ESET PRIVATE Scanning Solution – Table of Contents

Deployment in EKS

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

This section guides the deployment of ESET PRIVATE Static Scanning Engine on a managed single-node Amazon EKS cluster with IRSA for AWS Marketplace metering integration, including validation via scanner agent.

The variable values (e.g., AWS account ID, ECR image tags, cluster names, regions) shown here are for demonstration purposes only. Update them based on your specific customer requirements, AWS account details, and ESET image availability before running these commands.

1.Variables

Define reusable environment variables for cluster details, AWS resources, images, IAM policy, and kubeconfig to streamline the deployment process and ensure consistency across commands.

export EKS_CLUSTER_NAME=eks-demo

export AWS_REGION=us-east-1

export AWS_ACCOUNT_ID=123456789012

export K8S_NAMESPACE=marketplace

export K8S_SERVICE_ACCOUNT=marketplace-sa

export SCANNER_IMAGE=709825985650.dkr.ecr.us-east-1.amazonaws.com/eset/eset-cloud-scanner-hourly:1.34.0-amd64

export SCANNER_AGENT_IMAGE=709825985650.dkr.ecr.us-east-1.amazonaws.com/eset/eset-private-scanner-agent:1.13.0-amd64

export IAM_POLICY_NAME=EKSListReceivedLicenses

export KUBECONFIG=~/.kube/eks-demo-config

Customize all variables to match your environment, including the EKS cluster name, AWS region, AWS account ID, Kubernetes namespace, service account, container image tags, IAM policy name, and kubeconfig path before running the subsequent commands.

2.Create Cluster

Provision a managed EKS cluster with one t3.xlarge node and OIDC provider enabled, required for IRSA integration with AWS services like License Manager.

eksctl create cluster \

--name "$EKS_CLUSTER_NAME" --region "$AWS_REGION" \

--managed --nodes 1 --node-type t3.xlarge --with-oidc

3.Connect kubectl

Update or create a dedicated kubeconfig file to securely connect kubectl to the new EKS cluster for subsequent namespace and workload management.

aws eks update-kubeconfig \

--region "$AWS_REGION" \

--name "$EKS_CLUSTER_NAME" \

--kubeconfig "$KUBECONFIG"

4.Create Namespace

Set up an isolated Kubernetes namespace for the scanner deployment to organize resources and enable network policies or RBAC scoping.

kubectl create namespace "$K8S_NAMESPACE"

5.Create License Manager IAM Policy

Create a custom IAM policy granting permission to list received licenses from AWS License Manager, essential for subscription eligibility verification in the scanner.

aws iam create-policy \

--policy-name "$IAM_POLICY_NAME" \

--policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["license-manager:ListReceivedLicenses"],"Resource":"*"}]}'

6.Create IRSA Service Account

Provision an IAM Roles for Service Accounts (IRSA) with Marketplace Metering and custom License Manager policies, allowing pods to securely call AWS APIs without long-term credentials.

eksctl create iamserviceaccount \

--cluster "$EKS_CLUSTER_NAME" --region "$AWS_REGION" \

--namespace "$K8S_NAMESPACE" --name "$K8S_SERVICE_ACCOUNT" \

--attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage \

--attach-policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${IAM_POLICY_NAME} \

--approve

7.Deploy Scanner

Deploy the Cloud Scanner as a Deployment with ClusterIP Service exposing gRPC ports, configured with the IRSA service account for AWS API access and optimized resource limits.

cat <<EOF | kubectl apply -f -

apiVersion: apps/v1

kind: Deployment

metadata:

name: scanner

namespace: ${K8S_NAMESPACE}

spec:

replicas: 1

selector:

matchLabels:

app: scanner

template:

metadata:

labels:

app: scanner

spec:

serviceAccountName: ${K8S_SERVICE_ACCOUNT}

containers:

- name: app

image: ${SCANNER_IMAGE}

args:

- -o

- grpc_scan_enable_ssl=false

- -o

- main_log_file=/dev/stdout

- -o

- default_log_type=fifo

resources:

requests:

cpu: "0.5"

memory: 3Gi

limits:

cpu: "0.5"

memory: 3Gi

ports:

- containerPort: 50051

- containerPort: 50053

---

apiVersion: v1

kind: Service

metadata:

name: scanner

namespace: ${K8S_NAMESPACE}

spec:

type: ClusterIP

selector:

app: scanner

ports:

- name: grpc-input

port: 50051

targetPort: 50051

- name: grpc-config

port: 50053

targetPort: 50053

EOF

8.Validate – Run Scanner Agent

Launch a Scanner Agent pod to test connectivity and scanning functionality against the deployed scanner service on port 50051, verifying end-to-end operation interactively.

kubectl run scanner-agent -n "$K8S_NAMESPACE" --rm -it \

--image="$SCANNER_AGENT_IMAGE" \

--restart=Never \

-- scanner_agent -t scanner:50051 --skip_cloud_reputation /bin/bash

9.Cleanup

Safely remove all provisioned resources including the EKS cluster (which cascades to VPC/nodegroup), IAM policy, and temporary kubeconfig to avoid lingering costs and permissions.

# Delete cluster (also removes CloudFormation stacks, VPC, subnets, node group)

eksctl delete cluster --name "$EKS_CLUSTER_NAME" --region "$AWS_REGION"

# Delete IAM policy

aws iam delete-policy \

--policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${IAM_POLICY_NAME}

# Remove temporary kubeconfig

unset KUBECONFIG

rm -f ~/.kube/eks-demo-config

˄˅