Prepare a Kubernetes Cluster

To determine whether your existing Kubernetes cluster meets the requirements for use with Tenable Enclave Security, see Tenable Enclave Security System Requirements.

Before you begin

  • Configure a routable URL or external gateway.

  • Determine whether to create a new Kubernetes cluster or use an existing cluster.

Configure a Kubernetes cluster

  1. Create a new Kubernetes cluster. For instructions on how to create a new cluster, see the Kubernetes documentation.

    -or-

    Use an existing cluster. To determine whether your existing cluster meets the requirements for your Tenable Enclave Security deployment, see Tenable Enclave Security System Requirements.

  2. Define a default storage class on the cluster. For instructions on how to change the default storage class, see the Kubernetes documentation.

  3. Install cert-manager in your Kubernetes cluster. For instructions on how to install cert-manager, see the cert-manager documentation.

    Note: If you want to use your own certificates, contact your Tenable Support representative.

  4. Install cert-manager-csi-installer in your Kubernetes cluster.

    Note: Tenable Enclave Security recommends using the cert-manager CSI driver for provisioning certificates used by its services for mTLS. However, if the CSI driver cannot be installed on your cluster, you can disable the cert-manager CSI driver.

  5. Configure the Container Security database. This database contains the data visible in the Container Security UI, including vulnerabilities, images, packages, and layers.

    Tenable recommends you use a managed PostgreSQL database service (for example, RDS, AWS, or GCP). If you want to host the database yourself, see the Kubegres documentation.

  6. Create a Kubernetes secret named tes-pg-secrets to identify characteristics about the database.

    kubectl apply --namespace tenable-enclave-security -f tes-pg-secrets.yaml

    Note: Supported SSL modes include prefer, require, and verify-ca. The default SSL mode for Tenable Enclave Security services is prefer.

    The following is an example tes-pg-secrets.yaml:

    apiVersion: v1
    kind: Secret
    type: Opaque
    metadata:
      name: tes-pg-secrets
    data:
      # All values below must be base64 encoded strings
      pg_host: # Hostname and optional port (e.g., db.example.com or db.example.com:5432)
      pg_user: # Admin username (must have CREATEDB and CREATEROLE permissions)
      pg_pass: # Password for the pg_user
      pg_ro_host: # Hostname for read-only replica (defaults to pg_host if not applicable)
      pg_ssl_mode: # Optional: SSL level. Use 'prefer' (default), 'require', or 'verify-ca'
      pg_ca_cert: # Required if pg_ssl_mode=verify-ca. The CA certificate content.

    Note: To encode pg_ssl_mode correctly on Linux or macOS, use echo -n "verify-ca" | base64 (with the -n flag). If you omit the -n flag, the encoded string includes a hidden newline character, which causes the database driver to reject the SSL mode.
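    The following script is an added example, not Tenable's own tooling: it renders a tes-pg-secrets.yaml with every value base64-encoded without the trailing newline described in the note, accepts only the SSL modes listed above, and refuses verify-ca without a CA certificate. It assumes a POSIX shell with base64(1), od(1) and tail(1); the host, user and password values are constructed samples.

```shell
# Added example, not Tenable's own tooling: render a tes-pg-secrets.yaml whose
# values are base64-encoded without the trailing newline that `echo` would add,
# and refuse SSL modes the page does not list as supported.
# Assumes POSIX sh with base64(1), od(1) and tail(1). All inputs are constructed.

# printf '%s' (not echo) so no newline is encoded; tr removes the line wrapping
# some base64 implementations add, keeping the value on one line.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}
# Only the modes the documentation lists: prefer (default), require, verify-ca.
validate_ssl_mode() {
  case "$1" in
    prefer|require|verify-ca) return 0 ;;
    *) return 1 ;;
  esac
}
# Audit helper: true when a base64 value decodes to something ending in "\n",
# the hidden newline the note warns about.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}
# Print the Secret manifest. Arguments: host user pass ro_host ssl_mode ca_pem
render_secret() {
  host=$1; user=$2; pass=$3; ro_host=$4; ssl_mode=${5:-prefer}; ca_pem=$6
  validate_ssl_mode "$ssl_mode" || { echo "unsupported pg_ssl_mode: $ssl_mode" >&2; return 1; }
  if [ "$ssl_mode" = "verify-ca" ] && [ -z "$ca_pem" ]; then
    echo "pg_ssl_mode=verify-ca requires the CA certificate (pg_ca_cert)" >&2; return 1
  fi
  [ -n "$ro_host" ] || ro_host=$host   # read-only host falls back to pg_host
  ca_line=""; [ -n "$ca_pem" ] && ca_line="  pg_ca_cert: $(b64 "$ca_pem")"
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: tes-pg-secrets
data:
  pg_host: $(b64 "$host")
  pg_user: $(b64 "$user")
  pg_pass: $(b64 "$pass")
  pg_ro_host: $(b64 "$ro_host")
  pg_ssl_mode: $(b64 "$ssl_mode")
$ca_line
EOF
}
# Usage: render_secret db.example.com tesadmin 'S3cret!' '' require '' > tes-pg-secrets.yaml
```

    Redirect the output to tes-pg-secrets.yaml and apply it with the kubectl command in step 6; has_trailing_newline can be run against any hand-encoded value to catch the echo-without--n mistake before applying.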