InfraAudit connects to Kubernetes clusters via a kubeconfig file. Once connected, it syncs deployments, pods, services, namespaces, and more, and supports drift detection when you upload Kubernetes manifests.

Prerequisites

  • A running Kubernetes cluster (EKS, GKE, AKS, or self-managed)
  • kubectl installed locally and configured to access the cluster
  • Permission to create service accounts and ClusterRoleBindings in the cluster

Set up RBAC

Create a dedicated service account with a read-only ClusterRole so InfraAudit only has the access it needs. Save the following as infraudit-rbac.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: infraudit
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: infraudit-reader
rules:
  - apiGroups: ["", "apps", "batch", "networking.k8s.io"]
    resources:
      - pods
      - deployments
      - services
      - namespaces
      - replicasets
      - daemonsets
      - statefulsets
      - jobs
      - cronjobs
      - ingresses
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: infraudit-reader-binding
subjects:
  - kind: ServiceAccount
    name: infraudit
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: infraudit-reader
  apiGroup: rbac.authorization.k8s.io
Apply it to your cluster:
kubectl apply -f infraudit-rbac.yaml

Generate a kubeconfig for the service account

Run the following script to create a kubeconfig file scoped to the infraudit service account:
# Get the secret name
SECRET=$(kubectl -n kube-system get serviceaccount infraudit \
  -o jsonpath='{.secrets[0].name}')

# Extract the token and CA certificate (the CA stays base64-encoded,
# which is the form certificate-authority-data expects)
TOKEN=$(kubectl -n kube-system get secret "$SECRET" \
  -o jsonpath='{.data.token}' | base64 -d)
CA=$(kubectl -n kube-system get secret "$SECRET" \
  -o jsonpath='{.data.ca\.crt}')

# Get the cluster server URL
SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')

# Write the kubeconfig file
cat > infraudit-kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
clusters:
  - cluster:
      certificate-authority-data: $CA
      server: $SERVER
    name: infraudit-cluster
contexts:
  - context:
      cluster: infraudit-cluster
      user: infraudit
    name: infraudit-context
current-context: infraudit-context
users:
  - name: infraudit
    user:
      token: $TOKEN
EOF
Kubernetes 1.24 and later no longer create service account token secrets automatically. If the $SECRET variable is empty, generate a token manually with kubectl create token infraudit -n kube-system and use it in place of $TOKEN.

Register the cluster

  1. Open the connection dialog. In the sidebar, click Cloud Providers → Connect Kubernetes.
  2. Upload the kubeconfig. Upload or paste the contents of infraudit-kubeconfig.yaml into the Kubeconfig field.
  3. Name the cluster. Enter a display name (for example, Production EKS).
  4. Connect. Click Connect. InfraAudit validates connectivity and starts the initial resource sync.

What gets synced

After connecting, InfraAudit discovers and monitors the following Kubernetes resources:
  • Deployments, ReplicaSets, DaemonSets, StatefulSets
  • Pods and their current status
  • Services (ClusterIP, NodePort, LoadBalancer)
  • Namespaces
  • Jobs and CronJobs
  • Ingresses
The sync runs every 6 hours by default. You can trigger a manual sync at any time from Cloud Providers in the sidebar.

Multi-cluster support

Connect each cluster as a separate provider entry. All clusters appear together in the unified Kubernetes view, filterable by cluster name. There is no separate cap on the number of clusters you can register; the only bound is your plan's resource limit.

Security notes

  • The kubeconfig is encrypted at rest using AES-GCM.
  • InfraAudit never creates, modifies, or deletes any Kubernetes resources. All operations are read-only.
  • Rotate the service account token periodically and update the kubeconfig in InfraAudit when you do.
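
The Kubernetes 1.24+ note and the rotation advice above, combined in an added example (not InfraAudit's own tooling): it requests a time-bound token with kubectl create token, writes the kubeconfig readable only by its owner, and prints the token's exp claim so you know when the next rotation is due. The function names and the 720h lifetime are assumptions made for this example, and it expects the CA to be stored inline in your admin kubeconfig.

```bash
# Added example, not InfraAudit's own tooling. Assumes kubectl >= 1.24 and the
# infraudit service account from infraudit-rbac.yaml; 720h is an example lifetime.

# Print a kubeconfig for a server URL ($1), base64 CA bundle ($2) and token ($3).
render_kubeconfig() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
  - cluster:
      certificate-authority-data: $2
      server: $1
    name: infraudit-cluster
contexts:
  - context:
      cluster: infraudit-cluster
      user: infraudit
    name: infraudit-context
current-context: infraudit-context
users:
  - name: infraudit
    user:
      token: $3
EOF
}

# Print the "exp" claim (Unix seconds) from a service account JWT.
token_expiry() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')  # base64url -> base64
  case $(( ${#payload} % 4 )) in                            # restore padding
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  printf '%s' "$payload" | base64 -d | grep -o '"exp":[0-9]*' | cut -d: -f2
}

# Request a fresh token, write an owner-only kubeconfig, print the token expiry.
rotate_kubeconfig() {
  local out="${1:-infraudit-kubeconfig.yaml}" duration="${2:-720h}" token ca server
  token=$(kubectl create token infraudit -n kube-system --duration="$duration") || return 1
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  ca=$(kubectl config view --minify --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  # An empty CA means the admin kubeconfig points to a CA file, not inline data.
  [ -n "$token" ] && [ -n "$server" ] && [ -n "$ca" ] || return 1
  ( umask 077; render_kubeconfig "$server" "$ca" "$token" > "$out" ) && chmod 600 "$out"
  token_expiry "$token"   # the API server may shorten the requested lifetime
}
```

Source the file and run rotate_kubeconfig infraudit-kubeconfig.yaml 720h, then upload the new file to InfraAudit before the printed expiry time passes.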