Security Operator Configuration

Configure the dakr-security operator to scan your Kubernetes clusters for vulnerabilities and compliance issues.

The dakr-security operator automatically scans your Kubernetes workloads for:

  • Vulnerabilities - Known CVEs in container images and dependencies
  • Misconfigurations - Security issues in Kubernetes resources
  • Exposed Secrets - Accidentally committed credentials
  • Compliance - CIS Kubernetes benchmarks and security standards

Quick Installation

Install the dakr-security operator with default settings:

helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace

The operator will automatically start scanning all namespaces in your cluster.


Common Configuration Scenarios

1. Limit Scanning to Specific Namespaces

Use case: You only want to scan production workloads, not development or system namespaces.

helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace \
  --set targetNamespaces="production\,staging" \
  --set excludeNamespaces="kube-system\,kube-*\,dev-*"

Configuration:

  • targetNamespaces: Comma-separated list of namespaces to scan (blank = all namespaces)
  • excludeNamespaces: Comma-separated list of namespaces or glob patterns (for example kube-*) to exclude
  • When either list is passed with --set, escape each comma as \, because Helm treats an unescaped comma as the separator between --set keys; in a values file the plain comma-separated string is used as-is
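As an added illustration of how the two lists interact (example code, not the operator's own), the Python below applies targetNamespaces and excludeNamespaces to a constructed namespace set. Glob matching for exclusions and exclusions taking precedence over explicit targets are assumptions; the page states neither.

```python
from fnmatch import fnmatchcase

def parse_list(value: str) -> list[str]:
    """Split a comma-separated value such as "kube-system,kube-*" into items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def is_scanned(namespace: str, target: str, exclude: str) -> bool:
    """Decide whether a namespace falls in scope of the scanner.

    Assumed semantics (not spelled out on the page): a blank targetNamespaces
    makes every namespace a candidate, excludeNamespaces entries are shell-style
    glob patterns, and an exclusion wins over an explicit target.
    """
    if any(fnmatchcase(namespace, pattern) for pattern in parse_list(exclude)):
        return False
    targets = parse_list(target)
    return not targets or namespace in targets

def scanned_namespaces(cluster_namespaces, target, exclude):
    """Return the sorted subset of cluster namespaces the operator would scan."""
    return sorted(ns for ns in cluster_namespaces if is_scanned(ns, target, exclude))

# Constructed sample cluster, not taken from any real environment.
SAMPLE_CLUSTER = ["default", "production", "staging", "kube-system",
                  "kube-public", "kube-node-lease", "dev-alice", "monitoring"]

if __name__ == "__main__":
    # Scenario 1 from the page: explicit targets plus pattern exclusions.
    print(scanned_namespaces(SAMPLE_CLUSTER, "production,staging", "kube-system,kube-*,dev-*"))
    # Best-practice values file: blank target, system namespaces excluded.
    print(scanned_namespaces(SAMPLE_CLUSTER, "", "kube-system,kube-public,kube-node-lease"))
```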

2. Adjust Scan Performance for Cluster Size

Use case: Control how many scans run concurrently based on your cluster capacity.

Small Clusters (< 50 nodes):

--set operator.scanJobsConcurrentLimit=5 \
--set trivy.resources.limits.cpu=200m \
--set trivy.resources.limits.memory=256Mi \
--set trivy.slow=true

Large Clusters (> 100 nodes):

--set operator.scanJobsConcurrentLimit=20 \
--set operator.scanJobTimeout=10m \
--set trivy.resources.limits.cpu=1 \
--set trivy.resources.limits.memory=1Gi \
--set trivy.slow=false

Configuration:

  • operator.scanJobsConcurrentLimit: Maximum parallel scans (default: 10)
  • operator.scanJobTimeout: How long to wait before giving up on a scan (default: 5m)
  • trivy.resources: CPU and memory limits for scanner pods
  • trivy.slow: Use fewer resources at the cost of longer scan times (default: true)

3. Private Container Registries

Use case: Your workloads use images from private registries like Docker Hub, ECR, or ACR.

⚠️ Important: privateRegistryScanSecretsNames is a map field that requires special syntax.

Option 1: Using values file (Recommended)

Create custom-values.yaml:

operator:
  privateRegistryScanSecretsNames:
    default: "my-registry-secret"
    production: "docker-registry-secret"
    staging: "acr-credentials,gcr-credentials" # Multiple secrets, comma-separated

Deploy:

helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace \
  -f custom-values.yaml

Option 2: Using --set-json (Advanced, requires Helm 3.10 or newer)

helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace \
  --set-json 'operator.privateRegistryScanSecretsNames={"default":"my-registry-secret","production":"prod-secret"}'

Plain --set does not work for this field: Helm parses a --set value that starts with { as a list, not as a map, so the JSON object would be mangled. --set-json parses the value as JSON and sets the map correctly.

Configuration:

  • Provide a map of namespace: secret-name pairs
  • The secrets must already exist in those namespaces
  • Supports multiple registries per namespace (comma-separated)
  • Format: {"namespace1":"secret1","namespace2":"secret2,secret3"}

Complete Example:

Step 1: Create the registry secret in each namespace

# In default namespace
kubectl create secret docker-registry my-registry-secret \
  --docker-server=my-registry.example.com \
  --docker-username=myuser \
  --docker-password=mypassword \
  --docker-email=myemail@example.com \
  -n default

# In production namespace
kubectl create secret docker-registry prod-registry-secret \
  --docker-server=my-registry.example.com \
  --docker-username=prod-user \
  --docker-password=prod-password \
  -n production

Step 2: Configure dakr-security (values.yaml)

operator:
  privateRegistryScanSecretsNames:
    default: "my-registry-secret"
    production: "prod-registry-secret"
    staging: "staging-secret1,staging-secret2" # Multiple secrets

Step 3: Deploy with values file

helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace \
  -f values.yaml

4. Data Retention and Report Cleanup

Use case: Control how long security reports are kept in your cluster.

--set operator.scannerReportTTL=48h \
--set operator.cacheReportTTL=168h

Configuration:

  • operator.scannerReportTTL: How long vulnerability/config audit reports exist (default: 24h)
  • operator.cacheReportTTL: How long SBOM cache reports exist (default: 120h)
  • Set to "" to disable automatic cleanup

5. Compliance Scanning Schedule

Use case: Control how often compliance reports are generated.

--set compliance.cron="0 */12 * * *"

Configuration:

  • compliance.cron: Cron expression for compliance report generation
  • Default: "0 */6 * * *" (every 6 hours)

Common schedules:

  • Every 12 hours: "0 */12 * * *"
  • Daily at midnight: "0 0 * * *"
  • Weekly on Sunday: "0 0 * * 0"

6. Corporate Network / Proxy Configuration

Use case: Your cluster is behind a corporate proxy.

--set operator.httpProxy="http://proxy.company.com:8080" \
--set operator.httpsProxy="http://proxy.company.com:8080" \
--set operator.noProxy="localhost,127.0.0.1,.cluster.local" \
--set trivy.httpProxy="http://proxy.company.com:8080" \
--set trivy.httpsProxy="http://proxy.company.com:8080"

Scanner Controls

Enable or disable specific security scanners:

helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace \
  --set operator.vulnerabilityScannerEnabled=true \
  --set operator.configAuditScannerEnabled=true \
  --set operator.exposedSecretScannerEnabled=true \
  --set operator.rbacAssessmentScannerEnabled=true \
  --set operator.infraAssessmentScannerEnabled=true \
  --set operator.clusterComplianceEnabled=true

What each scanner does:

  • vulnerabilityScannerEnabled: Scans for CVEs in container images
  • configAuditScannerEnabled: Checks Kubernetes resource configurations
  • exposedSecretScannerEnabled: Detects hardcoded secrets
  • rbacAssessmentScannerEnabled: Analyzes RBAC permissions
  • infraAssessmentScannerEnabled: Scans node configurations
  • clusterComplianceEnabled: Runs CIS benchmark compliance checks

Configuration Best Practices

# Create a values.yaml file
targetNamespaces: "" # Scan all namespaces
excludeNamespaces: "kube-system,kube-public,kube-node-lease"

operator:
  scanJobsConcurrentLimit: 10
  scanJobTimeout: 5m
  scannerReportTTL: "24h"

  # Enable all scanners
  vulnerabilityScannerEnabled: true
  configAuditScannerEnabled: true
  exposedSecretScannerEnabled: true
  rbacAssessmentScannerEnabled: true
  infraAssessmentScannerEnabled: true
  clusterComplianceEnabled: true

trivy:
  resources:
    requests:
      cpu: 100m
      memory: 100M
    limits:
      cpu: 500m
      memory: 500M

compliance:
  cron: "0 */6 * * *" # Every 6 hours

Deploy with:

helm upgrade --install dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --create-namespace \
  -f values.yaml

Updating Configuration

⚠️ Important: Configuration changes require operator restart

The operator reads configuration once at startup. To apply changes:

# 1. Update configuration via Helm
helm upgrade dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --set <your-changes> \
  --reuse-values

# 2. Restart the operator to pick up changes
kubectl rollout restart deployment/dakr-security -n dakr-security-system

Viewing Scan Results

After installation, view security reports:

# Vulnerability reports
kubectl get vulnerabilityreports -A

# Configuration audit reports
kubectl get configauditreports -A

# Compliance reports
kubectl get clustercompliancereport -n dakr-security-system

# View specific report details
kubectl get vulnerabilityreport <name> -n <namespace> -o yaml

Reports are automatically sent to the DevZero platform for visualization.
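The reports above can also be post-processed outside the platform. As an added example (not part of this page or the operator), the Python below takes the output shape of `kubectl get vulnerabilityreports -A -o json`, sums the severity counters across namespaces, and lists the findings that already have a fixed version, so that a patch can close them. The report layout (report.summary counters, report.vulnerabilities entries) follows the Trivy Operator CRD and is an assumption, as are the sample workloads and the placeholder CVE ids.

```python
import json
from collections import Counter

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample in the shape of `kubectl get vulnerabilityreports -A -o json`.
# The layout (report.summary counters, report.vulnerabilities entries) follows the
# Trivy Operator CRD and is an assumption; the CVE ids are placeholders, not real ones.
SAMPLE_REPORTS = json.dumps({"items": [
    {"metadata": {"namespace": "production", "name": "replicaset-api-7d9f-api"},
     "report": {"artifact": {"repository": "example/api", "tag": "1.4.2"},
                "summary": {"criticalCount": 1, "highCount": 2, "mediumCount": 0},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-0000-0001", "severity": "CRITICAL", "resource": "openssl",
                     "installedVersion": "1.1.1", "fixedVersion": "1.1.1w"},
                    {"vulnerabilityID": "CVE-0000-0002", "severity": "HIGH", "resource": "libc",
                     "installedVersion": "2.31", "fixedVersion": ""},
                    {"vulnerabilityID": "CVE-0000-0003", "severity": "HIGH", "resource": "curl",
                     "installedVersion": "7.68", "fixedVersion": "7.88"}]}},
    {"metadata": {"namespace": "staging", "name": "deployment-web-web"},
     "report": {"artifact": {"repository": "example/web", "tag": "2.0"},
                "summary": {"criticalCount": 0, "highCount": 0, "mediumCount": 1},
                "vulnerabilities": [
                    {"vulnerabilityID": "CVE-0000-0004", "severity": "MEDIUM", "resource": "zlib",
                     "installedVersion": "1.2.11", "fixedVersion": "1.2.13"}]}}]})

def severity_totals(report_list_json: str) -> Counter:
    """Sum the per-report summary counters across every namespace."""
    totals = Counter()
    for item in json.loads(report_list_json)["items"]:
        totals.update(item["report"].get("summary", {}))
    return totals

def fixable_findings(report_list_json: str, min_severity: str = "HIGH"):
    """List findings at or above min_severity that already have a fixed version,
    i.e. the ones an image rebuild can close today. Findings with no fix are
    left out on purpose: they need a different mitigation and a separate list."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    rows = []
    for item in json.loads(report_list_json)["items"]:
        meta, report = item["metadata"], item["report"]
        for vuln in report.get("vulnerabilities", []):
            sev = vuln.get("severity", "UNKNOWN")
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
            if rank <= cutoff and vuln.get("fixedVersion"):
                rows.append((meta["namespace"], meta["name"], vuln["vulnerabilityID"],
                             vuln["resource"], vuln["installedVersion"], vuln["fixedVersion"]))
    return rows

if __name__ == "__main__":
    print(dict(severity_totals(SAMPLE_REPORTS)))
    for row in fixable_findings(SAMPLE_REPORTS):
        print(" ".join(row))
```

To run it against a live cluster, replace SAMPLE_REPORTS with the output of `kubectl get vulnerabilityreports -A -o json`.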


Troubleshooting

Scans are slow or timing out

Solution: Increase timeout and reduce concurrency

--set operator.scanJobTimeout=10m \
--set operator.scanJobsConcurrentLimit=5

Running out of cluster resources

Solution: Reduce scanner resource limits

--set trivy.resources.limits.cpu=200m \
--set trivy.resources.limits.memory=256Mi \
--set trivy.slow=true

Can't pull images from private registries

Solution: Configure registry secrets using a values file (recommended)

Create registry-values.yaml:

operator:
  privateRegistryScanSecretsNames:
    default: "my-registry-secret"

Deploy:

helm upgrade dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  -f registry-values.yaml \
  --reuse-values

# Restart operator
kubectl rollout restart deployment/dakr-security -n dakr-security-system

Make sure the secret exists:

kubectl get secret my-registry-secret -n default

Alternative: Use --set-json (Helm 3.10 or newer; plain --set parses a value starting with { as a list, not a map)

helm upgrade dakr-security \
  oci://registry-1.docker.io/devzeroinc/dakr-security \
  --version <CHART_VERSION> \
  --namespace dakr-security-system \
  --set-json 'operator.privateRegistryScanSecretsNames={"default":"my-registry-secret"}' \
  --reuse-values

Operator logs show configuration errors

Solution: Check operator logs

kubectl logs -n dakr-security-system deployment/dakr-security --tail=100

Need Help?

  • View operator logs: kubectl logs -n dakr-security-system deployment/dakr-security
  • Check scan job status: kubectl get jobs -n dakr-security-system
  • Contact DevZero support for assistance