployment. I'd like to do the same thing for these custom resources.
Target
Kubernetes
Scanner
Vulnerability
Output Format
JSON
Mode
Standalone
Operating System
Ubuntu 22.04
Version
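The rollup the question describes for built-in resources (one set of findings per Deployment rather than one per Pod) can be reproduced client-side for custom resources by walking each Pod's ownerReferences up to its top-level owner and deduplicating per owner. This is an added example, not Trivy's own code or its report schema: the resource inventory, image names and vulnerability IDs below are constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory (not a real cluster): (kind, name) -> list of owner (kind, name),
# mirroring metadata.ownerReferences as kubectl would return it.
RESOURCES = {
    ("Workflow", "nightly-etl"): [],
    ("Pod", "nightly-etl-extract-1"): [("Workflow", "nightly-etl")],
    ("Pod", "nightly-etl-extract-2"): [("Workflow", "nightly-etl")],
    ("Rollout", "rollout-bluegreen"): [],
    ("ReplicaSet", "rollout-bluegreen-7d9f"): [("Rollout", "rollout-bluegreen")],
    ("Pod", "rollout-bluegreen-7d9f-abc"): [("ReplicaSet", "rollout-bluegreen-7d9f")],
    ("Pod", "rollout-bluegreen-7d9f-def"): [("ReplicaSet", "rollout-bluegreen-7d9f")],
}

# Constructed findings: (kind, name, image, vulnerability id, severity).
# The CVE ids are placeholders, not real advisories.
FINDINGS = [
    ("Pod", "nightly-etl-extract-1", "argoproj/argoexec:v3.5", "CVE-0000-PLACEHOLDER-1", "HIGH"),
    ("Pod", "nightly-etl-extract-2", "argoproj/argoexec:v3.5", "CVE-0000-PLACEHOLDER-1", "HIGH"),
    ("Pod", "nightly-etl-extract-2", "argoproj/argoexec:v3.5", "CVE-0000-PLACEHOLDER-2", "LOW"),
    ("Pod", "rollout-bluegreen-7d9f-abc", "argoproj/rollouts-demo:blue", "CVE-0000-PLACEHOLDER-3", "MEDIUM"),
    ("Pod", "rollout-bluegreen-7d9f-def", "argoproj/rollouts-demo:blue", "CVE-0000-PLACEHOLDER-3", "MEDIUM"),
]


def top_owner(ref, resources):
    """Follow the controller owner chain until a resource with no owner.

    Stops on unknown resources and on cycles so a malformed inventory cannot loop forever.
    """
    seen = set()
    while ref in resources and resources[ref] and ref not in seen:
        seen.add(ref)
        ref = resources[ref][0]
    return ref


def rollup(findings, resources):
    """Group findings by top-level owner, keeping one entry per (image, vuln) pair."""
    grouped = defaultdict(dict)
    for kind, name, image, vuln, severity in findings:
        owner = top_owner((kind, name), resources)
        grouped[owner][(image, vuln)] = severity  # dict key dedupes repeats across pods
    return {owner: sorted((img, v, s) for (img, v), s in entries.items())
            for owner, entries in grouped.items()}


if __name__ == "__main__":
    for owner, entries in rollup(FINDINGS, RESOURCES).items():
        print(f"{owner[0]}/{owner[1]}: {len(entries)} unique finding(s)")
```

On a real cluster the inventory would come from the Pods' metadata.ownerReferences and the findings from a JSON report, but the grouping logic is the same.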