Kubernetes

SureCloud connects to Kubernetes clusters to retrieve RBAC configuration, workload security posture, network policy status, and cluster-level security settings. This allows SureCloud to verify that cluster access is controlled through role-based permissions, that workloads are not running with excessive privileges, and that network policies are in place — providing continuous evidence for container orchestration security controls.

SureCloud connects to Kubernetes clusters via the Kubernetes API server. Each cluster requires a separate connection. For clusters running in managed Kubernetes services (EKS, AKS, GKE), the connection configuration may differ slightly — refer to the tabs below.

Authentication and setup

Kubernetes authenticates API requests using a service account token. SureCloud uses a dedicated service account with a ClusterRole scoped to read-only access.

Self-managed / on-premises

1

Create a read-only ClusterRole and ServiceAccount

Apply the following manifest to your cluster:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: surecloud-reader
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: surecloud-reader
rules:
  - apiGroups: [""]
    resources: ["pods","nodes","namespaces","services","serviceaccounts","configmaps"]
    verbs: ["get","list"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles","rolebindings","clusterroles","clusterrolebindings"]
    verbs: ["get","list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get","list"]
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies","poddisruptionbudgets"]
    verbs: ["get","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: surecloud-reader
subjects:
  - kind: ServiceAccount
    name: surecloud-reader
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: surecloud-reader
  apiGroup: rbac.authorization.k8s.io

2

Extract the service account token

kubectl create token surecloud-reader -n kube-system --duration=8760h

Copy the generated token.

3

Enter the credentials in SureCloud

Navigate to SureCloud → Integrations → Kubernetes → Connect. Enter the API server URL (e.g. https://your-cluster-api:6443), the service account token, and the cluster CA certificate (base64 encoded, available from your kubeconfig). Click Save and then Test Connection.

EKS / AKS / GKE (managed)

Endpoints

API Call	Use Case
GET /api/v1/nodes	Enumerate cluster nodes and their status
GET /api/v1/namespaces	List namespaces to scope workload collection
GET /api/v1/pods	Enumerate running pods including security context (privilege settings, host network)
GET /api/v1/serviceaccounts	Enumerate service accounts per namespace
GET /rbac.authorization.k8s.io/v1/clusterroles	Retrieve ClusterRole definitions for RBAC analysis
GET /rbac.authorization.k8s.io/v1/clusterrolebindings	Retrieve ClusterRoleBinding assignments
GET /rbac.authorization.k8s.io/v1/roles	Retrieve namespace-scoped Role definitions
GET /rbac.authorization.k8s.io/v1/rolebindings	Retrieve namespace-scoped RoleBinding assignments
GET /networking.k8s.io/v1/networkpolicies	Retrieve network policies to confirm traffic segmentation is enforced

Pagination

Kubernetes API list endpoints use continue token pagination. SureCloud uses the continue field from each response's metadata to retrieve subsequent pages until no continue token is returned.

GET /api/v1/pods?limit=500&continue=<value_from_previous_response>

Required permissions

SureCloud requires the ClusterRole defined in the setup section above. Key permissions:

Resource	Verbs
pods, nodes, namespaces, services, serviceaccounts	get, list
roles, rolebindings, clusterroles, clusterrolebindings	get, list
networkpolicies	get, list
podsecuritypolicies (if applicable)	get, list

No create, update, delete, or exec permissions are required.

Polling frequency

Data Type	Interval
Node and namespace inventory	Every 24 hours
Pod security context and workload posture	Every 24 hours
RBAC roles and bindings	Every 24 hours
Network policies	Every 24 hours

Troubleshooting

Connection test fails with TLS certificate error

The cluster CA certificate entered in SureCloud does not match the API server's certificate, or the API server URL is using a private CA. Retrieve the correct CA certificate from your kubeconfig (clusters[].cluster.certificate-authority-data) and re-enter it in SureCloud → Integrations → Kubernetes → Edit Connection.

RBAC resources return empty despite roles being configured

Confirm the service account has get and list verbs on rbac.authorization.k8s.io resources. Some clusters use namespace-scoped RBAC only and may not grant ClusterRole visibility. Review the ClusterRoleBinding applied in the setup step to ensure it covers RBAC resources at the cluster level.

API server is unreachable from SureCloud

Kubernetes API servers on private networks require network access from the SureCloud collector. For private clusters, a VPN, bastion, or API server allowlist entry may be required. Contact SureCloud Support for connectivity options.