Prepare Kubernetes Objects to Configure and Run the Tenable.io CS Scanner

You must prepare your Kubernetes namespace and secret objects before you can configure and run the Tenable.io CS Scanner in Kubernetes. The Tenable.io CS Scanner refers to these objects when it scans an image in Kubernetes.

Secrets contain sensitive information associated with the TENABLE_ACCESS_KEY, TENABLE_SECRET_KEY, REGISTRY_USERNAME, and REGISTRY_PASSWORD environment variables described in Environment Variables. To run the Tenable.io CS Scanner in Kubernetes, you must configure these secrets and deploy them to the registry where the image you want to scan is stored.

For more information about how to create objects in Kubernetes, see the Kubernetes documentation at kubernetes.io.

Before you begin:

To prepare Kubernetes to configure and run the Tenable.io CS Scanner:

  1. Log in to the CLI on the machine where you want to configure and run the Tenable.io CS Scanner.
  2. In a text editor, create a namespace file (tiocsscanner-namespace.yaml) for your CS Scanner. For example:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: tiocsscanner
      labels:
        name: tiocsscanner

  3. Save and close the file.
  4. Deploy the tiocsscanner-namespace.yaml file to Kubernetes. For example:

    kubectl apply -f tiocsscanner-namespace.yaml

    Your namespace is configured and deployed.

    Note: The above command works only if the file is saved to the current working directory. If the file is saved somewhere else, include the full path to the file in the command. For example:

    kubectl apply -f /home/jsmith/images/tiocsscanner-namespace.yaml

  5. Configure secrets for your Tenable.io access and secret keys. For example:

    $ kubectl create secret generic tio \
        --from-literal=username=<Your Tenable.io access key> \
        --from-literal=password=<Your Tenable.io secret key> \
        --namespace=tiocsscanner

    Your Tenable.io access key and secret key secrets are configured.

  6. Configure secrets for your private registry username and password. For example:

    # Secret names must be lowercase RFC 1123 names; Kubernetes rejects underscores.
    $ kubectl create secret generic private-registry \
        --from-literal=username=<Your private registry username> \
        --from-literal=password=<Your private registry password> \
        --namespace=tiocsscanner

    Your private registry username and password secrets are configured.

  7. Deploy your secrets to the registry where the image you want to scan is stored. For example:

    kubectl create secret docker-registry jfrog-tio \
        --docker-server=https://tenableio-docker-consec-local.jfrog.io \
        --docker-username=<Your username from the Tenable.io Container Security console> \
        --docker-password=<Your password from the Tenable.io Container Security console> \
        --docker-email=<Your email address> \
        --namespace=tiocsscanner

    Your secrets are deployed to the registry.
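
Steps 5 and 6 pass the keys with --from-literal, which puts them on the kubectl command line, where they are visible in shell history and process listings. The script below is an added example, not part of the Tenable documentation: it renders the same secrets as manifests from values read on stdin. The function names are illustrative, and it assumes the base64 utility is on the PATH.

```shell
#!/bin/sh
# Added example (not Tenable's code): render the step 5/6 secrets as manifests
# so credential values never appear in a process argument list or shell history.
NAMESPACE=tiocsscanner   # namespace created in step 2

# Kubernetes object names must be lowercase RFC 1123 subdomains:
# [a-z0-9.-] only, each dot-separated label starting and ending alphanumeric.
valid_name() (
  LC_ALL=C
  case $1 in
    ''|*[!a-z0-9.-]*|[.-]*|*[.-]|*..*|*.-*|*-.*) exit 1 ;;
  esac
  [ "${#1}" -le 253 ]
)

# base64 of the exact bytes given (no trailing newline, output unwrapped).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_secret NAME: reads username (line 1) and password (line 2) from
# stdin and prints an Opaque Secret with the same keys steps 5 and 6 use.
render_secret() (
  name=$1 user='' pass=''
  valid_name "$name" || { echo "invalid secret name: $name" >&2; exit 1; }
  IFS= read -r user || :
  IFS= read -r pass || :
  if [ -z "$user" ] || [ -z "$pass" ]; then
    echo "expected username and password on stdin" >&2; exit 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $NAMESPACE
type: Opaque
data:
  username: $(b64 "$user")
  password: $(b64 "$pass")
EOF
)

# Usage against a cluster (printf is a shell builtin, so nothing reaches argv):
#   printf '%s\n%s\n' "$TENABLE_ACCESS_KEY" "$TENABLE_SECRET_KEY" |
#     render_secret tio | kubectl apply -f -
```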

What to do next:

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable.io, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable.sc, Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.