Configure trivy-operator to use single ImagePullSecret from operator namespace without enabling global secret access #2053
Unanswered
maltemorgenstern
asked this question in
Help & Support
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Hey there, I have a question about private registries.
We are running a private registry for all of our docker images (there are gatekeeper policies in place to enforce that only internal images can be deployed into the cluster). Therefore every deployment/namespace contains an
ImagePullSecret
with credentials to our registry.Using the default
trivy-operator
configuration this works like a charm - and reports for all resources are being created (because the operator is using theImagePullSecret
from each workload to pull the image, see the docs).The problem is that the default configuration comes with highly privileged permissions. Because
operator.accessGlobalSecretsAndServiceAccount
defaults totrue
, the deployedClusterRole
grants the operator access to all secrets in all namespaces - which is being criticised by our security team.Based on this discussion instead of using the
ImagePullSecret
in each namespace one can configure the operator to use a different secret from other namespaces. In our case we would just reference the secret from the operator namespace which contains credentials that are valid for all images in the cluster:But this does not work - and all scan jobs fail with
unauthorized
errors.Looking at the code the reason seems to be that
privateRegistryScanSecretsNames
requiresaccessGlobalSecretsAndServiceAccount
to be enabled?trivy-operator/pkg/vulnerabilityreport/controller/workload.go
Lines 255 to 269 in 4b1c6c3
And - in general - I can understand this requirement - because if you reference a workload namespace as the secret source that cluster-wide access is required to read the data.
But if the namespace is the operator namespace this is not needed - because the default role already contains the required permissions to read kubernetes secrets:
trivy-operator/deploy/helm/templates/rbac/role.yaml
Lines 18 to 25 in 4b1c6c3
Question
Kind Regard Malte
Beta Was this translation helpful? Give feedback.
All reactions