diff --git a/charts/zora/README.md b/charts/zora/README.md index eeb03c49..62fe98af 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md @@ -118,6 +118,7 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.plugins.trivy.image.tag | string | `"0.48.2"` | trivy plugin image tag | | scan.plugins.trivy.env | list | `[]` | List of environment variables to set in trivy container. | | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. | +| scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout | | scan.plugins.popeye.skipInternalResources | bool | `false` | Specifies whether the following resources should be skipped by `popeye` scans. 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; 2. kubernetes system reserved RBAC (prefixed with `system:`); 3. `kube-root-ca.crt` configmaps; 4. `default` namespace; 5. `default` serviceaccounts; 6. Helm secrets (prefixed with `sh.helm.release`); 7. Zora components. See `popeye` configuration file that is used for this case: https://github.com/undistro/zora/blob/main/charts/zora/templates/plugins/popeye-config.yaml | | scan.plugins.popeye.resources | object | `{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"250m","memory":"256Mi"}}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers) to add to `popeye` container | | scan.plugins.popeye.podAnnotations | object | `{}` | Annotations added to the popeye pods | diff --git a/charts/zora/templates/plugins/trivy.yaml b/charts/zora/templates/plugins/trivy.yaml index 8b784743..22dd5800 100644 --- a/charts/zora/templates/plugins/trivy.yaml +++ b/charts/zora/templates/plugins/trivy.yaml @@ -61,6 +61,7 @@ spec: {{- if .Values.scan.plugins.trivy.ignoreUnfixed }} --ignore-unfixed \ {{- end }} + --timeout={{ .Values.scan.plugins.trivy.timeout | quote }} \ -o $(DONE_DIR)/results.json \ cluster diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index c2f40b94..338d0441 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -226,6 +226,8 @@ scan: envFrom: [] # - secretRef: # name: trivy-credentials + # -- Trivy timeout + timeout: 10m popeye: # -- Specifies whether the following resources should be skipped by `popeye` scans. # 1. resources from `kube-system`, `kube-public` and `kube-node-lease` namespaces; diff --git a/docs/plugins/trivy.md b/docs/plugins/trivy.md index e536b9d8..880d23d0 100644 --- a/docs/plugins/trivy.md +++ b/docs/plugins/trivy.md @@ -31,3 +31,18 @@ The `ClusterScan` will have a `Failed` status. You will see a log entry similar ``` 2023-09-26T14:18:02Z ERROR worker failed to run worker {"error": "failed to create VulnerabilityReport \"kind-kind-usdockerpkgdevgooglesamplescontainersgkegbfrontendsha256dc8de8e0d569d2f828b187528c9317bd6b605c273ac5a282aebe471f630420fc-rzntw\": etcdserver: request is too large"} ``` + +## Scan timeout + +Trivy's scan duration may vary depending on the total images in your cluster +and the time to download the vulnerability database during each scan. + +By default, Zora sets a timeout of **10 minutes** for Trivy scan completion. + +To adjust this timeout, use the following Helm parameter: + +```shell +--set scan.plugins.trivy.timeout=15m +``` + +Once this parameter is updated, the next scan will use the specified value. diff --git a/mkdocs.yml b/mkdocs.yml index 16424d2a..f256c690 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -90,6 +90,7 @@ nav: - HTTPS Proxy: configuration/https-proxy.md - Scanning Images hosted in AWS ECR: configuration/aws-elastic-container-registry.md - Scanning Images hosted in Azure ACR: configuration/acr.md + - Vulnerability scan timeout: plugins/trivy/#scan-timeout - "🔌 Plugins": - Overview: plugins/index.md - Misconfiguration: