Hi everyone! I work for a cloud provider where we offer a managed Kubernetes service. I'm tasked with finding a solution to monitor vulnerabilities within the running containers in our clusters, specifically looking into the kube-* namespaces like CoreDNS and others. I've tried several options, including the Trivy Operator, which showed promise but doesn't let me scan those management namespaces. I'm hoping for any suggestions or insights you might have on tackling this issue!
2 Answers
Trivy is definitely a solid choice! You just need to figure out how to address the namespace issue. It's doable with some tweaks.
Is the only solution to write a script that pulls the running containers with 'kubectl' and then runs Trivy on them? I thought there might be an easier way.
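One way to do the kubectl-plus-Trivy approach described in this comment, as an added example that is not code from the thread: it assumes `kubectl` is already pointed at the cluster, `trivy` is on PATH, and that the `kube-` namespace prefix selects the management namespaces; the image references in the embedded sample input are constructed.

```shell
#!/usr/bin/env sh
# Added example: report CVEs in the images actually running in kube-* namespaces.
# Pipeline: kubectl (one line per Running pod: "<namespace> <image> <image> ...")
#   -> unique_images (keep management namespaces, de-duplicate image refs)
#   -> scan_images (trivy image, HIGH/CRITICAL only, non-zero exit on findings)

# Print "<namespace> <image> <image> ..." for every Running pod in the cluster.
# Uses the images the kubelet reports in containerStatuses, i.e. what is running,
# not merely what the spec asked for.
list_running_images() {
  kubectl get pods -A --field-selector=status.phase=Running \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{range .status.containerStatuses[*]}{.image}{" "}{end}{"\n"}{end}'
}

# Read "<namespace> <image> ..." lines on stdin; emit a sorted, de-duplicated
# list of image refs whose namespace starts with the prefix in $1 (e.g. "kube-").
# Scanning each unique image once avoids re-scanning every CoreDNS replica.
unique_images() {
  awk -v prefix="$1" '
    index($1, prefix) == 1 { for (i = 2; i <= NF; i++) print $i }
  ' | sort -u
}

# Read image refs on stdin and scan each with Trivy. --exit-code 1 makes trivy
# return non-zero when it finds something, which we collect into one overall rc
# so a CI job fails if any management-namespace image has a HIGH/CRITICAL CVE.
scan_images() {
  rc=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    echo "=== $image ==="
    trivy image --severity HIGH,CRITICAL --exit-code 1 "$image" || rc=1
  done
  return "$rc"
}

# Only touch the cluster when explicitly asked (./scan.sh --run [namespace-prefix]);
# sourcing the file without arguments just defines the functions above.
if [ "${1:-}" = "--run" ]; then
  list_running_images | unique_images "${2:-kube-}" | scan_images
fi
```

Triage the output as the later comments suggest: a CVE in a package that the container never exercises is still worth recording, but it should not be the first fix you chase.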
Focusing solely on vulnerability scanning is crucial, but remember that Kubernetes security encompasses much more. What are your plans for runtime security? How do you handle unpatched CVEs or zero-days? I've worked with NeuVector, which is now open source, so if you like, I can share insights on managing various security issues without a ton of effort, including vulnerability management.
My main task is just to report the CVEs in running containers, especially within the management namespace. I'm not even able to access the servers directly.
I was also thinking of forking the Trivy Operator to make it compatible with the management namespaces, but the codebase is quite massive.

Once you get it running, make sure to filter out false positives and check if the CVEs are triggered by code pathways you're actually using. Otherwise, it's just compliance without real security.