Managed Kubernetes

Instructions for adding a Kubernetes Cluster to InsightCloudSec

The following instructions walk through the steps to add a Kubernetes cluster to your current InsightCloudSec installation. You will create an RBAC service account, ClusterRole, ClusterRoleBinding, and run a short script to generate an InsightCloudSec-specific Kubernetes config file.


Before you can complete this setup, you will need to ensure you have the following:

  • An existing InsightCloudSec platform installation
  • Admin access to the Kubernetes cluster you want to connect through a service account, including permission to create cluster roles
  • Beginning with InsightCloudSec version 21.7.2, users must request/enable the DIVVY_LEGACY_KUBERNETES_SUPPORT_ENABLED environment variable to gain access to these capabilities

For questions or concerns reach out to us through the Customer Support Portal.

Steps to Connect Your Kubernetes Cluster


Installation Notes

If the Managed Kubernetes cluster you are onboarding to InsightCloudSec is configured on a private IP address, you must validate that the cluster has VPC Peering/Transit Gateway configured and enabled in the same environment as your InsightCloudSec installation. This ensures that the Managed Kubernetes server endpoint is accessible to InsightCloudSec.

Note: Installation instructions or examples may reference either DivvyCloud or InsightCloudSec, but the functionality is the same.

If you have questions or concerns about your configuration reach out to us through the Customer Support Portal.

Creating the RBAC Service Account

The first step to add your Kubernetes cluster to InsightCloudSec is to create a ServiceAccount, ClusterRole, and ClusterRoleBinding. Refer to the following steps:

1. Download the following files and place them in the same directory.

  • cluster_role.yaml
  • cluster_role_binding.yaml
  • service_account.yaml
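
Contents of cluster_role.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: divvycloud-cluster-role
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - podsecuritypolicies
      - networkpolicies
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    # "*" grants every verb (read and write) on the resources listed above
    verbs: ["*"]
    # Every verb on every non-resource URL of the API server
  - nonResourceURLs: ["*"]
    verbs: ["*"]

Contents of cluster_role_binding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: divvycloud-cluster-role
subjects:
- kind: ServiceAccount
  name: divvycloud-service-account
  namespace: default

Contents of service_account.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: divvycloud-service-account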

2. From the directory where you’ve placed these three files, run the following commands to apply the YAML files.

Note: This sample deployment uses the default namespace but can be modified based on your requirements.

kubectl apply -f cluster_role.yaml
kubectl apply -f cluster_role_binding.yaml
kubectl apply -f service_account.yaml

Creating the Kubernetes Config File

The next step to connecting your Kubernetes cluster to InsightCloudSec is to generate a custom Kubernetes config file. You will need to get the following information from the cluster:

  • cluster name
  • cluster server
  • CA Cert Data
  • Namespace
  • Token

We recommend using the following script to obtain this information:


This bash script must be given the service account you created earlier as its first argument. Here we've used divvycloud-service-account. If you don't include the correct service account information, the script will fail.

#!/usr/bin/env bash

# Copyright 2017, Z Lab Corporation. All rights reserved.
# Copyright 2017, Kubernetes scripts contributors
# For the full copyright and license information, please view the LICENSE
# file that was distributed with this source code.

set -e

if [[ $# == 0 ]]; then
  echo "Usage: $0 SERVICEACCOUNT [kubectl options]" >&2
  echo "" >&2
  echo "This script creates a kubeconfig to access the apiserver with the specified serviceaccount and outputs it to stdout." >&2

  exit 1
fi

# Run kubectl with any extra options given after the service account name
function _kubectl() {
  kubectl "$@" $kubectl_options
}

serviceaccount="$1"
kubectl_options="${@:2}"

# Name of the token Secret attached to the service account. Kubernetes 1.24 and
# later no longer create this Secret automatically; the script then exits with code 2.
if ! secret="$(_kubectl get serviceaccount "$serviceaccount" -o 'jsonpath={.secrets[0].name}' 2>/dev/null)"; then
  echo "serviceaccounts \"$serviceaccount\" not found." >&2
  exit 2
fi

if [[ -z "$secret" ]]; then
  echo "serviceaccounts \"$serviceaccount\" doesn't have a serviceaccount token." >&2
  exit 2
fi

# context
context="$(_kubectl config current-context)"
# cluster
cluster="$(_kubectl config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")"
server="$(_kubectl config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")"
# token (the Secret stores each value base64-encoded)
ca_crt_data="$(_kubectl get secret "$secret" -o "jsonpath={.data.ca\.crt}" | openssl enc -d -base64 -A)"
namespace="$(_kubectl get secret "$secret" -o "jsonpath={.data.namespace}" | openssl enc -d -base64 -A)"
token="$(_kubectl get secret "$secret" -o "jsonpath={.data.token}" | openssl enc -d -base64 -A)"

# Build the new kubeconfig in a temporary file so the current one is not modified
export KUBECONFIG="$(mktemp)"
kubectl config set-credentials "$serviceaccount" --token="$token" >/dev/null
ca_crt="$(mktemp)"; echo "$ca_crt_data" > "$ca_crt"
kubectl config set-cluster "$cluster" --server="$server" --certificate-authority="$ca_crt" --embed-certs >/dev/null
kubectl config set-context "$context" --cluster="$cluster" --namespace="$namespace" --user="$serviceaccount" >/dev/null
kubectl config use-context "$context" >/dev/null

# Print the generated kubeconfig to stdout
cat "$KUBECONFIG"

# vim: ft=sh :

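Download the script above and run it using the following command, where <script-file> is a placeholder for the name under which you saved the script:

bash <script-file> divvycloud-service-account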

This command will print a Kubernetes config file to STDOUT. This file can be used to add a Kubernetes cloud account to DivvyCloud.
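
The following check is an added example, not part of the InsightCloudSec documentation or of the script above. Before the output is pasted into the platform, it confirms that the kubeconfig carries the items listed earlier (an https server, embedded CA data, a namespace, a token) and that the token's sub claim names the intended service account. The function names, and the assumption that the token is a service account JWT inside kubectl's YAML output, are this example's own.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a generated kubeconfig before uploading it.

# Print the value of the first "KEY: value" line in a kubeconfig file.
kc_field() {  # usage: kc_field FILE KEY
  awk -v k="$2" '{ sub(/^[ -]+/, "") }
    index($0, k ": ") == 1 { print substr($0, length(k) + 3); exit }' "$1"
}

# Decode one base64url JWT segment (JWTs drop the "=" padding).
b64url_decode() {
  local seg
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Return 0 only if FILE has an https server, embedded CA data, a namespace and
# a bearer token whose "sub" claim names the expected service account.
check_kubeconfig() {  # usage: check_kubeconfig FILE NAMESPACE SERVICEACCOUNT
  local file="$1" want="system:serviceaccount:$2:$3" token payload
  case "$(kc_field "$file" server)" in
    https://*) ;;
    *) echo "server is missing or not https" >&2; return 1 ;;
  esac
  [ -n "$(kc_field "$file" certificate-authority-data)" ] ||
    { echo "CA certificate is not embedded" >&2; return 1; }
  [ -n "$(kc_field "$file" namespace)" ] ||
    { echo "no namespace in context" >&2; return 1; }
  token="$(kc_field "$file" token)"
  case "$token" in
    *.*.*) ;;
    *) echo "token is missing or not a JWT" >&2; return 1 ;;
  esac
  payload="$(b64url_decode "$(printf '%s' "$token" | cut -d. -f2)")"
  printf '%s' "$payload" | grep -Eq "\"sub\"[[:space:]]*:[[:space:]]*\"$want\"" ||
    { echo "token subject is not $want" >&2; return 1; }
}

# Run the check when called as: <this-file> KUBECONFIG NAMESPACE SERVICEACCOUNT
if [ "$#" -eq 3 ]; then check_kubeconfig "$@"; fi
```

The file being checked holds a bearer token bound to the cluster role created above, so keep it readable only by your own user and delete it once the cloud has been added.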

Add the Configuration to InsightCloudSec

1. From your InsightCloudSec platform locate "Cloud --> Clouds" on the main navigation menu.

2. Click on "Add Cloud" in the upper right.


3. Give your Kubernetes cloud a name under “Nickname” and paste the script's STDOUT output into the “Kubernetes Config” space of the dialog.

4. Select “Add Cloud” to complete.

Success! After adding your Kubernetes account you can confirm installation under the Clouds section, or under Resources, you can browse to Containers to see your Kubernetes data. Note: Data will take some time to appear after harvesting is initiated.
