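# Turn command tracing off *before* handling anything secret: under `set -x`
# bash echoes every expanded command line (tokens included) to stderr, which
# usually ends up in CI logs. Note this only disables tracing; it does not
# stop `env`, `printenv` or `echo "$VAR"` from printing a variable.
set +x

# Point kubectl (and the scanner) at a dedicated, least-privilege kubeconfig.
# KUBECONFIG itself is just a path — the secret is the token inside the file,
# so the control that matters is the file mode, not hiding the variable.
export KUBECONFIG="${HOME}/.kube/secure/kubeconfig.yaml"

# If the file already exists, make sure only its owner can read it
# (a group-/world-readable kubeconfig hands the token to every local user).
if [[ -f "$KUBECONFIG" ]]; then
  chmod go-rwx -- "$KUBECONFIG"
fi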
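# Build a throw-away kubeconfig for one scan on tmpfs, use it, then remove it.
#
# Fixes relative to the naive version:
#   * The `kubectl config ...` commands were wrapped in $(...), which runs
#     their *output* ("User \"scanner-user\" set.") as a command. They are
#     plain commands inside a ( ... ) subshell now, so `set -e`/`umask`
#     below do not leak into the caller's shell.
#   * /dev/shm is shared and world-writable; a fixed name with the default
#     umask (022) can leave the token readable by other local users. mktemp
#     gives an unpredictable name and creates the file 0600; umask 077 keeps
#     any later rewrite owner-only.
#   * Cleanup runs from an EXIT trap, so the token is removed even when
#     cinc-auditor fails or the shell is interrupted.
#   * The token is requested with --duration=15m, the single-scan lifetime
#     this page recommends (the default would be 1h).
#
# Residual exposure to be aware of: `kubectl config set-credentials --token=`
# receives the token on argv, so it is briefly visible in `ps` and process
# auditing. kubectl offers no stdin alternative for this flag; if that
# matters, write the kubeconfig YAML into the temp file yourself instead.
# /dev/shm is tmpfs, so the file is not written to persistent storage (it may
# still be swapped unless swap is disabled or encrypted).
set +x   # never trace these lines: expanded commands would contain the token

KUBECONFIG_TMP=$(umask 077 && mktemp /dev/shm/scanner-kubeconfig.XXXXXX) \
  || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -f -- "$KUBECONFIG_TMP"; }
trap cleanup EXIT

(
  set -e       # any failed step aborts the subshell, which aborts the scan
  umask 077

  TOKEN=$(kubectl create token scanner-sa -n scanner-namespace --duration=15m)
  [[ -n "$TOKEN" ]]   # refuse to build a kubeconfig with an empty token

  kubectl config set-credentials scanner-user --token="$TOKEN" \
    --kubeconfig="$KUBECONFIG_TMP"
  # A real cluster entry also needs the CA (--certificate-authority=<ca.crt>
  # --embed-certs=true); never fall back to --insecure-skip-tls-verify.
  kubectl config set-cluster scanner-cluster --server=... \
    --kubeconfig="$KUBECONFIG_TMP"
  kubectl config set-context scanner-context --cluster=scanner-cluster \
    --user=scanner-user --kubeconfig="$KUBECONFIG_TMP"
  # kubectl rejects a kubeconfig with no current-context; set it explicitly.
  kubectl config use-context scanner-context --kubeconfig="$KUBECONFIG_TMP"
) || { printf 'failed to build temporary kubeconfig\n' >&2; exit 1; }

# Run the scan with the throw-away kubeconfig; KUBECONFIG is set only for
# this one process, not exported into the surrounding shell.
KUBECONFIG="$KUBECONFIG_TMP" cinc-auditor exec ...

# Clean up: handled by the EXIT trap above on every exit path.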
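# Token lifetimes for the scanner service account.
#
# Shorter is better: a bound token that leaks is only useful until it expires.
# The API server enforces its own bounds on `--duration` (a lower bound of
# 10 minutes and an operator-configured maximum); the 24h ceiling below is
# this page's policy, not the server's. Never echo, export or log the value.
readonly SCANNER_TOKEN_MAX_SECONDS=$((24 * 3600))

#######################################
# Convert a kubectl-style duration (e.g. 15m, 1h, 24h, 900s) to seconds.
# Arguments: $1 - duration with a single s/m/h suffix
# Outputs:   the number of seconds on stdout
# Returns:   0 on success, 1 if the value cannot be parsed
#######################################
duration_seconds() {
  local spec=$1
  local num=${spec%?}   # everything but the one-character unit suffix
  [[ "$num" =~ ^[0-9]+$ ]] || return 1
  case "$spec" in
    *s) printf '%d\n' "$num" ;;
    *m) printf '%d\n' "$(( num * 60 ))" ;;
    *h) printf '%d\n' "$(( num * 3600 ))" ;;
    *)  return 1 ;;
  esac
}

#######################################
# Request a bound token for scanner-sa with the given lifetime.
# Arguments: $1 - duration (validated against SCANNER_TOKEN_MAX_SECONDS)
# Outputs:   the token on stdout; capture it, never print it
# Returns:   2 if the duration is invalid or exceeds the ceiling,
#            otherwise kubectl's exit status
#######################################
scanner_token() {
  local duration=${1:?duration required, e.g. 15m}
  local secs
  secs=$(duration_seconds "$duration") \
    || { printf 'invalid token duration: %s\n' "$duration" >&2; return 2; }
  if (( secs > SCANNER_TOKEN_MAX_SECONDS )); then
    printf 'refusing to mint a token longer than 24h (%s)\n' "$duration" >&2
    return 2
  fi
  kubectl create token scanner-sa -n scanner-namespace --duration="$duration"
}

# Short-lived token for a single scan (15 minutes) — the preferred choice.
TOKEN=$(scanner_token 15m)

# Medium-lived token for a CI/CD pipeline (1 hour).
TOKEN=$(scanner_token 1h)

# Long-lived token: avoid. 24 hours is the ceiling enforced by scanner_token.
TOKEN=$(scanner_token 24h)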
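#!/usr/bin/env bash
# rotate-tokens.sh — mint a fresh bound token for the scanner service account
# and store it in the Secret the scanner reads.
#
# Changes vs. the original:
#   * set -euo pipefail: if `kubectl create token` fails, the script stops
#     instead of applying a Secret whose token is empty.
#   * The token is piped to kubectl via --from-file=token=/dev/stdin rather
#     than passed with --from-literal, so it never appears on a command line
#     (`ps`, shell history, audit logs).
#   * Every expansion is quoted.
#
# Caveats:
#   * Copying a bound token into a Secret gives up most of what makes it
#     "bound": anyone who can read the Secret can use it until it expires.
#     When the scanner runs in the same cluster, prefer serviceAccountName
#     with a projected token and no Secret at all.
#   * Run this more often than the token lifetime (e.g. every 12h for 24h
#     tokens) so consumers never hold an expired token, and remember that
#     consumers only see the new value once the Secret volume is refreshed
#     or the pod restarts.
set -euo pipefail
set +x   # never trace: the expanded command lines would include the token

readonly NAMESPACE="scanner-namespace"
readonly SA_NAME="scanner-sa"
readonly SECRET_NAME="scanner-token"
readonly TOKEN_TTL="24h"   # page guidance: 24h is the ceiling; shorter is better

# Mint the new token. The explicit `||` keeps the error message specific even
# though -e would also abort here.
NEW_TOKEN=$(kubectl create token "$SA_NAME" -n "$NAMESPACE" --duration="$TOKEN_TTL") \
  || { printf 'failed to create token for %s/%s\n' "$NAMESPACE" "$SA_NAME" >&2; exit 1; }
[[ -n "$NEW_TOKEN" ]] || { printf 'kubectl returned an empty token\n' >&2; exit 1; }

# Update whatever holds the token for the scanner. This example writes it to a
# generic Secret; the token is fed through stdin so it never becomes an argv
# element. printf '%s' (no trailing newline) matches what --from-literal stored.
printf '%s' "$NEW_TOKEN" \
  | kubectl create secret generic "$SECRET_NAME" -n "$NAMESPACE" \
      --from-file=token=/dev/stdin --dry-run=client -o yaml \
  | kubectl apply -f -

printf 'Token rotated for %s in %s\n' "$SA_NAME" "$NAMESPACE"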
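apiVersion: v1
kind: Pod
metadata:
  name: scanner-pod
  namespace: scanner-namespace
spec:
  # The scanner authenticates with the mounted kubeconfig, so it does not need
  # the pod's own service-account token. Don't mount it: it would be a second,
  # unused credential sitting in the container for an attacker to pick up.
  automountServiceAccountToken: false
  containers:
    - name: scanner
      # Pin the image by digest (scanner-image@sha256:...) rather than a
      # mutable tag, so the image that audits your cluster cannot be swapped
      # underneath you.
      image: scanner-image:latest
      securityContext:
        allowPrivilegeEscalation: false
        # If the scanner needs scratch space, give it an emptyDir for that
        # path rather than relaxing this.
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: config
          mountPath: "/etc/scanner/config"
          readOnly: true
      env:
        # KUBECONFIG is only a path; the secret material lives in the volume.
        - name: KUBECONFIG
          value: "/etc/scanner/config/kubeconfig.yaml"
  volumes:
    - name: config
      secret:
        secretName: scanner-kubeconfig
        # 0400 (YAML octal) = read-only for the file owner. Secret volume files
        # are created owned by root, so a container running as a non-root user
        # cannot read a 0400 file unless spec.securityContext.fsGroup is set —
        # check the effective mode after doing so.
        defaultMode: 0400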