Kubernetes API Service Account
To add the Kubernetes API to your Cloudhouse Guardian (Guardian) instance for Agentless scanning, you need a service account with the correct (read-only) permissions; this is what allows the node to be added to Guardian for monitoring. The service account is then used to generate the bearer token that Guardian presents to authenticate its access to the API.
Tip: For more information on how to add the Kubernetes API node to Guardian, see Kubernetes API Node.
Bearer Token
The bearer token is required to add the Kubernetes API to Guardian, as it is used to collect and report information about your Kubernetes cluster. To generate the bearer token, use the following manifest file.
Note: In the example below, the file has been saved as 'cluster-scan-manifest.yaml'.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: guardian
  namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: guardian-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: guardian
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: guardian-cluster-view-all
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  - nonResourceURLs:
      - '*'
    verbs:
      - get
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: guardian-cluster-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: guardian-cluster-view-all
subjects:
  - kind: ServiceAccount
    name: guardian
    namespace: default
To apply the above manifest to your cluster, run the following command.
kubectl apply -f cluster-scan-manifest.yaml
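Before handing the token to Guardian, it is worth confirming two things: that the Secret has actually been populated with a token, and that the ClusterRole still grants nothing beyond get/list/watch. The following Python is an added example (not part of this page or of Cloudhouse's own tooling) that works on the JSON shape `kubectl get ... -o json` returns for the Secret and ClusterRole above; the Secret contents and the token value are constructed placeholders.

```python
import base64
import json

READ_ONLY_VERBS = {"get", "list", "watch"}

# Constructed placeholder; a real token is a signed JWT issued by the cluster.
PLACEHOLDER_TOKEN = "eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER.signature"

# Constructed stand-in for:  kubectl get secret guardian-token -n default -o json
SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "guardian-token", "namespace": "default",
                 "annotations": {"kubernetes.io/service-account.name": "guardian"}},
    "type": "kubernetes.io/service-account-token",
    "data": {"token": base64.b64encode(PLACEHOLDER_TOKEN.encode()).decode()},
})

# Constructed stand-in for:  kubectl get clusterrole guardian-cluster-view-all -o json
CLUSTER_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "guardian-cluster-view-all"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
        {"nonResourceURLs": ["*"], "verbs": ["get", "watch"]},
    ],
})

def bearer_token_from_secret(secret_json: str) -> str:
    """Decode the base64 token the token controller wrote into the Secret."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("expected a kubernetes.io/service-account-token Secret")
    if "token" not in secret.get("data", {}):
        raise ValueError("token not populated yet; the controller fills it in shortly after apply")
    return base64.b64decode(secret["data"]["token"]).decode()

def auth_header(token: str) -> dict:
    """The header Guardian sends to the API server once the token is configured."""
    return {"Authorization": f"Bearer {token}"}

def rules_beyond_read_only(cluster_role_json: str) -> list:
    """Rules whose verbs exceed get/list/watch; a '*' verb counts as exceeding."""
    role = json.loads(cluster_role_json)
    return [rule for rule in role.get("rules", [])
            if set(rule.get("verbs", [])) - READ_ONLY_VERBS]
```

An empty result from `rules_beyond_read_only` means the role as applied is still view-only; any rule it returns is one to revisit before the token is used.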