feat: Provide credentials in imagePullSecret without global access #2584
When running a cluster that contains images from a private registry, one needs to configure authentication. This is done by using kubernetes ImagePullSecrets. By default the trivy-operator is able to read the secrets attached to a target workload and use them to access the container registry. While this is necessary when working with different registries inside the cluster, this comes with one security downside: the operator needs access to all secrets inside the cluster. If all images are being pulled from a single private registry then one ImagePullSecret can be used for all of them. The easiest one to use is inside the operator namespace. This change does not impact any deployments running with default settings (global access enabled). But in case one disables that access, this allows the operator to instead read a single ImagePullSecret and use it for all images.
The unit tests have been fixed and now cover three different scenarios:
- No credentials have been configured at all
- ImagePullSecret for workload exists but global access is disabled
- ImagePullSecret for workload exists and global access is enabled
Also a small typo in the CONTRIBUTING.md is being fixed.
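As an added illustration of the credential-selection rule the description lays out (this is not code from the PR or from trivy-operator; the Settings fields GlobalSecretAccess, OperatorNamespace and PrivateRegistrySecret, the Workload type and the in-memory SecretStore are assumptions standing in for the operator's real configuration and the API server), the following Go program resolves registry credentials under both modes. With global access disabled it never touches a secret outside the operator namespace, which is the least-privilege property the change is after; the three scenarios the tests cover map directly onto calls to ResolveCredentials.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Credentials is one registry login taken from a kubernetes.io/dockerconfigjson secret.
type Credentials struct {
	Username, Password string
}

// dockerConfig mirrors the .dockerconfigjson layout: {"auths":{"<host>":{"auth":"<base64 user:password>"}}}
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"`
	} `json:"auths"`
}

// Settings holds the two options the PR describes; field names are assumptions, not the operator's keys.
type Settings struct {
	GlobalSecretAccess    bool   // may the operator read secrets in workload namespaces?
	OperatorNamespace     string // namespace the operator runs in
	PrivateRegistrySecret string // single ImagePullSecret in OperatorNamespace used when global access is off
}

type Workload struct {
	Namespace        string
	ImagePullSecrets []string
}

type SecretStore map[string][]byte // stands in for the API server: "namespace/name" -> raw .dockerconfigjson

// parseDockerConfig decodes every "auth" entry into a username/password pair keyed by registry host.
func parseDockerConfig(raw []byte) (map[string]Credentials, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	out := make(map[string]Credentials, len(cfg.Auths))
	for registry, entry := range cfg.Auths {
		dec, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return nil, fmt.Errorf("registry %s: %w", registry, err)
		}
		user, pass, ok := strings.Cut(string(dec), ":")
		if !ok {
			return nil, fmt.Errorf("registry %s: auth is not user:password", registry)
		}
		out[registry] = Credentials{Username: user, Password: pass}
	}
	return out, nil
}

// ResolveCredentials decides which secrets the operator may read and merges their entries. With global
// access disabled the workload's imagePullSecrets are ignored on purpose: only one secret is ever read.
func ResolveCredentials(store SecretStore, cfg Settings, w Workload) (map[string]Credentials, error) {
	var raws [][]byte
	switch {
	case cfg.GlobalSecretAccess:
		for _, name := range w.ImagePullSecrets {
			if raw, ok := store[w.Namespace+"/"+name]; ok {
				raws = append(raws, raw)
			}
		}
	case cfg.PrivateRegistrySecret != "":
		raw, ok := store[cfg.OperatorNamespace+"/"+cfg.PrivateRegistrySecret]
		if !ok {
			return nil, fmt.Errorf("secret %s/%s not found", cfg.OperatorNamespace, cfg.PrivateRegistrySecret)
		}
		raws = append(raws, raw)
	}
	merged := map[string]Credentials{}
	for _, raw := range raws {
		creds, err := parseDockerConfig(raw)
		if err != nil {
			return nil, err
		}
		for reg, c := range creds {
			if _, seen := merged[reg]; !seen { // the first secret listed wins for a registry
				merged[reg] = c
			}
		}
	}
	return merged, nil
}

// dockerConfigJSON builds a constructed .dockerconfigjson payload (sample data, not a real secret).
func dockerConfigJSON(registry, user, pass string) []byte {
	auth := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
	return []byte(fmt.Sprintf(`{"auths":{"%s":{"auth":"%s"}}}`, registry, auth))
}

func main() {
	store := SecretStore{"trivy-system/registry-creds": dockerConfigJSON("registry.example.com", "scanner", "ro-token")}
	creds, err := ResolveCredentials(store, Settings{OperatorNamespace: "trivy-system", PrivateRegistrySecret: "registry-creds"}, Workload{Namespace: "team-a"})
	fmt.Println(creds["registry.example.com"].Username, err) // scanner <nil>
}
```

A missing operator-namespace secret is reported as an error rather than silently falling back to the workload's secrets, since falling back would quietly reintroduce the cross-namespace read the setting is meant to remove.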
In [1] the trivy-operator updates the temporary secrets to reflect the ownership by each scan job. This requires the 'update' permission for secrets - otherwise the call will result in an error ("forbidden").
While the ClusterRole has this permission the Role does not. This needs to be added to run the trivy-operator without global access - while still using imagePullSecrets to configure authentication for private registries.
[1]: https://github.com/aquasecurity/trivy-operator/blob/d5d7e3d25c5e98f92c6a596af639b1f8df721869/pkg/vulnerabilityreport/controller/workload.go#L380-L389
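To make the RBAC point above concrete, here is an added Go check (not part of the PR or of trivy-operator; the PolicyRule struct, the sample Role rules and the assumed verb set ScanJobSecretVerbs are constructed for the example) that reports which verbs a namespaced Role still lacks on a resource. Run against a Role that grants everything on secrets except update, it surfaces the gap before a scan job fails with "forbidden". The matching honours the "*" wildcard and the core API group written as "", the way RBAC rules do.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule mirrors the fields of an RBAC rule that matter for this check.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// contains reports whether list has item, treating "*" as a wildcard as RBAC does.
func contains(list []string, item string) bool {
	for _, v := range list {
		if v == "*" || v == item {
			return true
		}
	}
	return false
}

// MissingVerbs returns, sorted, the verbs from needed that no rule grants on group/resource.
func MissingVerbs(rules []PolicyRule, group, resource string, needed []string) []string {
	granted := map[string]bool{}
	for _, r := range rules {
		if !contains(r.APIGroups, group) || !contains(r.Resources, resource) {
			continue
		}
		for _, verb := range needed {
			if contains(r.Verbs, verb) {
				granted[verb] = true
			}
		}
	}
	var missing []string
	for _, verb := range needed {
		if !granted[verb] {
			missing = append(missing, verb)
		}
	}
	sort.Strings(missing)
	return missing
}

// ScanJobSecretVerbs is an assumed set of what the operator needs on secrets in its own namespace:
// create the temporary scan-job secret, then update it with the owner reference, then delete it.
// The authoritative set is whatever the chart's Role template grants.
var ScanJobSecretVerbs = []string{"get", "create", "update", "delete"}

// namespacedRole is a constructed Role in the shape this check is meant to catch:
// every verb the scan job needs on secrets except "update".
var namespacedRole = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get", "list", "watch", "create", "delete"}},
	{APIGroups: []string{"batch"}, Resources: []string{"jobs"}, Verbs: []string{"*"}},
}

func main() {
	fmt.Println(MissingVerbs(namespacedRole, "", "secrets", ScanJobSecretVerbs)) // [update]
}
```

The same function run over the ClusterRole's rules returns nothing, which is exactly the asymmetry the commit text describes: the permission exists cluster-wide but not in the namespaced Role that a no-global-access deployment is bound to.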
* fix: helm param gcr service account auth Signed-off-by: chenk <hen.keinan@gmail.com> * fix: gcr basic auth Signed-off-by: chenk <hen.keinan@gmail.com> * fix: gcr basic auth Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com>
Signed-off-by: chenk <hen.keinan@gmail.com>
…2164) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.54.6 to 1.54.11. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.54.6...v1.54.11) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> * feat: dynamic compliance reports Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com>
* release: prepare v0.22.0 Signed-off-by: chenk <hen.keinan@gmail.com> * release: prepare v0.22.0 Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com> # Conflicts: # deploy/static/trivy-operator.yaml
…hart (#2168) Signed-off-by: Vadim Aleksandrov <valeksandrov@me.com>
…igmap or secret (#2174) * fix: add value to Helm Chart to load Trivy configuration from custom secret * style: fix indentation * feat: add trivy.valuesFromConfigMap * docs: add new values to configuration.md * docs: generate docs
…2177) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.54.6 to 1.54.15. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.54.6...v1.54.15) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update chart * Update README.md
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.26.0 to 0.27.0. - [Commits](golang/net@v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2187) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.54.15 to 1.54.19. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.54.15...v1.54.19) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.1.0 to 5.1.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@82c7e63...39cd149) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add headless: false to values.yaml. Removed this line from the documentation as no longer needed. Run the following command to remove the headless setting by editing the trivy-operator service: clusterIP: None * Added additional clarification comment for the values. * Removed Command
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.19.2 to 0.20.0. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.19.2...v0.20.0) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.30.2 to 0.30.3. - [Commits](kubernetes/cli-runtime@v0.30.2...v0.30.3) --- updated-dependencies: - dependency-name: k8s.io/cli-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2195) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.54.19 to 1.54.20. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG_PENDING.md) - [Commits](aws/aws-sdk-go@v1.54.19...v1.54.20) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@v3.2.0...v3.3.0) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.33.1 to 1.34.0. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.33.1...v1.34.0) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) from 2.19.0 to 2.19.1. - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](onsi/ginkgo@v2.19.0...v2.19.1) --- updated-dependencies: - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2215) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.54.20 to 1.55.5. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](aws/aws-sdk-go@v1.54.20...v1.55.5) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.5.0 to 3.6.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@v3.5.0...v3.6.0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.0 to 0.20.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](google/go-containerregistry@v0.20.0...v0.20.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2213) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.0.1 to 6.1.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v6.0.1...v6.1.0) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.34.0 to 1.34.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.34.0...v1.34.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
* fix: enable contextcheck and usetesting linters Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> * fix unused-parameter issue Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> --------- Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com> Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
…ranch (#2578) * copying over original alternate store writing to rebased main branch * linting * more minor lint * go mod tidy * fix helm chart lint --------- Co-authored-by: Simar <simar@linux.com>
…updates (#2537) Bumps the github-actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [aquaproj/aqua-installer](https://github.com/aquaproj/aqua-installer) | `3.1.1` | `3.1.2` | | [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `6.5.0` | `7.0.0` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.4.0` | `5.6.0` | | [docker/login-action](https://github.com/docker/login-action) | `3.3.0` | `3.4.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.8.1` | `3.8.2` | Updates `aquaproj/aqua-installer` from 3.1.1 to 3.1.2 - [Release notes](https://github.com/aquaproj/aqua-installer/releases) - [Commits](aquaproj/aqua-installer@v3.1.1...v3.1.2) Updates `golangci/golangci-lint-action` from 6.5.0 to 7.0.0 - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v6.5.0...v7.0.0) Updates `actions/setup-python` from 5.4.0 to 5.6.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v5.4.0...v5.6.0) Updates `docker/login-action` from 3.3.0 to 3.4.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@v3.3.0...v3.4.0) Updates `sigstore/cosign-installer` from 3.8.1 to 3.8.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@v3.8.1...v3.8.2) --- updated-dependencies: - dependency-name: aquaproj/aqua-installer dependency-version: 3.1.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: golangci/golangci-lint-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-python dependency-version: 5.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/login-action dependency-version: 3.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: sigstore/cosign-installer dependency-version: 3.8.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…2580) Bumps the common group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/aquasecurity/trivy-checks](https://github.com/aquasecurity/trivy-checks) | `1.11.2-0.20250529074512-7afea1b738c4` | `1.11.2` | | [github.com/go-logr/logr](https://github.com/go-logr/logr) | `1.4.2` | `1.4.3` | | [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.36.3` | `1.37.0` | | [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) | `0.32.3` | `0.33.1` | | [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) | `0.20.4` | `0.21.0` | Updates `github.com/aquasecurity/trivy-checks` from 1.11.2-0.20250529074512-7afea1b738c4 to 1.11.2 - [Release notes](https://github.com/aquasecurity/trivy-checks/releases) - [Commits](https://github.com/aquasecurity/trivy-checks/commits/v1.11.2) Updates `github.com/go-logr/logr` from 1.4.2 to 1.4.3 - [Release notes](https://github.com/go-logr/logr/releases) - [Changelog](https://github.com/go-logr/logr/blob/master/CHANGELOG.md) - [Commits](go-logr/logr@v1.4.2...v1.4.3) Updates `github.com/onsi/gomega` from 1.36.3 to 1.37.0 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](onsi/gomega@v1.36.3...v1.37.0) Updates `k8s.io/apiextensions-apiserver` from 0.32.3 to 0.33.1 - [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases) - [Commits](kubernetes/apiextensions-apiserver@v0.32.3...v0.33.1) Updates `sigs.k8s.io/controller-runtime` from 0.20.4 to 0.21.0 - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.20.4...v0.21.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy-checks dependency-version: 1.11.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: common - dependency-name: github.com/go-logr/logr dependency-version: 1.4.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: common - dependency-name: github.com/onsi/gomega dependency-version: 1.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: common - dependency-name: k8s.io/apiextensions-apiserver dependency-version: 0.33.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: common - dependency-name: sigs.k8s.io/controller-runtime dependency-version: 0.21.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: common ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The unit tests have been fixed and now cover three different scenarios:
- No credentials have been configured at all
- ImagePullSecret for workload exists but global access is disabled
- ImagePullSecret for workload exists and global access is enabled
Also a small typo in the CONTRIBUTING.md is being fixed.
# Conflicts:
# pkg/kube/secrets_test.go
In [1] the trivy-operator updates the temporary secrets to reflect the ownership by each scan job. This requires the 'update' permission for secrets - otherwise the call will result in an error ("forbidden").
While the ClusterRole has this permission the Role does not. This needs to be added to run the trivy-operator without global access - while still using imagePullSecrets to configure authentication for private registries.
[1]: https://github.com/aquasecurity/trivy-operator/blob/d5d7e3d25c5e98f92c6a596af639b1f8df721869/pkg/vulnerabilityreport/controller/workload.go#L380-L389