starboard-security-operator

module

v0.0.0-...-40f476f Latest Latest Go to latest Published: Sep 7, 2020 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/aquasecurity/starboard-security-operator

README ¶

starboard-security-operator

This operator for Starboard automatically updates security report resources in response to workload and other changes on a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see the main Starboard repo for more info about the Starboard project.

Getting started

Run make to build operator binaries into Docker containers:
```
$ make docker-build
```

Define Custom Security Resources used by Starboard:

$ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/vulnerabilities-crd.yaml \
  -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/configauditreports-crd.yaml \
  -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/ciskubebenchreports-crd.yaml \
  -f https://raw.githubusercontent.com/aquasecurity/starboard/master/kube/crd/kubehunterreports-crd.yaml

Create the starboard-operator Namespace:
```
$ kubectl create ns starboard-operator
```

Create a Secret that holds configuration of the Aqua CSP scanner:

$ kubectl create secret generic starboard-operator \
  --namespace starboard-operator \
  --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \
  --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \
  --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \
  --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080

Create a Deployment for the Starboard Operator:

$ kubectl apply -f deploy/starboard-operator.yaml

Configuration

Name	Default	Description
`OPERATOR_STARBOARD_NAMESPACE`	`starboard-operator`	The default namespace for Starboard
`OPERATOR_SUPERVISED_NAMESPACE`	`default`	The namespace watched by the operator
`OPERATOR_SCAN_JOB_TIMEOUT`	`5m`	The length of time to wait before giving up on a scan job
`OPERATOR_SCANNER_TRIVY_ENABLED`	`true`	The flag to enable Trivy vulnerability scanner
`OPERATOR_SCANNER_TRIVY_VERSION`	`0.11.0`	The version of Trivy to be used
`OPERATOR_SCANNER_AQUA_CSP_ENABLED`	`false`	The flag to enable Aqua CSP vulnerability scanner
`OPERATOR_SCANNER_AQUA_CSP_VERSION`	`5.0`	The version of Aqua CSP scannercli container image to be used

How does it work?

Directories ¶

Path	Synopsis
cmd
operator
scanner
pkg
aqua
aqua/client
aqua/scanner/api
aqua/scanner/cli
controllers
etc
logs
reports
scanner
trivy

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL