创建专用 Namespace

# trivy-ns.yaml
apiVersion: v1
kind: Namespace
metadata:  name: trivy-system

配置持久化存储（缓存数据库）

apiVersion: v1
kind: PersistentVolumeClaim
metadata:  name: trivy-db-cache  namespace: trivy-system
spec:  accessModes:    - ReadWriteOnce  resources:    requests:      storage: 5Gi  storageClassName: standard

部署 Trivy 服务

apiVersion: apps/v1
kind: Deployment
metadata:  name: trivy-scanner  namespace: trivy-system
spec:  replicas: 2  selector:    matchLabels:      app: trivy-scanner  template:    metadata:      labels:        app: trivy-scanner    spec:      containers:      - name: trivy        image: aquasec/trivy:0.45.1        args: ["--cache-dir", "/trivy/cache"]        volumeMounts:        - name: trivy-cache          - mountPath: /trivy/cache        ports:        - containerPort: 8080        resources:          requests:            memory: "512Mi"            cpu: "500m"          limits:            memory: "2Gi"            cpu: "1"      volumes:      - name: trivy-cache        persistentVolumeClaim:          claimName: trivy-db-cache

创建 Service 暴露接口

# trivy-service.yaml
apiVersion: v1
kind: Service
metadata:  name: trivy-service  namespace: trivy-system
spec:  selector:    app: trivy-scanner  ports:    - protocol: TCP      port: 80      targetPort: 8080

配置自动数据库更新（可选）

# trivy-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:  name: trivy-db-updater  namespace: trivy-system
spec:  schedule: "0 0 * * *"  jobTemplate:    spec:      template:        spec:          containers:          - name: trivy-db-update            image: aquasec/trivy:0.45.1            args: ["--download-db-only", "--cache-dir", "/trivy/cache"]                     volumeMounts:            - name: trivy-cache              mountPath: /trivy/cache          restartPolicy: OnFailure          volumes:          - name: trivy-cache            persistentVolumeClaim:              claimName: trivy-db-cache

验证部署

# 检查组件状态
kubectl get pods -n trivy-system
# 执行测试扫描
kubectl run test-scan --rm -i --tty --image aquasec/trivy:0.45.1 \  --namespace trivy-system \  --command -- sh -c "trivy image --server http://trivy-service:80 alpine:3.12"

集成到 CI/CD（示例）

// Jenkins Pipeline 示例
pipeline {  agent any  
stages {    stage('Scan Image') {      steps {        script {          sh 'docker build -t myapp:${BUILD_ID} .'                    def scanResult = sh(script: '''            kubectl run trivy-scan-${BUILD_ID} \              --namespace trivy-system \              --image aquasec/trivy:0.45.1 \              --rm -i --restart=Never \              -- \              image --severity HIGH,CRITICAL \              --format json \              --server http://trivy-service:80 \              myapp:${BUILD_ID}          ''', returnStdout: true)                    def report = readJSON text: scanResult          if(report.Results[0].Vulnerabilities) {            error "发现高危漏洞！"          }        }      }    }  }}

高级配置选项

1. 私有镜像仓库认证：

# 添加认证信息到 Deployment
env:
- name: TRIVY_USERNAME  valueFrom:    secretKeyRef:      name: registry-creds      key: username
- name: TRIVY_PASSWORD  valueFrom:    secretKeyRef:      name: registry-creds      key: password

2. 自定义策略规则：

# 创建 ConfigMap 挂载自定义策略
volumes:
- name: trivy-policies  configMap:    name: trivy-custom-policiesvolumeMounts:- name: trivy-policies  - mountPath: /etc/trivy/policies

3. 服务网格集成：

annotations:  sidecar.istio.io/inject: "true"  sidecar.istio.io/rewriteAppHTTPProbers: "true"

监控指标配置

# 添加 Prometheus 监控
args: - "--listen=0.0.0.0:8080"- "--cache-dir=/trivy/cache"- "--metrics"
# ServiceMonitor 配置
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:  name: trivy-monitor  namespace: trivy-systemspec:  
endpoints:  
- port: http    interval: 30s  selector:    matchLabels:      app: trivy-scanner

该部署方案具备以下特性：- 高可用部署（多副本）- 数据库缓存持久化- 每日自动更新漏洞库- 集成 Prometheus 监控- 支持私有仓库认证- 可扩展策略管理- 服务网格兼容性根据实际环境需要，可调整存储类、资源配额、网络策略等配置参数。