Update helm/trivy-operator to 0.26.0 and trivy-operator to 0.24.0 #2418

Open. Wants to merge 6 commits into base: main.
Conversation

@OlleLarsson OlleLarsson commented Jan 29, 2025

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • [kind/adr](set-me)

What does this PR do / why do we need this PR?

Upgrades the Trivy-operator helm chart to version 0.26.0, which runs Trivy-operator app version 0.24.0.

Information to reviewers

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change updates CRDs
    • The change updates the config and the schema
  • Documentation checks:
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
    • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
  • Logs checks:
    • The logs do not show any errors after the change
  • PodSecurityPolicy checks:
    • Any changed Pod is covered by Kubernetes Pod Security Standards
    • Any changed Pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
  • NetworkPolicy checks:
    • Any changed Pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

The helm chart defaults to trivy-operator version v0.23.0
@OlleLarsson OlleLarsson force-pushed the ol/update-trivy-operator branch from 3c9eee4 to d288099 Compare February 18, 2025 13:15
@OlleLarsson OlleLarsson marked this pull request as ready for review February 18, 2025 15:34
@OlleLarsson OlleLarsson requested review from a team as code owners February 18, 2025 15:34
@OlleLarsson OlleLarsson changed the title apps: helm/trivy-operator 0.25.0 Update helm/trivy-operator to 0.25.0 and trivy-operator to 0.23.0 Feb 18, 2025
@@ -39,9 +33,9 @@ trivy:
timeout: {{- toYaml .Values.trivy.scanner.timeout | nindent 4 }}
{{- end }}

operator:
useEmbeddedRegoPolicies: "false"
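Review bot: overriding `useEmbeddedRegoPolicies: "false"` here leaves the operator with no policy source unless external policies are supplied separately, and this hunk configures none; the author's own comment that "I don't see us using any policies in Trivy as it is now" suggests nothing external exists, so the reconcilers that evaluate policies (node-collector, config audit) will have nothing to load. Either drop the override and take the chart default, or add the external policy source next to it and document where it comes from. Also worth confirming that the upstream chart expects the quoted string `"false"` rather than a YAML boolean at this key.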
@OlleLarsson (Contributor Author):
This was false previously so I decided to keep it that way by overriding it here.
I don't see us using any policies in Trivy as it is now.

@OlleLarsson (Contributor Author):
Look into

{"level":"error","ts":"2025-02-21T13:27:54Z","msg":"Reconciler error","controller":"job","controllerGroup":"batch","controllerKind":"Job","Job":{"name":"node-collector-76c989d645","namespace":"monitoring"},"namespace":"monitoring","name":"node-collector-76c989d645","reconcileID":"a4efb86a-60e8-46af-a01a-2779bc8d2bb6","error":"failed to evaluate policies on Node : failed to load rego checks from [externalPolicies]: stat externalPolicies: file does not exist","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:332\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:279\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:240"}

@OlleLarsson (Contributor Author):

Removed the override of the embedded policies to not have any job complain.

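The checklist item "The logs do not show any errors after the change" and the reconciler error quoted above are the kind of thing a reviewer would want to verify mechanically rather than by eyeballing `kubectl logs`. The script below is an added example for this thread, not trivy-operator code: it parses the operator's structured JSON log lines, counts error-level lines per controller, and pulls out rego policy load failures with the object and policy source they refer to. Function names, the `check_policy_errors.py` filename and the `deploy/trivy-operator` deployment name are assumptions; the sample log lines are constructed (the policy error mirrors the one quoted in the thread, with its stacktrace dropped).

```python
"""Scan trivy-operator JSON logs for policy-loading failures.

Added example for this PR thread, not trivy-operator code. Function and
sample names are assumptions; the sample log lines are constructed.
"""
import json
import re
import sys
from typing import Dict, Iterable, List, Optional

# Constructed sample log: one abbreviated copy of the reconciler error from the
# thread (stacktrace omitted), one unrelated error, one info line, one non-JSON line.
SAMPLE_LOG_LINES: List[str] = [
    '{"level":"info","ts":"2025-02-21T13:27:50Z","msg":"Starting workers","controller":"job"}',
    (
        '{"level":"error","ts":"2025-02-21T13:27:54Z","msg":"Reconciler error",'
        '"controller":"job","controllerKind":"Job",'
        '"Job":{"name":"node-collector-76c989d645","namespace":"monitoring"},'
        '"error":"failed to evaluate policies on Node : failed to load rego checks '
        'from [externalPolicies]: stat externalPolicies: file does not exist"}'
    ),
    (
        '{"level":"error","ts":"2025-02-21T13:28:01Z","msg":"Reconciler error",'
        '"controller":"vulnerabilityreport","error":"context deadline exceeded"}'
    ),
    "plain text line that is not JSON",
]

# Matches the operator's "failed to load rego checks from [<source>]" message and
# captures the policy source it tried to read (e.g. externalPolicies).
POLICY_LOAD_RE = re.compile(r"failed to load rego checks from \[(?P<source>[^\]]+)\]")


def parse_log_line(line: str) -> Optional[dict]:
    """Decode one structured log line; return None for non-JSON or non-object lines."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def reconciled_object(entry: dict) -> str:
    """Build 'namespace/name' for the object a reconciler error refers to, if present.

    controller-runtime logs the object under a key named after controllerKind,
    e.g. "controllerKind":"Job" together with "Job":{"name":...,"namespace":...}.
    """
    kind = entry.get("controllerKind")
    ref = entry.get(kind) if kind else None
    if isinstance(ref, dict) and "name" in ref:
        return f"{ref.get('namespace', '')}/{ref['name']}"
    return ""


def find_policy_load_errors(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per error-level line whose message is a rego policy load failure."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_log_line(line)
        if not entry or entry.get("level") != "error":
            continue
        match = POLICY_LOAD_RE.search(entry.get("error", ""))
        if not match:
            continue
        hits.append({
            "ts": entry.get("ts", ""),
            "controller": entry.get("controller", ""),
            "object": reconciled_object(entry),
            "policy_source": match.group("source"),
        })
    return hits


def count_errors_by_controller(lines: Iterable[str]) -> Dict[str, int]:
    """Count every error-level line per controller (the 'logs show no errors' check)."""
    counts: Dict[str, int] = {}
    for line in lines:
        entry = parse_log_line(line)
        if entry and entry.get("level") == "error":
            controller = entry.get("controller", "<none>")
            counts[controller] = counts.get(controller, 0) + 1
    return counts


if __name__ == "__main__":
    # Read real logs from stdin when piped; fall back to the constructed sample.
    source = SAMPLE_LOG_LINES if sys.stdin.isatty() else (l.rstrip("\n") for l in sys.stdin)
    lines = list(source)
    for hit in find_policy_load_errors(lines):
        print("policy load failure:", hit)
    print("errors per controller:", count_errors_by_controller(lines))
```

Run it against a live cluster with something like `kubectl logs -n monitoring deploy/trivy-operator | python3 check_policy_errors.py` (deployment name assumed). A non-empty policy-failure list after the upgrade is the signal that the `useEmbeddedRegoPolicies` override is in effect without an external policy source.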
@OlleLarsson OlleLarsson changed the title Update helm/trivy-operator to 0.25.0 and trivy-operator to 0.23.0 Update helm/trivy-operator to 0.26.0 and trivy-operator to 0.24.0 Feb 19, 2025
@OlleLarsson (Contributor Author) commented:
Updated to latest version of the helm chart and trivy-operator to resolve a few vulnerabilities in Trivy.

@OlleLarsson OlleLarsson requested a review from Xartos February 19, 2025 10:01
@Xartos (Contributor) left a comment:
LGTM

@OlleLarsson OlleLarsson force-pushed the ol/update-trivy-operator branch from 516ba8b to baea4c2 Compare February 21, 2025 12:53
The helm chart defaults to trivy-operator version v0.24.0
@OlleLarsson OlleLarsson force-pushed the ol/update-trivy-operator branch from baea4c2 to 78c9f29 Compare February 21, 2025 12:57
@aarnq (Contributor) left a comment:
LGTM

Comment on lines 164 to 166
- mirror.gcr.io/aquasec/node-collector
- mirror.gcr.io/aquasec/trivy
- mirror.gcr.io/aquasec/trivy-operator
A contributor commented:
Nit, sort.

Successfully merging this pull request may close these issues.

Upgrade trivy-operator
4 participants