feat(find vulnerabilities): Configure HTTP proxy for Trivy (aquasecur…

…ity#154) Some people might run their (dev) clusters behind the proxy. It is possible to set the HTTP_PROXY environment variable when using Trivy directly. This commit makes it possible to use Starboard CLI and pass HTTP proxy config to Trivy by setting the trivy.httpProxy configuration parameter before you run the starboard find vulnerabilities command. $ starboard init $ kubectl patch configmap starboard -n starboard \ --type merge \ -p '{"data": {"trivy.httpProxy":"http://your-proxy:9001"}}' $ starboard find vulnerabilities deploy/my-deployment Resolves: aquasecurity#84 Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
rajkrishnamurthy · Sep 19, 2020 · dd8e497 · dd8e497
1 parent 78ee8c7
commit dd8e497
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@
   - [From Source (Linux, macOS)](#from-source-linux-macos)
 - [Getting Started](#getting-started)
 - [Next Steps](#next-steps)
+- [Configuration](#configuration)
 - [Custom Security Resources Definitions](#custom-security-resources-definitions)
 - [Starboard CLI](#starboard-cli)
 - [Troubleshooting](#troubleshooting)
@@ -99,11 +100,11 @@ scans. It also sends custom security resources definitions to the Kubernetes API
 
 ```
 $ kubectl api-resources --api-group aquasecurity.github.io
-NAME                  SHORTNAMES   APIGROUP                NAMESPACED  KIND
-ciskubebenchreports   kubebench    aquasecurity.github.io  false       CISKubeBenchReport
-configauditreports    configaudit  aquasecurity.github.io  true        ConfigAuditReport
-kubehunterreports     kubehunter   aquasecurity.github.io  false       KubeHunterReport
-vulnerabilityreports  vulns,vuln   aquasecurity.github.io  true        VulnerabilityReport
+NAME                   SHORTNAMES    APIGROUP                 NAMESPACED   KIND
+ciskubebenchreports    kubebench     aquasecurity.github.io   false        CISKubeBenchReport
+configauditreports     configaudit   aquasecurity.github.io   true         ConfigAuditReport
+kubehunterreports      kubehunter    aquasecurity.github.io   false        KubeHunterReport
+vulnerabilityreports   vulns,vuln    aquasecurity.github.io   true         VulnerabilityReport
 ```
 
 > There's also a `starboard cleanup` subcommand, which can be used to remove all resources created by Starboard.
@@ -197,6 +198,38 @@ vulnerabilities as well as configuration issues that might affect stability, rel
 To learn more about the available Starboard commands and scanners, such as [kube-bench][aqua-kube-bench] or
 [kube-hunter][aqua-kube-hunter], use `starboard help`.
 
+## Configuration
+
+The `starboard init` command creates the `starboard` ConfigMap in the `starboard` namespace, which contains the default
+configuration parameters. You can change the default config values with `kubectl patch` or `kubectl edit` commands.
+
+For example, by default Trivy displays vulnerabilities with all severity levels (`UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`).
+However, you can opt in to display only `HIGH` and `CRITICAL` vulnerabilities by patching the `trivy.severity` value
+in the `starboard` ConfigMap:
+
+```
+$ kubectl patch configmap starboard -n starboard \
+  --type merge \
+  -p '{"data": {"trivy.severity":"HIGH,CRITICAL"}}'
+```
+
+The following table lists available configuration parameters.
+
+| CONFIGMAP KEY         | DEFAULT                                                | DESCRIPTION |
+| --------------------- | ------------------------------------------------------ | ----------- |
+| `trivy.httpProxy`     | N/A                                                    | The HTTP proxy used by Trivy to download the vulnerabilities database from GitHub |
+| `trivy.severity`      | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`                     | A comma separated list of severity levels reported by Trivy |
+| `polaris.config.yaml` | [Check the default value here][default-polaris-config] | Polaris configuration file |
+
+> **Note:** You can find it handy to delete a configuration key, which was not created by default by the
+> `starboard init` command. For example, the following `kubectl patch` command deletes the `trivy.httpProxy` key:
+>
+> ```
+> $ kubectl patch configmap starboard -n starboard \
+>   --type json \
+>   -p '[{"op": "remove", "path": "/data/trivy.httpProxy"}]'
+> ```
+
 ## Custom Security Resources Definitions
 
 This project houses CustomResourceDefinitions (CRDs) related to security and compliance checks along with the code
@@ -311,3 +344,5 @@ This repository is available under the [Apache License 2.0][license].
 [kubectl-plugins]: https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins
 
 [krew]: https://github.com/kubernetes-sigs/krew
+
+[default-polaris-config]: ./kube/init/starboard-cm.yaml
diff --git a/pkg/find/vulnerabilities/trivy/scanner.go b/pkg/find/vulnerabilities/trivy/scanner.go
@@ -139,6 +139,20 @@ func (s *Scanner) PrepareScanJob(_ context.Context, workload kube.Object, spec c
 			Image:                    trivyImageRef,
 			ImagePullPolicy:          core.PullIfNotPresent,
 			TerminationMessagePolicy: core.TerminationMessageFallbackToLogsOnError,
+			Env: []core.EnvVar{
+				{
+					Name: "HTTP_PROXY",
+					ValueFrom: &core.EnvVarSource{
+						ConfigMapKeyRef: &core.ConfigMapKeySelector{
+							LocalObjectReference: core.LocalObjectReference{
+								Name: kube.ConfigMapStarboard,
+							},
+							Key:      "trivy.httpProxy",
+							Optional: pointer.BoolPtr(true),
+						},
+					},
+				},
+			},
 			Command: []string{
 				"trivy",
 			},
@@ -165,18 +179,31 @@ func (s *Scanner) PrepareScanJob(_ context.Context, workload kube.Object, spec c
 
 		var envs []core.EnvVar
 
-		envs = append(envs, core.EnvVar{
-			Name: "TRIVY_SEVERITY",
-			ValueFrom: &core.EnvVarSource{
-				ConfigMapKeyRef: &core.ConfigMapKeySelector{
-					LocalObjectReference: core.LocalObjectReference{
-						Name: kube.ConfigMapStarboard,
+		envs = append(envs,
+			core.EnvVar{
+				Name: "TRIVY_SEVERITY",
+				ValueFrom: &core.EnvVarSource{
+					ConfigMapKeyRef: &core.ConfigMapKeySelector{
+						LocalObjectReference: core.LocalObjectReference{
+							Name: kube.ConfigMapStarboard,
+						},
+						Key:      "trivy.severity",
+						Optional: pointer.BoolPtr(true),
+					},
+				},
+			}, core.EnvVar{
+				Name: "HTTP_PROXY",
+				ValueFrom: &core.EnvVarSource{
+					ConfigMapKeyRef: &core.ConfigMapKeySelector{
+						LocalObjectReference: core.LocalObjectReference{
+							Name: kube.ConfigMapStarboard,
+						},
+						Key:      "trivy.httpProxy",
+						Optional: pointer.BoolPtr(true),
 					},
-					Key:      "trivy.severity",
-					Optional: pointer.BoolPtr(true),
 				},
 			},
-		})
+		)
 
 		if dockerConfig, ok := credentials[c.Image]; ok {
 			registryUsernameKey := fmt.Sprintf("%s.username", c.Name)