Skip to content



The two best known Kubernetes Security Benchmarks are CIS and NSA. As part of their work, they have released a set of recommendations for configuring Kubernetes clusters and workloads.

CIS (Center for Internet Security) benchmarks consists of secure configuration guidelines developed for Kubernetes. These include not only the running workloads but also the Kubernetes infrastructure set-up. CIS benchmarks are documented here.

NSA and CISA's guidance details recommendations to harden Kubernetes systems. Primary actions include the scanning of containers and Pods for vulnerabilities or misconfigurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. NSA/CISA's Kubernetes Hardening Guidance report is available here.

This recipe describes how customers can standardize the deployment of the Trivy Operator, and generate CIS and NSA compliance reports.

What Will You Do

In this exercise,

  • You will create the Trivy Operator add-on using Trivy's official Helm chart
  • You will use the add-on in a custom cluster blueprint
  • You will then apply this cluster blueprint to a managed cluster
  • You will then query the Kubernetes benchmark reports generated by the Trivy Operator


  • You have already provisioned or imported one or more Kubernetes clusters using the controller.

Step 1: Create the Trivy Operator add-on

1.1: Create Repository

  • Log into the Web Console and navigate to your project as an Org admin or an Infrastructure Admin
  • Under Integrations, select Repositories
  • Create a New Repository
  • Provide a name (e.g. trivy-helm-repo) and select type as Helm, click on Create

Create Repository

Create Repository

1.2: Create Custom Catalog

  • Navigate to the Catalog section, select Manage Catalogs
  • Create a New Catalog
  • Provide a name (e.g. trivy-catalog) and select the repo (e.g. trivy-helm-repo) created as part of the previous step

Create Catalog

  • Click on Sync Catalog
  • Helm charts are now synced to the Custom Catalog, we will use the Trivy Operator Helm chart for this exercise

Create Catalog

1.3: Create Namespace

You will now create a managed namespace from the controller for the Trivy Operator.

  • Navigate to Infrastructure -> Namespaces
  • Click on New Namespace
  • Provide a name (e.g. trivy-system) and select type as Wizard
  • Click Save

Create Namespace

  • Click "Save & Go To Placement"
  • Select one of your clusters for placement
  • Click "Save & Go To Publish"
  • Click "Publish"
  • Click "Exit"

Publish Namespace

1.4: Create custom Add-on

In this step, you will create a custom cluster add-on from the Catalog. The add-on will then be used in a custom cluster blueprint.

  • Navigate to Add-Ons under the Infrastructure section
  • Create a New Add-On, select the Create New Add-On from Catalog option

Create Add-On

  • Search for trivy-operator

Create Add-On

  • Click Create Add-On
  • Provide a name (e.g. trivy-operator) and select the namespace (trivy-system) created as part of the previous step
  • Click Create

Create Add-On

  • Enter v1 for the version name
  • Click Save Changes

Create Add-On

Step 2: Create Blueprint

In this step, you will create a custom cluster blueprint which contains the previously created add-on.

  • Navigate to Blueprints under the Infrastructure section
  • Click New Blueprint
  • Provide a name (e.g. test-blueprint), select type as Custom Blueprint
  • Click Save

Create Blueprint

  • Enter v1 for the version name
  • Select minimal for the base blueprint
  • Click Configure Add-Ons
  • Click the + symbol to add the trivy-operator add-on to the blueprint
  • Click Save Changes

Create Blueprint

  • Click Save Changes

Step 3: Apply Bluprint

In this step, you will apply the previously created blueprint to the cluster. Applying the blueprint will install the Trivy operator.

  • Navigate to Infrastructure -> Clusters
  • Click the gear icon on your cluster
  • Select Update Blueprint
  • Select the blueprint created as part of the previous step (e.g. test-blueprint) and v1 for the version
  • Click Save and Publish

Apply Blueprint

  • Click Exit

Step 4: Query benchmark reports

4.1 Verify installation of Trivy Operator

  • Navigate to Infrastructure -> Clusters
  • Initiate a KubeCTL session through the web console


  • Run the following command
kubectl get all -n trivy-system

The output should be similar to below.


4.2 Query reports

Once you have verified that everything is running correctly, you should be able to query the Kubernetes benchmark reports generated by the Trivy Operator.

kubectl get clustercompliancereport


  • NSA report
kubectl get clustercompliancereport nsa -o yaml


  • CIS report
kubectl get clustercompliancereport cis -o yaml


Step 5: Aggregating Results across fleet of clusters

With 10s or 100s of clusters organization wide, it is critical to have the means to centrally aggregate CIS benchmark reports to demonstrate "compliance" to the auditors. By default, the Trivy operator scans the cluster every 6 hours. Each scan results in an updated cluster compliance report that can be downloaded as described below.

You can use Rafay's Zero Trust Kubectl as the means to securely access their fleet of clusters to centrally aggregate the CIS Benchmark reports.

For example, an external pipeline can download the consolidated kubeconfig with all cluster contexts to retrieve the CIS scan results in seconds. See visual below for an illustrative example.

    participant siem as Splunk
    participant pipe as Pipeline
    participant rafay as Rafay Controller
    participant cluster as Cluster Fleet

    loop Every "x" Hours
      pipe ->> rafay: Download consolidated kubeconfig
      loop Every Cluster
        pipe ->> rafay: Retrieve CIS scan report from each cluster <br> using Rafay's zero trust kubectl
        rafay ->> cluster: Retrieve CIS scan report
        pipe ->> siem: Store CIS scan report

You can aggregate the reports in your organization's preferred CMDB such as Service Now or enterprise security platform such as Splunk. This ensures that the compliance team has visibility and access to every compliance report right from the birth of each cluster.


Congratulations! You have successfully created a custom cluster blueprint with Trivy Operator as a custom add-on. You can now use this blueprint on as many clusters as you require and query/generate and aggregate NSA and CIS compliance reports.