The Starboard Operator has moved to the main Starboard repository, and we're about to archive this repo.
This operator for Starboard automatically updates security report resources in response to workload and other changes on a Kubernetes cluster - for example, initiating a vulnerability scan when a new pod is started. Please see the main Starboard repo for more info about the Starboard project.
Configuration of the operator is done via environment variables at startup.
| NAME | DEFAULT | DESCRIPTION |
|---|---|---|
| OPERATOR_NAMESPACE | N/A | See Install modes |
| OPERATOR_TARGET_NAMESPACES | N/A | See Install modes |
| OPERATOR_SCANNER_TRIVY_ENABLED | true | The flag to enable the Trivy vulnerability scanner |
| OPERATOR_SCANNER_TRIVY_VERSION | 0.11.0 | The version of Trivy to be used |
| OPERATOR_SCANNER_TRIVY_IMAGE | aquasec/trivy:0.11.0 | The Docker image of Trivy to be used |
| OPERATOR_SCANNER_AQUA_CSP_ENABLED | false | The flag to enable the Aqua CSP vulnerability scanner |
| OPERATOR_SCANNER_AQUA_CSP_VERSION | 5.0 | The version of the Aqua CSP scanner to be used |
| OPERATOR_SCANNER_AQUA_CSP_IMAGE | aquasec/scanner:5.0 | The Docker image of the Aqua CSP scanner to be used |
| OPERATOR_LOG_DEV_MODE | false | The flag to use (or not use) development mode (more human-readable output, extra stack traces and logging information, etc.) |
| OPERATOR_SCAN_JOB_TIMEOUT | 5m | The length of time to wait before giving up on a scan job |
| OPERATOR_METRICS_BIND_ADDRESS | :8080 | The TCP address to bind to for serving Prometheus metrics. Set it to 0 to disable metrics serving. |
| OPERATOR_HEALTH_PROBE_BIND_ADDRESS | :9090 | The TCP address to bind to for serving health probes, i.e. the /healthz/ and /readyz/ endpoints. |
The values of OPERATOR_NAMESPACE and OPERATOR_TARGET_NAMESPACES determine the install mode, which in turn determines the multitenancy support of the operator.

| MODE | OPERATOR_NAMESPACE | OPERATOR_TARGET_NAMESPACES | DESCRIPTION |
|---|---|---|---|
| OwnNamespace | operators | operators | The operator watches events in the namespace it is deployed in. |
| SingleNamespace | operators | foo | The operator watches events in a single namespace that it is not deployed in. |
| MultiNamespace | operators | foo,bar,baz | The operator watches events in more than one namespace. |
| AllNamespaces | operators | | The operator watches events in all namespaces. |
To enable Aqua CSP as the vulnerability scanner, set OPERATOR_SCANNER_AQUA_CSP_ENABLED to true and disable the default Trivy scanner by setting OPERATOR_SCANNER_TRIVY_ENABLED to false.
To configure the Aqua CSP scanner, create the starboard-operator secret in the namespace the operator is deployed in (the operators namespace in the install-mode examples above, i.e. $OPERATOR_NAMESPACE):

```shell
$ kubectl create secret generic starboard-operator \
    --namespace $OPERATOR_NAMESPACE \
    --from-literal OPERATOR_SCANNER_AQUA_CSP_USERNAME=$AQUA_CONSOLE_USERNAME \
    --from-literal OPERATOR_SCANNER_AQUA_CSP_PASSWORD=$AQUA_CONSOLE_PASSWORD \
    --from-literal OPERATOR_SCANNER_AQUA_CSP_VERSION=$AQUA_VERSION \
    --from-literal OPERATOR_SCANNER_AQUA_CSP_HOST=http://csp-console-svc.aqua:8080
```

The secret holds the Aqua console credentials, so restrict read access to it in that namespace accordingly.
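A pre-flight check for the operator's environment, as an added example that is not part of the starboard-operator project: it derives the install mode from the two namespace variables the way the install-modes table above does, rejects configurations in which both or neither scanner is enabled (the Aqua CSP instructions require Trivy to be switched off), checks that the credentials and host the starboard-operator secret must carry are present when Aqua CSP is enabled, and checks that the Trivy image tag agrees with OPERATOR_SCANNER_TRIVY_VERSION. The variable names come from the configuration table; the function names, the "exactly one scanner" rule, the non-empty-credentials rule and the image-tag check are this example's own assumptions, not behaviour the operator is documented to enforce.

```shell
#!/bin/sh
# Pre-flight check for starboard-operator environment variables.
# Added example, not part of the starboard-operator project: the variable
# names follow the configuration table; the checks are assumptions.

# Derive the install mode from OPERATOR_NAMESPACE ($1) and
# OPERATOR_TARGET_NAMESPACES ($2), mirroring the install-modes table:
# empty targets -> AllNamespaces, targets equal to the own namespace ->
# OwnNamespace, a comma-separated list -> MultiNamespace, otherwise
# SingleNamespace.
install_mode() {
  if [ -z "$2" ]; then
    echo AllNamespaces
  elif [ "$2" = "$1" ]; then
    echo OwnNamespace
  else
    case "$2" in
      *,*) echo MultiNamespace ;;
      *)   echo SingleNamespace ;;
    esac
  fi
}

# Exactly one scanner may be enabled: Trivy ($1, default true) or
# Aqua CSP ($2, default false). Returns 0 when the pair is consistent.
scanner_config_ok() {
  case "${1:-true}/${2:-false}" in
    true/false | false/true) return 0 ;;
    *) return 1 ;;
  esac
}

# When Aqua CSP is enabled ($1 = true), the starboard-operator secret must
# supply a username ($2), a password ($3) and the console host ($4).
aqua_secret_ok() {
  if [ "$1" != "true" ]; then
    return 0
  fi
  if [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ]; then
    return 0
  fi
  return 1
}

# The tag of the Trivy image ($1) must equal OPERATOR_SCANNER_TRIVY_VERSION
# ($2). An untagged image (implicit :latest) fails, which is what you want
# for a scanner whose version is meant to be pinned (example's assumption).
trivy_image_matches_version() {
  case "$1" in
    *:*) [ "${1##*:}" = "$2" ] ;;
    *)   return 1 ;;
  esac
}

# Read the operator's environment, using the table's defaults where a
# variable is unset, print the install mode and return non-zero on any
# problem found.
preflight() {
  rc=0
  echo "install mode: $(install_mode "${OPERATOR_NAMESPACE:-}" "${OPERATOR_TARGET_NAMESPACES:-}")"
  if ! scanner_config_ok "${OPERATOR_SCANNER_TRIVY_ENABLED:-}" "${OPERATOR_SCANNER_AQUA_CSP_ENABLED:-}"; then
    echo "error: enable exactly one of Trivy and Aqua CSP" >&2; rc=1
  fi
  if ! aqua_secret_ok "${OPERATOR_SCANNER_AQUA_CSP_ENABLED:-false}" \
       "${OPERATOR_SCANNER_AQUA_CSP_USERNAME:-}" "${OPERATOR_SCANNER_AQUA_CSP_PASSWORD:-}" \
       "${OPERATOR_SCANNER_AQUA_CSP_HOST:-}"; then
    echo "error: Aqua CSP is enabled but username, password or host is missing" >&2; rc=1
  fi
  if ! trivy_image_matches_version "${OPERATOR_SCANNER_TRIVY_IMAGE:-aquasec/trivy:0.11.0}" \
       "${OPERATOR_SCANNER_TRIVY_VERSION:-0.11.0}"; then
    echo "error: Trivy image tag does not match OPERATOR_SCANNER_TRIVY_VERSION" >&2; rc=1
  fi
  return $rc
}

# Run the checks when executed directly as preflight.sh; sourcing the file
# only defines the functions.
case "$0" in
  *preflight.sh) preflight ;;
esac
```

Run it with the same environment you intend to give the operator Deployment, for example `env OPERATOR_NAMESPACE=operators OPERATOR_TARGET_NAMESPACES=foo,bar OPERATOR_SCANNER_TRIVY_ENABLED=false OPERATOR_SCANNER_AQUA_CSP_ENABLED=true sh preflight.sh` together with the three OPERATOR_SCANNER_AQUA_CSP_* values from the secret; a non-zero exit means the operator would start with an inconsistent scanner configuration.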
Thanks for taking the time to join our community and start contributing!
- See CONTRIBUTING.md for information about setting up your development environment and deploying the operator.
- Check out the open issues.