docs(design): Scan Container Images with Trivy Filesystem Scanne #830
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
danielpacak
added
the
🎨 design
deven0t
force-pushed
the
deven-trivy-fs-scan-design
branch
from
b79a6dd to
613014f
Compare
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Dec 23, 2021
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of first approach suggested here aquasecurity#830
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Dec 23, 2021
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of first approach suggested here aquasecurity#830
deven0t
force-pushed
the
deven-trivy-fs-scan-design
branch
from
613014f to
b1326c6
Compare
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Jan 4, 2022
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of first approach suggested here aquasecurity#830
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Jan 5, 2022
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of first approach suggested here aquasecurity#830
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Jan 6, 2022
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of first approach suggested here aquasecurity#830
danielpacak
suggested changes
Jan 6, 2022
There was a problem hiding this comment.
Hey @deven0t Overall LGTM. I left a few comments to clarify the proposal.
| With this approach we have following problem: | ||
| 1. When image pulled from private registry without ImagePullSecret or service account | ||
| (https://kubernetes.io/docs/concepts/containers/images/#configuring-nodes-to-authenticate-to-a-private-registry) | ||
| 2. When image pulled from managed registry of managed cluster |
There was a problem hiding this comment.
It would be nice to clarify that in this case typically a service account or cluster node is authorized to pull images from registries and users are not supposed to create imagePullSecrets.
deven0t
force-pushed
the
deven-trivy-fs-scan-design
branch
from
b1326c6 to
ce04af3
Compare
danielpacak
force-pushed
the
deven-trivy-fs-scan-design
branch
2 times, most recently
from
425a646 to
8f5e702
Compare
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
danielpacak
force-pushed
the
deven-trivy-fs-scan-design
branch
from
8f5e702 to
3687cb5
Compare
danielpacak
changed the title
danielpacak
approved these changes
Jan 11, 2022
There was a problem hiding this comment.
Great work @deven0t I just pushed a few edits to your branch to cleanup duplicates and some of the implementations details.
kfox1111
reviewed
Jan 11, 2022
| To scan a container image of a given K8s workload Starboard will create a corresponding container of a scan Job and | ||
| override its entrypoint to invoke Trivy filesystem scanner. | ||
|
|
||
| This approach requires Trivy executable to be downloaded and made available to the entrypoint. We'll do that by adding |
There was a problem hiding this comment.
This could maybe be done with a csi driver as well.
There was a problem hiding this comment.
I'm not sure that I understood this comment. Could you elaborate on how we can use csi driver in this case?
There was a problem hiding this comment.
just thinking, instead of copying the file from an init container to an emtpydir, a csi driver in ephemeral mode could mount the file into the container.
There was a problem hiding this comment.
May not be worth the effort. but could be like:
kind: Pod
apiVersion: v1
metadata:
name: my-csi-app-inline-volume
spec:
containers:
- name: my-frontend
image: busybox
command: [ "sleep", "100000" ]
volumeMounts:
- mountPath: "/trivy"
name: my-csi-volume
volumes:
- name: my-csi-volume
csi:
driver: trivy| the init container to the scan Job. Such init container will use the Trivy container image to copy Trivy executable out | ||
| to the emptyDir volume, which will be shared with the other containers. | ||
|
|
||
| Another init container is required to download Trivy vulnerability database and save it to the mounted shared volume. |
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Jan 17, 2022
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of approach suggested here aquasecurity#830
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Jan 17, 2022
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of approach suggested here aquasecurity#830
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Jan 17, 2022
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of approach suggested here aquasecurity#830
deven0t
added a commit
to deven0t/starboard
that referenced
this pull request
Jan 19, 2022
``trivy.command: fs`` will change the trivy scan option to pick up vulnerability scans using trivy fs scan command This is the implementation of approach suggested here aquasecurity#830
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
resolves: #818