Jump to main content

How to run a security scan with Trivy

The Trivy community addon for MicroK8s comprises the Trivy Operator and the Trivy CLI, both of which can be used to perform security scans on your cluster.

This ‘how to’ guide assumes you already have a MicroK8s cluster installed and running on a local machine.

If you have not yet done so, enable the Trivy addon:

microk8s enable community
microk8s enable trivy

Once the operator has been installed you can verify that it is running by inspecting the pods:

microk8s kubectl get all -A

The output should show that the namespace ‘trivy-system’ and the pod ‘trivy-operator’ have been created, as shown below:

NAMESPACE      NAME                                           READY   STATUS    RESTARTS      AGE
kube-system    pod/calico-node-clg22                          1/1     Running   3 (32h ago)   4d2h
kube-system    pod/calico-kube-controllers-79568db7f8-kn96d   1/1     Running   3 (32h ago)   4d2h
kube-system    pod/coredns-6f5f9b5d74-h445n                   1/1     Running   3 (32h ago)   4d2h
trivy-system   pod/trivy-operator-67f7c7f4d8-zq57g            1/1     Running   0             3m30s

Using the Trivy Operator

The Trivy-Operator runs trivy security tools and incorporates their outputs into Kubernetes CRDs (Custom Resource Definitions). From there, security reports are accessible through the Kubernetes API, making it eay for users to find and view the risks that relate to different resources in a Kubernetes-native way.

In order to perform scans, Trivy needs to find resources to scan. By default it is configured to scan resources in all namespaces.
To test this, you can try deploying the Kubernetes bootcamp image:

microk8s kubectl create deployment kubernetes-bootcamp --image=gcr.io/google-samples/kubernetes-bootcamp:v1

Then see the following sections for reviewing the reports

Vulnerability reports

Vulnerability reports are available within the cluster. A simple status can be found by running:

microk8s kubectl get vulnerabilityreports --all-namespaces -o wide

The output will list the vulnerability issues detected in each of the namespaces in the cluster:

NAMESPACE   NAME                                                            REPOSITORY                           TAG   SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
default     replicaset-kubernetes-bootcamp-5485cc6795-kubernetes-bootcamp   google-samples/kubernetes-bootcamp   v1    Trivy     28h   76         201    161      17    22

As Trivy exposes the details of scans through the API, you can use the ‘describe’ command to retrieve more details

microk8s kubectl describe vulnerabilityreports --all-namespaces

In this case, for examle:

Vulnerability ID:   CVE-2019-3462
    Fixed Version:      1.0.9.8.4
    Installed Version:  1.0.9.8.3
    Links:
    Primary Link:       https://avd.aquasec.com/nvd/cve-2016-1252
    Resource:           apt
    Severity:           MEDIUM
    Target:             
    Title:              The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable  ...

Searching for a specific vulnerability ID is fairly easy as there is a lot of documentation associated to each vulnerability ID. In this example

https://ubuntu.com/security/CVE-2019-3462

or

https://avd.aquasec.com/nvd/2019/cve-2019-3462/

Run a configuration audit

As with vulnerability scans, configuratuion audits are exposed through the Kubernetes API. Run the command:

microk8s kubectl get configauditreports --all-namespaces -o wide

…and the reports should be shown, as below in the case the example application:

NAMESPACE   NAME                                        SCANNER   AGE     CRITICAL   HIGH   MEDIUM   LOW
default     replicaset-kubernetes-bootcamp-5485cc6795   Trivy     4m36s   0          0      2        10

This output shows the number configuration issues identified by Trivy. There are 2 medium and 10 low-security issues found. It is possible to get more details about each of the issues detected by running the command below.

microk8s.kubectl describe configauditreports --all-namespaces

For example:

Severity:     HIGH
    Success:      true
    Title:        Access to host network
    Category:     Kubernetes Security Check
    Check ID:     KSV018
    Description:  Enforcing memory limits prevents DoS via resource exhaustion.

The outcome of the configuration audit shows if the policy compliance is committed (Success: True) or not. If you want to get more information about some of the configuration policies you can search for policy description on the Trivy Operator website.

In our example “Enforcing memory limits”:

https://aquasecurity.github.io/trivy-operator/v0.11.0/docs/configuration-auditing/built-in-policies/

Using the Trivy CLI

Trivy CLI runs from the MicroK8s cluster to scan workloads and get reports about vulneratbilites, missconfigurations and secrets. However if you want to have continuous cluster scanning it is recommended to use the Trivy addon on MicroK8s as explained above.

This example is based on Ubuntu 22.04. For more information about installing on different environments or to update to use the latest Trivy release, please check the link: Installation - Trivy

On the local host, run the following command to install Trivy v0.41.0.

wget https://github.com/aquasecurity/trivy/releases/download/v0.41.0/trivy_0.41.0_Linux-64bit.deb
sudo dpkg -i trivy_0.41.0_Linux-64bit.deb

Check the version:

trivy version

The output should correspond to the version above, and confirms the software has been installed.

The Trivy cli tool connects with the Kubernetes cluster by accessing the local ‘~/.kube/config’ file for the current user. If you have not done so already, you should copy the MicroK8s cluster configuration there:

sudo microk8s.kubectl config view --raw > $HOME/.kube/config

Run a Trivy CLI vulnerability scan on MicroK8s

Run the following command to see a summary of the cluster scan.
trivy k8s --report=summary cluster

To dig down in one of the vulnerabilities with more description and filter by severity.
trivy k8s --severity=CRITICAL --report=all cluster

Run a Trivy configuration scan with the CLI

Scanning configuration issues works in a similar way to the Trivy Operator. Initiate the scan with:

trivy k8s --scanners=config --report=summary cluster

Trivy CLI Secrets on MicroK8s

The CLI command also includes a scanner for exposed secrets. Use the command:

trivy k8s --scanners=secret --report=summary cluster

Summary

In this guide we covered how to enhance the security in a Kubernetes cluster using Trivy Operator and/or Trivy CLI with full integration with MicroK8s. The MicroK8s team also encourage developers to scan OCI images before deploying them into the clusters and also incorporate MicroK8s and Trivy to their CI/CD processes.

Further reading

Last updated 1 year, 5 months ago. Help improve this document in the forum.