From 513430745cf0b7ea46ec490a0c28dc7edb37fd5c Mon Sep 17 00:00:00 2001
From: Oleg Korznikov <54912398+sudoleg@users.noreply.github.com>
Date: Sun, 17 Mar 2024 16:27:17 +0100
Subject: [PATCH] docs: Improve documentation for ClusterVulnerabilityReports (#1910)
* chore: add hint for enabling ClusterVulnerabilityReports
Signed-off-by: Korznikov, Oleg
* docs: provide link to CVEs source for ClusterVulnerabilityReports
Signed-off-by: Korznikov, Oleg
---------
Signed-off-by: Korznikov, Oleg
---
 deploy/helm/README.md | 4 ++--
 deploy/helm/values.yaml | 4 ++--
 docs/docs/crds/clustervulnerability-report.md | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
index 411d49046..d2d982a79 100644
--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -40,7 +40,7 @@ Keeps security report resources updated
 | operator.batchDeleteDelay | string | `"10s"` | batchDeleteDelay the duration to wait before deleting another batch of config audit reports. |
 | operator.batchDeleteLimit | int | `10` | batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed. |
 | operator.builtInServerRegistryInsecure | bool | `false` | builtInServerRegistryInsecure is the flag to enable insecure connection from the built-in Trivy server to the registry. |
-| operator.builtInTrivyServer | bool | `false` | builtInTrivyServer The flag enable the usage of built-in trivy server in cluster ,its also override the following trivy params with built-in values trivy.mode = ClientServer and serverURL = http://.:4975 |
+| operator.builtInTrivyServer | bool | `false` | builtInTrivyServer The flag enables the usage of built-in trivy server in cluster. It also overrides the following trivy params with built-in values trivy.mode = ClientServer and serverURL = http://.:4975 |
 | operator.cacheReportTTL | string | `"120h"` | cacheReportTTL the flag to set how long a cluster sbom report should exist. "" means that the cacheReportTTL feature is disabled |
 | operator.clusterComplianceEnabled | bool | `true` | clusterComplianceEnabled the flag to enable cluster compliance scanner |
 | operator.clusterSbomCacheEnabled | bool | `false` | the flag to enable cluster sbom cache generation |
@@ -67,7 +67,7 @@ Keeps security report resources updated
 | operator.rbacAssessmentScannerEnabled | bool | `true` | rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner |
 | operator.replicas | int | `1` | replicas the number of replicas of the operator's pod |
 | operator.revisionHistoryLimit | string | `nil` | number of old history to retain to allow rollback (if not set, default Kubernetes value is set to 10) |
-| operator.sbomGenerationEnabled | bool | `true` | the flag to enable sbom generation |
+| operator.sbomGenerationEnabled | bool | `true` | the flag to enable sbom generation, required for enabling ClusterVulnerabilityReports |
 | operator.scanJobTTL | string | `""` | scanJobTTL the set automatic cleanup time after the job is completed |
 | operator.scanJobTimeout | string | `"5m"` | scanJobTimeout the length of time to wait before giving up on a scan job |
 | operator.scanJobsConcurrentLimit | int | `10` | scanJobsConcurrentLimit the maximum number of scan jobs create by the operator |
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index 463468728..a7c0cf0ae 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -73,7 +73,7 @@ operator:
 # -- the flag to enable vulnerability scanner
 vulnerabilityScannerEnabled: true
- # -- the flag to enable sbom generation
+ # -- the flag to enable sbom generation, required for enabling ClusterVulnerabilityReports
 sbomGenerationEnabled: true
 # -- the flag to enable cluster sbom cache generation
 clusterSbomCacheEnabled: false
@@ -99,7 +99,7 @@ operator:
 batchDeleteDelay: 10s
 # -- accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries
 accessGlobalSecretsAndServiceAccount: true
- # -- builtInTrivyServer The flag enable the usage of built-in trivy server in cluster ,its also override the following trivy params with built-in values
+ # -- builtInTrivyServer The flag enables the usage of built-in trivy server in cluster. It also overrides the following trivy params with built-in values
 # trivy.mode = ClientServer and serverURL = http://.:4975
 builtInTrivyServer: false
 # -- builtInServerRegistryInsecure is the flag to enable insecure connection from the built-in Trivy server to the registry.
diff --git a/docs/docs/crds/clustervulnerability-report.md b/docs/docs/crds/clustervulnerability-report.md
index 410939cd4..22037356e 100644
--- a/docs/docs/crds/clustervulnerability-report.md
+++ b/docs/docs/crds/clustervulnerability-report.md
@@ -3,6 +3,7 @@
 An instance of the ClusterVulnerabilityReport represents the latest vulnerabilities found in kubernetes cluster control-plane and node components.
 It consists of a list of control-plane and node components vulnerabilities with a summary of vulnerabilities grouped by severity.
+ClusterVulnerabilityReports are based on [CVEs](https://github.com/aquasecurity/vuln-list-k8s/tree/main/upstream) from the K8s vulnerability advisory.
 The following listing shows a sample ClusterVulnerabilityReport associated with the kind cluster v1.21.1