!!! info "Directory Context" This document is part of the Infrastructure Directory. See the Infrastructure Directory Inventory for related resources.
The scanner-infrastructure chart creates and manages the service accounts used for container scanning operations. A service account is the identity with which the scanner authenticates to the Kubernetes API; what that identity is allowed to do is decided separately, by the Role it is bound to through RBAC.
The chart creates a dedicated service account for scanning operations:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inspec-scanner
  namespace: scanning-namespace
```
This service account:
- Acts as the identity for all scanning operations
- Is bound to a Role that grants only the permissions scanning needs
- Is created in the target namespace, the namespace whose containers are scanned
The chart supports token generation for service account authentication:
```bash
# Generate kubeconfig with time-limited token
./kubernetes-scripts/generate-kubeconfig.sh scanning-namespace inspec-scanner ./kubeconfig.yaml
```
This process:
- Creates a short-lived token (typically 1 hour)
- Writes a kubeconfig that uses that token as its only credential
- Provides temporary access for scanning; the token expires on its own and, short of deleting the service account, cannot be revoked early, which is why its lifetime should be kept short
For EKS clusters using IAM Roles for Service Accounts (IRSA), annotate the service account with the role ARN. Note the escaped dots in the annotation key: without the backslashes Helm would split `eks.amazonaws.com/role-arn` into nested keys instead of treating it as one annotation name (putting the annotations in a values file passed with `-f` avoids the escaping altogether):
```bash
# Create IAM role with proper permissions first, then:
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=scanning-namespace \
  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"=arn:aws:iam::123456789012:role/scanner-role
```
For GKE clusters with Workload Identity, annotate the service account with the GCP service account it should impersonate (same escaping rule for the dots in the key):
```bash
# Create GCP service account and bind IAM policy first, then:
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=scanning-namespace \
  --set serviceAccount.annotations."iam\.gke\.io/gcp-service-account"=[email protected]
```
For AKS clusters, the annotation below is the one used by Azure AD Workload Identity (the older AAD Pod Identity selected identities with a pod label rather than a service account annotation):
```bash
# Create Azure identity first, then:
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=scanning-namespace \
  --set serviceAccount.annotations."azure\.workload\.identity/client-id"=00000000-0000-0000-0000-000000000000
```
For multi-team environments, install the chart once per team, each release with its own target namespace and service account name:
```bash
# Team A service account
helm install team-a-scanner-infra ./helm-charts/scanner-infrastructure \
  --set targetNamespace=team-a-namespace \
  --set serviceAccount.name=team-a-scanner

# Team B service account
helm install team-b-scanner-infra ./helm-charts/scanner-infrastructure \
  --set targetNamespace=team-b-namespace \
  --set serviceAccount.name=team-b-scanner
```
Parameter | Description | Default | Required |
---|---|---|---|
serviceAccount.create | Create service account | true | No |
serviceAccount.name | Service account name | inspec-scanner | No |
serviceAccount.annotations | Service account annotations | {} | No |
serviceAccount.labels | Service account labels | {} | No |
serviceAccount.automountToken | Automount API token | true | No |
serviceAccount.imagePullSecrets | Image pull secrets | [] | No |
Configure the time-to-live (in seconds) of the tokens generated for the service account; shorter lifetimes limit how long a leaked kubeconfig stays usable:
```bash
helm install scanner-infrastructure ./helm-charts/scanner-infrastructure \
  --set targetNamespace=scanning-namespace \
  --set serviceAccount.tokenTTL=900 # 15 minutes in seconds
```
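The following is an added example, not the chart's own `generate-kubeconfig.sh`, covering both the token generation step above and the TTL setting: it requests a bound token for the scanner service account with `kubectl create token`, reads the `sub`, `iat` and `exp` claims from the token itself to confirm that it belongs to the expected identity and that the issuer granted no more lifetime than intended (the API server may issue a different lifetime than requested, so checking the granted value matters), writes a kubeconfig that contains only that token with owner-only permissions, and removes it afterwards. The cluster URL, CA data and file path in the usage section are hypothetical; the sample token built by `make_test_token` is constructed for offline checks and is not a real signed token.

```python
"""Added example: mint, vet, use and discard a short-lived scanner token."""
import base64
import json
import os
import subprocess


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature. This is local
    inspection only; the API server is what actually validates the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime_seconds(token: str) -> int:
    """Lifetime the issuer actually granted: exp minus iat."""
    claims = jwt_claims(token)
    return int(claims["exp"]) - int(claims["iat"])


def token_problems(token: str, namespace: str, sa: str, max_seconds: int) -> list:
    """List reasons to refuse the token (empty list means acceptable).
    Bound tokens carry sub=system:serviceaccount:<namespace>:<name>."""
    problems = []
    claims = jwt_claims(token)
    expected = f"system:serviceaccount:{namespace}:{sa}"
    if claims.get("sub") != expected:
        problems.append(f"subject {claims.get('sub')!r} is not {expected!r}")
    lifetime = token_lifetime_seconds(token)
    if lifetime > max_seconds:
        problems.append(f"lifetime {lifetime}s exceeds the {max_seconds}s limit")
    return problems


def mint_token(namespace: str, sa: str, ttl_seconds: int) -> str:
    """Request a bound token via the TokenRequest API (kubectl >= 1.24)."""
    cmd = ["kubectl", "create", "token", sa, "-n", namespace,
           f"--duration={ttl_seconds}s"]
    return subprocess.run(cmd, check=True, capture_output=True,
                          text=True).stdout.strip()


def render_kubeconfig(server: str, ca_data_b64: str, token: str,
                      namespace: str, user: str) -> str:
    """Minimal kubeconfig whose only credential is the token. JSON string
    literals are valid YAML double-quoted scalars, so json.dumps quotes safely."""
    q = json.dumps
    return "\n".join([
        "apiVersion: v1", "kind: Config", "clusters:", "- name: scan-target",
        "  cluster:", f"    server: {q(server)}",
        f"    certificate-authority-data: {q(ca_data_b64)}",
        "users:", f"- name: {q(user)}", "  user:", f"    token: {q(token)}",
        "contexts:", "- name: scan", "  context:", "    cluster: scan-target",
        f"    user: {q(user)}", f"    namespace: {q(namespace)}",
        "current-context: scan", "",
    ])


def write_kubeconfig(path: str, content: str) -> str:
    """Create the file owner-only (0600), refusing to overwrite an existing one;
    returns the resulting permission bits as an octal string."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return oct(os.stat(path).st_mode & 0o777)


def remove_kubeconfig(path: str) -> bool:
    """Delete the token file after the scan; True only if a file was removed."""
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def make_test_token(claims: dict) -> str:
    """CONSTRUCTED for offline checks only: a JWT-shaped string with a dummy
    signature. Real bound tokens are signed by the API server's key."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "test"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Hypothetical cluster details; the 900 s TTL matches the chart example.
    ns, sa, ttl = "scanning-namespace", "inspec-scanner", 900
    tok = mint_token(ns, sa, ttl)
    if token_problems(tok, ns, sa, ttl):
        raise SystemExit(token_problems(tok, ns, sa, ttl))
    cfg = render_kubeconfig("https://kube-api.example:6443", "LS0tLS1CRUdJTi4uLg==",
                            tok, ns, sa)
    print(write_kubeconfig("./kubeconfig.yaml", cfg))
```

Run it where `kubectl` already has admin access to the target namespace; the printed `0o600` confirms the kubeconfig was created with owner-only permissions. Call `remove_kubeconfig("./kubeconfig.yaml")` once the scan has finished, exactly as the CI cleanup step does.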
For automated scanning in CI/CD pipelines (shown here in GitLab CI syntax), generate a fresh token for every job and delete the kubeconfig when the job ends; `after_script` runs whether or not the scan step succeeded, so the token file is removed even on failure:
```yaml
# Ensure fresh token for each CI job
before_script:
  - ./kubernetes-scripts/generate-kubeconfig.sh ${NAMESPACE} ${SERVICE_ACCOUNT} ./kubeconfig.yaml
  - export KUBECONFIG=./kubeconfig.yaml

# Run scan
script:
  - ./kubernetes-scripts/scan-container.sh ${NAMESPACE} ${POD_NAME} ${CONTAINER_NAME} ./profiles/container-baseline

# Clean up token
after_script:
  - rm -f ./kubeconfig.yaml
```
- Use Dedicated Service Accounts: Create separate accounts for different teams or purposes, so one team's token never carries another team's permissions
- Limit Token Lifetime: Use short-lived tokens (15-60 minutes); a bound token cannot be revoked before it expires
- Avoid Persistent Credentials: Generate tokens only when needed instead of storing a long-lived kubeconfig
- Clean Up Tokens: Remove kubeconfig and token files after use
- Leverage Cloud IAM: Use cloud provider IAM integration when available
- Set Appropriate Annotations: Configure the provider-specific service account annotations for that integration