aquasecurity · chen-keinan · May 2, 2024 · Apr 7, 2024 · Apr 8, 2024 · Apr 9, 2024
@@ -9,7 +9,7 @@ Trivy can also be installed *inside* your cluster as a Kubernetes Operator, and
 When scanning a Kubernetes cluster, Trivy differentiates between the following:
 
 1. Cluster infrastructure (e.g api-server, kubelet, addons)
-1. Cluster configuration (e.g Roles, ClusterRoles). 
+1. Cluster configuration (e.g Roles, ClusterRoles).
 1. Application workloads (e.g nginx, postgresql).
 
 When scanning any of the above, the container image is scanned separately to the Kubernetes resource definition (the YAML manifest) that defines the resource.
@@ -30,58 +30,79 @@ Kubernetes resource definition is scanned for:
 
 Trivy follows the behavior of the `kubectl` tool as much as possible.
 
-### Scope
-
-The command expects an argument that selects the scope of the scan (similarly to how `kubectl` expects an argument after `kubectl get`). This argument can be:
-1. A Kubernetes Kind. e.g `pod`, `deployment`, etc. 
-2. A Kubernetes Resource. e.g `pods/mypod`, etc.
-3. `all`. Scan common workload kinds, as listed [here](https://github.com/aquasecurity/trivy-kubernetes/blob/bf8cc2a00d9772e0aa271f06d375b936152b54b1/pkg/k8s/k8s.go#L296:L314)
-4. `cluster` scan the entire cluster including all namespaced resources and cluster level resources.
-
-Examples:
-
-```
-trivy k8s all
-trivy k8s pods
-trivy k8s deploy myapp
-trivy k8s pod/mypod
-trivy k8s pods,deploy
-trivy k8s cluster
+```sh
+trivy k8s [flags] [CONTEXT] -  if the target name [CONTEXT] is not specified, the default will be used.
 ```
 
-Note that the scope argument must appear last in the command line, after any other flag.
+for example:
 
-### Cluster
+```sh
+trivy k8s --report summary
+```
 
 By default Trivy will look for a [`kubeconfig` configuration file in the default location](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), and use the default cluster that is specified.  
 You can also specify a `kubeconfig` using the `--kubeconfig` flag:
 
-```
+```sh
 trivy k8s --kubeconfig ~/.kube/config2
 ```
 
-### Namespace
+By default, all cluster resource images will be downloaded and scanned.
 
-By default Trivy will scan all namespaces (following `kubectl` behavior). To specify a namespace use the `--namespace` flag:
+### Skip-images
 
+You can control whether Trivy will scan and download the cluster resource images. To disable this feature, add the --skip-images flag.
+
+- `--skip-images` flag will prevent the downloading and scanning of images (including vulnerabilities and secrets) in the cluster resources.
+
+Example:
+
+```sh
+trivy k8s --report summary --skip-images
 ```
-trivy k8s --kubeconfig ~/.kube/config2 --namespace default
-```
-### Node
 
-You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
+### Include/Exclude Kinds
+
+You can control which kinds of resources will be discovered using the `--include-kinds` or `--exclude-kinds` comma-separated flags:
+
+***Note:*** Both flags (`--include-kinds` or `--exclude-kinds`) cannot be set in conjunction.
+
+- `--include-kinds` will include the listed kinds in cluster scanning.
+- `--exclude-kinds` will exclude the listed kinds from cluster scanning.
+
+By default, all kinds will be included in cluster scanning.
+
+Example:
 
+```sh
+trivy k8s --report summary --exclude-kinds node,pod
 ```
-trivy k8s cluster --report summary --exclude-nodes kubernetes.io/arch:arm6
+
+### Include/Exclude Namespaces
+
+You can control which namespaces will be discovered using the `--include-namespaces` or `--exclude-namespaces` comma-separated flags:
+
+***Note:*** Both flags (`--include-namespaces` or `--exclude-namespaces`) cannot be set in conjunction.
+
+- `--include-namespaces` will include the listed namespaces in cluster scanning.
+- `--exclude-namespaces` will exclude the listed namespaces from cluster scanning.
+
+By default, all namespaces will be included in cluster scanning.
+
+Example:
+
+```sh
+trivy k8s --report summary --exclude-namespace dev-system,staging-system
 ```
 
 ## Control Plane and Node Components Vulnerability Scanning
 
-Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds
+Trivy is capable of discovering Kubernetes control plane (apiserver, controller-manager and etc) and node components(kubelet, kube-proxy and etc), matching them against the [official Kubernetes vulnerability database feed](https://github.com/aquasecurity/vuln-list-k8s), and reporting any vulnerabilities it finds.
 
+To read more about KBOM, see the [documentation for Kubernetes scanning](./sbom.md#kbom).
 
-```
-trivy k8s cluster --scanners vuln  --report all
+```sh
+trivy k8s --scanners vuln  --report all
 
 NodeComponents/kind-control-plane (kubernetes)
 
@@ -101,13 +122,43 @@ Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
 └────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────┘
 ```
 
+## Node-Collector
+
+Node-collector is a scan job that collects node configuration parameters and permission information. This information will be evaluated against Kubernetes hardening (e.g. CIS benchmark) and best practices values. The scan results will be output in infrastructure assessment and CIS benchmark compliance reports.
+
+### Disable Node Collector
+
+You can control whether the node scan-job (`node-collector`) will run in the cluster. To disable it, add the `--disable-node-collector` flag  
+
+- `--disable-node-collector` This flag will exclude findings related to Node (infra assessment) misconfigurations
+
+By default, the node scan-job (`node-collector`) will run in the cluster.
+
+Example:
+
+```sh
+trivy k8s --report summary --disable-node-collector
+```
+
+### Taints and Tolerations
 
-### Components types
+The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
 
-You can control what kinds of components are discovered using the `--components` flag:
-- `--components infra` will discover only cluster infrastructure components.
-- `--components workload` will discover only application workloads.
-- If the flag is omitted: infra, workloads, and RBAC are discovered.
+- `--tolerations  key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node
+
+Example:
+
+```sh
+trivy k8s --report summary --tolerations  key1=value1:NoExecute,key2=value2:NoSchedule
+```
+
+### Exclude Nodes by Label
+
+You can exclude specific nodes from the scan using the `--exclude-nodes` flag, which takes a label in the format `label-name:label-value` and excludes all matching nodes:
+
+```sh
+trivy k8s --report summary --exclude-nodes kubernetes.io/arch:arm6
+```
 
 ## Reporting and filtering
 
@@ -117,24 +168,24 @@ You can always choose the report granularity using the `--report summary`/`--rep
 
 Scan a full cluster and generate a simple summary report:
 
-```
-$ trivy k8s --report=summary cluster
+```sh
+trivy k8s --report=summary
 ```
 
 ![k8s Summary Report](../../imgs/trivy-k8s.png)
 
 Filter by severity:
 
 ```
-trivy k8s --severity=CRITICAL --report=all cluster
+trivy k8s --severity=CRITICAL --report=all
 ```
 
 Filter by scanners (Vulnerabilities, Secrets or Misconfigurations):
 
 ```
-trivy k8s --scanners=secret --report=summary cluster
+trivy k8s --scanners=secret --report=summary
 # or
-trivy k8s --scanners=misconfig --report=summary cluster
+trivy k8s --scanners=misconfig --report=summary
 ```
 
 The supported output formats are `table`, which is the default, and `json`.
@@ -300,6 +351,7 @@ trivy k8s --format json -o results.json cluster
 </details>
 
 ## Compliance
+
 This section describes Kubernetes specific compliance reports.
 For an overview of Trivy's Compliance feature, including working with custom compliance, check out the [Compliance documentation](../compliance/compliance.md).
 
@@ -318,31 +370,31 @@ Scan the cluster for Kubernetes Pod Security Standards Baseline compliance:
 
 ```
 
-$ trivy k8s cluster --compliance=k8s-pss-baseline --report summary
+trivy k8s --compliance=k8s-pss-baseline --report summary
 
 ```
 
 Get the detailed report for checks:
 
 ```
 
-$ trivy k8s cluster --compliance=k8s-cis --report all
+trivy k8s --compliance=k8s-cis --report all
 
 ```
 
 Get summary report in JSON format:
 
 ```
 
-$ trivy k8s cluster --compliance=k8s-cis --report summary --format json
+trivy k8s --compliance=k8s-cis --report summary --format json
 
 ```
 
 Get detailed report in JSON format:
 
 ```
 
-$ trivy k8s cluster --compliance=k8s-cis --report all --format json
+trivy k8s --compliance=k8s-cis --report all --format json
 
 ```
 
@@ -355,15 +407,15 @@ Trivy can generate KBOM in CycloneDX format:
 
 ```sh
 
-$ trivy k8s cluster --format cyclonedx --output mykbom.cdx.json
+trivy k8s --format cyclonedx --output mykbom.cdx.json
 
 ```
 
 Trivy can also scan that generated KBOM (or any SBOM) for vulnerabilities:
 
 ```sh
 
-$ trivy sbom mykbom.cdx.json
+trivy sbom mykbom.cdx.json
 
 ```
 

@@ -1,58 +1,51 @@
 # Kubernetes Scanning Tutorial
 
-## Prerequisites 
+## Prerequisites
 
 To test the following commands yourself, make sure that you’re connected to a Kubernetes cluster. A simple kind, a Docker-Desktop or microk8s cluster will do. In our case, we’ll use a one-node kind cluster.  
-
-Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster. 
+Pro tip: The output of the commands will be even more interesting if you have some workloads running in your cluster.
 
 ## Cluster Scanning
 
 Trivy K8s is great to get an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster. You would want to use the Trivy K8s command either on your own local cluster or in your CI/CD pipeline post deployments.  
 
-The `trivy k8s` command is part of the Trivy CLI. 
+The `trivy k8s` command is part of the Trivy CLI.
 
-With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan: 
+With the following command, we can scan our entire Kubernetes cluster for vulnerabilities and get a summary of the scan:
 
-```
-trivy k8s --report=summary cluster
+```sh
+trivy k8s --report=summary
 ```
 
 To get detailed information for all your resources, just replace ‘summary’ with ‘all’: 
 
-```
-trivy k8s --report=all cluster
+```sh
+trivy k8s --report=all
 ```
 
 However, we recommend displaying all information only in case you scan a specific namespace or resource since you can get overwhelmed with additional details. 
 
 Furthermore, we can specify the namespace that Trivy is supposed to scan to focus on specific resources in the scan result: 
 
-```
-trivy k8s -n kube-system --report=summary cluster
+```sh
+trivy k8s --include-namespaces kube-system --report summary
 ```
 
 Again, if you’d like to receive additional details, use the ‘--report=all’ flag: 
 
-```
-trivy k8s -n kube-system --report=all cluster
+```sh
+trivy k8s --include-namespaces kube-system --report all
 ```
 
 Like with scanning for vulnerabilities, we can also filter in-cluster security issues by severity of the vulnerabilities: 
 
-```
-trivy k8s --severity=CRITICAL --report=summary cluster
+```sh
+trivy k8s --severity=CRITICAL --report=summary
 ```
 
 Note that you can use any of the Trivy flags on the Trivy K8s command. 
 
-With the Trivy K8s command, you can also scan specific workloads that are running within your cluster, such as our deployment: 
-
-```
-trivy k8s --namespace  app --report=summary deployments/react-application
-```
-
-## Trivy Operator 
+## Trivy Operator
 
 The Trivy K8s command is an imperative model to scan resources. We wouldn’t want to manually scan each resource across different environments. The larger the cluster and the more workloads are running in it, the more error-prone this process would become. With the Trivy Operator, we can automate the scanning process after the deployment.  
 
@@ -66,15 +59,9 @@ This has several benefits:
 
 - The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. 
 
-
 There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator)
 
 Please follow the Trivy Operator documentation for further information on:
 
 - [Installation of the Trivy Operator](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/)
-- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)
-
-
-
-
-
+- [Getting started guide](https://aquasecurity.github.io/trivy-operator/latest/getting-started/quick-start/)