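---
# Trivy running in server mode for artifact-keeper. Scan clients connect on
# port 8090 inside the cluster. `trivy server` accepts any client unless a
# shared secret is configured (`--token` / `--token-header`), so reachability
# of this pod should be limited to the components that actually scan
# (e.g. a NetworkPolicy scoped to the namespace's API pods).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trivy
  namespace: artifact-keeper
  labels:
    app.kubernetes.io/name: artifact-keeper
    app.kubernetes.io/instance: ak
    app.kubernetes.io/part-of: artifact-keeper
    app.kubernetes.io/component: trivy
spec:
  replicas: 1
  # Recreate rather than RollingUpdate: the pod mounts two PVCs, and a rolling
  # update would try to run the old and new pod against them concurrently.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: artifact-keeper
      app.kubernetes.io/instance: ak
      app.kubernetes.io/component: trivy
  template:
    metadata:
      labels:
        app.kubernetes.io/name: artifact-keeper
        app.kubernetes.io/instance: ak
        app.kubernetes.io/component: trivy
    spec:
      # The scanner has no reason to call the Kubernetes API; keep the
      # service-account token out of the container filesystem.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10000
        # fsGroup makes the mounted volumes group-writable by the trivy user,
        # which the cache PVC needs.
        fsGroup: 10000
        # Added: the Restricted Pod Security Standard requires an explicit
        # seccomp profile; without it the pod fails `restricted` admission.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: trivy
          # Pinned by tag only. For a reproducible supply chain prefer pinning
          # by digest (image@sha256:<digest-placeholder>) and update it alongside
          # the tag.
          image: "aquasec/trivy:0.62.1"
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command: ["trivy"]
          # Listens on all pod interfaces; the cache dir is the PVC mounted
          # below so the vulnerability DB survives restarts.
          args:
            - server
            - --listen
            - "0.0.0.0:8090"
            - --cache-dir
            - /home/trivy/.cache
          ports:
            - name: http
              containerPort: 8090
              protocol: TCP
          resources:
            limits:
              cpu: "1"
              memory: 2Gi
            requests:
              cpu: 250m
              memory: 256Mi
          # Both probes only check that the port accepts a TCP connection.
          # NOTE(review): trivy server also serves GET /healthz, which would
          # make the probes reflect application readiness rather than just
          # socket liveness — confirm against the pinned version before
          # switching.
          readinessProbe:
            tcpSocket:
              port: 8090
            initialDelaySeconds: 15
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
          livenessProbe:
            tcpSocket:
              port: 8090
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          # With readOnlyRootFilesystem the only writable paths are the cache
          # PVC and the bounded /tmp emptyDir.
          volumeMounts:
            - name: trivy-cache
              mountPath: /home/trivy/.cache
            - name: tmp
              mountPath: /tmp
            # Read-only: the scanner inspects artifacts here but must not be
            # able to alter them. Presumably populated by another component
            # sharing the claim — verify against the producer's manifest.
            - name: scan-workspace
              mountPath: /scan-workspace
              readOnly: true
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 256Mi
        - name: trivy-cache
          persistentVolumeClaim:
            claimName: trivy-cache
        - name: scan-workspace
          persistentVolumeClaim:
            claimName: scan-workspace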