Add custom ServiceAccount for imperative Scan Hook

Author: J12934

hooks/imperative-subsequent-scans/templates/imperative-subsequent-scans-hook.yaml

@@ -17,6 +17,7 @@ spec:
   image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
   {{- end }}
   {{- end }}
+  serviceAccountName: imperative-combined-scans
   env:
     - name: CASCADE_AMASS_NMAP
       value: {{ .Values.cascade.amassNmap | quote }}

hooks/imperative-subsequent-scans/templates/role-binding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    description: ImperativeCombinedScansHook needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: imperative-combined-scans
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: imperative-combined-scans
+subjects:
+  - kind: ServiceAccount
+    name: imperative-combined-scans

hooks/imperative-subsequent-scans/templates/role.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    description: ImperativeCombinedScansHook needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: imperative-combined-scans
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans
+    verbs:
+      - get
+      - list
+      - create
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans/status
+    verbs:
+      - get
+      - patch

hooks/imperative-subsequent-scans/templates/service-account.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    description: ImperativeCombinedScansHook needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: imperative-combined-scans
+  namespace: {{ .Release.Namespace }}