Switch to new trivy-operator and trivy-server #953

Closed
wants to merge 16 commits into from

Member

@CalleB3 CalleB3 commented Mar 6, 2023

This needs to be verified in AWS before merging

@CalleB3 CalleB3 changed the title Switch to new trivy operator and trivy server Switch to new trivy-operator and trivy-server Mar 6, 2023
Contributor

@NissesSenap NissesSenap left a comment

I think it looks good, but I think you need to take an extra look on the EKS side.
See comment

%{~ if provider == "aws" ~}
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: ${trivy_operator_role_arn}
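
Review bot: the `eks.amazonaws.com/role-arn` annotation under `serviceAccount.annotations` only takes effect if the IAM role passed in as `trivy_operator_role_arn` has a trust policy whose subject condition matches the namespace and name of the service account this chart creates, and nothing in these lines ties the two together. Add a template comment stating which service account the role is scoped to, and check that the Terraform building the role uses the same namespace and name, otherwise the pods cannot assume the role at runtime.
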
Contributor

Hmm, isn't there a service account created for the trivy server?
You will probably need to use var.trivy_role_arn for this because the role that gets created is specific to the serviceAccount.
You might also need to update the role_arn to match the new serviceAccount that gets created by the operator.

Member Author

From what I can tell, trivy-server uses the SA created for trivy-operator.
What do you mean with "update the role_arn to match the new serviceAccount that gets created by the operator"? Which role is this?

Member Author

Currently there are 2 ARNs, trivy_operator_role_arn and trivy_role_arn.
There should be no use for both?

Contributor

Ahh okay, if there is only one SA, you can remove the one called trivy_role_arn just as you say.

module "trivy_ecr" {

Good job

@CalleB3
Member Author

CalleB3 commented Mar 14, 2023

Fixes #941

@landerss1
Contributor

Support for EKS has been deprecated. Furthermore, we are already running the trivy-operator. Closing this.

@landerss1 landerss1 closed this May 27, 2024