wrenix/flux-charts
1
0
Fork 0
Code Issues 14 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix(infra-trivy): init

Browse source
This commit is contained in:
WrenIX 2023-11-25 02:25:22 +01:00
parent 83624d3719
commit abaccb3dde
Signed by: wrenix
GPG key ID: 7AFDB012974B1BB5
12 changed files with 2768 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
base-values/commons.yaml
View file

@ -24,6 +24,8 @@ commons:
grafana_dashboard: "1" grafana_dashboard: "1"
prometheus: prometheus:
alertmanager:
alertmanager: default
monitor: monitor:
labels: labels:
prometheus: default prometheus: default

9
base-values/infra.yaml
View file

@ -25,3 +25,12 @@ components:
dashboards: dashboards:
annotations: annotations:
grafana.mon.local/dashboard-folder: "Logging" grafana.mon.local/dashboard-folder: "Logging"
infra-trivy:
enabled: true
namespace: "monitoring-trivy"
values:
grafana:
dashboards:
annotations:
grafana.mon.local/dashboard-folder: "Security"

23
infra-trivy/.helmignore Normal file
View file

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
infra-trivy/Chart.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: v2
name: infra-trivy
description: deploy trivy-operator
type: application
version: 0.1.0

2249
infra-trivy/grafana_dashboards/trivy.json Normal file
View file

File diff suppressed because it is too large Load diff

39
infra-trivy/templates/alertmanager-config.yaml Normal file
View file

@ -0,0 +1,39 @@
{{- if (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1alpha1/AlertmanagerConfig") }}
---
apiVersion: "monitoring.coreos.com/v1alpha1"
kind: "AlertmanagerConfig"
metadata:
name: "trivy-alertmanager-conf"
labels:
{{- toYaml .Values.commons.prometheus.alertmanager.labels | nindent 4 }}
spec:
inhibitRules:
- sourceMatch:
- name: "severity"
matchType: "="
value: "critical"
targetMatch:
- name: "severity"
matchType: "=~"
value: "warning|info"
equal:
- "exported_namespace"
- "alertname"
- "image_repository"
- "image_registry"
- "image_tag"
- sourceMatch:
- name: "severity"
matchType: "="
value: "warning"
targetMatch:
- name: "severity"
matchType: "="
value: "info"
equal:
- "exported_namespace"
- "alertname"
- "image_repository"
- "image_registry"
- "image_tag"
{{- end }}

13
infra-trivy/templates/configmap_grafana_dashboards.yaml Normal file
View file

@ -0,0 +1,13 @@
{{- range $path, $bytes := $.Files.Glob "grafana_dashboards/*.json" }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: infra-trivy-grafana-db-{{ base $path }}
labels:
{{- toYaml $.Values.commons.grafana.dashboards.labels | nindent 4 }}
annotations:
{{- toYaml $.Values.grafana.dashboards.annotations | nindent 4 }}
data:
{{- ($.Files.Glob $path ).AsConfig | nindent 2 }}
{{- end }}

15
infra-trivy/templates/configmap_init_crd.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-init
namespace: "{{ .Values.init.namespace }}"
data:
{{- if and
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1alpha1/AlertmanagerConfig")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
}}
init: "-1"
{{- else }}
init: "{{ add1 .Values.init.version }}"
{{- end }}

266
infra-trivy/templates/prometheus-rule.yaml Normal file
View file

@ -0,0 +1,266 @@
{{- if and
.Values.prometheus.rules.enabled
(.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
}}
{{- $filter := `exported_namespace!="kube-system"` }}
{{- $without := "instance,endpoint,container,pod,service,job,alertmanagerInhibitDisable" }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: "PrometheusRule"
metadata:
name: "security-alerts"
labels:
{{- toYaml .Values.commons.prometheus.rules.labels | nindent 4 }}
spec:
{{- with .Values.prometheus.rules }}
groups:
- name: "Vulnerabilities"
rules:
{{- with .imageVulnerabilities }}
{{- if .enabled }}
- alert: "TrivyImageVulerabilities"
expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyImageVulerabilities"
expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
description: "Affected by: {{ $labels.name }}, registry: {{ $labels.image_registry }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyImageVulerabilities"
expr: 'sum(trivy_image_vulnerabilities{ {{ $filter }},}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "Image {{ $labels.image_repository }} in namespace {{ $labels.exported_namespace }} has {{ $value }} {{ $labels.severity }} vulnerabilities"
description: "Affected by: {{ $labels.name }}, registry {{ $labels.image_registry }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-with .imageVulnerabilities */}}
{{- with .imageExposedSecrets }}
{{- if .enabled }}
- alert: "TrivyImageExposedSecrets"
expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyImageExposedSecrets"
expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyImageExposedSecrets"
expr: 'sum(trivy_image_exposedsecrets{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "Found {{ $value }} exposed secrets with {{ $labels.severity }} severity in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-witj .imageExposedSecrets */}}
{{- with .resourceConfigAudits }}
{{- if .enabled }}
- alert: "TrivyResourceConfigAudits"
expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyResourceConfigAudits"
expr: 'sum(trivy_resource_configaudits{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyResourceConfigAudits"
expr: 'sum(trivy_resource_configaudits{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with resource configs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* .resourceConfigAudits */}}
{{- with .roleRBACAssessments }}
{{- if .enabled }}
- alert: "TrivyRoleRBACAssessments"
expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyRoleRBACAssessments"
expr: 'sum(trivy_role_rbacassessments{ {{ $filter }},severity="High"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyRoleRBACAssessments"
expr: 'sum(trivy_role_rbacassessments{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with RBACs in {{ $labels.name }} in namespace {{ $labels.exported_namespace }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* .roleRBACAssessments */}}
{{- with .clusterRBACAssessments }}
{{- if .enabled }}
- alert: "TrivyClusterRBACAssessments"
expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="Critical"}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyClusterRBACAssessments"
expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }},severity="High"} > 0'
for: "1m"
labels:
severity: "warning"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyClusterRBACAssessments"
expr: 'sum(trivy_clusterrole_clusterrbacassessments{ {{ $filter }}) without ({{ $without }}) > 0'
for: "1m"
labels:
severity: "info"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with Cluster RBACs in {{ $labels.name }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-with .clusterRBACAssessments */}}
{{- with .infraAssessments }}
{{- if .enabled }}
- alert: "TrivyInfraAssessments"
{{/* (exported_)namespace is always kube-system */}}
expr: 'sum(trivy_resource_infraassessments{severity="Critical"}) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
`}}
{{- if .warning.enabled }}
- alert: "TrivyInfraAssessments"
expr: 'sum(trivy_resource_infraassessments{severity="High"}) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
`}}
{{- end }}
{{- if .info.enabled }}
- alert: "TrivyInfraAssessments"
expr: 'sum(trivy_resource_infraassessments) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "{{ $value }} {{ $labels.severity }} problems with infra assessments in {{ $labels.name }}"
`}}
{{- end }}
{{- end }}
{{- end }}{{/* end-with .infraAssessments */}}
{{- with .clusterCompliance }}
{{- if .enabled }}
- alert: "TrivyClusterCompliance"
{{/* (exported_)namespace is always monitoring-security */}}
expr: 'sum(trivy_cluster_compliance{ {{ $filter }}, status="Fail"}) without ({{ $without }}, exported_namespace) > 0'
for: "1m"
labels:
severity: "critical"
{{`
annotations:
summary: "Compliance for {{ $labels.title }} failed {{ $value }} times"
`}}
{{- end }}
{{- end }}{{/* end-with .clusterCompliance */}}
{{- end }}{{/* end-with .prometheus.rules */}}
{{- end }}{{/* end-if */}}

64
infra-trivy/templates/release.yaml Normal file
View file

@ -0,0 +1,64 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: trivy-operator
spec:
chart:
spec:
sourceRef:
kind: HelmRepository
name: "aqua"
chart: "trivy-operator"
version: "0.18.4"
interval: 10m
install:
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
test:
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
upgrade:
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
interval: 10m
postRenderers:
- kustomize:
patchesJson6902:
- target:
group: monitoring.coreos.com
version: v1
kind: ServiceMonitor
name: trivy-operator
patch:
- op: "add"
path: "/spec/endpoints/0/metricRelabelings"
value:
- sourceLabels: [ "namespace" ]
targetLabel: "exported_namespace"
action: "replace"
- sourceLabels: []
targetLabel: "namespace"
replacement: {{ .Release.Namespace }}
action: "replace"
- sourceLabels: []
targetLabel: "alertmanagerInhibitDisable"
replacement: "true"
values:
trivy:
ignoreUnfixed: true
additionalVulnerabilityReportFields: "Description,Target,Class"
operator:
metricsVulnIdEnabled: true
scanJobsConcurrentLimit: {{ .Values.scans.concurrent }}
vulnerabilityScannerReportTTL: {{ .Values.scans.ttl }}
resources:
requests:
cpu: 100m
memory: 192Mi
limits:
memory: 768Mi
serviceMonitor:
enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
labels:
{{- toYaml .Values.commons.prometheus.monitor.labels | nindent 8 }}

8
infra-trivy/templates/repo.yaml Normal file
View file

@ -0,0 +1,8 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: aqua
spec:
url: https://aquasecurity.github.io/helm-charts/
interval: 10m0s

74
infra-trivy/values.yaml Normal file
View file

@ -0,0 +1,74 @@
init:
version: 0
namespace: "bases"
commons:
helm:
release:
install: {}
test: {}
upgrade: {}
prometheus:
alertmanager:
labels: {}
monitor:
labels: {}
rules:
labels: {}
grafana:
dashboards:
labels:
grafana_dashboard: "1"
grafana:
dashboards:
annotations: {}
scans:
concurrent: 2
ttl: "168h"
prometheus:
rules:
enabled: true
imageVulnerabilities:
enabled: false
warning:
enabled: false
info:
enabled: false
imageExposedSecrets:
enabled: true
warning:
enabled: false
info:
enabled: false
resourceConfigAudits:
enabled: true
warning:
enabled: false
info:
enabled: false
roleRBACAssessments:
enabled: false
warning:
enabled: false
info:
enabled: false
clusterRBACAssessments:
enabled: false
warning:
enabled: false
info:
enabled: false
infraAssessments:
enabled: true
warning:
enabled: true
info:
enabled: true
clusterCompliance:
enabled: false