Everyone can contribute! Let's learn together in a weekly cafe ☕


We love to break things, make mistakes, debug, analyse, fix problems together. Live and unfiltered on Youtube.

Community members and thought leaders regularly join and share their projects and ideas.

"Everyone Can Contribute" is inspired by GitLab's mission.

41. #EveryoneCanContribute cafe: Kubernetes Cluster Image Scanning with Trivy & Starboard


Niclas Mietz walks us through Aqua Security Starboard, installed into a Civo Cloud k3s cluster. Philip Welz takes over with Trivy in Estafette.

Reminder: GitLab Commit Virtual day 2 is today. Register now!

Recording

Enjoy the session! 🦊


Highlights

First, the Starboard Operator is installed and starts collecting the cluster image reports in our Civo k3s cluster. You can specify the namespaces the Starboard Operator watches in its configuration. If left empty, all namespaces are scanned - we defined the default namespace.

The next step is to combine this with GitLab CI/CD to see the security reports. Follow the GitLab documentation to generate the CIS_KUBECONFIG variable as a file variable. You can also define additional parameters for the CI/CD job.

The Estafette Vulnerability Scanner runs Trivy in a pod at a configured interval and reports similar cluster image vulnerabilities. The installation with the Helm chart and the values.yml override took longer, and the Grafana dashboard sourcing the Prometheus exporter and the ServiceMonitor resource needed extra attention.
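As an added example (not code from the session, from Starboard or from GitLab), here is a small policy gate a CI job could run over the VulnerabilityReport objects the operator writes into the cluster: it reports the findings per workload that already have a fixed package version and fails when they exceed a threshold. It assumes the label and field names of Starboard's VulnerabilityReport CRD and uses a constructed sample in place of the output of `kubectl get vulnerabilityreports -A -o json`.

```python
import json
# Constructed sample in the shape of `kubectl get vulnerabilityreports -A -o json`.
# Field names follow Starboard's VulnerabilityReport CRD; the CVE ids are placeholders.
SAMPLE_REPORTS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "labels": {"starboard.resource.kind": "ReplicaSet",
                  "starboard.resource.name": "web-6d4b", "starboard.container.name": "web"}},
     "report": {"artifact": {"repository": "library/nginx", "tag": "1.19"}, "vulnerabilities": [
         {"vulnerabilityID": "CVE-0000-0001", "resource": "openssl", "severity": "CRITICAL",
          "installedVersion": "1.1.1d", "fixedVersion": "1.1.1k"},
         {"vulnerabilityID": "CVE-0000-0002", "resource": "libc6", "severity": "HIGH",
          "installedVersion": "2.28", "fixedVersion": ""},  # no fix available yet
         {"vulnerabilityID": "CVE-0000-0003", "resource": "curl", "severity": "HIGH",
          "installedVersion": "7.64", "fixedVersion": "7.74"}]}},
    {"metadata": {"namespace": "default", "labels": {"starboard.resource.kind": "ReplicaSet",
                  "starboard.resource.name": "api-7f9c", "starboard.container.name": "api"}},
     "report": {"artifact": {"repository": "example/api", "tag": "2.0"}, "vulnerabilities": [
         {"vulnerabilityID": "CVE-0000-0004", "resource": "zlib", "severity": "MEDIUM",
          "installedVersion": "1.2.11", "fixedVersion": "1.2.12"}]}}]})

RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def load_reports(raw):
    return json.loads(raw)["items"]

def fixable_findings(item, min_severity="HIGH"):
    """Findings at or above min_severity for which Trivy reports a fixed package version."""
    return [v for v in item["report"].get("vulnerabilities", [])
            if RANK.get(v["severity"], 0) >= RANK[min_severity] and v.get("fixedVersion")]

def summarize(items, min_severity="HIGH"):
    """Map 'namespace/kind/name:container' to (cve, package, installed, fixed) tuples."""
    out = {}
    for item in items:
        md, lbl = item["metadata"], item["metadata"]["labels"]
        key = "%s/%s/%s:%s" % (md["namespace"], lbl["starboard.resource.kind"],
                               lbl["starboard.resource.name"], lbl["starboard.container.name"])
        out[key] = [(v["vulnerabilityID"], v["resource"], v["installedVersion"], v["fixedVersion"])
                    for v in fixable_findings(item, min_severity)]
    return out

def gate(items, min_severity="HIGH", max_fixable=0):
    """True when the count of fixable findings across all reports is within policy."""
    return sum(len(f) for f in summarize(items, min_severity).values()) <= max_fixable

if __name__ == "__main__":
    reports = load_reports(SAMPLE_REPORTS)
    for workload, findings in summarize(reports).items():
        print(workload, findings or "clean")
    raise SystemExit(0 if gate(reports) else 1)
```

Findings without a fixedVersion are deliberately left out of the gate so that a vulnerability nobody can patch yet does not block every pipeline; they still appear in the operator's reports.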

Insights


Date published: August 4, 2021

Tags: Security, Gitlab, Trivy, Kubernetes, Starboard