diff --git a/charts/zora/README.md b/charts/zora/README.md index f9dd44d4..4a57200e 100644 --- a/charts/zora/README.md +++ b/charts/zora/README.md @@ -123,7 +123,7 @@ The following table lists the configurable parameters of the Zora chart and thei | scan.plugins.trivy.envFrom | list | `[]` | List of sources to populate environment variables in trivy container. | | scan.plugins.trivy.timeout | string | `"10m"` | Trivy timeout | | scan.plugins.trivy.insecure | bool | `false` | Allow insecure server connections for Trivy | -| scan.plugins.trivy.fsGroup | int | `nil` | Trivy fsGroup. Should be greater than 0. | +| scan.plugins.trivy.fsGroup | int | `0` | Specifies the fsGroup to use when mounting the persistent volume. Should be greater than 0. | | scan.plugins.trivy.persistence.enabled | bool | `true` | Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim | | scan.plugins.trivy.persistence.accessMode | string | `"ReadWriteOnce"` | [Persistence access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) | | scan.plugins.trivy.persistence.storageClass | string | `""` | [Persistence storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/). Set to empty for default storage class | diff --git a/charts/zora/templates/operator/deployment.yaml b/charts/zora/templates/operator/deployment.yaml index 8f453626..c16e9663 100644 --- a/charts/zora/templates/operator/deployment.yaml +++ b/charts/zora/templates/operator/deployment.yaml @@ -104,8 +104,8 @@ spec: - --worker-image={{ printf "%s:%s" .Values.scan.worker.image.repository (.Values.scan.worker.image.tag | default .Chart.AppVersion) }} - --cronjob-clusterrolebinding-name=zora-plugins-rolebinding - --cronjob-serviceaccount-name=zora-plugins - - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-db-volume{{- end }} - - --trivy-fs-group={{- if .Values.scan.plugins.trivy.fsGroup }}{{ .Values.scan.plugins.trivy.fsGroup }}{{- else }}0{{- end}} + - --trivy-db-pvc={{- if .Values.scan.plugins.trivy.persistence.enabled }}trivy-dbs-volume{{- end }} + - --trivy-fs-group={{ .Values.scan.plugins.trivy.fsGroup }} {{- if .Values.scan.plugins.annotations}} - --cronjob-serviceaccount-annotations={{ $first := true }}{{- range $key, $value := .Values.scan.plugins.annotations }}{{if not $first}},{{else}}{{$first = false}}{{end}}{{ $key }}={{$value}}{{- end }} {{- end }} diff --git a/charts/zora/templates/plugins/trivy-job.yaml b/charts/zora/templates/plugins/trivy-job.yaml index 8e186506..fe0a4f41 100644 --- a/charts/zora/templates/plugins/trivy-job.yaml +++ b/charts/zora/templates/plugins/trivy-job.yaml @@ -24,11 +24,9 @@ spec: volumes: - name: trivy-db persistentVolumeClaim: - claimName: trivy-db-volume - {{- if .Values.scan.plugins.trivy.fsGroup }} + claimName: trivy-dbs-volume securityContext: fsGroup: {{ .Values.scan.plugins.trivy.fsGroup }} - {{- end }} containers: - name: trivy-download-db image: "{{ .Values.scan.plugins.trivy.image.repository }}:{{ .Values.scan.plugins.trivy.image.tag }}" @@ -42,6 +40,7 @@ spec: - ALL privileged: false runAsNonRoot: true + runAsGroup: {{ .Values.scan.plugins.trivy.fsGroup }} seccompProfile: type: "RuntimeDefault" volumeMounts: @@ -66,8 +65,8 @@ spec: {{- if .Values.scan.plugins.trivy.insecure }} --insecure \ {{- end }} - --download-java-db-only - {{- end }} + --download-java-db-only {{- end }} && \ + chgrp -f -R {{ .Values.scan.plugins.trivy.fsGroup }} /tmp/trivy-cache/* && chmod -f -R g+rwX /tmp/trivy-cache/* env: - name: SSL_CERT_DIR value: "/etc/ssl/:/run/secrets/kubernetes.io/serviceaccount/" diff --git a/charts/zora/templates/plugins/trivy-pvc.yaml b/charts/zora/templates/plugins/trivy-pvc.yaml index 38ca07b3..a1ae6ad0 100644 --- a/charts/zora/templates/plugins/trivy-pvc.yaml +++ b/charts/zora/templates/plugins/trivy-pvc.yaml @@ -16,7 +16,7 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: trivy-db-volume + name: trivy-dbs-volume spec: {{- if .Values.scan.plugins.trivy.persistence.storageClass }} storageClassName: {{ .Values.scan.plugins.trivy.persistence.storageClass | quote }} diff --git a/charts/zora/values.yaml b/charts/zora/values.yaml index 6a5cf90a..cbbb9b4a 100644 --- a/charts/zora/values.yaml +++ b/charts/zora/values.yaml @@ -241,8 +241,8 @@ scan: # -- Allow insecure server connections for Trivy insecure: false - # -- (int) Trivy fsGroup. Should be greater than 0. - fsGroup: null + # -- Specifies the fsGroup to use when mounting the persistent volume. Should be greater than 0. + fsGroup: 0 persistence: # -- Specifies whether Trivy vulnerabilities database should be persisted between the scans, using PersistentVolumeClaim diff --git a/pkg/plugins/cronjob.go b/pkg/plugins/cronjob.go index 722456b0..97e30763 100644 --- a/pkg/plugins/cronjob.go +++ b/pkg/plugins/cronjob.go @@ -146,6 +146,7 @@ func (r *CronJobMutator) Mutate() error { }) } + setRunAsGroup := false if r.Plugin.Name == "trivy" { if r.TrivyPVC != "" { r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes = append(r.Existing.Spec.JobTemplate.Spec.Template.Spec.Volumes, corev1.Volume{ @@ -155,8 +156,9 @@ func (r *CronJobMutator) Mutate() error { }, }) } - if r.TrivyFSGroup != 0 { + if r.TrivyFSGroup >= 0 { r.Existing.Spec.JobTemplate.Spec.Template.Spec.SecurityContext = &corev1.PodSecurityContext{FSGroup: &r.TrivyFSGroup} + setRunAsGroup = true } } @@ -204,6 +206,12 @@ func (r *CronJobMutator) Mutate() error { r.Existing.Spec.JobTemplate.Spec.Template.Spec.Containers = containers } + if setRunAsGroup { + for _, container := range r.Existing.Spec.JobTemplate.Spec.Template.Spec.Containers { + container.SecurityContext.RunAsGroup = &r.TrivyFSGroup + } + } + return ctrl.SetControllerReference(r.ClusterScan, r.Existing, r.Scheme) }