docs(eks): add documentation about EKS onboarding (#6853)

Co-authored-by: Pepe Fagoaga <[email protected]>

Author: MrCloudSec

docs/index.md

@@ -548,6 +548,7 @@ prowler kubernetes --kubeconfig-file path
 
 For in-cluster execution, you can use the supplied yaml to run Prowler as a job within a new Prowler namespace:
 ```console
+kubectl apply -f kubernetes/prowler-sa.yaml
 kubectl apply -f kubernetes/job.yaml
 kubectl apply -f kubernetes/prowler-role.yaml
 kubectl apply -f kubernetes/prowler-rolebinding.yaml

docs/tutorials/kubernetes/in-cluster.md

@@ -9,6 +9,7 @@ For in-cluster execution, you can use the supplied yaml files inside `/kubernete
 They can be used to run Prowler as a job within a new Prowler namespace:
 
 ```console
+kubectl apply -f kubernetes/prowler-sa.yaml
 kubectl apply -f kubernetes/job.yaml
 kubectl apply -f kubernetes/prowler-role.yaml
 kubectl apply -f kubernetes/prowler-rolebinding.yaml

docs/tutorials/prowler-app.md

@@ -99,6 +99,32 @@ By default, the `kubeconfig` file is located at `~/.kube/config`.
 
 <img src="../../img/kubernetes-credentials.png" alt="Kubernetes Credentials" width="700"/>
 
+???+ note
+    If you are adding an **Amazon EKS** cluster, follow these additional steps to ensure proper authentication:
+
+    1. Apply the necessary Kubernetes resources to your EKS cluster (you can find the files in the [`kubernetes` directory of the Prowler repository](https://github.com/prowler-cloud/prowler/tree/master/kubernetes)):
+    ```console
+    kubectl apply -f kubernetes/prowler-sa.yaml
+    kubectl apply -f kubernetes/prowler-role.yaml
+    kubectl apply -f kubernetes/prowler-rolebinding.yaml
+    ```
+
+    2. Generate a long-lived token for authentication:
+    ```console
+    kubectl create token prowler-sa -n prowler-ns --duration=0
+    ```
+        - **Security Note:** The `--duration=0` option generates a non-expiring token, which may pose a security risk if not managed properly. Users should decide on an appropriate expiration time based on their security policies. If a limited-time token is preferred, set `--duration=<TIME>` (e.g., `--duration=24h`).
+        - **Important:** If the token expires, Prowler Cloud will no longer be able to authenticate with the cluster. In this case, you will need to generate a new token and **remove and re-add the provider in Prowler Cloud** with the updated `kubeconfig`.
+
+    3. Update your `kubeconfig` to use the ServiceAccount token:
+    ```console
+    kubectl config set-credentials prowler-sa --token=<SA_TOKEN>
+    kubectl config set-context <CLUSTER_ARN> --user=prowler-sa
+    ```
+    Replace <SA_TOKEN> with the generated token and <CLUSTER_ARN> with your EKS cluster ARN.
+
+    4. Now you can add the modified `kubeconfig` as the credentials of the AWS EKS Cluster in Prowler Cloud. Then simply test the connection.
+
 ---
 
 ## **Step 5: Test Connection**

kubernetes/job.yaml

@@ -1,16 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: prowler-ns
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: prowler-sa
-  namespace: prowler-ns
-
----
 apiVersion: batch/v1
 kind: Job
 metadata:

kubernetes/prowler-sa.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: prowler-ns
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: prowler-sa
+  namespace: prowler-ns

prowler/providers/kubernetes/services/rbac/rbac_service.py

@@ -95,7 +95,7 @@ def _list_roles(self):
                             "resources": rule.resources,
                             "verbs": rule.verbs,
                         }
-                        for rule in role.rules
+                        for rule in (role.rules or [])
                     ],
                 }
                 roles[role.metadata.uid] = Role(**formatted_role)