docs: add node-collector section and remove irrelevant sections
Signed-off-by: chenk <[email protected]>
chen-keinan committed Apr 30, 2024
1 parent f8e9faa commit 07e56cd
Showing 1 changed file with 50 additions and 61 deletions.
111 changes: 50 additions & 61 deletions docs/docs/target/kubernetes.md
Expand Up @@ -30,15 +30,6 @@ Kubernetes resource definition is scanned for:

Trivy follows the behavior of the `kubectl` tool as much as possible.

### Scope

The command expects an argument that selects the scope of the scan (similarly to how `kubectl` expects an argument after `kubectl get`). This argument can be:

1. A Kubernetes Kind. e.g `pod`, `deployment`, etc.
2. A Kubernetes Resource. e.g `pods/mypod`, etc.

Examples:

```sh
trivy k8s --report summary
```
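Review bot: removing the whole "Scope" block (lines "### Scope" through "Examples:") leaves the fenced `trivy k8s --report summary` block directly after "Trivy follows the behavior of the `kubectl` tool as much as possible." with no sentence introducing it; keep a short lead-in such as "Example:" so the code block is not orphaned. Also, since this hunk deletes the only description of the positional argument ("A Kubernetes Kind. e.g `pod`, `deployment`" / "A Kubernetes Resource. e.g `pods/mypod`"), please confirm in the commit message or PR that `trivy k8s` no longer accepts that argument; otherwise the removal drops documented behaviour rather than an irrelevant section.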
Expand All @@ -50,25 +41,59 @@ You can also specify a `kubeconfig` using the `--kubeconfig` flag:
trivy k8s --kubeconfig ~/.kube/config2
```

### Namespace
### Skip-images

By default Trivy will scan all namespaces (following `kubectl` behavior). To specify a namespace use the `--namespace` flag:
You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.

- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.

By default, all cluster resource images will be downloaded and scanned.

Example:

```sh
trivy k8s --kubeconfig ~/.kube/config2 --namespace default
trivy k8s --report summary --skip-images
```

### Node
### Include/Exclude Kinds

You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
You can control which kinds of resources will be discovered using the `--include-kinds` or `--exclude-kinds` comma-separated flags:

***Note:*** Both flags (`--include-kinds` or `--exclude-kinds`) cannot be set in conjunction.

- `--include-kinds` will include the listed kinds in cluster scanning.
- `--exclude-kinds` will exclude the listed kinds from cluster scanning.

By default, all kinds will be included in cluster scanning.

Example:

```sh
trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6
trivy k8s --report summary --exclude-kinds node,pod
```

### Include/Exclude Namespaces

You can control which namespaces will be discovered using the `--include-namespaces` or `--exclude-namespaces` comma-separated flags:

***Note:*** Both flags (`--include-namespaces` or `--exclude-namespaces`) cannot be set in conjunction.

- `--include-namespaces` will include the listed namespaces in cluster scanning.
- `--exclude-namespaces` will exclude the listed namespaces from cluster scanning.

By default, all namespaces will be included in cluster scanning.

Example:

```sh
trivy k8s --report summary --exclude-namespace dev-system,staging-system
```

## Control Plane and Node Components Vulnerability Scanning

Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds
Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds.

To read more about KBOM, see the [documentation for Kubernetes scanning](./sbom.md#kbom).

```sh
trivy k8s --scanners vuln --report all
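Review bot: the flag name in the "Include/Exclude Namespaces" example does not match the flag documented two paragraphs above it: the text introduces `--include-namespaces` / `--exclude-namespaces`, but the example reads `trivy k8s --report summary --exclude-namespace dev-system,staging-system` (singular). Since this hunk is the one that now adds that example, fix it to `--exclude-namespaces` here. Two smaller points in the same hunk: in the "Skip-images" paragraph, "add the --skip-images flag" should use backticks like every other flag on the page, and the repeated "***Note:*** Both flags (...) cannot be set in conjunction." would read more clearly as "are mutually exclusive". The added KBOM sentence links to `./sbom.md#kbom`; please check that anchor exists in the sbom page so the link does not 404 when the docs are built.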
Expand All @@ -91,17 +116,9 @@ Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
```

### Taints and Tolerations
## Node-Collector

The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)

- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node

Example:

```sh
trivy k8s --report summary --tolerations key1=value1:NoExecute,key2=value2:NoSchedule
```
Node-collector is a scan job that collects node configuration parameters and permission information. This information will be evaluated against Kubernetes hardening (e.g. CIS benchmark) and best practices values. The scan results will be output in infrastructure assessment and CIS benchmark compliance reports.

### Disable Node Collector

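Review bot: the new "## Node-Collector" intro paragraph no longer says where the collector runs, while the removed "Taints and Tolerations" text did ("The node-collector scan-job will run on every node"). Since the subsections that follow ("### Disable Node Collector", tolerations, exclude-nodes) only make sense once the reader knows a job is scheduled onto each node of the scanned cluster, suggest adding that sentence back to the intro, e.g. "Node-collector is a scan job that runs on every node and collects node configuration parameters and permission information." Minor: the page alternates between "scan-job" and "scan job"; pick one spelling. Promoting the heading from `###` to `##` is right, as it places the existing "### Disable Node Collector" subsection under it.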
Expand All @@ -117,52 +134,24 @@ Example:
trivy k8s --report summary --disable-node-collector
```

### Skip-images

You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.

- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.

By default, all cluster resource images will be downloaded and scanned.

Example:

```sh
trivy k8s --report summary --skip-images
```

### Include/Exclude Kinds

You can control which kinds of resources will be discovered using the `--include-kinds` or `--exclude-kinds` comma-separated flags:

***Note:*** Both flags (`--include-kinds` or `--exclude-kinds`) cannot be set in conjunction.
### Taints and Tolerations

- `--include-kinds` will include the listed kinds in cluster scanning.
- `--exclude-kinds` will exclude the listed kinds from cluster scanning.
The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)

By default, all kinds will be included in cluster scanning.
- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node

Example:

```sh
trivy k8s --report summary --exclude-kinds node,pod
trivy k8s --report summary --tolerations key1=value1:NoExecute,key2=value2:NoSchedule
```

### Include/Exclude Namespaces

You can control which namespaces will be discovered using the `--include-namespaces` or `--exclude-namespaces` comma-separated flags:

***Note:*** Both flags (`--include-namespaces` or `--exclude-namespaces`) cannot be set in conjunction.

- `--include-namespaces` will include the listed namespaces in cluster scanning.
- `--exclude-namespaces` will exclude the listed namespaces from cluster scanning.
### Exclude Nodes by Label

By default, all namespaces will be included in cluster scanning.

Example:
You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:

```sh
trivy k8s --report summary --exclude-namespace dev-system,staging-system
trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6
```

## Reporting and filtering
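Review bot: the tolerations text is being moved rather than rewritten, so this is the moment to fix the typos it carries: "for more details [see k8s docs]" starts lowercase after an unterminated sentence and lacks a final period, and the bullet "this flag wil enable node-collector to be schedule on tainted Node" should read "this flag will enable node-collector to be scheduled on tainted nodes". In the new "### Exclude Nodes by Label" subsection, please confirm the label value in `--exclude-nodes kubernetes.io/arch:arm6` is the one intended for the example, as it does not look like a typical `kubernetes.io/arch` value; if it is only illustrative, a comment or a more obviously generic value would avoid readers copying it as-is.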
