Create a dedicated Namespace
# trivy-ns.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: trivy-system
Configure persistent storage (vulnerability database cache)
# PVC that holds the Trivy DB so it survives pod restarts and is not re-downloaded on every start
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: trivy-db-cache
  namespace: trivy-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: standard
Deploy the Trivy service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-scanner
  namespace: trivy-system
spec:
  # A ReadWriteOnce PVC can only be attached to one node, so both replicas must be
  # scheduled on the same node; use a ReadWriteMany storage class if you need them spread out.
  replicas: 2
  selector:
    matchLabels:
      app: trivy-scanner
  template:
    metadata:
      labels:
        app: trivy-scanner
    spec:
      containers:
        - name: trivy
          image: aquasec/trivy:0.45.1
          # The image entrypoint is `trivy`; run it in server mode and listen on the port the Service targets
          args: ["server", "--listen", "0.0.0.0:8080", "--cache-dir", "/trivy/cache"]
          volumeMounts:
            - name: trivy-cache
              mountPath: /trivy/cache
          ports:
            - containerPort: 8080
          resources:
            requests:
              memory: "512Mi"
              cpu: "500m"
            limits:
              memory: "2Gi"
              cpu: "1"
      volumes:
        - name: trivy-cache
          persistentVolumeClaim:
            claimName: trivy-db-cache
Create a Service to expose the endpoint
# trivy-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: trivy-service
  namespace: trivy-system
  labels:
    app: trivy-scanner   # lets a ServiceMonitor select this Service
spec:
  selector:
    app: trivy-scanner
  ports:
    - name: http         # named so a ServiceMonitor can reference it as `port: http`
      protocol: TCP
      port: 80
      targetPort: 8080
Configure automatic database updates (optional)
# trivy-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: trivy-db-updater
  namespace: trivy-system
spec:
  schedule: "0 0 * * *"   # daily at midnight
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: trivy-db-update
              image: aquasec/trivy:0.45.1
              # --download-db-only is a flag of the `image` subcommand; it refreshes the DB in the shared cache
              args: ["image", "--download-db-only", "--cache-dir", "/trivy/cache"]
              volumeMounts:
                - name: trivy-cache
                  mountPath: /trivy/cache
          restartPolicy: OnFailure
          volumes:
            - name: trivy-cache
              persistentVolumeClaim:
                claimName: trivy-db-cache
Verify the deployment
# Check component status
kubectl get pods -n trivy-system
# Run a test scan in client mode against the in-cluster server
kubectl run test-scan --rm -i --tty --image aquasec/trivy:0.45.1 \
  --namespace trivy-system \
  --command -- sh -c "trivy image --server http://trivy-service:80 alpine:3.12"
CI/CD integration (example)
// Jenkins Pipeline example
pipeline {
    agent any
    stages {
        stage('Scan Image') {
            steps {
                script {
                    // The image must be pushed to a registry the cluster can pull from before the scan pod can see it
                    sh 'docker build -t myapp:${BUILD_ID} .'
                    // --quiet keeps kubectl's own status messages out of the captured JSON
                    def scanResult = sh(script: '''
                        kubectl run trivy-scan-${BUILD_ID} \
                          --namespace trivy-system \
                          --image aquasec/trivy:0.45.1 \
                          --rm -i --restart=Never --quiet \
                          -- \
                          image --severity HIGH,CRITICAL \
                          --format json \
                          --server http://trivy-service:80 \
                          myapp:${BUILD_ID}
                    ''', returnStdout: true)
                    // readJSON is provided by the Pipeline Utility Steps plugin
                    def report = readJSON text: scanResult
                    // Check every scanned target, not only Results[0]; a clean target has no Vulnerabilities key
                    def hits = report.Results?.findAll { it.Vulnerabilities }
                    if (hits) {
                        error "发现高危漏洞!"
                    }
                }
            }
        }
    }
}
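The pipeline's gate only inspects the first entry of `Results`, but a Trivy report carries one entry per scanned target (OS packages, each lockfile, and so on) and omits the `Vulnerabilities` key for clean targets. The following added example, not code from the page or from the Trivy project, walks the whole report, counts findings per severity, and supports an "ignore unfixed" mode; the report JSON is a constructed sample and the CVE identifiers in it are placeholders.

```python
import json
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output (CVE ids are placeholders)
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:42",
    "Results": [
        {"Target": "myapp:42 (alpine 3.12.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl1.1", "Severity": "HIGH",
              "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1k-r0"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox", "Severity": "MEDIUM",
              "InstalledVersion": "1.31.1-r16"}]},  # no FixedVersion: nothing to upgrade to yet
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "pyyaml", "Severity": "CRITICAL",
              "InstalledVersion": "5.1", "FixedVersion": "5.4"}]},
        {"Target": "app/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},  # clean target
    ],
})


def evaluate_report(report_json, fail_on="HIGH", ignore_unfixed=False):
    """Walk every Results[] entry (not only Results[0]) and decide whether the build fails.

    Returns (should_fail, counts_by_severity, blocking_findings)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on.upper()]
    counts, blocking = Counter(), []
    for result in report.get("Results") or []:
        # Trivy omits the Vulnerabilities key entirely when a target has no findings
        for vuln in result.get("Vulnerabilities") or []:
            fixed = vuln.get("FixedVersion")
            if ignore_unfixed and not fixed:
                continue
            sev = vuln.get("Severity", "UNKNOWN").upper()
            counts[sev] += 1
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                blocking.append(f"{result['Target']}: {vuln['VulnerabilityID']} in {vuln['PkgName']} "
                                f"{vuln['InstalledVersion']} -> {fixed or 'no fix'} [{sev}]")
    return bool(blocking), dict(counts), blocking


if __name__ == "__main__":
    should_fail, counts, findings = evaluate_report(SAMPLE_REPORT)
    print(counts, *findings, sep="\n")
    raise SystemExit(1 if should_fail else 0)  # a non-zero exit code fails the CI stage
```

In the pipeline above, the JSON captured from `kubectl run` would be passed to `evaluate_report` in place of `SAMPLE_REPORT`.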
Advanced configuration options
- Private image registry authentication:
# Add credentials to the trivy container in the Deployment (Trivy reads these environment variables)
env:
  - name: TRIVY_USERNAME
    valueFrom:
      secretKeyRef:
        name: registry-creds
        key: username
  - name: TRIVY_PASSWORD
    valueFrom:
      secretKeyRef:
        name: registry-creds
        key: password
- Custom policy rules:
# Create a ConfigMap and mount the custom policies into the container
volumes:
  - name: trivy-policies
    configMap:
      name: trivy-custom-policies
volumeMounts:
  - name: trivy-policies
    mountPath: /etc/trivy/policies
- Service mesh integration:
# Added to the pod template metadata of the Deployment
annotations:
  sidecar.istio.io/inject: "true"
  sidecar.istio.io/rewriteAppHTTPProbers: "true"
Monitoring metrics configuration
# Add Prometheus monitoring (container args of the trivy server)
args:
  - "server"
  - "--listen=0.0.0.0:8080"
  - "--cache-dir=/trivy/cache"
  - "--metrics"
# ServiceMonitor configuration (the Service port must be named `http` and the Service must carry the app: trivy-scanner label)
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: trivy-monitor
  namespace: trivy-system
spec:
  endpoints:
    - port: http
      interval: 30s
  selector:
    matchLabels:
      app: trivy-scanner
This deployment has the following characteristics:
- Highly available deployment (multiple replicas)
- Persisted vulnerability database cache
- Daily automatic vulnerability database updates
- Prometheus monitoring integration
- Private registry authentication
- Extensible policy management
- Service mesh compatibility
Adjust the storage class, resource quotas, network policies and other parameters to suit your environment.