DEV Community: Jeg

Trivy command lines

Jeg — Wed, 11 Feb 2026 04:41:37 +0000

trivy image nginx:1.23.2-perl

The above command will scan by updating the vulnerability database, which takes around one minute.
Shortly after, a flood of scan results is displayed.

Each result includes the following columns from left to right:

Library: The name of the library or package that contains the vulnerability
Vulnerability: The identifier of the vulnerability in the CVE (Common Vulnerabilities and Exposures) database
Severity: The severity of the vulnerability as determined by the CVSS (Common Vulnerability Scoring System) score and categorized into UNKNOWN, LOW, MEDIUM, HIGH, and CRITICAL
Installed Version: The version of the library or package that is installed in the image
Fixed Version: The version of the library or package that fixes the vulnerability
Title: The title of the vulnerability and a link to more details

Reissuing the same command:

trivy image nginx:1.23.2-perl

The vulnerability database is cached and the command completes much faster the second time.

You will have to determine what level of severity is acceptable for your organization.
You can filter the vulnerabilites by severity using the --severity option.

trivy image --severity HIGH,CRITICAL nginx:1.23.2-perl

The list of vulnerabilities is much shorter and only includes the vulnerabilities that are of high or critical severity.
As time goes on, new vulnerabilities are discovered and the list may grow.
That is why it is important to keep periodically scan your images to have a current understanding of risk.

trivy image nginx:1.23.2-alpine

The scan results are much shorter because the alpine image is based on a much smaller base image containing fewer libraries and packages.

The alpine image is said to have a smaller attack surface than the perl image.

trivy image --format json --output /home/ubuntu/nginx.json nginx:1.23.2-alpine
Scan results can be saved to a JSON file for future analysis.

Scan container images used by pods running in a Kubernetes namespace

Jeg — Tue, 10 Feb 2026 06:17:10 +0000

Below is a shell script that will scan all the images in the kubernetes-dashboard namespace and save the results to JSON files:

cat << 'EOF' > scan_images.sh

#!/bin/bash

namespace="kubernetes-dashboard"
# create a directory for the scan results
mkdir -p $namespace 

# get a list of all the images used by Pods in the Namespace
images=($(kubectl get pods -n $namespace -o jsonpath='{.items[*].spec.containers[*].image}' | sort | uniq))

# loop through the images and scan each one
for image in ${images[@]}; do
    echo "Scanning image: $image"
    # Scan the image with --scanners vuln to skip scanning for secrets to speed up the scan (for demonstration purposes)
    trivy image --severity HIGH,CRITICAL $image --scanners vuln --quiet --format json --output $namespace/$(basename $image).json
done

EOF

The script uses a kubectl command to get a list of all the images used by Pods in the kubernetes-dashboard Namespace.

The script could be modified to scan all the images in the cluster but only one Namespace is considered to reduce the amount of time.

bash scan_images.sh

The results are saved to JSON files.

Kyverno - Namespace restriction policy

Jeg — Sun, 11 May 2025 06:56:24 +0000

Following are the helm commands to install kyverno using helm:


helm repo add kyverno https://kyverno.github.io/kyverno
helm repo update
helm install kyverno kyverno/kyverno -n kyverno --create-namespace

To uninstall kyverno from helm:
helm uninstall kyverno -n kyverno

Chart version: 3.4.1
Kyverno version: v1.14.1

The following components will get installed in the cluster:

CRDs
Admission controller
Reports controller
Cleanup controller
Background controller

kyverno.yaml:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
  - name: require namespace standard names
    match:
      any:
      - resources:
          kinds:
          - Namespace
    validate:
      failureAction: Enforce
      message: "You must have the proper naming standard for namespace creation"
      pattern:
        metadata:
            name: dev

Adding multiple values with "or" condition for the namespace names:


apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-restriction
spec:
  rules:
  - name: require namespace standard names
    match:
      any:
      - resources:
          kinds:
          - Namespace
    validate:
      failureAction: Enforce
      message: "You must have the proper naming standard for namespace creation"
      pattern:
        metadata:
            name: app-poc-* | app-prod-* | app-test*

kubectl get ClusterPolicy
NAME                    ADMISSION   BACKGROUND   READY   AGE     MESSAGE

namespace-restriction   true        true         True    2m49s   Ready

The namespace yaml is now created with a different namespace name:

namespace.yaml:


apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    name: development

Following is the error thrown:

Error from server: error when creating "namespace.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 

resource Namespace//development was blocked due to the following policies 

namespace-restriction:
  require namespace standard names: 'validation error: You must have the proper naming
    standard for namespace creation. rule require namespace standard names failed
    at path /metadata/name/'

By applying the policy, the existing pods and namespace will not get disturbed. The cluster policy is for the entire cluster.

Yaml file to install kyverno from Argocd:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno
  namespace: argocd
spec:
  destination:
    namespace: kyverno
    server: https://kubernetes.default.svc
  project: default
  source:
    chart: kyverno
    repoURL: https://kyverno.github.io/kyverno
    targetRevision: 3.4.1
  syncPolicy:
    automated:
      prune: true
      selfHeal: false
    syncOptions:
      - CreateNamespace=true
      - Replace=true

Docker: [output clipped, log limit 2MiB reached]

Jeg — Thu, 29 Feb 2024 14:27:11 +0000

Sometimes the builds inititated from Dockerfile would be taking longer time to complete than usual. This depends on the step we write in the Dockerfile and the process it would take to complete that particular step as a layer.

If an entire project wants to get built as a docker image then we may end up with log limiting issues in docker depending on the specification of the VM where the docker is installed.

If an error pops up like: "docker clipped log limit", please follow the configuration provided below to get it resolved.

Configuration to be added in the docker.service file.

Navigate to the below location:
/etc/systemd/system/multi-user.target.wants/

edit the file "docker.service"

Then, under the [Service] tag, add the environment variables:
Environment="BUILDKIT_STEP_LOG_MAX_SIZE=95971520"
Environment="BUILDKIT_STEP_LOG_MAX_SPEED=7048576"

This would increase the log size in docker.

Kubernetes memory management across node pools

Jeg — Thu, 22 Feb 2024 06:30:54 +0000

CPU and Memory is not shared to aks-nodepool1-13324706-vmss000032 node.

The reason is that, we have two different node pools. So memory cannot be shared across two node pools. It can only be shared across nodes.

So we may need to have single nodepool with nodes to share the memory or use tool called Karpenter (deploy as pods) to share the memory across multiple node pools or configure pods to deploy in specific nodes or use autoscaling.

Azure pipelines - Passing variables across stages

Jeg — Sat, 17 Feb 2024 10:50:43 +0000

The following code block explains passing the variable 'agentvalue' to the StopVM stage.

Code explanation:

In the StartVM stage, the variable 'agentvalue' is declared and the agentname value is assigned to the variable 'agentvalue'. Task name 'setagentname' has to be defined for the task if a variable is defined.

In the StopVM stage, the variable called 'VirtualMachine' is created to access the output of agentvalue. The 'VirtualMachine' is accessed only within that stage.
Any variable can only be accessed within that stage after defined.

The dependsOn condition on the StopVM stage is dependent with StartVM and Cleanup stages to complete their executions to continue with StopVM stage.

By default in azure pipelines, the second stage is dependent to the first stage - third to second and so on. If we have only the second stage (Build stage) and StopVM stage, then these two stages will be executed parallely once StartVM stage is completed.

Syntax:

To use the output from a different stage, the format for referencing variables is stageDependencies.STAGE.JOB.outputs['TASK.VARIABLE']

To reference a variable from a task from a different job, use dependencies.JOB.outputs['TASK.VARIABLE']

# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
  - none 

name: $(TeamProject)-$(SourceBranchName)-$(Build.BuildId)-$(Hours)$(Minutes)$(Seconds)-$(Date:yyyyMMdd)$(Rev:.r)

pool:
  name: test

parameters:
- name: WarGeneration
  displayName: Run WarGeneration
  type: boolean
  default: false

stages:
- stage: StartVM
  displayName: StartVM
  jobs:
  - job: StartVM
    timeoutInMinutes: 0
    displayName: StartVM
    pool:
      name: Azure Pipelines
    steps:
    - checkout: none
    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'xxx'
        KeyVaultName: 'xxx'
        SecretsFilter: 'xxx,yyy'
        RunAsPreJob: true
    - task: CmdLine@2
      inputs:
        script: |
          az login --service-principal --username $(xxx) --password $(xxx)  --tenant $(xxx)
                                                      flag=true;
                                                          echo $flag
                                                          while ($flag); do
                                                          vmstatusvm1=`az vm show -g xxx -n vm1 -d --query powerState -o tsv`
                                                          vmnamevm1=`az vm show -g xxx -n vm1 -d --query name -o tsv`
                                                          vmstatusvm2=`az vm show -g xxx -n vm2 -d --query powerState -o tsv`
                                                          vmnamevm2=`az vm show -g xxx -n vm2 -d --query name -o tsv`

                                                          if [[ $vmstatusvm1 == 'VM deallocate' && $vm1 == 'vm1' ]]; then
                                                            agentname=vm1
                                                            echo $agentname
                                                            az vm start --resource-group xxx --name $agentname
                                                            echo "##vso[task.setvariable variable=agentvalue;isOutput=true]$agentname"
                                                            flag=false
                                                           elif [[ $vmstatusvm2 == 'VM deallocated' && $vm2 == 'vm2' ]]; then
                                                            agentname=vm2
                                                            echo $agentname
                                                            az vm start --resource-group xxx --name $agentname
                                                            echo "##vso[task.setvariable variable=agentvalue;isOutput=true]$agentname"
                                                            flag=false
                                                          else
                                                            echo "There are no VM's available to trigger a new build."
                                                          fi  
                                                          done


      name: setagentname    



- stage: Build
  displayName: Build stage
  jobs:
  - job: Build
    timeoutInMinutes: 0
    displayName: Build
    steps:
    - checkout: none
    - task: Bash@3
      inputs:
        targetType: 'inline'
        script: |
          echo "Printing virtual none"

- ${{ if eq(parameters.WarGeneration, true) }}:
  - stage: WarGeneration
    displayName: WarGeneration
    jobs:
    - job: War
      timeoutInMinutes: 0 
      displayName: War
      pool:
        name: test
        demands:
        - Agent.OS -equals Linux
      steps:
      - checkout: none            
      - task: AzureKeyVault@2
        inputs:
          azureSubscription: 'xxx'
          KeyVaultName: 'xxx'
          SecretsFilter: 'xxx'
          RunAsPreJob: true

- stage: Cleanup
  displayName: Cleanup stage
  condition: always()
  jobs:
  - job: CleanupJob
    timeoutInMinutes: 0 
    displayName: Cleanup Job
    pool:
     name: test
     demands:
     - Agent.OS -equals Linux
    steps:
      - checkout: none    
      - task: PowerShell@2
        displayName: Cleanup Task
        inputs:
          targetType: 'inline'
          script: |
            echo "Cleanup"

- stage: StopVM
  displayName: StopVM stage
  dependsOn:
  - StartVM
  - Cleanup
  condition:  always()
  variables:
    - name: VirtualMachine
      value: $[ stageDependencies.StartVM.StartVM.outputs['setagentname.agentvalue'] ]
  jobs:
  - job: StopVM
    timeoutInMinutes: 0
    displayName: StopVM
    pool:
      name: Azure Pipelines
    steps:
    - checkout: none
    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'xxx'
        KeyVaultName: 'xxx'
        SecretsFilter: 'xxx,yyy'
        RunAsPreJob: true

    - task: Bash@3
      inputs:
        targetType: 'inline'
        script: |
         az login --service-principal --username $(xxx) --password $(xxx)  --tenant $(xxx)
         az vm deallocate --resource-group xxx --name $(VirtualMachine)

Reference link:

[Use outputs in a different stage - section from link]
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/variables?view=azure-devops&tabs=yaml%2Cbatch#set-in-script

Creating user with an expiry date in Linux

Jeg — Sat, 11 Nov 2023 10:47:09 +0000

Steps to create an user with an expiry date in Linux:

sudo useradd -e YYYY-MM-DD username

useradd is a command used to add a new user account.
-e YYYY-MM-DD specifies the expiry date for a new user account.

Reference Link: https://www.geeksforgeeks.org/creating-a-user-with-an-expiry-date-in-linux/

Disabling root login [CentOs]

Jeg — Fri, 10 Nov 2023 01:57:41 +0000

To disable the root login [CentOs]:

sudo passwd root [to change the password for root user if needed].

sudo vi /etc/ssh/sshd_config
PermitRootLogin no
sudo systemctl restart sshd

ssh root@ip;
You should not be allowed to login [Permission denied, error]

Reference URL: https://www.tecmint.com/disable-ssh-root-login-in-linux/

Creating Linux user without home directory

Jeg — Sat, 04 Nov 2023 15:37:12 +0000

To create a linux user without home directory:

sudo useradd --no-create-home john
or
sudo useradd -M john

sudo: Grants administrative privileges.
useradd: Adds a new user
-M or --no-create-home: Skips creating a home directory for the new user.
john: Creates a new user named john.

Reference URL: https://linuxsimply.com/ubuntu-create-user-without-home-directory/

Create a group - Linux

Jeg — Tue, 31 Oct 2023 04:18:04 +0000

To Create a group:
Syntax: sudo groupadd groupname

To add the user to the group:
Syntax: sudo usermod -a -G groupname username

To create the user:
Syntax: sudo useradd username

Reference URL's:

https://linuxize.com/post/how-to-add-user-to-group-in-linux/
https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/

Create user in Linux and set its UID and home directory

Jeg — Tue, 24 Oct 2023 06:32:05 +0000

To create a user named james and set its UID to 1859 and home directory to /var/www/james

By default useradd creates the user’s home directory in /home. If you want to create the user’s home directory in other location, use the d (--home) option.

On most Linux distributions, when creating a new user account with useradd, the user’s home directory is not created.

Use the -m (--create-home) option to create the user home directory as /home/username:

sudo useradd -m username

sudo useradd -u 1859 -m -d /var/www/james james

To verify id of an user
id -u username

To change after creating user
sudo usermod -u 1859 kirsty

Reference link: https://linuxize.com/post/how-to-create-users-in-linux-using-the-useradd-command/

Getting the latest tagged image to the AKS cluster while deploying the application

Jeg — Tue, 25 Oct 2022 05:37:26 +0000

I came across a scenario where the application is developed and built as a docker image with the tag (xxx.azurecr.io/sampleimage:latest). Then the built docker image is pushed to the Azure container registry.

The pushed docker image is then deployed in the AKS cluster using kubectl apply -f filename.yaml

Now, the code base is updated and the docker image is also updated with the same tag (xxx.azurecr.io/sampleimage:latest) and pushed to the container registry. The container registry is now having an image with the latest code base.

For the latest image (the one which is updated 2nd time - as mentioned above) to get deployed in the AKS cluster, we need to use imagePullPolicy as Always in the yaml files. If it is not set, the AKS cluster would only take the already available image (the one which is pushed first) from the cluster.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-tomcat-helloworld
  labels:
    app: test-tomcat-helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-tomcat-helloworld
  template:
    metadata:
      labels:
        app: test-tomcat-helloworld
    spec:
      containers:
      - name: test-tomcat-helloworld
        image: cicdcontainervol.azurecr.io/test-tomcat-helloworld:v1
        imagePullPolicy: Always
        resources:
          limits:
            memory: "2Gi"
            cpu: "1200m"
        ports:
        - containerPort: 8080
      imagePullSecrets:
      - name: secret
---
apiVersion: v1
kind: Service
metadata:
    name: test-tomcat-helloworld
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
    type: LoadBalancer
    loadBalancerIP: xx.xx.xxx.xx
    ports:
    - port: 8080
      targetPort: 8080
    selector:
        app: test-tomcat-helloworld