trivy-operator integration with kube-enforcer

With this change, we are replacing starboard operator with trivy operator
1. We have updated kube_enforcer,kube_enforcer_advanced manifest files with Trivy Operator Resources
2. Moved starboard manifest files to kube_enforcer_starbaord and kube_enforcer_advanced_starboard
3. Updated relevant gen_ke_certs.sh and readme files
Reference PR: aquasecurity#566

4. Upgraded trivy-operator version to  latest (0.20.1)as the existing version has critical vulnerabilities
5. Upgraded kube-bench version with latest (v0.7.3)
Reference PR: aquasecurity#567

6. Added keys for Admission Control when the GW is disconnected, Enable workload discovery, Register discovered pod images, and Add discovered registries.
7. Removed the AQUA_WATCH_CONFIG_AUDIT_REPORT key as it is no longer supported.
Reference PR: aquasecurity#565

Author: KiranBodipi

enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml

@@ -93,63 +93,100 @@ spec:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: starboard-operator
+  name: trivy-operator
   namespace: aqua
   labels:
-    app: starboard-operator
+    app.kubernetes.io/name: trivy-operator
+    app.kubernetes.io/instance: trivy-operator
+    app.kubernetes.io/version: "0.20.1"
+    app.kubernetes.io/managed-by: kubectl
 spec:
   replicas: 1
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app: starboard-operator
+      app.kubernetes.io/name: trivy-operator
+      app.kubernetes.io/instance: trivy-operator
   template:
     metadata:
       labels:
-        app: starboard-operator
+        app.kubernetes.io/name: trivy-operator
+        app.kubernetes.io/instance: trivy-operator
     spec:
-      serviceAccountName: starboard-operator
+      serviceAccountName: trivy-operator
       automountServiceAccountToken: true
-      securityContext: {}
       containers:
-        - name: operator
-          image: docker.io/aquasec/starboard-operator:0.15.20
+        - name: "trivy-operator"
+          image: "docker.io/aquasec/trivy-operator:0.20.1"
           imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: false
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
           env:
             - name: OPERATOR_NAMESPACE
               value: aqua
             - name: OPERATOR_TARGET_NAMESPACES
               value: ""
+            - name: OPERATOR_EXCLUDE_NAMESPACES
+              value: ""
+            - name: OPERATOR_TARGET_WORKLOADS
+              value: "pod,replicaset,replicationcontroller,statefulset,daemonset,cronjob,job"
+            - name: OPERATOR_SERVICE_ACCOUNT
+              value: "trivy-operator"
             - name: OPERATOR_LOG_DEV_MODE
-              value: "false"
+              value: "true"
+            - name: OPERATOR_SCAN_JOB_TIMEOUT
+              value: "5m"
             - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT
               value: "10"
             - name: OPERATOR_SCAN_JOB_RETRY_AFTER
-              value: 30s
+              value: "30s"
+            - name: OPERATOR_BATCH_DELETE_LIMIT
+              value: "10"
+            - name: OPERATOR_BATCH_DELETE_DELAY
+              value: "10s"
             - name: OPERATOR_METRICS_BIND_ADDRESS
-              value: :8080
-            - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS
-              value: :9090
-            - name: OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED
+              value: ":8080"
+            - name: OPERATOR_METRICS_FINDINGS_ENABLED
+              value: "true"
+            - name: OPERATOR_METRICS_VULN_ID_ENABLED
               value: "false"
+            - name: OPERATOR_HEALTH_PROBE_BIND_ADDRESS
+              value: ":9090"
             - name: OPERATOR_VULNERABILITY_SCANNER_ENABLED
               value: "false"
-            - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
+            - name: OPERATOR_VULNERABILITY_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
+              value: "true"
+            - name: OPERATOR_SCANNER_REPORT_TTL
+              value: "24h"
+            - name: OPERATOR_SBOM_GENERATION_ENABLED
+              value: "false"
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_ENABLED
               value: "true"
-            - name: OPERATOR_BATCH_DELETE_LIMIT
-              value: "10"
-            - name: OPERATOR_BATCH_DELETE_DELAY
-              value: "10s"
             - name: OPERATOR_CLUSTER_COMPLIANCE_ENABLED
               value: "false"
+            - name: OPERATOR_RBAC_ASSESSMENT_SCANNER_ENABLED
+              value: "true"
+            - name: OPERATOR_INFRA_ASSESSMENT_SCANNER_ENABLED
+              value: "false"
+            - name: OPERATOR_CONFIG_AUDIT_SCANNER_SCAN_ONLY_CURRENT_REVISIONS
+              value: "true"
+            - name: OPERATOR_EXPOSED_SECRET_SCANNER_ENABLED
+              value: "false"
+            - name: OPERATOR_WEBHOOK_BROADCAST_URL
+              value: ""
+            - name: OPERATOR_WEBHOOK_BROADCAST_TIMEOUT
+              value: "30s"
+            - name: OPERATOR_PRIVATE_REGISTRY_SCAN_SECRETS_NAMES
+              value: "{}"
+            - name: OPERATOR_ACCESS_GLOBAL_SECRETS_SERVICE_ACCOUNTS
+              value: "true"
+            - name: OPERATOR_BUILT_IN_TRIVY_SERVER
+              value: "false"
+            - name: TRIVY_SERVER_HEALTH_CHECK_CACHE_EXPIRATION
+              value: "10h"
+            - name: OPERATOR_MERGE_RBAC_FINDING_WITH_CONFIG_AUDIT
+              value: "true"
+            - name: CONTROLLER_CACHE_SYNC_TIMEOUT
+              value: "5m"
           ports:
             - name: metrics
               containerPort: 8080
@@ -171,3 +208,14 @@ spec:
             periodSeconds: 10
             successThreshold: 1
             failureThreshold: 10
+          resources:
+            {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+      securityContext:
+        {}

enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/003_kube_enforcer_deploy.yaml

@@ -7,9 +7,9 @@ This repository shows the manifest yaml files required to deploy Aqua KubeEnforc
 * OpenShift 
 * Kubernetes engines: EKS, GKE, ICP, AKS, TKG, and TKGI
 
-Starboard is deployed with the KubeEnforcer to increase the effectiveness of Kubernetes security.
+Trivy Operator is deployed with the KubeEnforcer to increase the effectiveness of Kubernetes security.
 
-Starboard assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to:
+Trivy Operator assesses workload compliance throughout the lifecycle of the workloads. This enables the KubeEnforcer to:
 * Re-evaluate workload compliance during workload runtime, taking any workload and policy changes into account
 * Reflect the results of compliance evaluation in the Aqua UI at all times, not only when workloads are created
 

enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/README.md

@@ -100,39 +100,30 @@ EOF
     fi
 }
 
-# for using custom namespace instead of AQUA NS download the 001_kube_enforcer_config.yaml, make changes to it and keep it in current directory where this script is running
-_prepare_ke() {          
+_prepare_ke() {
     script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" &> /dev/null && pwd)
     _rootCA=$(cat rootCA.crt | base64 | tr -d '\n' | tr -d '\r')
-    local_config_file="./001_kube_enforcer_config.yaml"             # path of local 001_kube_enforcer_config.yaml file
-
-    if test -f "$local_config_file"; then
-        # Add CA bundle to the local KubeEnforcer config file
+    githubBranch="2022.4"
+    if test -f "$script_dir/001_kube_enforcer_config.yaml"; then
         _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$script_dir/001_kube_enforcer_config.yaml")
         if eval "$_addCABundle"; then
-            printf "\nInfo: Successfully prepared config.yaml manifest file.\n"
+            printf "\nInfo: Successfully prepared 001_kube_enforcer_config.yaml manifest file.\n"
             _deploy_ke_admin
         else
             printf "\nError: Failed to prepare KubeEnforcer config file from local"
             exit 1
         fi
-    else                                # for deploying kube enforcer in default namespace, i.e., AQUA.
-        printf "\nInfo: Local config file not found, attempting to download from GitHub\n"
-        githubBranch="2022.4"
-        if curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml -o "$local_config_file"; then
-            # Add CA bundle to the downloaded KubeEnforcer config file
-            _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$local_config_file")
-            if eval "$_addCABundle"; then
-                printf "\nInfo: Successfully prepared config.yaml manifest file.\n"
-                _deploy_ke_admin
-            else
-                printf "\nError: Failed to prepare KubeEnforcer config file from GitHub"
-                exit 1
-            fi
+    elif curl https://raw.githubusercontent.com/aquasecurity/deployments/$githubBranch/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml -o "001_kube_enforcer_config.yaml"; then
+        _addCABundle=$(sed -i'.original' "s/caBundle.*/caBundle\:\ $_rootCA/g" "$script_dir/001_kube_enforcer_config.yaml")
+        if eval "$_addCABundle"; then
+            printf "\nInfo: Successfully prepared 001_kube_enforcer_config.yaml manifest file.\n"
+            _deploy_ke_admin
         else
-            printf "\nError: Failed to download config.yaml manifest file from GitHub"
+            printf "\nError: Failed to prepare KubeEnforcer config file from github"
             exit 1
         fi
+    else
+        printf "\nError: Failed to download 001_kube_enforcer_config.yaml manifest file"
     fi
 }