Deploying a Trivy Vulnerability Scanning Service in Kubernetes
Create a dedicated Namespace
# trivy-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: trivy-system
Configure persistent storage (vulnerability database cache)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: trivy-db-cache
  namespace: trivy-system
spec:
  # Note: ReadWriteOnce volumes can be mounted by one node at a time, so the
  # two Deployment replicas below must land on the same node, or the storage
  # class must support ReadWriteMany.
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: standard
Deploy the Trivy service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-scanner
  namespace: trivy-system
spec:
  replicas: 2
  selector:
    matchLabels:
      app: trivy-scanner
  template:
    metadata:
      labels:
        app: trivy-scanner
    spec:
      containers:
      - name: trivy
        image: aquasec/trivy:0.45.1
        # Run Trivy in server mode, listening on the container port exposed below
        args: ["server", "--listen", "0.0.0.0:8080", "--cache-dir", "/trivy/cache"]
        volumeMounts:
        - name: trivy-cache
          mountPath: /trivy/cache
        ports:
        - containerPort: 8080
        resources:
          requests:
            memory: "512Mi"
            cpu: "500m"
          limits:
            memory: "2Gi"
            cpu: "1"
      volumes:
      - name: trivy-cache
        persistentVolumeClaim:
          claimName: trivy-db-cache
Create a Service to expose the API
# trivy-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: trivy-service
  namespace: trivy-system
spec:
  selector:
    app: trivy-scanner
  ports:
  - name: http   # referenced by the ServiceMonitor below
    protocol: TCP
    port: 80
    targetPort: 8080
Configure automatic database updates (optional)
# trivy-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: trivy-db-updater
  namespace: trivy-system
spec:
  schedule: "0 0 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: trivy-db-update
            image: aquasec/trivy:0.45.1
            # --download-db-only is a flag of the "image" subcommand
            args: ["image", "--download-db-only", "--cache-dir", "/trivy/cache"]
            volumeMounts:
            - name: trivy-cache
              mountPath: /trivy/cache
          restartPolicy: OnFailure
          volumes:
          - name: trivy-cache
            persistentVolumeClaim:
              claimName: trivy-db-cache
Verify the deployment
# Check component status
kubectl get pods -n trivy-system
# Run a test scan against the server
kubectl run test-scan --rm -i --tty --image aquasec/trivy:0.45.1 \
  --namespace trivy-system \
  --command -- sh -c "trivy image --server http://trivy-service:80 alpine:3.12"
CI/CD integration (example)
// Jenkins Pipeline example
pipeline {
  agent any
  stages {
    stage('Scan Image') {
      steps {
        script {
          sh 'docker build -t myapp:${BUILD_ID} .'
          def scanResult = sh(script: '''
            kubectl run trivy-scan-${BUILD_ID} \
              --namespace trivy-system \
              --image aquasec/trivy:0.45.1 \
              --rm -i --restart=Never \
              -- \
              image --severity HIGH,CRITICAL \
                --format json \
                --server http://trivy-service:80 \
                myapp:${BUILD_ID}
          ''', returnStdout: true)
          def report = readJSON text: scanResult
          // Check every scanned target, not only the first one
          if (report.Results.any { it.Vulnerabilities }) {
            error "发现高危漏洞!"
          }
        }
      }
    }
  }
}
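The Jenkins step above inspects the raw report in Groovy. As an added example that is not part of the original article, the following standalone Python gate consumes the JSON produced by `trivy image --format json` (for instance piped from the `kubectl run` command), counts findings across every `Results` entry, tolerates targets where Trivy omits the `Vulnerabilities` key, and fails when any HIGH or CRITICAL finding is present. The embedded report is constructed sample data and its CVE identifiers are placeholders.

```python
import json
from collections import Counter

# Constructed sample report in Trivy's JSON output layout (not real scan data).
# Trivy omits the "Vulnerabilities" key for a target with no findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myapp:123",
    "Results": [
        {"Target": "myapp:123 (alpine 3.12.0)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libcrypto", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox", "Severity": "MEDIUM"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs"},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "lodash", "Severity": "HIGH"},
         ]},
    ],
})


def count_by_severity(report_json: str) -> Counter:
    """Count findings per severity across all Results, tolerating missing keys."""
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def gate(report_json: str, fail_on=("HIGH", "CRITICAL")) -> bool:
    """Return True when the image may be promoted (no finding at a blocking severity)."""
    counts = count_by_severity(report_json)
    return not any(counts[severity] for severity in fail_on)


if __name__ == "__main__":
    import sys
    # Read a report from stdin when piped; otherwise fall back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print(dict(count_by_severity(data)))
    sys.exit(0 if gate(data) else 1)
```

Run it as `kubectl run ... --format json ... | python3 trivy_gate.py`; the non-zero exit status fails the CI stage.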
Advanced configuration options
- Private registry authentication:
# Add the credentials to the Deployment's container spec
env:
- name: TRIVY_USERNAME
  valueFrom:
    secretKeyRef:
      name: registry-creds
      key: username
- name: TRIVY_PASSWORD
  valueFrom:
    secretKeyRef:
      name: registry-creds
      key: password
- Custom policy rules:
# Create a ConfigMap and mount the custom policies
volumes:
- name: trivy-policies
  configMap:
    name: trivy-custom-policies
volumeMounts:
- name: trivy-policies
  mountPath: /etc/trivy/policies
- Service mesh integration:
annotations:
  sidecar.istio.io/inject: "true"
  sidecar.istio.io/rewriteAppHTTPProbers: "true"
Monitoring metrics configuration
# Add Prometheus monitoring to the Trivy server container
args:
- "server"
- "--listen=0.0.0.0:8080"
- "--cache-dir=/trivy/cache"
- "--metrics"
# ServiceMonitor configuration
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: trivy-monitor
  namespace: trivy-system
spec:
  endpoints:
  - port: http
    interval: 30s
  selector:
    matchLabels:
      app: trivy-scanner
This deployment has the following characteristics:
- Highly available deployment (multiple replicas)
- Persistent database cache
- Daily automatic vulnerability database updates
- Integrated Prometheus monitoring
- Private registry authentication support
- Extensible policy management
- Service mesh compatibility
Adjust the storage class, resource quotas, network policies and other parameters to suit your environment.