chore(k8s/amour): trivy operator

k8s/amour/BUILD.bazel

@@ -48,6 +48,7 @@ cue_export(
         "//k8s/amour/speedtest_exporter:cue_speedtest_exporter_library",
         "//k8s/amour/tailscale:cue_tailscale_library",
         "//k8s/amour/thomas:cue_thomas_library",
+        "//k8s/amour/trivy_system:cue_trivy_system_library",
         "//k8s/amour/vm:cue_vm_library",
         "//k8s/amour/vm_operator:cue_vm_operator_library",
         "//k8s/amour/volsync_system:cue_volsync_system_library",

k8s/amour/list.cue

@@ -29,6 +29,7 @@ import (
 	"github.com/uhthomas/automata/k8s/amour/speedtest_exporter"
 	"github.com/uhthomas/automata/k8s/amour/tailscale"
 	"github.com/uhthomas/automata/k8s/amour/thomas"
+	"github.com/uhthomas/automata/k8s/amour/trivy_system"
 	"github.com/uhthomas/automata/k8s/amour/vm_operator"
 	"github.com/uhthomas/automata/k8s/amour/vm"
 	"github.com/uhthomas/automata/k8s/amour/volsync_system"
@@ -86,6 +87,7 @@ _items: [
 	speedtest_exporter.#List.items,
 	tailscale.#List.items,
 	thomas.#List.items,
+	trivy_system.#List.items,
 	vm_operator.#List.items,
 	vm.#List.items,
 	volsync_system.#List.items,

k8s/amour/trivy_system/BUILD.bazel

@@ -0,0 +1,29 @@
+load("@com_github_tnarg_rules_cue//cue:cue.bzl", "cue_library")
+
+cue_library(
+    name = "cue_trivy_system_library",
+    srcs = [
+        "cluster_role_binding_list.cue",
+        "cluster_role_list.cue",
+        "config_map_list.cue",
+        "custom_resource_definition_list.cue",
+        "deployment_list.cue",
+        "list.cue",
+        "namespace_list.cue",
+        "role_binding_list.cue",
+        "role_list.cue",
+        "secret_list.cue",
+        "service_account_list.cue",
+        "service_list.cue",
+        "vm_service_scrape_list.cue",
+    ],
+    importpath = "github.com/uhthomas/automata/k8s/amour/trivy_system",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//cue.mod/gen/github.com/VictoriaMetrics/operator/api/victoriametrics/v1beta1:cue_v1beta1_library",
+        "//cue.mod/gen/k8s.io/api/apps/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/core/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/api/rbac/v1:cue_v1_library",
+        "//cue.mod/gen/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:cue_v1_library",
+    ],
+)

k8s/amour/trivy_system/README.md

@@ -0,0 +1,5 @@
+# Trivy Operator
+
+[https://github.com/aquasecurity/trivy-operator](https://github.com/aquasecurity/trivy-operator)
+
+[Installation Instructions](https://aquasecurity.github.io/trivy-operator/latest/getting-started/installation/kubectl/)

k8s/amour/trivy_system/cluster_role_binding_list.cue

@@ -0,0 +1,25 @@
+package trivy_system
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#ClusterRoleBindingList: rbacv1.#ClusterRoleBindingList & {
+	apiVersion: "rbac.authorization.k8s.io/v1"
+	kind:       "ClusterRoleBindingList"
+	items: [...{
+		apiVersion: "rbac.authorization.k8s.io/v1"
+		kind:       "ClusterRoleBinding"
+	}]
+}
+
+#ClusterRoleBindingList: items: [{
+	roleRef: {
+		apiGroup: "rbac.authorization.k8s.io"
+		kind:     "ClusterRole"
+		name:     #Name
+	}
+	subjects: [{
+		name:      #Name
+		namespace: #Namespace
+		kind:      rbacv1.#ServiceAccountKind
+	}]
+}]

k8s/amour/trivy_system/cluster_role_list.cue

@@ -0,0 +1,217 @@
+package trivy_system
+
+import rbacv1 "k8s.io/api/rbac/v1"
+
+#ClusterRoleList: rbacv1.#ClusterRoleList & {
+	apiVersion: "rbac.authorization.k8s.io/v1"
+	kind:       "ClusterRoleList"
+	items: [...{
+		apiVersion: "rbac.authorization.k8s.io/v1"
+		kind:       "ClusterRole"
+	}]
+}
+
+#ClusterRoleList: items: [{
+	rules: [{
+		apiGroups: [""]
+		resources: ["configmaps"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: [""]
+		resources: ["limitranges"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: [""]
+		resources: ["nodes"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: [""]
+		resources: ["pods"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: [""]
+		resources: ["pods/log"]
+		verbs: ["get", "list"]
+	}, {
+		apiGroups: [""]
+		resources: ["replicationcontrollers"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: [""]
+		resources: ["resourcequotas"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: [""]
+		resources: ["services"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["apiextensions.k8s.io"]
+		resources: ["customresourcedefinitions"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["apps"]
+		resources: ["daemonsets"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["apps"]
+		resources: ["deployments"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["apps"]
+		resources: ["replicasets"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["apps"]
+		resources: ["statefulsets"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["apps.openshift.io"]
+		resources: ["deploymentconfigs"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clustercompliancedetailreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clustercompliancereports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clustercompliancereports/status"]
+		verbs: ["get", "patch", "update"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clusterconfigauditreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clusterinfraassessmentreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clusterrbacassessmentreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clustersbomreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["clustervulnerabilityreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["configauditreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["exposedsecretreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["infraassessmentreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["rbacassessmentreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["sbomreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["vulnerabilityreports"]
+		verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+	}, {
+		apiGroups: ["batch"]
+		resources: ["cronjobs"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["batch"]
+		resources: ["jobs"]
+		verbs: ["create", "delete", "get", "list", "watch"]
+	}, {
+		apiGroups: ["networking.k8s.io"]
+		resources: ["ingresses"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["networking.k8s.io"]
+		resources: ["networkpolicies"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["rbac.authorization.k8s.io"]
+		resources: ["clusterrolebindings"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["rbac.authorization.k8s.io"]
+		resources: ["clusterroles"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["rbac.authorization.k8s.io"]
+		resources: ["rolebindings"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: ["rbac.authorization.k8s.io"]
+		resources: ["roles"]
+		verbs: ["get", "list", "watch"]
+	}, {
+		apiGroups: [""]
+		resources: ["secrets"]
+		verbs: ["create", "get", "update"]
+	}, {
+		apiGroups: [""]
+		resources: ["serviceaccounts"]
+		verbs: ["get"]
+	}, {
+		apiGroups: [""]
+		resources: ["nodes/proxy"]
+		verbs: ["get"]
+	}]
+}, {
+	metadata: {
+		name: "aggregate-config-audit-reports-view"
+		labels: {
+			"rbac.authorization.k8s.io/aggregate-to-view":           "true"
+			"rbac.authorization.k8s.io/aggregate-to-edit":           "true"
+			"rbac.authorization.k8s.io/aggregate-to-admin":          "true"
+			"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"
+		}
+	}
+	rules: [{
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["configauditreports"]
+		verbs: ["get", "list", "watch"]
+	}]
+}, {
+	metadata: {
+		name: "aggregate-exposed-secret-reports-view"
+		labels: {
+			"rbac.authorization.k8s.io/aggregate-to-view":           "true"
+			"rbac.authorization.k8s.io/aggregate-to-edit":           "true"
+			"rbac.authorization.k8s.io/aggregate-to-admin":          "true"
+			"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"
+		}
+	}
+	rules: [{
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["exposedsecretreports"]
+		verbs: ["get", "list", "watch"]
+	}]
+}, {
+	metadata: {
+		name: "aggregate-vulnerability-reports-view"
+		labels: {
+			"rbac.authorization.k8s.io/aggregate-to-view":           "true"
+			"rbac.authorization.k8s.io/aggregate-to-edit":           "true"
+			"rbac.authorization.k8s.io/aggregate-to-admin":          "true"
+			"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"
+		}
+	}
+	rules: [{
+		apiGroups: ["aquasecurity.github.io"]
+		resources: ["vulnerabilityreports"]
+		verbs: ["get", "list", "watch"]
+	}]
+}]