クラウド ネイティブ セキュリティ管理プラットフォーム hummerrisk k8s-yaml ファイルのデプロイメント
公式 Web サイト: https://docs.hummerrisk.com/
導入バージョンは 9.0.0 です
-
yaml ファイルをデプロイ
https://gitcode.net/weixin_43606975/hummer-yaml -
デプロイを実行します (PV のマウントパスと、mysql-deployment で固定しているノードのホスト名は、環境に合わせて変更する必要があることに注意してください)
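# Create the namespace for the deployment.
# NOTE(review): the page spells it "hummerisk" (one "r"); confirm it matches the
# namespace referenced inside the manifests before applying.
kubectl create ns hummerisk
# Apply every manifest in the current directory. Run this from the directory that
# holds the downloaded yaml files, after reviewing and editing them (PV path,
# node name, passwords). The page wrote `kubeclt`, which is not a command.
kubectl apply -f .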
- <ノードのIP>:32642 にアクセスし、ユーザー名 admin / パスワード hummer でログインしてください (既定の認証情報なので、初回ログイン後にパスワードを変更してください)
4.k8sに接続する
# 1. Register the chart repository.
#    This is a third-party repository; the chart it serves installs an operator
#    into the cluster, so review the chart before installing it.
helm repo add hummer https://registry.hummercloud.com/repository/charts

# 2. Refresh the local repository index.
helm repo update

# 3. Install. The release name and the namespace can be customised.
#    No chart version is pinned here, so the newest chart in the repo is used.
#    trivy.ignoreUnfixed=true leaves vulnerabilities that have no fixed version
#    out of the reports; a clean report therefore does not mean "no known CVEs".
helm install trivy-operator hummer/trivy-operator \
  --namespace trivy-system \
  --create-namespace \
  --set image.repository=registry.cn-beijing.aliyuncs.com/hummerrisk/trivy-operator \
  --set trivy.ignoreUnfixed=true

# 4. Check that the operator pod has started.
kubectl get pod --all-namespaces | grep trivy-operator
trivy-system trivy-operator-69f99f79c4-lvzvs 1/1 Running 0 118s
- k8s token
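# Get the token.
# The secret is looked up by name in kube-system with a plain `grep hummer`;
# presumably it is the service-account token secret created for HummerRisk
# (the page does not show how it is created - confirm it exists first).
#
# Resolve the name before calling `describe`: with an empty name,
# `kubectl describe secret` describes every secret in the namespace and the
# `grep token:` filter would then print all of their tokens.
secret_names=$(kubectl -n kube-system get secret | grep hummer | awk '{print $1}')
if [ -z "$secret_names" ]; then
  echo "no secret matching 'hummer' found in kube-system" >&2
else
  # Unquoted on purpose: several matching names become separate arguments,
  # as in the original one-liner.
  # The value printed is a bearer credential for the cluster API; keep it out of
  # shared terminals, logs and tickets.
  # shellcheck disable=SC2086
  kubectl -n kube-system describe secret $secret_names | grep token: | awk '{print $2}'
fi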
注: 上記の yaml ファイルの生成元:
レンダリングに使用した values ファイル:
[root@master hummerrisk]# cat values.yaml
# Default values for HummerRisk.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# NOTE(review): the indentation of this listing was lost on the page, so the nesting
# of the keys cannot be read from here; restore it from the chart before use.
nameOverride: "hummerrisk"
fullnameOverride: "hummerrisk"
global:
imageRegistry: "registry.cn-beijing.aliyuncs.com"
## E.g.
## imagePullSecrets:
## - myRegistryKeySecretName
##
# imagePullSecrets: []
imagePullPolicy: Always
storageClass: "nfs"
hummerrisk:
image:
# NOTE(review): repository is `nginx` while the tag below is v0.9.0 - this looks like
# a placeholder; confirm the intended HummerRisk image before rendering.
repository: nginx
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: v0.9.0
replicas: 1
trivyDBVersion: "2023011805"
# servicePort is the HTTP listener port for the webserver
servicePort: 80
serviceType: ClusterIP
sessionAffinity: ClientIP
mysql:
enabled: true
image: mysql
# NOTE(review): MySQL 5.7 is past upstream end of life - confirm whether a supported
# release works with this chart.
imageTag: "5.7.38"
# Plaintext MySQL root password, published with this values file. Replace it before
# deploying and keep the real value out of version control; anything rendered from
# this file will carry whatever is set here.
rootPassword: "Hummer@password123"
persistence:
enabled: true
accessModes: ReadWriteOnce
# Settings for an external database; disabled here (enabled: false).
externalMySQL:
enabled: false
host: mysql.local
port: 3306
# NOTE(review): if this is ever enabled, prefer a dedicated least-privilege account
# over `root`, and supply the password at install time instead of storing it here.
username: root
password: ""
database: ""
storage:
logSize: 5Gi
imageSize: 5Gi
fileSize: 5Gi
dbSize: 5Gi
accessModes:
- ReadWriteMany
serviceAccount:
# Specifies whether a service account should be created
create: false
# Annotations to add to the service account
annotations: {
}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {
}
# Both security contexts are left empty, so no pod- or container-level hardening is
# set by these values; the commented keys below (drop ALL capabilities, read-only
# root filesystem, non-root user) are the usual baseline to enable where the image
# tolerates it.
podSecurityContext: {
}
# fsGroup: 2000
securityContext: {
}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
ingress:
enabled: true
className: "nginx"
annotations:
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/affinity-mode: "persistent"
nginx.ingress.kubernetes.io/session-cookie-name: "route"
# nginx.ingress.kubernetes.io/ingress.class: "nginx"
# kubernetes.io/tls-acme: "true"
hosts:
- host: hummerrisk.example.local
paths:
- path: /
pathType: ImplementationSpecific
# No TLS entry is configured for the ingress host: unless TLS is terminated somewhere
# else, the login and session cookie travel over plain HTTP.
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources:
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
limits:
cpu: 2
memory: 4Gi
requests:
cpu: 500m
memory: 1Gi
レンダリングコマンド:
# Render the chart in ./hummerrisk/ to plain manifests under ./hummerrisk-2023,
# using the values file shown above.
# The rendered files likely embed the values verbatim, including the MySQL root
# password, so treat the output directory like the values file itself.
helm template hummerrisk/ \
  -f hummerrisk/values.yaml \
  --output-dir ./hummerrisk-2023