Skip to content

Commit

Permalink
docs: update trivy k8s with new experience (#6465)
Browse files Browse the repository at this point in the history
Signed-off-by: chenk <[email protected]>
  • Loading branch information
chen-keinan authored May 2, 2024
1 parent e739ab8 commit a2a02de
Show file tree
Hide file tree
Showing 3 changed files with 115 additions and 76 deletions.
146 changes: 99 additions & 47 deletions docs/docs/target/kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Trivy can also be installed *inside* your cluster as a Kubernetes Operator, and
When scanning a Kubernetes cluster, Trivy differentiates between the following:

1. Cluster infrastructure (e.g api-server, kubelet, addons)
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Application workloads (e.g nginx, postgresql).

When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
Expand All @@ -30,58 +30,79 @@ Kubernetes resource definition is scanned for:

Trivy follows the behavior of the `kubectl` tool as much as possible.

### Scope

The command expects an argument that selects the scope of the scan (similarly to how `kubectl` expects an argument after `kubectl get`). This argument can be:
1. A Kubernetes Kind. e.g `pod`, `deployment`, etc.
2. A Kubernetes Resource. e.g `pods/mypod`, etc.
3. `all`. Scan common workload kinds, as listed [here](https://github.com/aquasecurity/trivy-kubernetes/blob/bf8cc2a00d9772e0aa271f06d375b936152b54b1/pkg/k8s/k8s.go#L296:L314)
4. `cluster` scan the entire cluster including all namespaced resources and cluster level resources.

Examples:

```
trivy k8s all
trivy k8s pods
trivy k8s deploy myapp
trivy k8s pod/mypod
trivy k8s pods,deploy
trivy k8s cluster
```sh
trivy k8s [flags] [CONTEXT] - if the target name [CONTEXT] is not specified, the default will be used.
```
Note that the scope argument must appear last in the command line, after any other flag.
for example:
### Cluster
```sh
trivy k8s --report summary
```
By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified.
You can also specify a `kubeconfig` using the `--kubeconfig` flag:
```
```sh
trivy k8s --kubeconfig ~/.kube/config2
```
### Namespace
By default, all cluster resource images will be downloaded and scanned.
By default Trivy will scan all namespaces (following `kubectl` behavior). To specify a namespace use the `--namespace` flag:
### Skip-images
You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.
- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.
Example:
```sh
trivy k8s --report summary --skip-images
```
trivy k8s --kubeconfig ~/.kube/config2 --namespace default
```
### Node
You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
### Include/Exclude Kinds
You can control which kinds of resources will be discovered using the `--include-kinds` or `--exclude-kinds` comma-separated flags:
***Note:*** Both flags (`--include-kinds` or `--exclude-kinds`) cannot be set in conjunction.
- `--include-kinds` will include the listed kinds in cluster scanning.
- `--exclude-kinds` will exclude the listed kinds from cluster scanning.
By default, all kinds will be included in cluster scanning.
Example:
```sh
trivy k8s --report summary --exclude-kinds node,pod
```
trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
### Include/Exclude Namespaces
You can control which namespaces will be discovered using the `--include-namespaces` or `--exclude-namespaces` comma-separated flags:
***Note:*** Both flags (`--include-namespaces` or `--exclude-namespaces`) cannot be set in conjunction.
- `--include-namespaces` will include the listed namespaces in cluster scanning.
- `--exclude-namespaces` will exclude the listed namespaces from cluster scanning.
By default, all namespaces will be included in cluster scanning.
Example:
```sh
trivy k8s --report summary --exclude-namespace dev-system,staging-system
```
## Control Plane and Node Components Vulnerability Scanning
Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds
Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds.
To read more about KBOM, see the [documentation for Kubernetes scanning](./sbom.md#kbom).
```
trivy k8s cluster --scanners vuln --report all
```sh
trivy k8s --scanners vuln --report all
NodeComponents/kind-control-plane (kubernetes)
Expand All @@ -101,13 +122,43 @@ Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
```
## Node-Collector
Node-collector is a scan job that collects node configuration parameters and permission information. This information will be evaluated against Kubernetes hardening (e.g. CIS benchmark) and best practices values. The scan results will be output in infrastructure assessment and CIS benchmark compliance reports.
### Disable Node Collector
You can control whether the node scan-job (`node-collector`) will run in the cluster. To disable it, add the `--disable-node-collector` flag
- `--disable-node-collector` This flag will exclude findings related to Node (infra assessment) misconfigurations
By default, the node scan-job (`node-collector`) will run in the cluster.
Example:
```sh
trivy k8s --report summary --disable-node-collector
```
### Taints and Tolerations
### Components types
The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
You can control what kinds of components are discovered using the `--components` flag:
- `--components infra` will discover only cluster infrastructure components.
- `--components workload` will discover only application workloads.
- If the flag is omitted: infra, workloads, and RBAC are discovered.
- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node
Example:
```sh
trivy k8s --report summary --tolerations key1=value1:NoExecute,key2=value2:NoSchedule
```
### Exclude Nodes by Label
You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
```sh
trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6
```
## Reporting and filtering
Expand All @@ -117,24 +168,24 @@ You can always choose the report granularity using the `--report summary`/`--rep
Scan a full cluster and generate a simple summary report:
```
$ trivy k8s --report=summary cluster
```sh
trivy k8s --report=summary
```
![k8s Summary Report](../../imgs/trivy-k8s.png)
Filter by severity:
```
trivy k8s --severity=CRITICAL --report=all cluster
trivy k8s --severity=CRITICAL --report=all
```
Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
```
trivy k8s --scanners=secret --report=summary cluster
trivy k8s --scanners=secret --report=summary
# or
trivy k8s --scanners=misconfig --report=summary cluster
trivy k8s --scanners=misconfig --report=summary
```
The supported output formats are `table`, which is the default, and `json`.
Expand Down Expand Up @@ -300,6 +351,7 @@ trivy k8s --format json -o results.json cluster
</details>
## Compliance
This section describes Kubernetes specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
Expand All @@ -318,31 +370,31 @@ Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:
```
$ trivy k8s cluster --compliance=k8s-pss-baseline --report summary
trivy k8s --compliance=k8s-pss-baseline --report summary
```
Get the detailed report for checks:
```
$ trivy k8s cluster --compliance=k8s-cis --report all
trivy k8s --compliance=k8s-cis --report all
```
Get summary report in JSON format:
```
$ trivy k8s cluster --compliance=k8s-cis --report summary --format json
trivy k8s --compliance=k8s-cis --report summary --format json
```
Get detailed report in JSON format:
```
$ trivy k8s cluster --compliance=k8s-cis --report all --format json
trivy k8s --compliance=k8s-cis --report all --format json
```
Expand All @@ -355,15 +407,15 @@ Trivy can generate KBOM in CycloneDX format:
```sh
$ trivy k8s cluster --format cyclonedx --output mykbom.cdx.json
trivy k8s --format cyclonedx --output mykbom.cdx.json
```
Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:
```sh
$ trivy sbom mykbom.cdx.json
trivy sbom mykbom.cdx.json
```
Expand Down
Binary file modified docs/imgs/trivy-k8s.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
45 changes: 16 additions & 29 deletions docs/tutorials/kubernetes/cluster-scanning.md
Original file line number Diff line number Diff line change
@@ -1,58 +1,51 @@
# Kubernetes Scanning Tutorial

## Prerequisites
## Prerequisites

To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we’ll use a one-node kind cluster.

Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.

## Cluster Scanning

Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.

The `trivy k8s` command is part of the Trivy CLI.
The `trivy k8s` command is part of the Trivy CLI.

With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:

```
trivy k8s --report=summary cluster
```sh
trivy k8s --report=summary
```

To get detailed information for all your resources, just replace ‘summary’ with ‘all’:

```
trivy k8s --report=all cluster
```sh
trivy k8s --report=all
```

However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details.

Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result:

```
trivy k8s -n kube-system --report=summary cluster
```sh
trivy k8s --include-namespaces kube-system --report summary
```

Again, if you’d like to receive additional details, use the ‘--report=all’ flag:

```
trivy k8s -n kube-system --report=all cluster
```sh
trivy k8s --include-namespaces kube-system --report all
```

Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities:

```
trivy k8s --severity=CRITICAL --report=summary cluster
```sh
trivy k8s --severity=CRITICAL --report=summary
```

Note that you can use any of the Trivy flags on the Trivy K8s command.

With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment:

```
trivy k8s --namespace app --report=summary deployments/react-application
```

## Trivy Operator
## Trivy Operator

The Trivy K8s command is an imperative model to scan resources. We wouldn’t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.

Expand All @@ -66,15 +59,9 @@ This has several benefits:

- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator.


There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)

Please follow the Trivy Operator documentation for further information on:

- [Installation of the Trivy Operator](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/)
- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)





- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)

0 comments on commit a2a02de

Please sign in to comment.