
Config Audit Reports and RBAC Assessments not populating #2880

@kanoble88

Description


What steps did you take and what happened:
When deploying air-gapped trivy-operator using a Helm chart to a namespace, trivy-operator doesn't generate Config Audit Reports or RBAC Assessments. Vulnerability reports do have results, however. I am viewing the reports using Prometheus/Grafana.

When looking at my trivy-operator logs in k9s I am seeing this error:
{"level":"error","ts":"2026-02-10T15:51:46Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: oci download error: download error: failed to download /tmp/trivy-1/oci-download-4106154273/bundle.tar.gz: mkdir tmp: permission denied","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:65\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).loadPolicies\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:227\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).Hash\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:165\ngithub.com/aquasecurity/trivy-operator/pkg/operator.(*TTLReportReconciler).applicableForDeletion\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/operator/ttl_report.go:169\ngithub.com/aquasecurity/trivy-operator/pkg/operator.(*TTLReportReconciler).DeleteReportIfExpired\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/operator/ttl_report.go:105\ngithub.com/aquasecurity/trivy-operator/pkg/operator.(*TTLReportReconciler).SetupWithManager.(*TTLReportReconciler).reconcileReport.func5\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/operator/ttl_report.go:79\nsigs.k8s.io/controller-runtime/pkg/reconcile.TypedFunc[...].Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/reconcile/reconcile.go:134\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:216\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:461\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:421\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.22.1/pkg/internal/controller/controller.go:296"}

What did you expect to happen:
I'd expect to see the information for config reports and rbac assessments.

When running these commands:
kubectl -n trivy-system-privileged patch deploy trivy-operator --type='json' -p='[{"op":"add","path":"/spec/template/spec/containers/0/workingDir","value":"/tmp"}]'
kubectl -n trivy-system-privileged rollout restart deploy/trivy-operator

It resolves the issue until the next uninstall/reinstall

Sanitized YAML I am using for deployment, sorry I tried formatting it but it wasn't working well with multilines:

global:
  image:
    registry: "myharbor.mydomain.com"

managedBy: Helm
targetNamespaces: ""
excludeNamespaces: ""

extraEnv:
  - name: TRIVY_OPERATOR_ADD_CA_CERTS
    value: "true"
  - name: TRIVY_OPERATOR_CA_CERTS_PATH
    value: "/etc/ssl/certs/my-ca.crt" # Must match mountPath in extraVolumeMounts
  - name: TMPDIR
    value: /tmp
  - name: TMP
    value: /tmp
  - name: TEMP
    value: /tmp

hostAliases: []
targetWorkloads: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
nameOverride: ""
fullnameOverride: ""

operator:
  namespace: ""
  replicas: 1
  revisionHistoryLimit: ~
  annotations: {}
  labels: {}
  podLabels: {}
  leaderElectionId: "trivyoperator-lock"
  logDevMode: false
  scanJobTTL: ""
  scanSecretTTL: ""
  scanJobTimeout: 5m
  scanJobsConcurrentLimit: 10
  scanNodeCollectorLimit: 1
  scanJobsRetryDelay: 30s
  vulnerabilityScannerEnabled: true
  sbomGenerationEnabled: true
  clusterSbomCacheEnabled: false
  scannerReportTTL: "24h"
  cacheReportTTL: "120h"
  configAuditScannerEnabled: true
  rbacAssessmentScannerEnabled: true
  infraAssessmentScannerEnabled: true
  clusterComplianceEnabled: true
  batchDeleteLimit: 10
  vulnerabilityScannerScanOnlyCurrentRevisions: true
  configAuditScannerScanOnlyCurrentRevisions: true
  batchDeleteDelay: 10s
  accessGlobalSecretsAndServiceAccount: true
  builtInTrivyServer: false
  builtInServerRegistryInsecure: false
  controllerCacheSyncTimeout: "5m"
  trivyServerHealthCheckCacheExpiration: 10h
  metricsFindingsEnabled: true
  metricsVulnIdEnabled: true
  exposedSecretScannerEnabled: true
  metricsExposedSecretInfo: false #10Feb
  metricsConfigAuditInfo: false #10Feb
  metricsRbacAssessmentInfo: true
  metricsInfraAssessmentInfo: false
  metricsImageInfo: false
  metricsClusterComplianceInfo: false #10Feb
  serverAdditionalAnnotations: {}
  webhookBroadcastURL: ""
  webhookBroadcastTimeout: 30s
  webhookBroadcastCustomHeaders: ""
  webhookSendDeletedReports: false
  privateRegistryScanSecretsNames:
    myharbor.mydomain.com: "myharbr-secret-operator-privateregistryscansecretsnames"
  mergeRbacFindingWithConfigAudit: false
  httpProxy: ~
  httpsProxy: ~
  noProxy: ~
  valuesFromConfigMap: ""
  valuesFromSecret: ""
  pprofBindAddress: ""
  extraEnvs: ""

image:
  registry: "myharbor.mydomain.com"
  repository: "trivy/trivy-operator"
  tag: "0.29.0"
  pullPolicy: IfNotPresent
  pullSecrets:
    - name: my-super-secret
service:
  headless: true
  metricsPort: 80
  annotations: {}
  metricsAppProtocol: TCP
  type: ClusterIP
  nodePort:

serviceMonitor:
  enabled: false
  namespace: ~
  interval: ~
  annotations: {}
  labels: {}
  honorLabels: true
  endpointAdditionalProperties: {}

trivyOperator:
  vulnerabilityReportsPlugin: "Trivy"
  configAuditReportsPlugin: "Trivy"
  scanJobCompressLogs: true
  scanJobsInSameNamespace: false
  scanJobAffinity: {}
  scanJobTolerations: []
  scanJobNodeSelector: {}
  scanJobCustomVolumesMount: []
  scanJobCustomVolumes: []
  useGCRServiceAccount: true
  scanJobAutomountServiceAccountToken: false
  scanJobAnnotations: "prometheus.io/scrape=true,prometheus.io/path=/metrics,prometheus.io/port=8080"
  scanJobPodTemplateLabels: ""
  skipInitContainers: false
  scanJobPodTemplatePodSecurityContext:
    runAsUser: 10000
    fsGroup: 10000
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: false

  scanJobPodTemplateContainerSecurityContext:
    runAsUser: 10000
    fsGroup: 10000
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    privileged: false
    readOnlyRootFilesystem: false

  scanJobPodPriorityClassName: ""
  reportResourceLabels: ""
  reportRecordFailedChecksOnly: true
  skipResourceByLabels: ""
  metricsResourceLabelsPrefix: "k8s_label_"
  additionalReportLabels: ""
  policiesConfig: ""
  excludeImages: ""

trivy:
  createConfig: true
  image:
    registry: myharbor.mydomain.com
    repository: trivy/trivy
    tag: 0.66.0
    imagePullSecret: my-harbor-secret
    pullPolicy: IfNotPresent
  mode: Standalone
  sbomSources: ""
  includeDevDeps: false
  storageClassEnabled: true
  storageClassName: ""
  storageSize: "5Gi"
  labels: {}
  podLabels: {}
  priorityClassName: ""
  additionalVulnerabilityReportFields: ""
  httpProxy: ~
  httpsProxy: ~
  noProxy: ~
  nonSslRegistries: {}
  sslCertDir: /etc/ssl/certs #~
  insecureRegistries:
    myHarborRegistry: myharbor.mydomain.com
  registry:
    mirror: {}
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  slow: true
  ignoreUnfixed: false
  skipFiles:
  skipDirs:
  offlineScan: true
  timeout: "5m0s"
  ignoreFile: ~
  configFile: ~
  vulnType: ~
  resources:
    requests:
      cpu: 100m
      memory: 100M
    limits:
      cpu: 500m
      memory: 500M
  githubToken: ~
  clientServerSkipUpdate: false
  skipJavaDBUpdate: false
  serverInsecure: true
  serverToken: ~
  existingSecret: false
  serverTokenHeader: "Trivy-Token"
  serverCustomHeaders: ~
  dbRegistry: "myharbor.mydomain.com"
  dbRepository: "trivy/trivy-db"
  dbRepositoryUsername: robot$Harbor
  dbRepositoryPassword: simulated-password-here
  javaDbRegistry: "myharbor.mydomain.com"
  javaDbRepository: "trivy/trivy-java-db"
  dbRepositoryInsecure: "true"
  useBuiltinRegoPolicies: "true"
  externalRegoPoliciesEnabled: false
  useEmbeddedRegoPolicies: "false"

  supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
  command: image
  imageScanCacheDir: "/tmp/trivy/.cache"
  filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
  serverUser: ""
  serverPassword: ""
  serverServiceName: "trivy-service"
  debug: true

  server:
    resources:
      requests:
        cpu: 200m
        memory: 512Mi
      limits:
        cpu: 1
        memory: 1Gi
    podSecurityContext:
      runAsUser: 65534
      fsGroup: 65534
      readOnlyRootFilesystem: false
    securityContext:
      privileged: false
      readOnlyRootFilesystem: false
    replicas: 1
    extraServerVolumes:
      volumeMounts: []
      volumes: []

  valuesFromConfigMap: ""
  valuesFromSecret: ""

compliance:
  failEntriesLimit: 10
  reportType: summary
  cron: 0 */6 * * *
  specs:
    - k8s-cis-1.23
    - k8s-nsa-1.0
    - k8s-pss-baseline-0.1
    - k8s-pss-restricted-0.1

rbac:
  create: true

serviceAccount:
  create: true
  annotations: {}
  name: ""

podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/path: "/metrics"
  prometheus.io/port: "8080"

podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  runAsUser: 10000
  privileged: false
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

volumeMounts:
  - mountPath: /tmp
    name: cache-policies
    readOnly: false
  - mountPath: /etc/ssl/certs/mydomain.com-ca.crt
    name: mydomain-com-ca-cert
    subPath: mydomain-com.crt # The key name within the secret created in Step 1
    readOnly: true

volumes:
  - name: cache-policies
    emptyDir: {}
  - name: mydomain-com-ca-cert
    secret:
      secretName: my-secret
      items:
        - key: CA01.cer
          path: mydomain-com.crt

resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
priorityClassName: ""
automountServiceAccountToken: true

policiesBundle:
  registry: myharbor.mydomain.com
  repository: trivy/trivy-checks
  tag: 1
  existingSecret: true
  insecure: true

nodeCollector:
  useNodeSelector: true
  registry: myharbor.mydomain.com
  repository: trivy/node-collector
  tag: 0.3.1
  imagePullSecret:
    - name: my-harbor-secret
  excludeNodes:
  tolerations: []
  volumeMounts:
    - name: var-lib-etcd
      mountPath: /var/lib/etcd
      readOnly: true
    - name: var-lib-kubelet
      mountPath: /var/lib/kubelet
      readOnly: true
    - name: var-lib-kube-scheduler
      mountPath: /var/lib/kube-scheduler
      readOnly: true
    - name: var-lib-kube-controller-manager
      mountPath: /var/lib/kube-controller-manager
      readOnly: true
    - name: etc-systemd
      mountPath: /etc/systemd
      readOnly: true
    - name: lib-systemd
      mountPath: /lib/systemd/
      readOnly: true
    - name: etc-kubernetes
      mountPath: /etc/kubernetes
      readOnly: true
    - name: etc-cni-netd
      mountPath: /etc/cni/net.d/
      readOnly: true

  volumes:
    - name: var-lib-etcd
      hostPath:
        path: /var/lib/etcd
    - name: var-lib-kubelet
      hostPath:
        path: /var/lib/kubelet
    - name: var-lib-kube-scheduler
      hostPath:
        path: /var/lib/kube-scheduler
    - name: var-lib-kube-controller-manager
      hostPath:
        path: /var/lib/kube-controller-manager
    - name: etc-systemd
      hostPath:
        path: /etc/systemd
    - name: lib-systemd
      hostPath:
        path: /lib/systemd
    - name: etc-kubernetes
      hostPath:
        path: /etc/kubernetes
    - name: etc-cni-netd
      hostPath:
        path: /etc/cni/net.d/

alternateReportStorage:
  enabled: false
  mountPath: "/mnt/data/trivy-operator"
  volumeName: "trivy-operator-pvc"
  storage: "10Gi"
  storageClassName: ""
  podSecurityContext:
    runAsUser: 10000
    readOnlyRootFilesystem: false
    fsGroup: 10000


Environment:

  • Trivy-Operator version (use trivy-operator version): 0.29.0
  • Kubernetes version (use kubectl version): v1.29.7+vmware.wcp.1
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): RHEL 9
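As an added example (not part of this issue and not trivy-operator code): a small triage script that reads operator JSON log lines like the one quoted in the report, isolates policy-loader write failures, and flags when the denied path is relative, as `mkdir tmp` is here, which is what makes the `workingDir=/tmp` patch above relevant. The sample log lines are constructed, modelled on the format in the report, with the stack trace omitted.

```python
import json
import re
from typing import Optional

# Constructed sample lines modelled on the trivy-operator JSON log format shown in
# the issue (the real error line also carries a long "stacktrace" field).
SAMPLE_LOGS = """\
{"level":"info","ts":"2026-02-10T15:51:40Z","logger":"operator","msg":"Starting operator"}
{"level":"error","ts":"2026-02-10T15:51:46Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: oci download error: download error: failed to download /tmp/trivy-1/oci-download-4106154273/bundle.tar.gz: mkdir tmp: permission denied"}
{"level":"error","ts":"2026-02-10T15:52:01Z","logger":"reconciler.vulnerabilityreport","msg":"scan job failed","error":"image pull backoff"}
not-json garbage line
"""

# Matches the Go os.PathError wording "<op> <path>: permission denied".
PERM_DENIED = re.compile(r"(?P<op>mkdir|open|create) (?P<path>\S+): permission denied")


def classify_line(line: str) -> Optional[dict]:
    """Return a finding dict for an error-level JSON log line, or None otherwise."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("level") != "error":
        return None
    finding = {"ts": rec.get("ts"), "logger": rec.get("logger"),
               "kind": "other", "path": None, "relative_path": False}
    m = PERM_DENIED.search(rec.get("error", ""))
    if str(rec.get("logger", "")).startswith("policyLoader") and m:
        finding["kind"] = "policy_bundle_write_denied"
        finding["path"] = m.group("path")
        # A path with no leading "/" is resolved against the container's working
        # directory rather than TMPDIR, which is consistent with the workingDir
        # workaround in the issue. Flag it so the operator pod spec gets checked.
        finding["relative_path"] = not m.group("path").startswith("/")
    return finding


def triage(logs: str) -> list:
    """Classify every line; non-JSON and non-error lines are dropped."""
    return [f for f in (classify_line(ln) for ln in logs.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```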

    Labels

    kind/bug (Categorizes issue or PR as related to a bug.)