Connect Kubernetes
Create a read-only service account and connect your Kubernetes cluster to VikingCloud.
This guide shows you how to create a Kubernetes service account with read-only cluster access for VikingCloud. This works with any Kubernetes cluster including Amazon EKS, Google GKE, Azure AKS, and self-managed clusters.
What VikingCloud Scans in Kubernetes
| Resource Type | Examples |
|---|---|
| Core | Pods, Nodes, Services, ConfigMaps, Secrets, Namespaces, ServiceAccounts |
| Workloads | Deployments, ReplicaSets, StatefulSets, DaemonSets, Jobs, CronJobs |
| Networking | Ingresses, IngressClasses, NetworkPolicies |
| RBAC | Roles, RoleBindings, ClusterRoles, ClusterRoleBindings |
| Storage | StorageClasses, PersistentVolumes, PersistentVolumeClaims |
| Policy | PodSecurityPolicies, PodDisruptionBudgets |
| Admission | ValidatingWebhookConfigurations, MutatingWebhookConfigurations |
All access is read-only: VikingCloud cannot create, modify, or delete any resources in your cluster. Read access does include the contents of Secrets, so treat the token accordingly (see Security Notes below).
Method 1: kubectl (Recommended)
Step 1: Create the RBAC Configuration
Save the following as vikingcloud-k8s-rbac.yaml:
```yaml
# Namespace that holds only the scanner's service account and token Secret
apiVersion: v1
kind: Namespace
metadata:
  name: vikingcloud
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vikingcloud-scanner-sa
  namespace: vikingcloud
---
# Cluster-wide read-only role: get/list/watch only, no write verbs anywhere
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vikingcloud-scanner-reader
rules:
  - apiGroups: [""]
    # Note: "secrets" grants read access to every Secret value in the cluster
    resources: [pods, nodes, services, configmaps, secrets, namespaces, persistentvolumes, persistentvolumeclaims, serviceaccounts, endpoints, events, limitranges, resourcequotas]
    verbs: [get, list, watch]
  - apiGroups: ["apps"]
    resources: [deployments, replicasets, statefulsets, daemonsets]
    verbs: [get, list, watch]
  - apiGroups: ["batch"]
    resources: [jobs, cronjobs]
    verbs: [get, list, watch]
  - apiGroups: ["networking.k8s.io"]
    resources: [ingresses, ingressclasses, networkpolicies]
    verbs: [get, list, watch]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: [roles, rolebindings, clusterroles, clusterrolebindings]
    verbs: [get, list, watch]
  - apiGroups: ["policy"]
    # podsecuritypolicies was removed in Kubernetes 1.25. RBAC does not validate
    # resource names, so the entry is inert on newer clusters and kept for older ones.
    resources: [podsecuritypolicies, poddisruptionbudgets]
    verbs: [get, list]
  - apiGroups: ["storage.k8s.io"]
    resources: [storageclasses, volumeattachments]
    verbs: [get, list, watch]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
    verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vikingcloud-scanner-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vikingcloud-scanner-reader
subjects:
  - kind: ServiceAccount
    name: vikingcloud-scanner-sa
    namespace: vikingcloud
---
# Long-lived token Secret. Since Kubernetes 1.24 these are no longer created
# automatically; the token controller fills in .data.token for this Secret.
apiVersion: v1
kind: Secret
metadata:
  name: vikingcloud-scanner-token
  namespace: vikingcloud
  annotations:
    kubernetes.io/service-account.name: vikingcloud-scanner-sa
type: kubernetes.io/service-account-token
```
Step 2: Apply and Retrieve Credentials
```bash
# Apply the RBAC configuration
kubectl apply -f vikingcloud-k8s-rbac.yaml

# Wait for the token controller to populate the Secret. Secrets have no
# status conditions, so `kubectl wait --for=condition=ready` does not work
# on them; poll the token field instead (it normally appears within seconds).
until [ -n "$(kubectl get secret vikingcloud-scanner-token -n vikingcloud \
  -o jsonpath='{.data.token}' 2>/dev/null)" ]; do
  sleep 1
done

# Get the service account token
TOKEN=$(kubectl get secret vikingcloud-scanner-token -n vikingcloud \
  -o jsonpath='{.data.token}' | base64 -d)

# Get the cluster endpoint (API server URL of the current kubeconfig context)
ENDPOINT=$(kubectl config view --minify \
  -o jsonpath='{.clusters[0].cluster.server}')

echo "Cluster Endpoint: $ENDPOINT"
# This is a non-expiring bearer token with cluster-wide read access, Secrets
# included. Paste it into VikingCloud, then clear it from your terminal history.
echo "Token: $TOKEN"
```
Step 3: Enter Credentials in VikingCloud
- In VikingCloud, go to Settings > Connections
- Click Add Connection and select Kubernetes
- Enter the following:
| Field | Value |
|---|---|
| Cluster Endpoint | The endpoint URL from Step 2 |
| Service Account Token | The token from Step 2 |
| Cluster Name | A descriptive name (e.g., production-k8s or staging-eks) |
- Click Save
Method 2: Managed Kubernetes Console (GUI)
The cloud provider consoles do not replace the RBAC step. Use them to obtain kubectl credentials for the cluster, then apply the manifest and retrieve the token exactly as in Method 1.
Amazon EKS
- Go to the EKS Console
- Select your cluster
- Ensure you have kubectl configured: `aws eks update-kubeconfig --name your-cluster-name`
- Follow the kubectl steps above
Google GKE
- Go to the GKE Console
- Select your cluster
- Click Connect and copy the `gcloud` command to configure kubectl (it has the form `gcloud container clusters get-credentials your-cluster --region your-region`)
- Follow the kubectl steps above
Azure AKS
- Go to the AKS Console
- Select your cluster
- Configure kubectl: `az aks get-credentials --resource-group your-rg --name your-cluster`
- Follow the kubectl steps above
Verification
Verify the service account has the correct read-only access. These commands impersonate the service account with `--as`, so the identity you run them from needs the `impersonate` verb on `serviceaccounts` (cluster-admin has it); they test the RBAC rules, not the token itself.

```bash
# Should output: yes
kubectl auth can-i list pods \
  --as=system:serviceaccount:vikingcloud:vikingcloud-scanner-sa -A

# Should output: yes
kubectl auth can-i list deployments \
  --as=system:serviceaccount:vikingcloud:vikingcloud-scanner-sa -A

# Should output: yes
kubectl auth can-i list secrets \
  --as=system:serviceaccount:vikingcloud:vikingcloud-scanner-sa -A

# Should output: no (confirms read-only)
kubectl auth can-i create pods \
  --as=system:serviceaccount:vikingcloud:vikingcloud-scanner-sa -A
```
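The script below is an added example, not part of the VikingCloud documentation or its tooling, and pulls Step 2 and the verification above into one checked procedure. It polls the Secret until the token controller has populated it (Secrets cannot be waited on with `kubectl wait`), decodes the token's JWT claims offline to confirm the `sub` names `vikingcloud-scanner-sa` and that there is no `exp` claim (a token minted with `kubectl create token` is time-bound and would stop working within hours, while the Secret-based token never expires), and then exercises the real token against the API server with `kubectl auth can-i`, which needs no impersonation rights and checks exactly the credential you are about to hand over. The function names, the `RUN_LIVE` switch, and the two sample tokens are assumptions of this example; the sample tokens are constructed locally for the offline checks and are not signed by any cluster. The live part runs only with `RUN_LIVE=1` and a kubeconfig for the cluster.

```shell
#!/bin/sh
# Example helper for the vikingcloud-scanner-sa setup (not VikingCloud tooling).
set -eu

NS=vikingcloud
SECRET=vikingcloud-scanner-token
EXPECTED_SUB="system:serviceaccount:${NS}:vikingcloud-scanner-sa"

# --- offline JWT helpers ------------------------------------------------------

# Decode the payload (second segment) of a JWT: base64url -> base64, re-pad.
jwt_claims() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the "sub" claim, e.g. system:serviceaccount:<namespace>:<name>.
sa_token_subject() {
  jwt_claims "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Secret-based tokens carry no "exp" claim; TokenRequest tokens do and expire.
token_is_long_lived() {
  ! jwt_claims "$1" | grep -q '"exp"'
}

# Fail unless the token belongs to the expected service account and never expires.
check_token() {
  sub=$(sa_token_subject "$1")
  [ "$sub" = "$EXPECTED_SUB" ] || { echo "unexpected subject: $sub" >&2; return 1; }
  token_is_long_lived "$1" || { echo "token has an exp claim; use the Secret-based token" >&2; return 1; }
}

# --- live cluster helpers (need kubectl and a kubeconfig) ---------------------

# Poll until the token controller has filled in .data.token (up to 30s), print it decoded.
wait_for_sa_token() {
  i=0
  while [ "$i" -lt 30 ]; do
    tok=$(kubectl get secret "$SECRET" -n "$NS" -o jsonpath='{.data.token}' 2>/dev/null || true)
    if [ -n "$tok" ]; then printf '%s' "$tok" | base64 -d; return 0; fi
    i=$((i + 1)); sleep 1
  done
  echo "token for $NS/$SECRET not populated after 30s" >&2
  return 1
}

# Exercise the token itself (no impersonation needed): reads allowed, writes denied.
verify_scanner_access() {  # $1 endpoint, $2 token, $3 path to ca.crt
  k="kubectl --server=$1 --token=$2 --certificate-authority=$3"
  for r in pods deployments secrets clusterrolebindings; do
    [ "$($k auth can-i list "$r" -A 2>/dev/null || true)" = yes ] || { echo "missing list on $r" >&2; return 1; }
  done
  for v in create update delete; do
    case "$($k auth can-i "$v" pods -A 2>/dev/null || true)" in
      no*) ;;
      *) echo "unexpected $v permission on pods" >&2; return 1 ;;
    esac
  done
}

# --- constructed sample tokens for the offline checks (not cluster-issued) ----
b64url() { base64 | tr -d '=\n' | tr '/+' '-_'; }
mk_sample_jwt() {  # $1 = payload JSON; signature segment is a placeholder
  printf '%s.%s.%s' "$(printf '%s' '{"alg":"RS256","kid":"sample"}' | b64url)" \
                    "$(printf '%s' "$1" | b64url)" "c2lnbmF0dXJl"
}
SAMPLE_LEGACY=$(mk_sample_jwt "{\"iss\":\"kubernetes/serviceaccount\",\"sub\":\"$EXPECTED_SUB\"}")
SAMPLE_BOUND=$(mk_sample_jwt "{\"exp\":1700000000,\"sub\":\"$EXPECTED_SUB\"}")

check_token "$SAMPLE_LEGACY"
if check_token "$SAMPLE_BOUND" 2>/dev/null; then echo "bound token should have been rejected" >&2; exit 1; fi
echo "offline token checks passed"

if [ "${RUN_LIVE:-0}" = 1 ]; then
  kubectl apply -f vikingcloud-k8s-rbac.yaml
  TOKEN=$(wait_for_sa_token)
  check_token "$TOKEN"
  kubectl get secret "$SECRET" -n "$NS" -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
  ENDPOINT=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  verify_scanner_access "$ENDPOINT" "$TOKEN" ca.crt
  echo "Cluster Endpoint: $ENDPOINT"
  echo "Token: $TOKEN"
fi
```

Run it once with no arguments to confirm the offline checks pass, then with `RUN_LIVE=1 ./check-scanner.sh` from a shell whose kubeconfig points at the target cluster. The `ca.crt` is taken from the same token Secret; using it with `--certificate-authority` means the verification talks to the API server the way an external consumer of the token would, rather than through your own kubeconfig credentials.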
Troubleshooting
Forbidden Errors
Check that the ClusterRoleBinding exists and that its subject names the service account in the vikingcloud namespace; a binding whose subject namespace or name is wrong silently grants nothing:

```bash
kubectl get clusterrolebinding vikingcloud-scanner-reader-binding -o yaml
```
Token Not Generated
Since Kubernetes 1.24, token Secrets are no longer created automatically for service accounts, which is why the manifest creates one explicitly; the token controller populates its `token` field a few seconds after the Secret is applied. Do not substitute `kubectl create token`: it issues a time-bound token that will expire and break the connection. Verify the Secret exists and has data:

```bash
kubectl get secret vikingcloud-scanner-token -n vikingcloud
```
Connection Timeout
Ensure the cluster endpoint is accessible from the internet. For private clusters, you may need to configure a VPN or allowlist the VikingCloud scanner IP range.
Security Notes
- Strictly read-only: The ClusterRole only grants the `get`, `list`, and `watch` verbs, so VikingCloud cannot modify any resources.
- Secrets are readable: `get` and `list` on `secrets` across all namespaces means the token can read the value of every Secret in the cluster. Treat the token as at least as sensitive as those Secrets: store it in a secrets manager, keep it out of shell history and CI logs, and review this grant against your data-handling policy before connecting.
- Namespace isolation: The service account lives in a dedicated `vikingcloud` namespace.
- No privileged access: VikingCloud does not require cluster-admin or any privileged role.
- Token rotation: Secret-based service account tokens never expire on their own. To rotate, delete the `vikingcloud-scanner-token` Secret (which immediately invalidates the old token), re-apply the manifest so the token controller issues a new one, and update the token in the VikingCloud connection.