特里维操作员
Trivy Operator 是一款开源安全扫描仪,它利用Trivy 持续扫描 Kubernetes 集群,查找安全问题。
使用 Port 的 Kubernetes Exporter,您可以跟踪不同集群中的所有 Trivy 资源,并将所有安全问题导出到 Port。 您将使用 kubernetes 资源和 CRD 的内置元数据在 Port 中创建实体,并跟踪其状态。
先决条件
- Helm must be installed to use the chart. Please refer to Helm's documentation to get started;
- The
jqcommand must installed; - The
yqcommand must installed; - The
kubectlcommand must be installed; - Have your Port credentials ready.
In this use-case, you will use a custom bash script which will assist you in the process of installing Port's K8s exporter.
The script will install the helm chart to the Kubernetes cluster which is currently in kubectl context. To view the context name of the cluster the exporter will be installed on, run:
kubectl config current-context
设置蓝图和资源映射
下文将指导您使用安装脚本设置蓝图和资源映射。您可以阅读有关安装脚本的更多信息here 。
创建蓝图
安装脚本提供了一种创建蓝图的便捷方法。 使用 CUSTOM_BP_PATH 环境变量,您可以获取预定义的 blueprints.json 来创建蓝图。 在本例中,您将使用this file 来定义蓝图。请通过运行
export CUSTOM_BP_PATH="https://raw.githubusercontent.com/port-labs/template-assets/main/kubernetes/blueprints/trivy-blueprints.json"
该 blueprints.json 文件定义了以下蓝图:
- 集群;
- namespace;
- 节点
- Pod
- ReplicaSet;
- 工作负载 *;
- Trivy 漏洞。
- Workload "是创建和管理 pod 的 Kubernetes 对象的抽象。
通过创建该蓝图,可以避免为每种工作负载类型创建专用蓝图,因为所有这些蓝图都可能
看起来非常相似。
以下是 "Workload "将代表的 kubernetes 对象列表:
- 部署;
- StatefulSet;
- DaemonSet。
Trivy Vulnerabilities是最重要的 Trivy 资源之一,让开发人员能够查找和查看与 Kubernetes 集群中不同资源相关的风险。
导出自定义资源映射
使用 CONFIG_YAML_URL 参数,可以定义自定义资源映射,以便在安装导出程序时使用。
在本例中,您将被用于 ** this configuration file**。为此,请运行
export CONFIG_YAML_URL="https://raw.githubusercontent.com/port-labs/template-assets/main/kubernetes/templates/trivy-kubernetes_v1_config.yaml"
现在,您可以使用以下代码片段运行安装脚本:
export CLUSTER_NAME="my-cluster"
export PORT_CLIENT_ID="my-port-client-id"
export PORT_CLIENT_SECRET="my-port-client-secret"
curl -s https://raw.githubusercontent.com/port-labs/template-assets/main/kubernetes/install.sh | bash
现在您可以浏览您的 Port 环境,查看蓝图是否已创建,您的 k8s 和 Trivy 资源是否正在使用新安装的 k8s 导出器向 Port 报告。
�安装脚本如何工作?
Port's K8s exporter installation script will assist you in the process of installing Port's K8s exporter template using helm chart.
This script will help you with:
- setting up your custom Port blueprints;
- installing Port's k8s exporter using helm (check out the Helm chart's source code);
- deploying your custom integration resources configuration
You can view the bash script here.
General installation configuration
The script supports configuration via environment variables.
For each variable you'd like to set, run the following command before running the script:
export {VARIABLE_NAME}={value}
| Environment Variable | Description | Default |
|---|---|---|
PORT_CLIENT_ID | Required - Your Port organization's Client ID used to authenticate the exporter to Port | |
PORT_CLIENT_SECRET | Required - Your Port organization's Client Secret used to authenticate the exporter to Port | |
CUSTOM_BP_PATH | Required - The URL/path to a json file with an array of blueprint objects to create. Can be either a https://domain.com/path/to/blueprint.json format URL, or a local path to a file envs/production/blueprint.json. | |
CONFIG_YAML_URL | Required - The URL/path to the desired integration resource mapping. Can be either an https format URLhttps://domain.com/path/to/config.yaml, or a local path to a file envs/production/config.yaml | https://github.com/port-labs/template-assets/blob/main/kubernetes/kubernetes_config.yaml |
TARGET_NAMESPACE | Optional - The Kubernetes namespace in which the exporter will be installed | port-k8s-exporter |
DEPLOYMENT_NAME | Optional - The Kubernetes deployment name the exporter will be installed as | port-k8s-exporter |
CLUSTER_NAME | Optional - The cluster's name as it will be exported to. Check out the note bellow for more information. | my-cluster |
- CLUSTER_NAME: The script will set the cluster's name as the
CLUSTER_NAMEenvironment variable. This name will be used as the cluster's name in integration resources configuration. If you'd like to change the cluster's name, you can do so by setting theCLUSTER_NAMEenvironment variable before running the script. - CUSTOM_BP_PATH: It is important to order the blueprints while taking in to account the necessary relations for each blueprint. Once a blueprint was created, attempting to recreate it using the script will fail. To recreate a blueprint using the script, first delete the blueprint.
使用脚本的另一种整合方式
虽然上述 Trivy Kubernetes 输出程序是推荐的安装方法,但您可能更喜欢使用 webhook 和脚本来ingest your Trivy scan results to Port 。