Switch to new trivy-operator and trivy-server #953
Conversation
This reverts commit 50986bc.
I think it looks good, but I think you need to take an extra look on the EKS side.
See comment
%{~ if provider == "aws" ~}
serviceAccount:
  annotations:
    eks.amazonaws.com/role-arn: ${trivy_operator_role_arn}
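Review bot: the role-arn annotation on the last line binds ${trivy_operator_role_arn} to a single serviceAccount, so every pod running under that account (the operator and, if it shares the SA, trivy-server) assumes that one IAM role; if the module also exposes a separate trivy_role_arn input, decide which role this SA should carry and drop the other input, so that two roles are not maintained for one workload identity.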
Hmm isn't there a service account created for the trivy server?
You will probably need to use var.trivy_role_arn for this, because the role that gets created is specific to the serviceAccount.
You might also need to update the role_arn to match the new serviceAccount that gets created by the operator.
From what I can tell, trivy-server uses the SA created for trivy-operator.
What do you mean by "update the role_arn to match the new serviceAccount that gets created by the operator"? Which role is this?
Currently there are 2 ARNs, trivy_operator_role_arn and trivy_role_arn.
There should be no use for both?
Ahh okay, if there is only one SA, you can remove the one called trivy_role_arn, just as you say.
terraform-modules/modules/aws/eks/iam.tf
Line 248 in 1aff96b
module "trivy_ecr" {
Good job
Fixes #941
Support for EKS has been deprecated. Furthermore, we are already running the trivy-operator. Closing this.
This needs to be verified in AWS before merging