Prepare a Kubernetes Cluster

To determine whether your existing Kubernetes cluster meets the requirements for use with Tenable Enclave Security, see Tenable Enclave Security System Requirements.

Before you begin

  • Configure a routable URL or external gateway.

  • Determine whether to create a new Kubernetes cluster or use an existing one.

Configure a Kubernetes cluster

  1. Create a new Kubernetes cluster. For instructions on how to create a new cluster, see the Kubernetes documentation.

    -or-

    Use an existing cluster. To determine whether your existing cluster meets the requirements for your Tenable Enclave Security deployment, see Tenable Enclave Security System Requirements.

  2. Define a default storage class on the cluster. For instructions on how to change the default storage class, see the Kubernetes documentation.

  3. Install cert-manager in your Kubernetes cluster. For instructions on how to install cert-manager, see the cert-manager documentation.

    Note: If you want to use your own certificates, contact your Tenable Support representative.

  4. Install cert-manager-csi-installer in your Kubernetes cluster.

  5. Configure the Container Security database. This database contains the data visible in the Container Security UI, including vulnerabilities, images, packages, and layers.

    Tenable recommends that you use a managed PostgreSQL database service (for example, AWS RDS or GCP). If you want to host the database yourself, see the Kubegres documentation.

  6. Create a Kubernetes secret named tes-pg-secrets that holds the connection details for the database.

    kubectl apply --namespace tenable-enclave-security -f tes-pg-secrets.yaml

    Note: Supported SSL modes include prefer, require, and verify-ca. The default SSL mode for Tenable Enclave Security services is prefer.

    The following is an example tes-pg-secrets.yaml:

    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: tes-pg-secrets
    data:
      # All values below must be base64 encoded strings
      pg_host: # Hostname and optional port (e.g., db.example.com or db.example.com:5432)
      pg_user: # Admin username (must have CREATEDB and CREATEROLE permissions)
      pg_pass: # Password for the pg_user
      pg_ro_host: # Hostname for read-only replica (defaults to pg_host if not applicable)
      pg_ssl_mode: # Optional: SSL level. Use 'prefer' (default), 'require', or 'verify-ca'
      pg_ca_cert: # Required if pg_ssl_mode=verify-ca. The CA certificate content.

    Note: To encode pg_ssl_mode correctly on Linux or macOS, use the following command:

    echo -n "verify-ca" | base64

    If you omit the -n flag, the encoded string includes a trailing newline character, which causes the database driver to reject the SSL mode.
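As an added example (not Tenable's own tooling), the following POSIX shell script renders tes-pg-secrets.yaml from plain-text inputs: it encodes every value with printf rather than echo so no trailing newline slips into pg_ssl_mode, accepts only the three SSL modes this page lists, and refuses verify-ca without a CA certificate file. The secret name, key names and namespace come from this page; the function names and sample values are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of the Tenable Enclave Security documentation.

# Encode without a trailing newline: printf '%s' never appends one, unlike echo.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# True (exit 0) when a base64 value decodes to something ending in "\n",
# which is exactly what `echo verify-ca | base64` produces.
decoded_has_newline() {
  [ "$(printf '%s' "$1" | base64 -d | tail -c1 | od -An -tx1 | tr -d ' ')" = "0a" ]
}

# Only the modes the services support. Note that prefer falls back to a
# plaintext connection if the server does not offer TLS; require and verify-ca do not.
check_ssl_mode() {
  case "$1" in
    prefer|require|verify-ca) return 0 ;;
    *) return 1 ;;
  esac
}

# Render the manifest. Args: host user pass [ro_host] [ssl_mode] [ca_cert_file]
# pg_ro_host defaults to pg_host when there is no read-only replica.
render_tes_pg_secrets() {
  host=$1; user=$2; pass=$3; ro_host=${4:-$1}; mode=${5:-prefer}; ca_file=$6
  check_ssl_mode "$mode" || { echo "unsupported pg_ssl_mode: $mode" >&2; return 1; }
  # verify-ca pins the server to a CA, so the CA certificate is mandatory.
  if [ "$mode" = verify-ca ] && [ -z "$ca_file" ]; then
    echo "pg_ssl_mode=verify-ca requires a CA certificate file" >&2; return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: tes-pg-secrets
  namespace: tenable-enclave-security
data:
  pg_host: $(b64 "$host")
  pg_user: $(b64 "$user")
  pg_pass: $(b64 "$pass")
  pg_ro_host: $(b64 "$ro_host")
  pg_ssl_mode: $(b64 "$mode")
EOF
  # The CA file is PEM text; encode the whole file on one line.
  [ -n "$ca_file" ] && printf '  pg_ca_cert: %s\n' "$(base64 < "$ca_file" | tr -d '\n')"
  return 0
}
```

Pipe the output into `kubectl apply --namespace tenable-enclave-security -f -` once the values look right; pass `verify-ca` plus the CA file for a managed database whose server certificate you can validate.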