Merge pull request #9 from devopstales/AC

Ac

OLM/0.0.1/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml

@@ -0,0 +1,50 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: namespace-scanners.trivy-operator.devopstales.io
+spec:
+  conversion:
+    strategy: None
+  group: trivy-operator.devopstales.io
+  names:
+    kind: NamespaceScanner
+    listKind: NamespaceScannerList
+    plural: namespace-scanners
+    shortNames:
+    - ns-scan
+    singular: namespace-scanner
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Namespace Selector for pod scanning
+      jsonPath: .spec.namespace_selector
+      name: NamespaceSelector
+      type: string
+    - description: crontab value
+      jsonPath: .spec.crontab
+      name: Crontab
+      type: string
+    - description: As returned from the handler (sometimes).
+      jsonPath: .status.create_fn.message
+      name: Message
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          crontab:
+            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
+            type: string
+          namespace_selector:
+            type: string
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

OLM/0.0.1/metadata/annotations.yaml

@@ -0,0 +1,7 @@
+annotations:
+  operators.operatorframework.io.bundle.channel.default.v1: alpha
+  operators.operatorframework.io.bundle.channels.v1: alpha
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: trivy-operator

OLM/2.1.0/manifests/namespace-scanners.trivy-operator.devopstales.io.crd.yaml

@@ -0,0 +1,50 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: namespace-scanners.trivy-operator.devopstales.io
+spec:
+  conversion:
+    strategy: None
+  group: trivy-operator.devopstales.io
+  names:
+    kind: NamespaceScanner
+    listKind: NamespaceScannerList
+    plural: namespace-scanners
+    shortNames:
+    - ns-scan
+    singular: namespace-scanner
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Namespace Selector for pod scanning
+      jsonPath: .spec.namespace_selector
+      name: NamespaceSelector
+      type: string
+    - description: crontab value
+      jsonPath: .spec.crontab
+      name: Crontab
+      type: string
+    - description: As returned from the handler (sometimes).
+      jsonPath: .status.create_fn.message
+      name: Message
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          crontab:
+            pattern: ^(\d+|\*)(/\d+)?(\s+(\d+|\*)(/\d+)?){4}$
+            type: string
+          namespace_selector:
+            type: string
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

OLM/2.1.0/metadata/annotations.yaml

@@ -0,0 +1,6 @@
+annotations:
+  operators.operatorframework.io.bundle.channels.v1: stable
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: trivy-operator

OLM/bundle.Dockerfile

@@ -0,0 +1,10 @@
+FROM scratch
+
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=trivy-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+
+COPY manifests /manifests/
+COPY metadata /metadata/

OLM/cs-trivy-operator.yaml

@@ -0,0 +1,13 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: devopstales-catalog
+  namespaces: oml
+spec:
+  displayName: devopstales
+  publisher: devopstales
+  sourceType: grpc
+  image: docker.io/devopstales/trivy-operator-index:2.1.1-oc
+  updateStrategy:
+    registryPoll:
+      interval: 1m

OLM/og.yaml

@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: test-og
+  namespace: default
+spec:
+  targetNamespaces:
+  - default

OLM/sub_devopstales-catalog.yaml

@@ -0,0 +1,12 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: trivy-operator
+  namespace: default
+spec:
+  channel: stable
+  installPlanApproval: Automatic
+  name: trivy-operator
+  source: devopstales-catalog
+  sourceNamespace: olm
+  startingCSV: trivy-operator.v2.1.1

build-image.sh

@@ -9,7 +9,7 @@ if [ ! -f /tmp/trivy ]; then
 fi
 cp /tmp/trivy docker
 cp trivy-operator.py docker/trivy-operator.py
-#kim build --tag ${1} docker
+#kim build --tag ${1}-devel docker
 docker build -t ${1} docker
 rm -f docker/trivy-operator.py
 rm -f docker/trivy

docker/Dockerfile

@@ -4,7 +4,7 @@ ENV TRIVY_CACHE_DIR=/home/trivy-operator/trivy-cache \
     TRIVY_QUIET=true \
     IN_CLUSTER=true
 
-RUN apk add --no-cache gcc musl-dev libffi-dev openssl-dev
+RUN apk add --no-cache gcc musl-dev libffi-dev openssl-dev curl bash
 
 RUN pip3 install --no-cache-dir kopf[dev] kubernetes asyncio pycron prometheus_client oscrypto certvalidator certbuilder validators pyOpenSSL
 

grafana-dashboard/trivy.json → grafana-dashboard/admissioncontroller.json

@@ -1,4 +1,14 @@
 {
+  "__inputs": [
+    {
+      "name": "DS_PROMETHEUS",
+      "label": "Prometheus",
+      "description": "",
+      "type": "datasource",
+      "pluginId": "prometheus",
+      "pluginName": "Prometheus"
+    }
+  ],
   "annotations": {
     "list": [
       {
@@ -12,7 +22,7 @@
       }
     ]
   },
-  "description": "Dashboard for Trivy Vulnerabilities",
+  "description": "Dashboard for Admission Controllers Trivy Vulnerabilities",
   "editable": true,
   "gnetId": 12331,
   "graphTooltip": 0,
@@ -21,7 +31,7 @@
   "panels": [
     {
       "cacheTimeout": null,
-      "datasource": "Prometheus",
+      "datasource": "${DS_PROMETHEUS}",
       "fieldConfig": {
         "defaults": {
           "mappings": [
@@ -74,7 +84,7 @@
         {
           "dateTimeType": "DATETIME",
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{severity=\"CRITICAL\"})",
+          "expr": "sum(ac_vulnerabilities{severity=\"CRITICAL\"})",
           "format": "table",
           "formattedQuery": "SELECT $timeSeries as t, count() FROM $table WHERE $timeFilter GROUP BY t ORDER BY t",
           "group": [
@@ -144,7 +154,7 @@
     },
     {
       "cacheTimeout": null,
-      "datasource": "Prometheus",
+      "datasource": "${DS_PROMETHEUS}",
       "fieldConfig": {
         "defaults": {
           "mappings": [
@@ -197,7 +207,7 @@
         {
           "dateTimeType": "DATETIME",
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{severity=\"HIGH\"})",
+          "expr": "sum(ac_vulnerabilities{severity=\"HIGH\"})",
           "format": "table",
           "formattedQuery": "SELECT $timeSeries as t, count() FROM $table WHERE $timeFilter GROUP BY t ORDER BY t",
           "group": [
@@ -267,7 +277,7 @@
     },
     {
       "cacheTimeout": null,
-      "datasource": "Prometheus",
+      "datasource": "${DS_PROMETHEUS}",
       "fieldConfig": {
         "defaults": {
           "mappings": [
@@ -320,7 +330,7 @@
         {
           "dateTimeType": "DATETIME",
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{severity=\"MEDIUM\"})",
+          "expr": "sum(ac_vulnerabilities{severity=\"MEDIUM\"})",
           "format": "table",
           "formattedQuery": "SELECT $timeSeries as t, count() FROM $table WHERE $timeFilter GROUP BY t ORDER BY t",
           "group": [
@@ -390,7 +400,7 @@
     },
     {
       "cacheTimeout": null,
-      "datasource": "Prometheus",
+      "datasource": "${DS_PROMETHEUS}",
       "fieldConfig": {
         "defaults": {
           "mappings": [
@@ -443,7 +453,7 @@
         {
           "dateTimeType": "DATETIME",
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{severity=\"LOW\"})",
+          "expr": "sum(ac_vulnerabilities{severity=\"LOW\"})",
           "format": "table",
           "formattedQuery": "SELECT $timeSeries as t, count() FROM $table WHERE $timeFilter GROUP BY t ORDER BY t",
           "group": [
@@ -513,7 +523,7 @@
     },
     {
       "cacheTimeout": null,
-      "datasource": "Prometheus",
+      "datasource": "${DS_PROMETHEUS}",
       "fieldConfig": {
         "defaults": {
           "mappings": [
@@ -566,7 +576,7 @@
         {
           "dateTimeType": "DATETIME",
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{severity=\"UNKNOWN\"})",
+          "expr": "sum(ac_vulnerabilities{severity=\"UNKNOWN\"})",
           "format": "table",
           "formattedQuery": "SELECT $timeSeries as t, count() FROM $table WHERE $timeFilter GROUP BY t ORDER BY t",
           "group": [
@@ -642,7 +652,7 @@
         "label": "Severiy",
         "threshold": 0
       },
-      "datasource": "Prometheus",
+      "datasource": "${DS_PROMETHEUS}",
       "fieldConfig": {
         "defaults": {},
         "overrides": []
@@ -675,7 +685,7 @@
         {
           "dateTimeType": "DATETIME",
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{}) by(severity)",
+          "expr": "sum(ac_vulnerabilities{}) by(severity)",
           "format": "time_series",
           "formattedQuery": "SELECT $timeSeries as t, count() FROM $table WHERE $timeFilter GROUP BY t ORDER BY t",
           "group": [
@@ -738,7 +748,7 @@
     },
     {
       "columns": [],
-      "datasource": "Prometheus",
+      "datasource": "${DS_PROMETHEUS}",
       "fieldConfig": {
         "defaults": {},
         "overrides": []
@@ -881,7 +891,7 @@
       "targets": [
         {
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{severity=\"CRITICAL\"}) by (image,exported_namespace)",
+          "expr": "sum(ac_vulnerabilities{severity=\"CRITICAL\"}) by (image,exported_namespace)",
           "format": "table",
           "instant": true,
           "interval": "",
@@ -890,7 +900,7 @@
         },
         {
           "exemplar": true,
-          "expr": "sum(so_vulnerabilities{severity=\"HIGH\"}) by (image,exported_namespace)",
+          "expr": "sum(ac_vulnerabilities{severity=\"HIGH\"}) by (image,exported_namespace)",
           "format": "table",
           "instant": true,
           "interval": "",
@@ -945,7 +955,7 @@
     ]
   },
   "timezone": "",
-  "title": "Trivy Vulnerabilities",
-  "uid": "BQnjzl-iz",
+  "title": "Admission Controllers Vulnerabilities",
+  "uid": "BQnjzl-iz4",
   "version": 6
 }