創建專用 Namespace
# trivy-ns.yaml
# Dedicated namespace for the scanner; every other manifest in this guide lives here.
---
apiVersion: v1
kind: Namespace
metadata:
  name: trivy-system
配置持久化存儲(緩存數據庫)
# Persistent cache for the vulnerability database, so pods do not re-download it
# on every start.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: trivy-db-cache
  namespace: trivy-system
spec:
  # ReadWriteOnce volumes are mounted read-write by a single node at a time, so every
  # pod that uses this claim (scanner replicas, the DB updater job) must be scheduled
  # onto that same node.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  # Must name a StorageClass that exists in the target cluster.
  storageClassName: standard
部署 Trivy 服務
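# Trivy in server mode; clients reach it through the Service and `trivy image --server ...`.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy-scanner
  namespace: trivy-system
spec:
  # NOTE(review): the cache PVC is ReadWriteOnce, so both replicas must land on one node
  # and they share a single cache directory — confirm the pinned version tolerates two
  # server processes on the same cache before relying on replicas for availability.
  replicas: 2
  selector:
    matchLabels:
      app: trivy-scanner
  template:
    metadata:
      labels:
        app: trivy-scanner
    spec:
      containers:
        - name: trivy
          # For a scanner whose verdicts gate releases, prefer pinning by digest
          # (aquasec/trivy@sha256:<digest>) over a mutable tag.
          image: aquasec/trivy:0.45.1
          # The image entrypoint is `trivy`. With only `--cache-dir` there is no
          # subcommand, so the container prints usage and exits instead of serving.
          # `--listen` binds the pod address on the port exposed below; the default
          # listen address is loopback only and unreachable from the Service.
          args:
            - "server"
            - "--listen"
            - "0.0.0.0:8080"
            - "--cache-dir"
            - "/trivy/cache"
          ports:
            - name: http
              containerPort: 8080
          # The server answers GET /healthz; routing traffic only to ready pods avoids
          # failed scans while a replica is still opening its cache.
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          volumeMounts:
            # The original split `mountPath` into its own list entry, producing one
            # mount with no path and one with no name.
            - name: trivy-cache
              mountPath: /trivy/cache
          resources:
            requests:
              memory: "512Mi"
              cpu: "500m"
            limits:
              memory: "2Gi"
              cpu: "1"
      volumes:
        - name: trivy-cache
          persistentVolumeClaim:
            claimName: trivy-db-cache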
創建 Service 暴露接口
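# trivy-service.yaml
# Stable in-cluster endpoint for the scanner pods (http://trivy-service:80).
---
apiVersion: v1
kind: Service
metadata:
  name: trivy-service
  namespace: trivy-system
  # A ServiceMonitor selects Services (not Pods) by label, so the label must be on
  # the Service itself for the monitoring section of this guide to pick it up.
  labels:
    app: trivy-scanner
spec:
  selector:
    app: trivy-scanner
  ports:
    # The port name is what the ServiceMonitor endpoint (`port: http`) refers to;
    # an unnamed port cannot be scraped by name.
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080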
配置自動數據庫更新(可選)
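# trivy-cronjob.yaml
# Refreshes the vulnerability DB in the shared cache once a day (optional).
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: trivy-db-updater
  namespace: trivy-system
spec:
  schedule: "0 0 * * *"
  # Two updaters writing the same cache concurrently is never useful.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: trivy-db-update
              image: aquasec/trivy:0.45.1
              # `--download-db-only` is a subcommand flag; passed to the bare root
              # command it is rejected as unknown and the job fails on every run.
              args: ["image", "--download-db-only", "--cache-dir", "/trivy/cache"]
              volumeMounts:
                - name: trivy-cache
                  mountPath: /trivy/cache
          restartPolicy: OnFailure
          # NOTE(review): the claim is ReadWriteOnce, so this pod can only run on the
          # node that already holds the cache volume.
          volumes:
            - name: trivy-cache
              persistentVolumeClaim:
                claimName: trivy-db-cache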
驗證部署
# Check component status
kubectl get pods -n trivy-system

# Run a test scan: a throwaway client pod in the same namespace scans a deliberately
# old image against the in-cluster server; the pod is removed when the shell exits.
kubectl run test-scan --rm -i --tty --image aquasec/trivy:0.45.1 \
  -n trivy-system \
  --command -- sh -c "trivy image --server http://trivy-service:80 alpine:3.12"
集成到 CI/CD(示例)
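// Jenkins Pipeline example
// Builds the image, scans it through the in-cluster Trivy server and fails the build
// when any scan target reports HIGH/CRITICAL findings.
pipeline {
  agent any

  stages {
    stage('Scan Image') {
      steps {
        script {
          // ${BUILD_ID} inside single quotes is expanded by the shell from the Jenkins
          // environment, not by Groovy — which also keeps it out of Groovy interpolation.
          sh 'docker build -t myapp:${BUILD_ID} .'

          // NOTE(review): the scan runs inside the cluster, so it cannot see an image
          // that only exists in the agent's local Docker daemon — push myapp:${BUILD_ID}
          // to a registry the Trivy pod can pull from before this step.
          def scanResult = sh(script: '''
            kubectl run trivy-scan-${BUILD_ID} \
              --namespace trivy-system \
              --image aquasec/trivy:0.45.1 \
              --rm -i --restart=Never \
              -- \
              image --severity HIGH,CRITICAL \
              --format json \
              --server http://trivy-service:80 \
              myapp:${BUILD_ID}
          ''', returnStdout: true)

          // readJSON is provided by the Pipeline Utility Steps plugin.
          // NOTE(review): if kubectl's `--rm` confirmation line ends up in stdout the
          // JSON parse fails; verify the captured output on this kubectl version.
          def report = readJSON text: scanResult

          // A JSON report holds one entry per target (OS packages, each language
          // ecosystem, ...); the original checked only Results[0] and missed the rest.
          // `Vulnerabilities` is absent on clean targets, so it is falsy there.
          def hasFindings = (report.Results ?: []).any { it.Vulnerabilities }
          if (hasFindings) {
            error "發現高危漏洞!"
          }
        }
      }
    }
  }
}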
高級配置選項
- 私有鏡像倉庫認證:
# Add credentials to the Deployment
# Goes under the `trivy` container spec. TRIVY_USERNAME / TRIVY_PASSWORD are Trivy's
# environment equivalents of --username / --password for private registries; keeping
# them in a Secret avoids committing credentials to the manifest.
env:
  - name: TRIVY_USERNAME
    valueFrom:
      secretKeyRef:
        name: registry-creds
        key: username
  - name: TRIVY_PASSWORD
    valueFrom:
      secretKeyRef:
        name: registry-creds
        key: password
- 自定義策略規則:
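# Create a ConfigMap and mount custom policies
# Pod-level (spec.template.spec): declare the volume next to `trivy-cache`.
volumes:
  - name: trivy-policies
    configMap:
      name: trivy-custom-policies
# Container-level (containers[].volumeMounts). The original text split `mountPath`
# into a second list entry, yielding one mount without a path and one without a
# name. The scan command still has to be pointed at this directory (e.g.
# `--config-policy`); mounting alone does not load the policies.
volumeMounts:
  - name: trivy-policies
    mountPath: /etc/trivy/policies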
- 服務網格集成:
annotations: sidecar.istio.io/inject: "true" sidecar.istio.io/rewriteAppHTTPProbers: "true"
監控指標配置
# Add Prometheus monitoring
# Replacement container `args`; these are flags of the `server` subcommand.
args:
  - "--listen=0.0.0.0:8080"
  - "--cache-dir=/trivy/cache"
  # NOTE(review): confirm that the pinned image's `server` subcommand accepts
  # `--metrics` and which path it serves — an unknown flag makes the container
  # exit at startup.
  - "--metrics"
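# ServiceMonitor configuration (requires the Prometheus Operator CRDs)
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: trivy-monitor
  namespace: trivy-system
spec:
  # `selector` is a spec-level field, not part of an endpoint entry, and it matches
  # Service labels — trivy-service must carry `app: trivy-scanner` in its metadata.
  selector:
    matchLabels:
      app: trivy-scanner
  endpoints:
    # Refers to the Service port *name*; the Service port must be named `http`.
    - port: http
      interval: 30s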
該部署方案具備以下特性:
- 高可用部署(多副本)
- 數據庫緩存持久化
- 每日自動更新漏洞庫
- 集成 Prometheus 監控
- 支持私有倉庫認證
- 可擴展策略管理
- 服務網格兼容性

根據實際環境需要,可調整存儲類、資源配額、網絡策略等配置參數。