Configure the OpenShift Container Platform
The Tenable integration for the Red Hat OpenShift Container Platform requires a service account configured with appropriate permissions.
Complete the following steps to create the service account, retrieve its token, and grant it access. Replace <service-account-name> with the name you want to use; the sample output below uses audit.
-
Create a yml file with the following. The token Secret is declared explicitly because OpenShift 4.11 and later (Kubernetes 1.24 and later) no longer auto-generate a long-lived token secret for a service account:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service-account-name>
  namespace: default
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: <service-account-name>-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: <service-account-name>
-
To apply the above file, run the following command:
$ oc apply -f <file.yml>
serviceaccount/audit created
secret/audit-token created
-
To confirm that the token secret is attached to the service account, describe the service account:
$ oc describe sa <service-account-name>
Name: audit
Tokens: audit-token
-
To retrieve the token for API authentication, describe the token secret:
$ oc describe secret <service-account-name>-token
Name:         audit-token
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: audit
              kubernetes.io/service-account.uid: 49f19e2e-16c6-11e5-afdc-3c970e4b7ffe
Type:  kubernetes.io/service-account-token

Data
====
token:  eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Note: The token value is used as the Token in the OpenShift Container Platform Nessus credential. Copy the complete value. It is a long-lived bearer token that carries whatever access the role in the next steps grants, so store it as a secret and never paste it into tickets or chat.
-
Grant the service account appropriate permissions by logging in to your OpenShift cluster console: https://console-openshift-console.apps.openshift.<your-domain>
-
Create the following ClusterRole and bind it to the service account created in step 1 with a ClusterRoleBinding. The verbs get, watch and list make the role read-only, but the wildcard resources entry includes Secrets in every namespace, so the token retrieved in step 4 must be protected accordingly:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: audit-viewonly
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
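The steps above as one script, added here as an example and not part of the Tenable or OpenShift documentation. It renders every manifest the integration needs, including the ClusterRoleBinding that the console step performs, retrieves the token with jsonpath instead of parsing oc describe output, and decodes the JWT payload so you can confirm which service account a token belongs to before pasting it into the Nessus credential. The service account audit, namespace default and ClusterRole audit-viewonly come from the page; the binding name audit-viewonly-binding, the function names and the sample token are my own assumptions, and the sample token is constructed with a dummy signature purely to exercise the decoder.

```shell
#!/bin/sh
# Added example, not from the Tenable or OpenShift docs. Placeholders: service
# account "audit" in namespace "default" and ClusterRole "audit-viewonly" are from
# the page; the ClusterRoleBinding name "audit-viewonly-binding" is assumed.

# Render every manifest the integration needs, including the ClusterRoleBinding
# that the console step performs, so the whole grant is reviewable as code.
render_manifests() {
  sa="$1"; ns="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: $ns
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: $sa-token
  namespace: $ns
  annotations:
    kubernetes.io/service-account.name: $sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $sa-viewonly
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch"]   # read-only; "view" is not a Kubernetes verb
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $sa-viewonly-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $sa-viewonly
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
EOF
}

# Apply the manifests and print the token. Not run by default: needs a logged-in
# oc. jsonpath returns the complete token without parsing "oc describe" output.
apply_and_get_token() {
  sa="$1"; ns="$2"
  render_manifests "$sa" "$ns" | oc apply -f -
  oc get secret "$sa-token" -n "$ns" -o jsonpath='{.data.token}' | base64 -d
}

# Decode the (unverified) JWT payload so the token can be inspected before it is
# pasted into the Nessus credential. Handles the base64url alphabet and padding.
decode_jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  pad=$(( (4 - ${#p} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do p="$p="; pad=$((pad - 1)); done
  printf '%s' "$p" | base64 -d
}

# Pull one string claim out of the payload (claim names may contain "/" and ".").
jwt_claim() {
  decode_jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Constructed sample token with the claims a service-account token carries; the
# signature segment is a dummy, this exists only to exercise the decoder offline.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_HEADER='{"alg":"RS256","typ":"JWT"}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"audit","sub":"system:serviceaccount:default:audit"}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_HEADER" | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).c2lnbmF0dXJl"

# Usage against a real cluster (commented out so the script runs offline):
#   TOKEN=$(apply_and_get_token audit default)
#   [ "$(jwt_claim "$TOKEN" sub)" = "system:serviceaccount:default:audit" ] && echo "token OK"
echo "sample token belongs to: $(jwt_claim "$SAMPLE_TOKEN" sub)"
```

Decoding the payload only tells you who the token claims to be; it does not verify the signature, which the API server does on every request. The useful check is that the sub claim reads system:serviceaccount:<namespace>:<service-account-name> for the account you intended, which catches the common mistake of copying a token from the wrong secret.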