How to run a security scan with Trivy
The Trivy community addon for MicroK8s comprises the Trivy Operator and the Trivy CLI, both of which can be used to perform security scans on your cluster.
This ‘how to’ guide assumes you already have a MicroK8s cluster installed and running on a local machine.
If you have not yet done so, enable the Trivy addon:
microk8s enable community
microk8s enable trivy
Once the operator has been installed you can verify that it is running by inspecting the pods:
microk8s kubectl get all -A
The output should show that the namespace ‘trivy-system’ and the pod ‘trivy-operator’ have been created, as shown below:
NAMESPACE      NAME                                           READY   STATUS    RESTARTS      AGE
kube-system    pod/calico-node-clg22                          1/1     Running   3 (32h ago)   4d2h
kube-system    pod/calico-kube-controllers-79568db7f8-kn96d   1/1     Running   3 (32h ago)   4d2h
kube-system    pod/coredns-6f5f9b5d74-h445n                   1/1     Running   3 (32h ago)   4d2h
trivy-system   pod/trivy-operator-67f7c7f4d8-zq57g            1/1     Running   0             3m30s
The Trivy Operator runs the Trivy security tools and stores their output in Kubernetes CRDs (Custom Resource Definitions). Security reports are then accessible through the Kubernetes API, making it easy for users to find and view the risks relating to different resources in a Kubernetes-native way.
In order to perform scans, Trivy needs to find resources to scan. By default it is configured to scan resources in all namespaces.
To test this, you can try deploying the Kubernetes bootcamp image:
microk8s kubectl create deployment kubernetes-bootcamp --image=gcr.io/google-samples/kubernetes-bootcamp:v1
Then see the following sections for reviewing the reports.
Vulnerability reports are available within the cluster. A simple status can be found by running:
microk8s kubectl get vulnerabilityreports --all-namespaces -o wide
The output will list the vulnerability issues detected in each of the namespaces in the cluster:
NAMESPACE   NAME                                                            REPOSITORY                          TAG   SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
default     replicaset-kubernetes-bootcamp-5485cc6795-kubernetes-bootcamp   google-samples/kubernetes-bootcamp   v1    Trivy     28h   76         201    161      17    22
As Trivy exposes the details of scans through the API, you can use the ‘describe’ command to retrieve more details:
microk8s kubectl describe vulnerabilityreports --all-namespaces
In this case, for example:
Vulnerability ID:   CVE-2019-3462
Fixed Version:      184.108.40.206.4
Installed Version:  220.127.116.11.3
Links:
  Primary Link:     https://avd.aquasec.com/nvd/cve-2016-1252
Resource:           apt
Severity:           MEDIUM
Target:
Title:              The apt package in Debian jessie before 18.104.22.168.4, in Debian unstable ...
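The ‘describe’ output is long and mixes fixable and unfixable findings. The script below is an added example, not part of the MicroK8s or Trivy Operator documentation: it pulls every finding out of the VulnerabilityReport objects with a kubectl jsonpath template and keeps only the CRITICAL/HIGH ones that already have a fixed version, which is the quickest way to bring the counts in the wide listing down. It assumes the report fields are named report.vulnerabilities[].vulnerabilityID, severity, resource, installedVersion and fixedVersion (check with ‘microk8s kubectl get vulnerabilityreports -A -o yaml’ on your cluster); the sample dump embedded in the script is constructed with placeholder CVE ids, package names and versions so the filtering can be run without a cluster.

```shell
#!/bin/sh
# Added example (not from the MicroK8s or Trivy Operator docs): triage the
# VulnerabilityReport objects for CRITICAL/HIGH findings that already have a fix.
# Assumed CRD field names, to be checked against `-o yaml` on your cluster:
#   .report.vulnerabilities[].vulnerabilityID / .severity / .resource
#   .report.vulnerabilities[].installedVersion / .fixedVersion

# jsonpath template: one "# namespace/report" header line per report, then one
# tab-separated line per finding: id, severity, package, installed, fixed.
FINDINGS_JSONPATH='{range .items[*]}{"# "}{.metadata.namespace}{"/"}{.metadata.name}{"\n"}{range .report.vulnerabilities[*]}{.vulnerabilityID}{"\t"}{.severity}{"\t"}{.resource}{"\t"}{.installedVersion}{"\t"}{.fixedVersion}{"\n"}{end}{end}'

# Live use: dump every report in the cluster in that format.
dump_findings() {
    microk8s kubectl get vulnerabilityreports --all-namespaces -o jsonpath="$FINDINGS_JSONPATH"
}

# Read a dump on stdin; print only findings whose severity is listed in $1
# (default "CRITICAL HIGH") and whose fixedVersion is non-empty, prefixed with
# the report they came from.
fixable_findings() {
    awk -F '\t' -v want="${1:-CRITICAL HIGH}" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        /^# /  { report = substr($0, 3); next }
        NF >= 5 && ($2 in keep) && $5 != "" {
            printf "%s\t%s\t%s\t%s\t%s -> %s\n", report, $1, $2, $3, $4, $5
        }
    '
}

# Number of fixable findings at the requested severities; usable as a CI gate
# ("fail the build if a CRITICAL finding has a fix we have not applied").
count_fixable() {
    fixable_findings "$@" | wc -l | tr -d ' '
}

# Constructed sample dump (placeholder CVE ids, packages and versions) so the
# functions can be exercised offline. Fields are tab-separated.
SAMPLE_FINDINGS="$(
    printf '# default/rs-demo\n'
    printf 'CVE-0000-0001\tCRITICAL\tapt\t1.0\t1.1\n'       # fixable critical
    printf 'CVE-0000-0002\tHIGH\tlibfoo\t2.0\t\n'           # high, no fix yet
    printf 'CVE-0000-0003\tMEDIUM\tlibbar\t3.0\t3.1\n'      # fixable, below threshold
    printf '# kube-system/rs-other\n'
    printf 'CVE-0000-0004\tHIGH\tlibbaz\t4.0\t4.2\n'        # fixable high
)"

# Offline demo on the constructed sample. Against a live cluster, use:
#   dump_findings | fixable_findings CRITICAL
printf '%s\n' "$SAMPLE_FINDINGS" | fixable_findings
echo "fixable CRITICAL/HIGH findings: $(printf '%s\n' "$SAMPLE_FINDINGS" | count_fixable)"
```

The header line per report is needed because a nested jsonpath range cannot reach back to the parent object's metadata, so the awk filter remembers the last header it saw and prefixes each finding with it.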
Searching for a specific vulnerability ID is fairly easy, as there is a lot of documentation associated with each vulnerability ID. In this example
As with vulnerability scans, configuration audits are exposed through the Kubernetes API. Run the command:
microk8s kubectl get configauditreports --all-namespaces -o wide
…and the reports should be shown, as below for the example application:
NAMESPACE   NAME                                        SCANNER   AGE     CRITICAL   HIGH   MEDIUM   LOW
default     replicaset-kubernetes-bootcamp-5485cc6795   Trivy     4m36s   0          0      2        10
This output shows the number of configuration issues identified by Trivy: 2 medium and 10 low-severity issues were found. It is possible to get more details about each of the issues detected by running the command below.
microk8s.kubectl describe configauditreports --all-namespaces
Severity:     HIGH
Success:      true
Title:        Access to host network
Category:     Kubernetes Security Check
Check ID:     KSV018
Description:  Enforcing memory limits prevents DoS via resource exhaustion.
The outcome of the configuration audit shows whether each policy check passed (Success: true) or failed (Success: false). If you want more information about a particular configuration policy, you can search for the policy description on the Trivy Operator website.
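Because every check is listed whether it passed or not, the useful view is the subset with Success: false at the severities you care about. The script below is an added example, not from the MicroK8s or Trivy Operator documentation: it extracts the checks from the ConfigAuditReport objects with a jsonpath template, prints only the failing ones, and wraps that in a pass/fail gate a CI step can call. It assumes the report fields are named report.checks[].checkID, severity, success and title (verify with ‘microk8s kubectl get configauditreports -A -o yaml’); the embedded sample dump is constructed, with placeholder check ids apart from KSV018 taken from the output above.

```shell
#!/bin/sh
# Added example (not from the MicroK8s or Trivy Operator docs): list the failing
# checks in ConfigAuditReports and turn them into a pass/fail gate.
# Assumed CRD field names, to be checked against `-o yaml` on your cluster:
#   .report.checks[].checkID / .severity / .success / .title

# One "# namespace/report" header per report, then one tab-separated line per
# check: id, severity, success (true/false), title.
CHECKS_JSONPATH='{range .items[*]}{"# "}{.metadata.namespace}{"/"}{.metadata.name}{"\n"}{range .report.checks[*]}{.checkID}{"\t"}{.severity}{"\t"}{.success}{"\t"}{.title}{"\n"}{end}{end}'

# Live use: dump every config audit report in the cluster.
dump_checks() {
    microk8s kubectl get configauditreports --all-namespaces -o jsonpath="$CHECKS_JSONPATH"
}

# Read a dump on stdin; print checks with success=false whose severity is listed
# in $1 (default "CRITICAL HIGH"), prefixed with the workload's report name.
failed_checks() {
    awk -F '\t' -v want="${1:-CRITICAL HIGH}" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        /^# /  { report = substr($0, 3); next }
        NF >= 4 && ($2 in keep) && $3 == "false" {
            printf "%s\t%s\t%s\t%s\n", report, $1, $2, $4
        }
    '
}

# Exit status 0 when nothing at the requested severities is failing, 1 otherwise,
# so the function can sit directly in a CI step (set -e will stop the job).
audit_gate() {
    failed=$(failed_checks "$@" | wc -l | tr -d ' ')
    [ "$failed" -eq 0 ]
}

# Constructed sample dump: KSV018 is the check shown above; the KSV-SAMPLE-* ids
# and titles are placeholders, not real Trivy check ids.
SAMPLE_CHECKS="$(
    printf '# default/replicaset-demo\n'
    printf 'KSV018\tHIGH\ttrue\tAccess to host network\n'
    printf 'KSV-SAMPLE-1\tHIGH\tfalse\tConstructed failing high check\n'
    printf 'KSV-SAMPLE-2\tLOW\tfalse\tConstructed failing low check\n'
    printf '# kube-system/replicaset-other\n'
    printf 'KSV-SAMPLE-3\tCRITICAL\ttrue\tConstructed passing critical check\n'
)"

# Offline demo on the constructed sample. Against a live cluster, use:
#   dump_checks | failed_checks "CRITICAL HIGH" ; dump_checks | audit_gate
printf '%s\n' "$SAMPLE_CHECKS" | failed_checks "CRITICAL HIGH LOW"
if printf '%s\n' "$SAMPLE_CHECKS" | audit_gate; then
    echo "gate: no failing CRITICAL/HIGH checks"
else
    echo "gate: failing CRITICAL/HIGH checks present"
fi
```

Start the gate at CRITICAL only and widen it once the existing HIGH findings have been worked through; otherwise the first run fails on the backlog and the check gets disabled rather than fixed.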
In our example “Enforcing memory limits”:
The Trivy CLI runs on the local host against the MicroK8s cluster to scan workloads and report vulnerabilities, misconfigurations and secrets. However, if you want continuous cluster scanning, it is recommended to use the Trivy addon on MicroK8s as explained above.
This example is based on Ubuntu 22.04. For more information about installing in different environments, or to update to the latest Trivy release, please check the link: Installation - Trivy
On the local host, run the following command to install Trivy v0.41.0.
wget https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.deb
sudo dpkg -i trivy_0.41.0_Linux-64bit.deb
Check the version:
trivy --version
The output should correspond to the version above and confirms the software has been installed.
The Trivy CLI tool connects to the Kubernetes cluster using the local ‘~/.kube/config’ file of the current user. If you have not done so already, copy the MicroK8s cluster configuration there:
sudo microk8s.kubectl config view --raw > $HOME/.kube/config
Run the following command to see a summary of the cluster scan:
trivy k8s --report=summary cluster
To dig into the vulnerabilities with full details, filtered by severity:
trivy k8s --severity=CRITICAL --report=all cluster
Scanning configuration issues works in a similar way to the Trivy Operator. Initiate the scan with:
trivy k8s --scanners=config --report=summary cluster
The CLI also includes a scanner for exposed secrets. Use the command:
trivy k8s --scanners=secret --report=summary cluster
In this guide we covered how to enhance the security of a Kubernetes cluster using the Trivy Operator and/or the Trivy CLI, fully integrated with MicroK8s. The MicroK8s team also encourages developers to scan OCI images before deploying them into clusters, and to incorporate MicroK8s and Trivy into their CI/CD processes.