diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml
index bb3070db2..a97e2694b 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/001_kube_enforcer_config.yaml
@@ -1096,7 +1096,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 data:
 trivy.repository: "ghcr.io/aquasecurity/trivy"
@@ -1124,7 +1124,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 data:
 scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}"
@@ -1141,7 +1141,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 data:
 ---
@@ -1153,7 +1153,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -1164,7 +1164,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1402,7 +1402,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -1421,7 +1421,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 rules:
 - apiGroups:
@@ -1451,7 +1451,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml
index 1d2420c6e..3ad4f6d1a 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced_trivy/003_kube_enforcer_deploy.yaml
@@ -158,7 +158,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 spec:
 replicas: 1
@@ -178,7 +178,7 @@ spec:
 automountServiceAccountToken: true
 containers:
 - name: "trivy-operator"
- image: "docker.io/aquasec/trivy-operator:0.16.1"
+ image: "docker.io/aquasec/trivy-operator:0.20.1"
 imagePullPolicy: IfNotPresent
 env:
 - name: OPERATOR_NAMESPACE
@@ -245,6 +245,8 @@ spec:
 value: "10h"
 - name: OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT
 value: "true"
+ - name: CONTROLLER_CACHE_SYNC_TIMEOUT
+ value: "5m"
 ports:
 - name: metrics
 containerPort: 8080
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml
index e6eb5d95c..a2740c4e1 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/001_kube_enforcer_config.yaml
@@ -946,7 +946,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 data:
 trivy.repository: "ghcr.io/aquasecurity/trivy"
@@ -974,7 +974,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 data:
 scanJob.podTemplateContainerSecurityContext: "{\"allowPrivilegeEscalation\":false,\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"readOnlyRootFilesystem\":true}"
@@ -991,7 +991,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 data:
 ---
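Review bot: The new `CONTROLLER_CACHE_SYNC_TIMEOUT` entry in the `@@ -245` hunk lands without any comment on what it bounds or why `"5m"` was chosen, so the next person tuning this block has to go back to the operator's release notes to find out. A short hedged comment above the `- name:` line would do, e.g. `# presumably caps how long the operator waits for its informer caches to sync at startup; confirm against the trivy-operator 0.20.1 docs`. The identical two lines are added to kube_enforcer_trivy/003_kube_enforcer_deploy.yaml in its `@@ -185` hunk, so the same comment belongs there, and the two copies of this env block will have to be kept in step by hand. The enclosing `env:` list starts and the container spec ends outside this hunk.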
@@ -1003,7 +1003,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: v1
@@ -1014,7 +1014,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1252,7 +1252,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -1271,7 +1271,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 rules:
 - apiGroups:
@@ -1301,7 +1301,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 roleRef:
 apiGroup: rbac.authorization.k8s.io
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml
index 1d1dc2f2b..b61354809 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_trivy/003_kube_enforcer_deploy.yaml
@@ -98,7 +98,7 @@ metadata:
 labels:
 app.kubernetes.io/name: trivy-operator
 app.kubernetes.io/instance: trivy-operator
- app.kubernetes.io/version: "0.16.1"
+ app.kubernetes.io/version: "0.20.1"
 app.kubernetes.io/managed-by: kubectl
 spec:
 replicas: 1
@@ -118,7 +118,7 @@ spec:
 automountServiceAccountToken: true
 containers:
 - name: "trivy-operator"
- image: "docker.io/aquasec/trivy-operator:0.16.1"
+ image: "docker.io/aquasec/trivy-operator:0.20.1"
 imagePullPolicy: IfNotPresent
 env:
 - name: OPERATOR_NAMESPACE
@@ -185,6 +185,8 @@ spec:
 value: "10h"
 - name: OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT
 value: "true"
+ - name: CONTROLLER_CACHE_SYNC_TIMEOUT
+ value: "5m"
 ports:
 - name: metrics
 containerPort: 8080
diff --git a/scanner/kubernetes_and_openshift/manifests/003_scanner_configmap.yaml b/scanner/kubernetes_and_openshift/manifests/003_scanner_configmap.yaml
index d78d53701..16a21765c 100644
--- a/scanner/kubernetes_and_openshift/manifests/003_scanner_configmap.yaml
+++ b/scanner/kubernetes_and_openshift/manifests/003_scanner_configmap.yaml
@@ -18,3 +18,10 @@ data:
 # Set this to 1 to establish mTLS connection with CyberCenter
 #OFFLINE_CC_MTLS_ENABLE: "1"
+
+ #health monitor is supported from SaaS scanner version 2407.4.20 and for on-prem 2022.4.613.7
+ # enable below two values for health check monitor (liveness probe)
+ #AQUA_HEALTH_MONITOR_ENABLED: "true"
+ #AQUA_HEALTH_MONITOR_PORT: "8081"
+
+
diff --git a/scanner/kubernetes_and_openshift/manifests/004_scanner_deploy.yaml b/scanner/kubernetes_and_openshift/manifests/004_scanner_deploy.yaml
index 249b03f4a..2e4ec8c9c 100644
--- a/scanner/kubernetes_and_openshift/manifests/004_scanner_deploy.yaml
+++ b/scanner/kubernetes_and_openshift/manifests/004_scanner_deploy.yaml
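Review bot: The new comment lines in the `@@ -18` hunk of 003_scanner_configmap.yaml do not match the `# Set this to 1 ...` comment directly above them: `#health monitor is supported ...` has no space after `#`, and two empty lines are appended at end of file, both of which yamllint's `comments` and `empty-lines` rules flag. The text also leaves out the coupling that matters operationally: these two keys feed the commented-out `livenessProbe` in 004_scanner_deploy.yaml, and uncommenting the probe while `AQUA_HEALTH_MONITOR_ENABLED` stays commented would have kubelet probing a port nothing listens on and, after `failureThreshold`, restarting the scanner in a loop. I would write the two comment lines as `# Health monitor is supported from SaaS scanner version 2407.4.20 and on-prem 2022.4.613.7.` and `# Uncomment both values together with the livenessProbe block in 004_scanner_deploy.yaml (the ports must match).`, and drop the trailing blank lines. The `data:` mapping these lines extend starts outside the hunk.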
@@ -36,6 +36,16 @@ spec:
 - name: kube-scanner
 image: registry.aquasec.com/scanner:2022.4
 imagePullPolicy: Always
+# livenessProbe:
+# httpGet:
+# port: 8081
+# path: /healthz
+# scheme: HTTP
+# initialDelaySeconds: 15
+# periodSeconds: 60
+# successThreshold: 1
+# failureThreshold: 3
+# timeoutSeconds: 1
 # resources:
 # limits:
 # cpu: 2000m
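Review bot: `timeoutSeconds: 1` in the commented-out probe is a tight budget for an HTTP `/healthz` round-trip on a scanner container that may be CPU-bound in the middle of a scan; one slow reply already counts as one of the three allowed failures, so consider `timeoutSeconds: 5` or a comment stating why one second is enough before anyone uncomments the block. `port: 8081` has to agree with `AQUA_HEALTH_MONITOR_PORT` in 003_scanner_configmap.yaml and the endpoint only exists once `AQUA_HEALTH_MONITOR_ENABLED` is set there, so a line such as `# requires AQUA_HEALTH_MONITOR_ENABLED/AQUA_HEALTH_MONITOR_PORT in 003_scanner_configmap.yaml; keep the port in sync` above `livenessProbe:` would prevent a half-enabled setup from restarting the scanner in a loop. Because the block is shipped as `#`-prefixed lines, the indentation that remains after uncommenting is not visible here; it has to line up with the sibling `imagePullPolicy:` key or the Deployment will not apply. The container spec continues outside the hunk.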