External PostgreSQL with Tenable Enclave Security

Note: When reviewing external PostgreSQL documentation, ensure that you use the appropriate documentation version for the PostgreSQL version you deployed.

Requirements

Tenable Enclave Security requires a customer-managed PostgreSQL instance. This instance can reside within the same Kubernetes cluster as the Tenable Enclave Security deployment or be hosted externally, provided the services within the Kubernetes cluster have network access to the database instance.

Required Privileges for the Bootstrap User

To complete this setup, the database user must have the following permissions:

  • CREATEDB: Allows the user to create service-specific databases.

  • CREATEROLE: Allows the user to create distinct user accounts for those services and set passwords for them.

Required PostgreSQL extensions

  • PGCRYPTO

  • PG_TRGM

Functional Overview

Bootstrap User and Permissions

The PostgreSQL user credential you provide via the tes-pg-secrets secret acts as a bootstrap administrator. This user must have CREATEDB and CREATEROLE privileges.

Purpose of the Bootstrap User

Tenable Enclave Security consists of multiple microservices, such as the Tenable Enclave Security operator, Tenable Security Center, and Container Security.

Instead of sharing one set of credentials across all services, the installation process uses the credentials in tes-pg-secrets to automatically orchestrate a secure, isolated environment:

  • Dynamic Provisioning: Upon deployment, a database initialization (DB init) job runs for each logical function. Each job connects to the database instance as the bootstrap user.

  • Dedicated Databases: The process creates a separate, dedicated database for each microservice that requires PostgreSQL access. To maintain security best practices, services do not share databases.

  • Unique Service Credentials: The process generates a unique application user role and a unique password for each service.

  • Least Privilege Access: Once configured, individual services use these restricted credentials to operate, not the administrative credentials found in the secret.
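The following is an added example, not Tenable's own code, of how a database administrator might provision the bootstrap role described above with only the documented privileges, and then verify the role and the required extensions before and after deployment. The role name tes_bootstrap, the placeholder password, and the namespace prefix tes are assumptions.

```sql
-- Bootstrap role for the Tenable Enclave Security DB init jobs (added example).
-- Role name and password are placeholders; replace them before use.
-- CREATEDB and CREATEROLE are the documented requirements. SUPERUSER, REPLICATION
-- and BYPASSRLS are withheld so the credential in tes-pg-secrets cannot bypass
-- access controls if it is ever exposed.
CREATE ROLE tes_bootstrap
    LOGIN
    CREATEDB
    CREATEROLE
    NOSUPERUSER
    NOREPLICATION
    NOBYPASSRLS
    PASSWORD 'REPLACE_WITH_STRONG_PASSWORD';

-- Check 1: the role must report createdb = t, createrole = t and superuser = f.
SELECT rolname, rolcreatedb, rolcreaterole, rolsuper, rolreplication, rolbypassrls
FROM   pg_roles
WHERE  rolname = 'tes_bootstrap';

-- Check 2: pgcrypto and pg_trgm must be installed on the server (contrib package)
-- so the DB init jobs can run CREATE EXTENSION inside each service database.
-- A missing row here means the extension files are absent from the server.
SELECT name, default_version, installed_version
FROM   pg_available_extensions
WHERE  name IN ('pgcrypto', 'pg_trgm');

-- Check 3 (after deployment): each service database should exist with the
-- namespace prefix and be owned by its own dedicated application role, not by
-- the bootstrap role. 'tes' is an assumed namespace; substitute your own.
SELECT d.datname,
       pg_get_userbyid(d.datdba) AS owner_role
FROM   pg_database d
WHERE  d.datname LIKE 'tes%'
ORDER  BY d.datname;
```

Run the first two checks before installing Tenable Enclave Security; the third confirms the per-service isolation described above once the DB init jobs have completed.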

Responsibility Matrix

When you use an external PostgreSQL server with Tenable Enclave Security, you are responsible for the following:

  • Installing and configuring PostgreSQL.

  • Backing up PostgreSQL.

  • Securing PostgreSQL.

  • Patching and upgrading PostgreSQL.

  • Maintaining network connectivity to PostgreSQL from the Kubernetes cluster (for example, firewall rules and security groups).

Tenable is responsible for:

  • The databases and structures created by Tenable Enclave Security services within PostgreSQL.

    Caution: Do not directly access or modify any databases created by Tenable Enclave Security services. Unauthorized modifications can compromise data integrity and functionality.

  • Data integrity and database-level configuration.

Note: PostgreSQL database names use the namespace where you installed Tenable Enclave Security as a prefix.

Installation

You can use any currently supported version of PostgreSQL. Supported versions include:

  • PostgreSQL 14.x

  • PostgreSQL 15.x

  • PostgreSQL 16.x (preferred)

  • PostgreSQL 17.x

Tenable follows the PostgreSQL lifecycle and removes support after the final release of a major version. For example, Tenable will not support PostgreSQL 14.x after November 2026.

Review the PostgreSQL documentation for installation instructions. You can use a managed instance of PostgreSQL from a cloud vendor if the instance meets the requirements listed in this document.

Note: If you use an external PostgreSQL database and you uninstall Tenable Enclave Security, the associated PostgreSQL database remains. Contact your database administrator to remove the database and ensure you maintain any required backups.

Configuration

See the System Requirements for specific requirements.

Security

Tenable recommends that you implement a PostgreSQL security baseline if you host your own PostgreSQL instance. Examples include the Center for Internet Security (CIS) PostgreSQL Benchmark or the Crunchy Data PostgreSQL Security Technical Implementation Guide (STIG).

Tenable does not provide support for implementing these benchmarks. Certain configurations may impact Tenable Enclave Security performance or functionality.

Implementation of security benchmarks may require you to add external extensions to PostgreSQL, such as pgaudit and pgcrypto. Tenable does not provide support or documentation for the installation or configuration of these extensions.

Patching and Upgrades

Note: You must shut down Tenable Security Center before you patch or upgrade PostgreSQL.

Tenable recommends that you:

  • Monitor PostgreSQL security updates and apply relevant security patches after testing.

  • Back up your Tenable Enclave Security databases before you patch or upgrade PostgreSQL.