New in Zora: Enhanced Kubernetes Security with Trivy-Zora Vulnerability Scanning Integration

The recent integration of Trivy as a scanner plugin has significantly bolstered Zora's security capabilities. This milestone empowers Zora to scan container images within the cluster, adding a new layer of security beyond just misconfigurations. In addition to existing plugins like Marvin and Popeye, Zora now provides vulnerability reports for container images.

For example, Zora can identify and report misconfigurations such as "Container could be running as root user", "Memory not limited", and "Privileged container". Moreover, it can now report critical vulnerabilities in specific container images, such as myregistry.com/foo/bar:v0.1.3 having 10 critical vulnerabilities, including CVE-2023-49569.

This feature is available in both Zora OSS and Zora Dashboard, giving users the flexibility to manage their Kubernetes security posture effectively.


Why Did Getup Choose Trivy for Zora Integration?

The decision to integrate Trivy with Zora was based on several key factors. These factors included licensing, output formats (JSON or YAML), support for multi-platform images, project maturity, and the ability to execute within a Pod. However, one standout feature was particularly well-suited to Zora's needs: the trivy k8s command.

Unlike other tools we considered, Trivy not only scans individual container images but also has the capability to identify and scan all images within a Kubernetes cluster directly using the trivy k8s command. This aligns perfectly with Zora's core functionality of scanning Kubernetes clusters with plugins.

With Zora installed in a cluster, the exact commands used for plugin scanning can be viewed by running:

kubectl get plugin trivy -n zora-system -o yaml

The command is specified in .spec.command:

time trivy k8s \
  --debug \
  --no-progress \
  --all-namespaces \
  --scanners=vuln \
  -f=json \
  --cache-dir=/tmp/trivy-cache \
  --timeout="10m" \
  -o $(DONE_DIR)/results.json \
  cluster

It's worth noting the --scanners=vuln flag, indicating that Trivy is exclusively used within Zora as a plugin for vulnerability scanning.

How do Zora plugins work?

Zora plugins scan a Kubernetes cluster, write the results in a file (-o $(DONE_DIR)/results.json) and signal Worker by writing the path of the results file into a designated “done file” (echo $(DONE_DIR)/results.json > $(DONE_DIR)/done).

Worker is a “sidecar” container that waits for the “done file” and then transforms the results into objects of the VulnerabilityReports CRD (or ClusterIssues for misconfiguration plugins).

This model draws inspiration from Sonobuoy, a project used for CNCF conformance certification. For further details on Zora's plugin architecture, please refer to the Zora documentation.
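As an added illustration of the plugin/worker handshake just described (example code, not Zora's or Trivy's own): the plugin side writes results.json and then points the done file at it, and the worker side waits for the done file, loads the report and reduces it to one VulnerabilityReport-like object per image, de-duplicating CVEs across the workloads that run the same image. The Resources/Results/Vulnerabilities layout is assumed from Trivy's k8s JSON output, the sample report is constructed, and the ignore_unfixed flag is a stand-in for the Helm option for ignoring unfixed vulnerabilities described under Configurations.

```python
import json
import os
import tempfile
import time
from collections import Counter
# Constructed Trivy-like report (layout assumed): two workloads share one image.
SAMPLE_REPORT = {"ClusterName": "example-cluster", "Resources": [
    {"Namespace": "apps", "Kind": "Deployment", "Name": "bar", "Results": [
        {"Target": "myregistry.com/foo/bar:v0.1.3 (alpine 3.18)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "CRITICAL", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0003", "Severity": "HIGH", "FixedVersion": "2.0"}]}]},
    {"Namespace": "batch", "Kind": "CronJob", "Name": "bar-cleanup", "Results": [
        {"Target": "myregistry.com/foo/bar:v0.1.3 (alpine 3.18)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL", "FixedVersion": "1.2.3"}]}]}]}

def plugin_run(done_dir=None, report=SAMPLE_REPORT):
    """Plugin side: write results.json, then write its path into the done file."""
    done_dir = done_dir or tempfile.mkdtemp()  # stands in for $(DONE_DIR)
    results = os.path.join(done_dir, "results.json")
    with open(results, "w") as fh:
        json.dump(report, fh)
    with open(os.path.join(done_dir, "done"), "w") as fh:  # echo $(DONE_DIR)/results.json > $(DONE_DIR)/done
        fh.write(results + "\n")
    return done_dir, results

def worker_collect(done_dir, timeout_s=5.0):
    """Worker side: poll until the done file appears, then load the report it names."""
    done, deadline = os.path.join(done_dir, "done"), time.monotonic() + timeout_s
    while not os.path.exists(done):
        if time.monotonic() > deadline:
            raise TimeoutError("plugin never signalled completion")
        time.sleep(0.05)
    with open(done) as fh, open(fh.read().strip()) as rep:
        return json.load(rep)

def to_vulnerability_reports(report, ignore_unfixed=False):
    """Worker side: one object per image; CVEs seen in several workloads count once."""
    by_image = {}
    for res in report.get("Resources", []):
        for result in res.get("Results", []):
            image = result["Target"].split(" ")[0]  # drop the "(alpine 3.18)" suffix
            vr = by_image.setdefault(image, {"resources": set(), "vulns": {}})
            vr["resources"].add(f"{res['Namespace']}/{res['Kind']}/{res['Name']}")
            for v in result.get("Vulnerabilities", []):
                if v.get("FixedVersion") or not ignore_unfixed:  # skip unfixable findings on request
                    vr["vulns"][v["VulnerabilityID"]] = v["Severity"]
    return [{"image": img, "resources": sorted(vr["resources"]), "summary": dict(Counter(vr["vulns"].values())),
             "vulnerabilities": sorted(vr["vulns"])} for img, vr in sorted(by_image.items())]
```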

Upon successful completion of both the plugin and worker containers, the VulnerabilityReports become available and can be listed using kubectl:

Furthermore, if the installation is integrated with Zora Dashboard, the results from all clusters with Zora installed are centralized and available for filtering and managing.


Configurations

It's worth noting that Trivy's scanning process involves some differences compared to other Zora plugins. To scan container images, Trivy requires pulling them, along with a vulnerability database. This process can consume more time and computational resources, leading to Trivy's default scan schedule being once per day. Additionally, images may reside in private and authenticated registries, requiring additional configuration.

However, Trivy already provides configurations to address these challenges, and Zora simplifies configuring these options through Helm Chart variables. For instance, users can easily provide registry credentials via a secret, set the scan timeout, ignore unfixed vulnerabilities, and configure resource (memory and CPU) requests and limits. All these configurations are described in the Zora documentation.

Facilitating Open Source Collaboration: Contribution to the Trivy Project

The integration of Trivy with Zora has opened up avenues for Getup to collaborate on and contribute to the Trivy project. Check out some of the discussions and pull requests we've initiated, which give us the opportunity to give back and help enhance Trivy's capabilities.

Conclusion

In conclusion, the integration of Trivy as a scanner plugin represents a major advancement in strengthening Zora's security features. This integration allows for precise scanning of container images within Kubernetes clusters, enabling users to effectively address vulnerabilities alongside misconfigurations. Not only does this integration streamline security operations, but it also highlights our dedication to providing comprehensive solutions for Kubernetes environments.

Social

Contact us

Almeda Campinas 802, CJ 12, Jardim Paulista,

São Paulo - SP, 01404-001

Join the team

Our content