Tenable Enclave Security Helm Charts

Tenable Enclave Security is packaged with Helm, the open-source Kubernetes package manager. Use this Helm Chart when you install, configure, or upgrade Tenable Enclave Security.

To download the Helm Chart for Tenable Enclave Security, go to https://github.com/tenable/helm-charts.

Helm Chart: tes-operator

Helm Chart Description: Configures the namespace, persistent volume claim, and StatefulSet Pods to pull images from container registries.

Values.yaml Configuration

Note: Tenable Enclave Security does not support changing any values besides the ones listed here.

Specify CPU and Memory Requests and Limits

The following example is for an environment with 10,000 active IPs. For sizing requirements specific to your needs, see System Requirements.

tes:
  blades:
    securitycenter:
      resources:
        requests:
          cpu: 2000m
          memory: 8Gi
        limits:
          cpu: 4000m
          memory: 8Gi
    container-security:
      tes-consec-ui:
        resources:
          requests:
            memory: "3Gi"
            cpu: "2"
          limits:
            memory: "4Gi"
            cpu: "4"
      tes-consec-api:
        resources:
          requests:
            memory: "3Gi"
            cpu: "2"
          limits:
            memory: "6Gi"
            cpu: "4"
      tes-consec-scan:
        resources:
          requests:
            memory: "5Gi"
            cpu: "2"
          limits:
            memory: "10Gi"
            cpu: "4"
      tes-consec-policy:
        resources:
          requests:
            memory: "2Gi"
            cpu: "2"
          limits:
            memory: "6Gi"
            cpu: "4"
      tes-consec-tvdl:
        resources:
          requests:
            memory: "10Gi"
            cpu: "2"
          limits:
            memory: "15Gi"
            cpu: "4"

Specify Service Annotations (Optional)

If you are using Kubernetes in a hosted environment and your provider (for example, AWS) supports it, use the following annotation to restrict access to the load balancer the chart creates to the listed source IP ranges.

tes:
  blades:
    securitycenter:
      service:
        annotations:
          service.beta.kubernetes.io/load-balancer-source-ranges: "<IP Range>"

Specify Node Affinity (Optional)

Tenable Enclave Security requires an amd64 node. If you are using Kubernetes in an environment with multiple available node types, or one that requires a node affinity policy, you can add the policy to values.yaml. The following is an example policy for Karpenter on AWS EKS.

tes:
  blades:
    global:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/arch
                    operator: In
                    values:
                      - amd64
                  - key: karpenter.sh/capacity-type
                    operator: In
                    values:
                      - on-demand

Disable cert-manager CSI Driver (Optional)

Tenable recommends the cert-manager CSI driver for provisioning the certificates that Tenable Enclave Security services use for mTLS. If the CSI driver cannot be installed on your cluster, you can disable it with the following setting. The chart then uses cert-manager Certificate resources to provision the certificates into a Secret that the respective services consume:

tes:
  blades:
    global:
      disableCertManagerCsiDriver: true

Specify PVC Size (Optional)

You can use the following option to adjust the PVC size for the services.

tes:
  blades:
    securitycenter:
      persistentVolumeClaim:
        size: {size}
    container-security:
      tes-consec-scan:
        persistentVolumeClaim:
          size: {size}
      tes-consec-tvdl:
        persistentVolumeClaim:
          size: {size}

Specify PVC Storage Class (Optional)

You can use the following option to specify the PVC storage class.

tes:
  blades:
    securitycenter:
      persistentVolumeClaim:
        storageClassName: {storage class}
    container-security:
      tes-consec-scan:
        persistentVolumeClaim:
          storageClassName: {storage class}
      tes-consec-tvdl:
        persistentVolumeClaim:
          storageClassName: {storage class}

Specify Registry for PostgreSQL DB Image (Optional)

You can use the following option to specify the PostgreSQL DB image registry.

tes:
  blades:
    securitycenter:
      db:
        initJob:
          image:
            registry: {registry}
    container-security:
      db:
        initJob:
          image:
            registry: {registry}

Provide Tenable Enclave Security Routable URL or external gateway (Optional)

You can configure the URL to access and route traffic to Tenable Enclave Security. This URL is used by the scanners to publish data to the Tenable Enclave Security instance.

Note: If you do not configure a URL, Tenable Enclave Security automatically tries to use the ingress hostname of the tes LoadBalancer service as the URL.

tes:
  blades:
    global:
      url: tes.tenable.com

Change Service type for Tenable Enclave Security (Optional)

By default, Tenable Enclave Security attempts to deploy a LoadBalancer Service to provide access to the Tenable Enclave Security instance. You can modify the service type using the following option.

tes:
  blades:
    securitycenter:
      service:
        type: ClusterIP
        annotations: ""

Note: If you change the service type from LoadBalancer, you must provide the URL so that Tenable Enclave Security can give its scanners the correct configuration.

External DNS annotation (Optional)

You can add an external DNS annotation to the Tenable Enclave Security service with the following options.

tes:
  blades:
    securitycenter:
      service:
        # value specified in subdomain would be added to the extdns annotation
        # in the format:
        # external-dns.alpha.kubernetes.io/hostname: {{ .Release.Namespace -}}.{{ .Values.service.subdomain }}
        extDnsAnnotation:
          subdomain: "tenable.com"
          enabled: true

When applied to the tenable-enclave-security namespace, these Helm Chart settings will result in the following annotation:

apiVersion: v1
kind: Service
metadata:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: tenable-enclave-security.tenable.com
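As an added example (not Tenable's code and not part of the tes-operator chart), the following Python pre-flight check applies the constraints stated on this page to a values.yaml before you run helm: a request must not exceed its limit for securitycenter and each container-security service (Kubernetes rejects a Pod whose request is larger than its limit), every entry of the load-balancer-source-ranges annotation must be a valid CIDR, a service type other than LoadBalancer must be paired with tes.blades.global.url, and the hostname that the extDnsAnnotation setting renders is computed from the release namespace and subdomain. The values dictionary is constructed here to mirror the fragments above (in practice you would load the real file with yaml.safe_load); the hostnames and IP ranges in it are placeholders, not real deployment values.

```python
import ipaddress
import re

# Constructed sample, mirroring the values.yaml fragments on this page.
# Hostnames and IP ranges are placeholders for illustration only.
SAMPLE_VALUES = {
    "tes": {
        "blades": {
            "global": {"url": "tes.example.internal"},
            "securitycenter": {
                "resources": {
                    "requests": {"cpu": "2000m", "memory": "8Gi"},
                    "limits": {"cpu": "4000m", "memory": "8Gi"},
                },
                "service": {
                    "type": "ClusterIP",
                    "annotations": {
                        "service.beta.kubernetes.io/load-balancer-source-ranges":
                            "10.0.0.0/8,192.168.1.0/24",
                    },
                    "extDnsAnnotation": {"subdomain": "example.internal", "enabled": True},
                },
            },
            "container-security": {
                "tes-consec-scan": {
                    "resources": {
                        "requests": {"memory": "5Gi", "cpu": "2"},
                        "limits": {"memory": "10Gi", "cpu": "4"},
                    },
                },
            },
        }
    }
}

_MEM_UNITS = {"": 1, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
              "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}
_SOURCE_RANGES_KEY = "service.beta.kubernetes.io/load-balancer-source-ranges"


def parse_cpu(quantity):
    """Kubernetes CPU quantity -> millicores ('2' -> 2000, '2000m' -> 2000)."""
    s = str(quantity).strip()
    if s.endswith("m"):
        return int(s[:-1])
    return int(float(s) * 1000)


def parse_memory(quantity):
    """Kubernetes memory quantity -> bytes ('8Gi' -> 8 * 1024**3)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]i?)?", str(quantity).strip())
    if not m:
        raise ValueError(f"unrecognised memory quantity: {quantity!r}")
    return int(float(m.group(1)) * _MEM_UNITS[m.group(2) or ""])


def check_resources(name, resources):
    """Report any request that exceeds its limit; such a Pod spec is rejected by the API server."""
    problems = []
    req, lim = resources.get("requests", {}), resources.get("limits", {})
    if "cpu" in req and "cpu" in lim and parse_cpu(req["cpu"]) > parse_cpu(lim["cpu"]):
        problems.append(f"{name}: cpu request {req['cpu']} exceeds limit {lim['cpu']}")
    if "memory" in req and "memory" in lim and parse_memory(req["memory"]) > parse_memory(lim["memory"]):
        problems.append(f"{name}: memory request {req['memory']} exceeds limit {lim['memory']}")
    return problems


def check_source_ranges(annotations):
    """Every comma-separated entry of the source-ranges annotation must parse as a CIDR."""
    problems = []
    value = annotations.get(_SOURCE_RANGES_KEY) if isinstance(annotations, dict) else None
    if value is None:
        return problems
    for entry in str(value).split(","):
        try:
            ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            problems.append(f"{_SOURCE_RANGES_KEY}: {entry.strip()!r} is not a valid CIDR range")
    return problems


def expected_ext_dns_hostname(namespace, subdomain):
    """Hostname the chart's extDnsAnnotation template renders: <namespace>.<subdomain>."""
    return f"{namespace}.{subdomain}"


def validate_values(values, namespace="tenable-enclave-security"):
    """Return (problems, expected external-dns hostname or None) for a parsed values.yaml."""
    problems = []
    blades = values.get("tes", {}).get("blades", {})
    sc = blades.get("securitycenter", {})
    if "resources" in sc:
        problems += check_resources("securitycenter", sc["resources"])
    for svc, cfg in blades.get("container-security", {}).items():
        if isinstance(cfg, dict) and "resources" in cfg:
            problems += check_resources(svc, cfg["resources"])
    service = sc.get("service", {})
    problems += check_source_ranges(service.get("annotations", {}))
    # A non-LoadBalancer service type needs an explicit URL for the scanners.
    if service.get("type", "LoadBalancer") != "LoadBalancer" and not blades.get("global", {}).get("url"):
        problems.append("service.type is not LoadBalancer but tes.blades.global.url is unset")
    ext = service.get("extDnsAnnotation", {})
    hostname = expected_ext_dns_hostname(namespace, ext["subdomain"]) if ext.get("enabled") else None
    return problems, hostname


if __name__ == "__main__":
    found, host = validate_values(SAMPLE_VALUES)
    print("problems:", found or "none")
    print("external-dns hostname:", host)
```

Run it against the values file you are about to apply (replace SAMPLE_VALUES with the parsed file) and fix every reported problem before `helm upgrade`; the hostname it prints should match the external-dns annotation you expect on the rendered Service.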