One of Trivy’s core features is Trivy Kubernetes for in-cluster security scans of running workloads. This tutorial will showcase how to generate CIS and NSA reports both through the Trivy CLI and the Trivy Operator.
Additionally, we will look at how users can add the Kubernetes Specification for their own Compliance Report format to expand the security audits of the Trivy Operator.
Introduction to Kubernetes Benchmarks
The two best known Kubernetes Security Benchmarks are CIS and NSA. CIS (Center for Internet Security), which is a non-for-profit that provides recommendations on security best-practices. As part of their work, they have released a set of recommendations for configuring Kubernetes clusters and workloads. The CIS benchmarks take a closer look not only at the running workloads but also the infrastructure setup such as the Kubernetes. Additional details on CIS benchmarks can be found in the Aqua documentation.
In comparison, the NSA compliance checks are often categories as a benchmark but is much better referenced as being a Kubernetes hardening guide. The NSA guidelines also provide recommendations on resources and infrastructure outside of Kubernetes workloads. A closer look at the NSA guidelines is provided in the official Kubernetes documentation.
When a user is running a benchmark compliance check on their infrastructure and workloads, the scanner will compare the running resources in the cluster with the best practices detailed in the benchmark. Each recommendation of the benchmark will be evaluated separately. The final report will then detail which checks have failed. However, it is worth noting that there is not a 100% match between the compliance benchmarks and Kubernetes versions. Thus, users should evaluate the failures in the compliance report with caution.
Generate Trivy Compliance Reports
Trivy Kubernetes makes it possible to use the Trivy CLI to scan your infrastructure and running workloads for security issues through the Trivy Kubernetes command. This section will showcase how to use the Trivy CLI to generate CIS and NSA scans based on your Kubernetes cluster.
Prerequisites
Please ensure that you have the Trivy CLI installed. Different installation options can be found in the Trivy documentation.
Ensure that the Trivy CLI is installed correctly by verifying the version installed in your terminal:
trivy --version
Version: 0.36.1
Additionally, to generate compliance reports on a Kubernetes cluster, you will need access to the cluster.
Generating CIS reports with the Trivy CLI
To scan the full cluster and produce a CIS report summary, we can use the following command:
trivy k8s cluster --compliance=<compliance_id> --report summary
The <compliance_id> refers to k8s-nsa or k8s-cis scans. In this case, we are first going to generate a CIS report:
trivy k8s cluster --compliance=k8s-cis --report summary
To receive the details of the report, we can change the report type from summary to all:
trivy k8s cluster --compliance=k8s-cis --report all
Additionally, most flags can be used across Trivy commands. Thus, the report can be saved directly to a file with the –output flag:
trivy k8s cluster --compliance=k8s-cis --report all --output cis-report.json
Below you can see a partial screenshot of the result for the cis summary scan:
Partial screenshot of the result for the cis summary scan
Generating NSA reports with the Trivy CLI
The same commands can be used to produce NSA (US National Security Agency) reports with the Trivy CLI. We merely have to replace k8s-cis with k8s-nsa in the <compliance_id> field:
trivy k8s cluster --compliance=k8s-nsa --report summary
To receive the details of the report, we can change the report type from summary to all:
trivy k8s cluster --compliance=k8s-nsa --report all
Additionally, the report can be saved directly to a file as we have done before:
trivy k8s cluster --compliance=k8s-nsa --report all --output cis-report.json
Below you can see a screenshot of the result for the NSA summary scan:
Screenshot of the result for the NSA summary scan
Automate Benchmark Scans through the Trivy Operator
The Trivy CLI is great for user-initiated scans whether these are taking place through the command line or through a CI/CD pipeline. However, in large-scale environments it is important to have access to security reports on a continuous basis. Security Benchmark scans can be automated through the installation of the Trivy Operator on your Kubernetes cluster. In addition to Security Benchmark scans, it will scan for container Vulnerabilities, Expose Secrets, RBAC issues, and Misconfigurations.
Prerequisites
To follow this section of the tutorial, you will need:
- Helm CLI installed
- Kubectl installed and connected to a running Kubernetes cluster. A one-node Kind cluster will be sufficient.
Setting up the Trivy Kubernetes Operator
Next, we will follow the Trivy Operator Helm Chart installation from the documentation:
- Add the Helm Chart to your Helm repository list:
helm repo add aqua https://aquasecurity.github.io/helm-charts/ - Next, update the Helm Chart reposiotries that you are connected to:
helm repo update - And lastly, install the Trivy Operator Helm Chart:.
helm install trivy-operator aqua/trivy-operator
--namespace trivy-system
--create-namespace
--set="trivy.ignoreUnfixed=true"
--version 0.10.1
You should see the following success message upon successful installation:
NAME: trivy-operator
LAST DEPLOYED: Mon Jan 16 14:13:57 2023
NAMESPACE: trivy-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have installed Trivy Operator in the trivy-system namespace.
It is configured to discover Kubernetes workloads and resources in
all namespace(s).
Inspect created VulnerabilityReports by:
kubectl get vulnerabilityreports --all-namespaces -o wide
Inspect created ConfigAuditReports by:
kubectl get configauditreports --all-namespaces -o wide
Inspect the work log of trivy-operator by:
kubectl logs -n trivy-system deployment/trivy-operator
Next ensure that the Trivy Operator pod is running in your Kubernetes cluster:
kubectl get all -n trivy-system
The output should be like the following content:
❯ kubectl get all -n trivy-system
NAME READY STATUS RESTARTS AGE
pod/trivy-operator-59fc6d84d-xkr8h 1/1 Running 0 3m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/trivy-operator ClusterIP None <none> 80/TCP 3m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/trivy-operator 1/1 1 1 3m
NAME DESIRED CURRENT READY AGE
replicaset.apps/trivy-operator-59fc6d84d 1 1 1 3m
Once everything is running correctly, you should be able to query the Kubernetes benchmark reports generated by the Trivy Operator:
kubectl get clustercompliancereport
NAME AGE
cis 10m
nsa 10m
• NSA report:
kubectl get clustercompliancereport nsa -o yaml
• CIS report:
kubectl get clustercompliancereport cis -o yaml
Modify Trivy Operator Compliance Report
By default, the Trivy Operator will perform the compliance scans every six hours. However, it is possible to modify the CronJob expression in the YAML manifest of each CRD (Custom Resource Definition). Each resort, NSA and CIS, has a CRD that is responsible for defining how the report is generated.
The respective CRDs can be accessed like any other Kubernetes resource in your cluster:
kubectl get crd -n trivy-system
To edit the CRD, simply open it in vim through the following command:
kubectl edit crd clustercompliancereports.aquasecurity.github.io -n trivy-system
Add your own Benchmark scans through Built-in Configuration Audit Policies to the Trivy Operator
Our Built-in Configuration Audit Policies enables users to add their own benchmark scans. Upon installing the Trivy Operator, the trivy-operator-policies-config ConfigMap is created in your cluster. This ConfigMap defines any additional audit scans that should be performed:
kubectl get configmap -n trivy-system
kubectl get configmap trivy-operator-policies-config -n trivy-system -o yaml
The configuration for the built-in audit policies can be modified directly in the ConfigMap. Additionally, users can add their own audit policies. The tutorial in the Trivy Operator documentation details how to go about it.
For instance, the following specification checks a Kubernetes cluster against the Kubernetes Pod Security Standard. The YAML manifest can then be used in the
trivy-operator-policies-configOnce you apply the YAML manifest to the trivy-system namespace inside your cluster, a new ConfigAudit report will be generated.
What’s next?
In this blog post, we detailed how you can generate CIS and NSA reports through the Trivy CLI. Benchmark Scans of your infrastructure and workloads can then be automated through the Trivy Operator.
Both projects, Trivy and the Trivy Operator are open source. If you like those projects, we would highly appreciate it if you could give them a star on GitHub.
Additionally, join the Slack community if you have any questions.