Configure and Run the Tenable.io CS Scanner in Kubernetes
To scan images with the Tenable.io CS Scanner in Kubernetes, create a Kubernetes deployment file and deploy the file via the CLI on the machine where you want to run the scan.
Before you begin:
- Confirm your machine meets the system requirements, as described in CS Scanner System Requirements.
- Download the Tenable.io CS Scanner, as described in Download the CS Scanner.
- Prepare your environment variable values, as described in Environment Parameters.
- Configure and deploy your Kubernetes namespace, as described in Configure and Deploy Kubernetes Namespace.
- Configure and deploy your secrets in Kubernetes, as described in Configure and Deploy Secrets in Kubernetes.
To configure and run the Tenable.io CS Scanner in Kubernetes:
In a text editor, open a new file.
- Save the file as
Copy and paste the following text into the file, typing your specific variables where applicable:
For information about these variables and their definitions, see Environment Parameters.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: tiocsscanner
  namespace: tiocsscanner
  labels:
    app: tiocsscanner
spec:
  selector:
    app: tiocsscanner
  type: ClusterIP
  ports:
  - name: http
    protocol: TCP
    port: 5000
---
# apps/v1 replaces extensions/v1beta1, which Kubernetes 1.16 removed for Deployments.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tiocsscanner
  name: tiocsscanner
  namespace: tiocsscanner
spec:
  minReadySeconds: 10
  replicas: 1
  selector:
    matchLabels:
      app: tiocsscanner
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: tiocsscanner
    spec:
      containers:
      - image: "tenableio-docker-consec-local.jfrog.io/cs-scanner:latest"
        name: tiocsscanner
        resources:
          limits:
            cpu: "3"
        args:
        - import-registry
        env:
        # Tenable.io API keys, read from the "tio" secret
        - name: TENABLE_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: tio
              key: username
        - name: TENABLE_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: tio
              key: password
        # Registry credentials, read from the "private-registry" secret
        - name: REGISTRY_USERNAME
          valueFrom:
            secretKeyRef:
              name: private-registry
              key: username
        - name: REGISTRY_PASSWORD
          valueFrom:
            secretKeyRef:
              name: private-registry
              key: password
        - name: REGISTRY_NAME
          value: "<variable>"
        - name: REGISTRY_URI
          value: "<variable>"
        - name: IMPORT_INTERVAL_MINUTES
          value: "<variable>"
```

Note: If you are not pulling the image directly from the repository where it is hosted, append the following lines to the end of the file, starting on a new line after the last variable and indented to the same level as containers:

```yaml
      imagePullSecrets:
      - name: jfrog-tio
```
- Save and close the file.
In the CLI on the machine where you want to run the scan, type the following to deploy the file:

```
kubectl apply -f tiocsscanner-deployment.yaml
```

Note: The above command works only if the file is saved to the current working directory. If the file is saved somewhere other than the working directory, include the full directory path in the command. For example:
The Tenable.io CS Scanner runs on Kubernetes.
Run the following command to confirm the scan ran successfully:

```
kubectl get pods --namespace=tiocsscanner
```
The scan status log appears.
Note: If you receive error messages in the scan data, follow the error prompts to correct the issue.
What to do next:
- View the results of your scan, as described in View the Scan Results for Running Container Images.
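
Before running kubectl apply, it helps to confirm that no `<variable>` placeholder is left in the deployment file and that every secret key referenced through secretKeyRef exists in the namespace. The shell functions below are an added example, not part of the Tenable documentation; the function names are hypothetical and the sample fragment is constructed.

```shell
#!/bin/sh
# Pre-flight checks for the deployment file (added example; function names are hypothetical).

# Print, with line numbers, every line that still contains an unfilled placeholder.
unfilled_placeholders() {
  grep -n '<variable>' "$1" || true
}

# Print "secret/key" for every secretKeyRef in the manifest, de-duplicated.
required_secret_keys() {
  awk '
    /secretKeyRef:/ { in_ref = 1; n = ""; k = ""; next }
    in_ref && $1 == "name:" { n = $2 }
    in_ref && $1 == "key:"  { k = $2 }
    in_ref && n != "" && k != "" { print n "/" k; in_ref = 0 }
  ' "$1" | sort -u
}

# Print each referenced secret/key that is absent from namespace $2 (needs kubectl access).
# Only presence is tested; the secret value is never printed.
missing_secret_keys() (
  for ref in $(required_secret_keys "$1"); do
    val=$(kubectl get secret "${ref%%/*}" -n "$2" -o "jsonpath={.data.${ref##*/}}" 2>/dev/null) || true
    [ -n "$val" ] || echo "$ref"
  done
)

# Constructed sample: a fragment of the env section in the shape used by the file above.
write_sample_manifest() {
  cat > "$1" <<'EOF'
        env:
        - name: TENABLE_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: tio
              key: username
        - name: REGISTRY_PASSWORD
          valueFrom:
            secretKeyRef:
              name: private-registry
              key: password
        - name: REGISTRY_URI
          value: "<variable>"
EOF
}
```

For example, `missing_secret_keys tiocsscanner-deployment.yaml tiocsscanner` prints each secret/key pair that is absent from the namespace; empty output means every referenced key was found.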