Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: update trivy k8s with new experience #6465

Merged
133 changes: 95 additions & 38 deletions docs/docs/target/kubernetes.md
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ Trivy can also be installed *inside* your cluster as a Kubernetes Operator, and
When scanning a Kubernetes cluster, Trivy differentiates between the following:

1. Cluster infrastructure (e.g api-server, kubelet, addons)
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Cluster configuration (e.g Roles, ClusterRoles).
1. Application workloads (e.g nginx, postgresql).

When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
Expand All @@ -33,55 +33,45 @@ Trivy follows the behavior of the `kubectl` tool as much as possible.
### Scope
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

The command expects an argument that selects the scope of the scan (similarly to how `kubectl` expects an argument after `kubectl get`). This argument can be:
1. A Kubernetes Kind. e.g `pod`, `deployment`, etc.

1. A Kubernetes Kind. e.g `pod`, `deployment`, etc.
2. A Kubernetes Resource. e.g `pods/mypod`, etc.
3. `all`. Scan common workload kinds, as listed [here](https://github.com/aquasecurity/trivy-kubernetes/blob/bf8cc2a00d9772e0aa271f06d375b936152b54b1/pkg/k8s/k8s.go#L296:L314)
4. `cluster` scan the entire cluster including all namespaced resources and cluster level resources.

Examples:

```sh
trivy k8s --report summary
```
trivy k8s all
trivy k8s pods
trivy k8s deploy myapp
trivy k8s pod/mypod
trivy k8s pods,deploy
trivy k8s cluster
```

Note that the scope argument must appear last in the command line, after any other flag.

### Cluster

By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified.
You can also specify a `kubeconfig` using the `--kubeconfig` flag:

```
```sh
trivy k8s --kubeconfig ~/.kube/config2
```

### Namespace
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

By default Trivy will scan all namespaces (following `kubectl` behavior). To specify a namespace use the `--namespace` flag:

```
```sh
trivy k8s --kubeconfig ~/.kube/config2 --namespace default
```

### Node

You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:

```
trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
```sh
trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6
```

## Control Plane and Node Components Vulnerability Scanning
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds


```
trivy k8s cluster --scanners vuln --report all
```sh
trivy k8s --scanners vuln --report all

NodeComponents/kind-control-plane (kubernetes)

Expand All @@ -101,13 +91,79 @@ Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
```

### Taints and Tolerations

The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node

Example:

```sh
trivy k8s --report summary --tolerations key1=value1:NoExecute,key2=value2:NoSchedule
```

### Disable Node Collector

You can control whether the node scan-job (`node-collector`) will run in the cluster. To disable it, add the `--disable-node-collector` flag

- `--disable-node-collector` This flag will exclude findings related to Node (infra assessment) misconfigurations

By default, the node scan-job (`node-collector`) will run in the cluster.

Example:

```sh
trivy k8s --report summary --disable-node-collector
```

### Skip-images

You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.

By default, all cluster resource images will be downloaded and scanned.

Example:

```sh
trivy k8s --report summary --skip-images
```

### Include/Exclude Kinds

You can control which kinds of resources will be discovered using the `--include-kinds` or `--exclude-kinds` comma-separated flags:
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

***Note:*** Both flags (`--include-kinds` or `--exclude-kinds`) cannot be set in conjunction.

- `--include-kinds` will include the listed kinds in cluster scanning.
- `--exclude-kinds` will exclude the listed kinds from cluster scanning.

By default, all kinds will be included in cluster scanning.

Example:

```sh
trivy k8s --report summary --exclude-kinds node,pod
```

### Include/Exclude Namespaces

You can control which namespaces will be discovered using the `--include-namespaces` or `--exclude-namespaces` comma-separated flags:

***Note:*** Both flags (`--include-namespaces` or `--exclude-namespaces`) cannot be set in conjunction.

### Components types
- `--include-namespaces` will include the listed namespaces in cluster scanning.
- `--exclude-namespaces` will exclude the listed namespaces from cluster scanning.

You can control what kinds of components are discovered using the `--components` flag:
- `--components infra` will discover only cluster infrastructure components.
- `--components workload` will discover only application workloads.
- If the flag is omitted: infra, workloads, and RBAC are discovered.
By default, all namespaces will be included in cluster scanning.
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

Example:

```sh
trivy k8s --report summary --exclude-namespace dev-system,staging-system
```

## Reporting and filtering

Expand All @@ -117,24 +173,24 @@ You can always choose the report granularity using the `--report summary`/`--rep

Scan a full cluster and generate a simple summary report:

```
$ trivy k8s --report=summary cluster
```sh
trivy k8s --report=summary
```

![k8s Summary Report](../../imgs/trivy-k8s.png)

Filter by severity:

```
trivy k8s --severity=CRITICAL --report=all cluster
trivy k8s --severity=CRITICAL --report=all
```

Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):

```
trivy k8s --scanners=secret --report=summary cluster
trivy k8s --scanners=secret --report=summary
# or
trivy k8s --scanners=misconfig --report=summary cluster
trivy k8s --scanners=misconfig --report=summary
```

The supported output formats are `table`, which is the default, and `json`.
Expand Down Expand Up @@ -300,6 +356,7 @@ trivy k8s --format json -o results.json cluster
</details>

## Compliance

This section describes Kubernetes specific compliance reports.
For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).

Expand All @@ -318,31 +375,31 @@ Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:

```

$ trivy k8s cluster --compliance=k8s-pss-baseline --report summary
trivy k8s --compliance=k8s-pss-baseline --report summary
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved

```

Get the detailed report for checks:

```

$ trivy k8s cluster --compliance=k8s-cis --report all
trivy k8s --compliance=k8s-cis --report all

```

Get summary report in JSON format:

```

$ trivy k8s cluster --compliance=k8s-cis --report summary --format json
trivy k8s --compliance=k8s-cis --report summary --format json

```

Get detailed report in JSON format:

```

$ trivy k8s cluster --compliance=k8s-cis --report all --format json
trivy k8s --compliance=k8s-cis --report all --format json

```

Expand All @@ -355,15 +412,15 @@ Trivy can generate KBOM in CycloneDX format:

```sh

$ trivy k8s cluster --format cyclonedx --output mykbom.cdx.json
trivy k8s --format cyclonedx --output mykbom.cdx.json

```

Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:

```sh

$ trivy sbom mykbom.cdx.json
trivy sbom mykbom.cdx.json

```

Expand Down
Binary file modified docs/imgs/trivy-k8s.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
45 changes: 16 additions & 29 deletions docs/tutorials/kubernetes/cluster-scanning.md
chen-keinan marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
@@ -1,58 +1,51 @@
# Kubernetes Scanning Tutorial

## Prerequisites
## Prerequisites

To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we’ll use a one-node kind cluster.

Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.

## Cluster Scanning

Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.

The `trivy k8s` command is part of the Trivy CLI.
The `trivy k8s` command is part of the Trivy CLI.

With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:

```
trivy k8s --report=summary cluster
```sh
trivy k8s --report=summary
```

To get detailed information for all your resources, just replace ‘summary’ with ‘all’:

```
trivy k8s --report=all cluster
```sh
trivy k8s --report=all
```

However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details.

Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result:

```
trivy k8s -n kube-system --report=summary cluster
```sh
trivy k8s --include-namespaces kube-system --report summary
```

Again, if you’d like to receive additional details, use the ‘--report=all’ flag:

```
trivy k8s -n kube-system --report=all cluster
```sh
trivy k8s --include-namespaces kube-system --report all
```

Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities:

```
trivy k8s --severity=CRITICAL --report=summary cluster
```sh
trivy k8s --severity=CRITICAL --report=summary
```

Note that you can use any of the Trivy flags on the Trivy K8s command.

With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment:

```
trivy k8s --namespace app --report=summary deployments/react-application
```

## Trivy Operator
## Trivy Operator

The Trivy K8s command is an imperative model to scan resources. We wouldn’t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.

Expand All @@ -66,15 +59,9 @@ This has several benefits:

- The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator.


There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)

Please follow the Trivy Operator documentation for further information on:

- [Installation of the Trivy Operator](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/)
- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)





- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)