Configure the OpenShift Container Platform

The Tenable integration for the Red Hat OpenShift Container Platform requires a service account configured with appropriate permissions.

Complete the following steps to create the service account and configure access. Replace <service-account-name> with the name of your service account throughout:

  1. Create a YAML file with the following content, which defines the service account, token, cluster role, and cluster role binding:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: <service-account-name>
      namespace: default
    ---
    apiVersion: v1
    kind: Secret
    type: kubernetes.io/service-account-token
    metadata:
      name: <service-account-name>-token
      namespace: default
      annotations:
        kubernetes.io/service-account.name: <service-account-name>
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: <service-account-name>-viewonly
    rules:
      - apiGroups:
          - '*'
        resources:
          - '*'
        verbs:
          - get
          - watch
          - list
          - view
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: <service-account-name>-readonly
    subjects:
      - kind: ServiceAccount
        name: <service-account-name>
        namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: <service-account-name>-viewonly
  2. To apply the file in the previous step, run the following command:

    $ oc apply -f <file.yml>
    serviceaccount/<service-account-name> created
    secret/<service-account-name>-token created
    clusterrole.rbac.authorization.k8s.io/<service-account-name>-viewonly created
    clusterrolebinding.rbac.authorization.k8s.io/<service-account-name>-readonly created
  3. To retrieve the token for API authentication, run the following command:

    Note: The token value is used as the Token in the OpenShift Container Platform Nessus credential.
    $ oc describe secret <service-account-name>-token
    Name:         <service-account-name>-token
    Namespace:    default
    Labels:       kubernetes.io/legacy-token-last-used=2025-11-04
    Annotations:  kubernetes.io/service-account.name: <service-account-name>
                  kubernetes.io/service-account.uid: e25ef2a6-93bf-4ff3-83d3-5328b6c82877
    Type:  kubernetes.io/service-account-token
    Data
    ====
    ca.crt:          7262 bytes
    namespace:       7 bytes
    service-ca.crt:  8475 bytes
    token:           eyJhbGciOiJSUzI1NiI…
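
To confirm that the role and binding from steps 1 and 2 behave as read-only, the following added example (not part of the original page or of Tenable's tooling) probes the service account with `oc auth can-i`. It assumes the caller is allowed to impersonate service accounts (for example, cluster-admin) and that the account is in the `default` namespace; the function names, the `SA_NAME` variable, and the resource list are illustrative.

```shell
#!/bin/sh
# Added example: verify the scanner service account is read-only.
# Usage (hypothetical file name): SA_NAME=<service-account-name> sh check-sa.sh

# can_i SA VERB RESOURCE -> exit 0 if the service account may perform VERB
# on RESOURCE in all namespaces, exit 1 otherwise.
can_i() {
    oc auth can-i "$2" "$3" --all-namespaces \
        --as="system:serviceaccount:default:$1" >/dev/null 2>&1
}

# check_sa_readonly SA -> exit 0 only if every read probe is allowed and
# every write probe is denied; prints one line per unexpected result.
# "secrets" is listed because the wildcard rule in step 1 makes Secrets
# readable as well, so a read on them is expected to succeed.
check_sa_readonly() {
    sa=$1
    rc=0
    for res in pods nodes namespaces secrets deployments.apps; do
        for verb in get list watch; do
            can_i "$sa" "$verb" "$res" || { echo "MISSING: $verb $res"; rc=1; }
        done
        for verb in create update patch delete; do
            if can_i "$sa" "$verb" "$res"; then
                echo "UNEXPECTED: $verb $res"
                rc=1
            fi
        done
    done
    return $rc
}

# Runs only when SA_NAME is set, so the functions can also be sourced.
if [ -n "${SA_NAME:-}" ]; then
    check_sa_readonly "$SA_NAME" && echo "$SA_NAME is read-only"
fi
```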