Trivy
Trivy is an open-source vulnerability scanner for containers that can detect vulnerabilities in OS packages and application dependencies. The Trivy Operator is a Kubernetes operator that automates the process of scanning container images for vulnerabilities using Trivy.
This integration utilizes the logzio-trivy Helm Chart to deploy:
- Trivy-Operator Helm Chart that scans the cluster and creates Trivy reports.
- A deployment that looks for the Trivy reports in the cluster, processes them, and sends them to Logz.io.
At present, only vulnerability reports are being collected.
This integration is presently in its beta phase and may be subject to modifications.
Deployment
Before you begin, you'll need:
- An active Logz.io account
- Kubernetes cluster to send reports from
Add the logzio-helm repo

```shell
helm repo add logzio-helm https://logzio.github.io/logzio-helm
helm repo update
```
Run the Helm deployment code

```shell
helm install -n monitoring --create-namespace \
--set env_id="<<ENV-ID>>" \
--set secrets.logzioShippingToken="<<LOG-SHIPPING-TOKEN>>" \
--set secrets.logzioListener="<<LISTENER-HOST>>" \
logzio-trivy logzio-helm/logzio-trivy
```
With this command, we instruct Helm to create the monitoring namespace if it does not already exist.
Parameter | Description |
---|---|
<<ENV-ID>> | A unique name for your environment, used to tell telemetry data from different environments apart. If you're collecting metrics, this should match the env-id/p8s_logzio_name you used for the metrics. |
<<LOG-SHIPPING-TOKEN>> | Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to. |
<<LISTENER-HOST>> | Replace <<LISTENER-HOST>> with the host for your region, without the http/https prefix. |
Trivy Metrics
By default the trivy-operator exposes a metrics endpoint. As a result, if the chart is run alongside the Logz.io Telemetry chart to collect metrics from the cluster, the Trivy metrics will also be collected.
Note that the Logz.io Telemetry chart sends metrics for the entire cluster, not only for Trivy.
```shell
helm install -n monitoring --create-namespace \
--set metricsOrTraces.enabled=true \
--set logzio-k8s-telemetry.metrics.enabled=true \
--set logzio-k8s-telemetry.secrets.MetricsToken="<<METRICS-SHIPPING-TOKEN>>" \
--set logzio-k8s-telemetry.secrets.ListenerHost="https://<<LISTENER-HOST>>:8053" \
--set logzio-k8s-telemetry.secrets.p8s_logzio_name="<<ENV-ID>>" \
--set logzio-k8s-telemetry.secrets.env_id="<<ENV-ID>>" \
--set securityReport.enabled=true \
--set logzio-trivy.env_id="<<ENV-ID>>" \
--set logzio-trivy.secrets.logzioShippingToken="<<LOG-SHIPPING-TOKEN>>" \
--set logzio-trivy.secrets.logzioListener="<<LISTENER-HOST>>" \
logzio-monitoring logzio-helm/logzio-monitoring
```
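The two install commands above hand the listener host to the charts in different shapes: logzio-trivy takes the bare host (secrets.logzioListener, no http/https prefix), while the telemetry sub-chart takes https://<host>:8053 (ListenerHost). The following POSIX shell script is an added example, not code from the Logz.io docs or from the logzio-helm chart. It normalizes the listener value for both shapes, refuses values that are still unreplaced <<...>> placeholders, and builds the --set arguments for the logzio-trivy chart. The helper names, the RUN_HELM guard and the sample host are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Logz.io docs or the logzio-helm chart).
# Normalizes the listener host and assembles the --set arguments for the
# logzio-trivy chart, refusing unreplaced placeholders before helm runs.

# Strip an http:// or https:// scheme and a trailing slash.
# logzio-trivy wants the bare host; the telemetry sub-chart wants a URL.
strip_scheme() {
  h="$1"
  case "$h" in
    http://*)  h="${h#http://}" ;;
    https://*) h="${h#https://}" ;;
  esac
  h="${h%/}"
  printf '%s' "$h"
}

# Listener URL in the shape the telemetry sub-chart expects (port 8053, as in the docs).
telemetry_listener() {
  printf 'https://%s:8053' "$(strip_scheme "$1")"
}

# Return 0 when a value is empty or still looks like an unreplaced <<PLACEHOLDER>>.
is_placeholder() {
  case "$1" in
    "<<"*">>"|"") return 0 ;;
    *) return 1 ;;
  esac
}

# Print the --set arguments for the logzio-trivy chart, one per line,
# or fail (exit 1) if any required value is missing or still a placeholder.
#   $1 env_id   $2 log shipping token   $3 listener host (scheme is stripped)
trivy_set_args() {
  env_id="$1"; token="$2"; listener="$(strip_scheme "$3")"
  for v in "$env_id" "$token" "$listener"; do
    if is_placeholder "$v"; then
      echo "missing or unreplaced value: '$v'" >&2
      return 1
    fi
  done
  printf '%s\n' "--set env_id=$env_id"
  printf '%s\n' "--set secrets.logzioShippingToken=$token"
  printf '%s\n' "--set secrets.logzioListener=$listener"
}

# helm is only invoked when explicitly requested (RUN_HELM=1), so the helpers
# can be sourced or checked without a cluster. ENV_ID, LOG_SHIPPING_TOKEN and
# LISTENER_HOST are assumed to be exported by the operator running the script.
if [ "${RUN_HELM:-0}" = "1" ]; then
  # shellcheck disable=SC2046  # word splitting of the --set lines is intended
  helm install -n monitoring --create-namespace \
    $(trivy_set_args "$ENV_ID" "$LOG_SHIPPING_TOKEN" "$LISTENER_HOST") \
    logzio-trivy logzio-helm/logzio-trivy
fi
```

Run it as `RUN_HELM=1 ENV_ID=prod LOG_SHIPPING_TOKEN=... LISTENER_HOST=listener.logz.io sh install-trivy.sh` (the host is a constructed sample); without RUN_HELM the script only defines the helpers, which is what makes the placeholder check usable in a CI step before any release is created.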
Check Logz.io for your reports
Give your reports some time to get from your system to ours, and then open OpenSearch Dashboards.
Additional configuration
Customizing Helm chart parameters
Configure customization options
You can use the following options to update the Helm chart parameters:
- Specify parameters using the --set key=value[,key=value] argument to helm install.
- Edit the values.yaml.
- Override default values with your own my_values.yaml and apply it in the helm install command.
Custom parameters
Parameter | Description | Default |
---|---|---|
trivy-operator.trivy.ignoreUnfixed | Determines whether to display only fixed vulnerabilities in the reports generated by Trivy. | false |
nameOverride | Overrides the Chart name for resources. | "" |
fullnameOverride | Overrides the full name of the resources. | "" |
schedule | Time for daily scanning for security reports and sending them to Logz.io, in the "HH:MM" format. | "07:00" |
restartPolicy | Container restart policy | OnFailure |
image | Container image | logzio/trivy-to-logzio |
imageTag | Container image tag | 0.1.0 |
env_id | A unique name assigned to your environment's identifier, to differentiate telemetry data across various environments. | "" |
terminationGracePeriodSeconds | Termination period (in seconds) to wait before killing Fluentd pod process on pod shutdown. | 30 |
serviceAccount.create | Specifies whether to create a service account for the cron job. | true |
serviceAccount.name | Name of the service account. | "" |
secrets.enabled | Specifies whether to create a secret for the deployment. | true |
secrets.name | Secret name | "logzio-logs-secret-trivy" |
secrets.logzioShippingToken | Your logz.io log shipping token | "" |
secrets.logzioListener | Your logz.io listener host | "" (defaults to us region) |
scriptLogLevel | Log level of the script that sends the security reports to Logz.io. Can be one of: DEBUG, INFO, WARNING, ERROR, CRITICAL. | INFO |
Uninstalling the Chart
The uninstall command removes all the Kubernetes components associated with the chart and deletes the release.
To uninstall the logzio-trivy deployment, use the following command:

```shell
helm uninstall logzio-trivy -n monitoring
```
Handling image pull rate limit
In certain cases, such as spot clusters where pods or nodes are frequently replaced, the pull rate limit for images retrieved from Docker Hub may be reached, resulting in an error:

```
You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits.
```

In these cases, add the following --set flag to the helm install command to use an alternative image repository:

```shell
--set image=public.ecr.aws/logzio/trivy-to-logzio
```
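As an added example (not from the Logz.io docs or the logzio-helm chart), the following POSIX shell script takes the values-file route described under Customizing Helm chart parameters: it renders a my_values.yaml from the parameters in the Custom parameters table, including the alternative image repository above, and checks the two free-form values (schedule in HH:MM form, scriptLogLevel from the listed levels) before helm install -f ever sees them. The function names, the RUN_HELM guard and the sample values are this example's own assumptions, and the YAML layout assumes the table's dotted names (trivy-operator.trivy.ignoreUnfixed, secrets.logzioListener) map to nested keys in the usual Helm way.

```shell
#!/bin/sh
# Added example (not from the Logz.io docs or the logzio-helm chart).
# Renders a my_values.yaml for logzio-trivy and validates the free-form
# parameters against the formats the Custom parameters table documents.

# schedule must be "HH:MM" in 24-hour form; returns 0 when valid.
valid_schedule() {
  case "$1" in
    [0-1][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# scriptLogLevel must be one of the five levels listed in the table.
valid_log_level() {
  case "$1" in
    DEBUG|INFO|WARNING|ERROR|CRITICAL) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a values file to stdout, or fail (exit 1) on an invalid parameter.
#   $1 env_id     $2 shipping token   $3 listener host (no scheme)
#   $4 schedule   $5 scriptLogLevel   $6 ignoreUnfixed (true/false)
#   $7 image repository (the ECR mirror when Docker Hub rate-limits pulls)
render_values() {
  valid_schedule "$4"  || { echo "bad schedule '$4' (want HH:MM)" >&2; return 1; }
  valid_log_level "$5" || { echo "bad scriptLogLevel '$5'" >&2; return 1; }
  case "$6" in
    true|false) ;;
    *) echo "ignoreUnfixed must be true or false, got '$6'" >&2; return 1 ;;
  esac
  # Dotted parameter names from the table become nested YAML keys.
  cat <<EOF
env_id: "$1"
schedule: "$4"
scriptLogLevel: $5
image: $7
secrets:
  logzioShippingToken: "$2"
  logzioListener: "$3"
trivy-operator:
  trivy:
    ignoreUnfixed: $6
EOF
}

# Write the file and install only when asked (RUN_HELM=1). The defaults below
# mirror the table's defaults except for the image, which uses the ECR mirror.
# ENV_ID, LOG_SHIPPING_TOKEN and LISTENER_HOST are assumed to be exported.
if [ "${RUN_HELM:-0}" = "1" ]; then
  render_values "$ENV_ID" "$LOG_SHIPPING_TOKEN" "$LISTENER_HOST" \
    "${SCHEDULE:-07:00}" "${LOG_LEVEL:-INFO}" "${IGNORE_UNFIXED:-false}" \
    "${IMAGE:-public.ecr.aws/logzio/trivy-to-logzio}" > my_values.yaml \
  && helm install -n monitoring --create-namespace \
       -f my_values.yaml logzio-trivy logzio-helm/logzio-trivy
fi
```

Setting IGNORE_UNFIXED=true maps to trivy-operator.trivy.ignoreUnfixed and keeps findings without an available fix out of the reports shipped to Logz.io; leave it at false when the goal is a complete inventory rather than an actionable patch list.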