ESET PRIVATE Scanning Solution – Table of Contents

Manifest files

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

loadbalancer.yaml

Defines the Load Balancer component deployment as a single pod.

If using a private registry, include ServiceAccountName to enable image pulling.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: loadbalancer
  labels:
     eset: loadbalancer
spec:
  replicas: 1
  selector:
     matchLabels:
     eset: loadbalancer
  template:
    metadata:
     labels:
     eset: loadbalancer
spec:
  serviceAccountName: ocr-creds
  containers:
  - name: loadbalancer
    image: ecscn.azurecr.io/cloud_scanner/load_balancer:1.0.11-amd64
    ports:
    name: input
    containerPort: 50052
  - name: config
    containerPort: 50053
apiVersion: v1
kind: Service
metadata:
  name: esets-load-balancer
spec:
  selector:
    eset: loadbalancer
  ports:
  - protocol: TCP
    name: input
    port: 50052
  - protocol: TCP
    name: config
    port: 50053

scanner.yaml

Defines the Scanner deployment. The Scanner component supports horizontal scaling—any number of replicas can be specified based on demand. Currently, pods use the node’s ephemeral storage to temporarily hold archives during scanning.

The serviceAccountName field should be omitted if container images are not pulled from a private registry.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: scanner
  labels:
    eset: scanner
spec:
  replicas: 1
  selector:
    matchLabels:
      eset: scanner
  template:
    metadata:
      labels:
        eset: scanner
    spec:
      serviceAccountName: ocr-creds
      containers:
      - name: scanner
        image: ecscn.azurecr.io/cloud_scanner/scanner:1.0.11-amd64
      ports:
      - name: input
        containerPort: 50051
      - name: config
        containerPort: 50053

agents.yaml

Defines the deployment of Agent components. These pods are intended for use as CLI tools; as such, the container command is set to sleep to keep them active and accessible.

The serviceAccountName field should be omitted if container images are not pulled from a private registry.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: scanner-agent
  labels:
    eset: scanner-agent-deployment
  spec:
    replicas: 1
    selector:
      matchLabels:
       eset: scanner-agent
    template:
     metadata:
       labels:
          eset: scanner-agent
    spec:
      serviceAccountName: ocr-creds
      containers:
      - name: scanner-agent
        image: ecscn.azurecr.io/cloud_scanner/scanner_agent:1.0.6-amd64
        command: \['sleep', '3600000000'\]
apiVersion: apps/v1
kind: Deployment
metadata:
  name: config-agent
  labels:
    eset: config-agent-deployment
  spec:
    replicas: 1
    selector:
      matchLabels:
        eset: config-agent
    template:
      metadata:
       labels:
          eset: config-agent
  spec:
    serviceAccountName: ocr-creds
    containers:
    - name: config-agent
      image: ecscn.azurecr.io/cloud_scanner/config_agent:1.0.0-amd64
      command: \['sleep', '3600000000'\]

containerregistry.yaml

Defined the Kubernetes resources needed to authenticate with a private container registry, so the cluster can pull container images securely.

If the container images are hosted in a private registry, authentication credentials must be provided to allow image pulling. A corresponding ServiceAccountName with a configured image pull secret must be created and referenced to enable access.

apiVersion: v1
kind: ServiceAccount
metadata:
name: ocr-creds
imagePullSecrets:
- name: regcred

Creating a Credentials Secret for Private Container Registry Access

To securely pull container images from a private registry, Kubernetes needs access credentials stored as a Secret. This step is essential before referencing the Secret in your ServiceAccountName.

kubectl create secret docker-registry regcred --docker-server=\<your-registry-server\> --docker-
username=\<your-name\> --docker-password=\<your-pword\>

˄˅