Install Tenable Enclave Security
This topic describes how to install Tenable Enclave Security in a Kubernetes cluster. To update an existing Tenable Enclave Security deployment, see Update Tenable Enclave Security.
Before You Begin
- You must have a Kubernetes cluster in a supported Kubernetes environment. For more information, see Supported Kubernetes Environments and Prepare a Kubernetes Cluster.
- Download the kubectl binaries. For more information, see the Kubernetes documentation.
- Update your kubeconfig file to allow kubectl to communicate with the Kubernetes cluster.
- Download the Helm binaries. For more information, see the Helm documentation.
Install Tenable Enclave Security
- Create a Kubernetes cluster or configure an existing Kubernetes cluster that meets the system requirements for Tenable Enclave Security.
- In the Kubernetes cluster where you want to install Tenable Enclave Security, create a namespace using the following command:
    kubectl create namespace tenable-enclave-security
  In this example, the namespace is tenable-enclave-security. You can use a namespace of your choice, but use the same namespace every time you install or upgrade Tenable Enclave Security.
- Get the cluster ID using the following command:
    kubectl get namespace kube-system --output jsonpath={.metadata.uid}
- Obtain a Tenable Enclave Security license file and save it to your local environment.
- Add your license to the namespace that you created in step 2 using the following command:
    kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key
- Add the Tenable Helm Charts repository with the following command:
    helm repo add tenable https://charts.tenable.com
- Update the repository:
    helm repo update
- Install the Helm Chart or upgrade an existing Helm Chart.
Note: The values in these steps are based on a setup with 10,000 active IP addresses. For minimum requirements for your environment, see System Requirements.
- Create a values.yaml file with parameters sized to your deployment. The following is an example values.yaml:
    tes:
      blades:
        securitycenter:
          resources:
            limits:
              cpu: 32000m
              memory: 128Gi
            requests:
              cpu: 32000m
              memory: 128Gi
          persistentVolumeClaim:
            size: 5000Gi
  Note: If you create a custom values.yaml file, ensure you use the same file every time you upgrade. Otherwise, Tenable uses default values that may not match your configuration. For more information, see Values.yaml Configuration.
- To install the Helm Chart, run the following command:
    helm install tes-operator --namespace tenable-enclave-security -f values.yaml tenable/tes-operator
- Push the updated Tenable Enclave Security license file using the following commands:
- Access Tenable Enclave Security via the URL that you defined in Prepare a Kubernetes Cluster.
Install Tenable Enclave Security in an air-gapped environment
- Obtain the Helm Charts and publish them locally.
- Contact your Tenable support representative for a list of required container images and tags for your version of Tenable Enclave Security, and add the container images and tags to your internal image registry.
  (Optional) Use the following script to download tes-operator and all required container images.
    #!/usr/bin/env bash
    # Stop on the first failed command so that a partial bundle is never archived.
    set -eo pipefail

    TEMP_DIR=$(mktemp -d)
    ARCHIVE="tes-offline.tar.gz"

    # Remove the working directory when the script exits.
    cleanup() {
      rm -rf "$TEMP_DIR"
    }
    trap cleanup EXIT

    # Fetch the tes-operator and cert-manager charts into the working directory.
    helm repo add tenable https://charts.tenable.com
    helm repo add jetstack https://charts.jetstack.io
    helm pull tenable/tes-operator --untar --untardir "$TEMP_DIR"
    helm pull jetstack/cert-manager --untar --untardir "$TEMP_DIR"

    # Read the image list from the chart, skipping blank lines and comments.
    manifest_images=()
    while IFS= read -r line || [[ -n "$line" ]]; do
      if [[ -n "$line" && ! "$line" =~ ^# ]]; then
        manifest_images+=("$line")
      fi
    done < "$TEMP_DIR/tes-operator/image-manifest.txt"

    # Pull each image and save it as a tar file named after the image reference.
    for IMAGE in "${manifest_images[@]}"; do
      IMAGE_ARCHIVE="$TEMP_DIR/$(echo "$IMAGE" | sed 's/[/:]/_/g').tar"
      echo "Downloading Docker image: $IMAGE"
      (export DOCKER_CLI_HINTS=false; docker pull "$IMAGE")
      echo "Saving Image $IMAGE to $IMAGE_ARCHIVE"
      docker save -o "$IMAGE_ARCHIVE" "$IMAGE"
      printf "\n"
    done

    # Pack the charts and the saved images into a single archive.
    tar -czf "$ARCHIVE" -C "$TEMP_DIR" .
    echo "TES offline bundle created successfully. Output archive: $ARCHIVE"
- Obtain a new license if needed. For more information, see License Tenable Enclave Security Offline.
- Install the Helm Chart or upgrade an existing Helm Chart.
Note: The values in these steps are based on a setup with 10,000 active IP addresses. For minimum requirements for your environment, see System Requirements.
- Create a values.yaml file with your private registry information. The following is an example values.yaml for an air-gapped deployment:
    operator:
      image:
        registry: some-private-registry.example.com # private image registry hostname
        imagePullSecret: registrypullsecret # private image registry access secret, if needed
    tes:
      blades:
        securitycenter:
          resources:
            limits:
              cpu: 32000m
              memory: 128Gi
            requests:
              cpu: 32000m
              memory: 128Gi
          persistentVolumeClaim:
            size: 5000Gi
  Note: If you create a custom values.yaml file, ensure you use the same file every time you upgrade. Otherwise, Tenable uses default values that may not match your configuration. For more information, see Values.yaml Configuration.
- To install the Helm Chart, run the following command:
    helm install tes-operator --create-namespace --namespace tenable-enclave-security -f values.yaml tenable/tes-operator
- Update the repository:
    helm repo update
- Upgrade the Tenable Enclave Security operator using the following command:
    helm upgrade tes-operator --create-namespace --namespace tenable-enclave-security -f values.yaml tenable/tes-operator
- Add your license to the namespace using the following command:
    kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key
- Access Tenable Enclave Security via the URL that you defined in Prepare a Kubernetes Cluster.
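The air-gapped procedure above says to add the required container images to your internal image registry; the following added example (not Tenable's code) shows one way to load, retag and push the images from an extracted tes-offline.tar.gz bundle. The function names are hypothetical, and keeping each image's repository path under the private registry hostname is an assumption; confirm the expected layout against Values.yaml Configuration.

```shell
#!/bin/sh
# Added example: push the images from an extracted tes-offline.tar.gz to a
# private registry. Function names are hypothetical; keeping the repository
# path under the new registry host is an assumption.
set -eu

# Rewrite an image reference to point at the private registry. The first path
# component is a registry host only if it contains "." or ":" or is
# "localhost"; otherwise the reference is a Docker Hub short name.
target_ref() { # usage: target_ref IMAGE REGISTRY
  first=${1%%/*}
  case "$1" in
    */*)
      case "$first" in
        *.* | *:* | localhost)
          printf '%s/%s\n' "$2" "${1#*/}"
          return 0
          ;;
      esac
      ;;
  esac
  printf '%s/%s\n' "$2" "$1"
}

# File name the download script gives an image: "/" and ":" become "_".
archive_name() { # usage: archive_name IMAGE
  printf '%s.tar\n' "$(printf '%s' "$1" | sed 's|[/:]|_|g')"
}

# Load, retag and push every image listed in the bundle's manifest.
publish_bundle() { # usage: publish_bundle BUNDLE_DIR REGISTRY
  while IFS= read -r image <&3 || [ -n "$image" ]; do
    case "$image" in '' | '#'*) continue ;; esac
    new=$(target_ref "$image" "$2")
    docker load -i "$1/$(archive_name "$image")"
    docker tag "$image" "$new"
    docker push "$new"
  done 3< "$1/tes-operator/image-manifest.txt"
}

# Runs only when called as: script BUNDLE_DIR REGISTRY
if [ "$#" -eq 2 ]; then
  publish_bundle "$1" "$2"
fi
```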
Install Tenable Enclave Security using OpenShift
- Create an OpenShift cluster that meets the system requirements for Tenable Enclave Security.
- In the OpenShift cluster where you want to install Tenable Enclave Security, create a namespace using the following command:
    kubectl create namespace tenable-enclave-security
  In this example, the namespace is tenable-enclave-security. You can use a namespace of your choice, but use the same namespace every time you install or upgrade Tenable Enclave Security.
- Label the namespace, cert manager, Container Storage Interface (CSI) driver, and persistent CSI driver with a pod security standard of baseline or higher using the following commands:
    kubectl label csidriver csi.cert-manager.io security.openshift.io/csi-ephemeral-volume-profile=baseline
    kubectl label ns tenable-enclave-security pod-security.kubernetes.io/enforce=baseline
  If you do not want to label the CSI driver, use the privileged namespace pod security standard:
    kubectl label ns tenable-enclave-security pod-security.kubernetes.io/enforce=privileged
- Get the cluster ID using the following command:
    kubectl get namespace kube-system --output jsonpath={.metadata.uid}
- Obtain a Tenable Enclave Security license file and save it to your local environment.
- Add your license to the namespace that you created in step 2 using the following command:
    kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key
- Add the Tenable Helm Charts repository with the following command:
    helm repo add tenable-ea https://github.com/tenable/helm-charts/raw/refs/heads/vc/release-tes-operator-1.3
- Update the repository:
    helm repo update
- Install the Helm Chart or upgrade an existing Helm Chart.
Note: The values in these steps are based on a setup with 10,000 active IP addresses. For minimum requirements for your environment, see System Requirements.
- Create a values.yaml file with parameters sized to your deployment. The following is an example values.yaml:
    tes:
      blades:
        securitycenter:
          resources:
            limits:
              cpu: 32000m
              memory: 128Gi
            requests:
              cpu: 32000m
              memory: 128Gi
          persistentVolumeClaim:
            size: 5000Gi
  Note: If you create a custom values.yaml file, ensure you use the same file every time you upgrade. Otherwise, Tenable uses default values that may not match your configuration. For more information, see Values.yaml Configuration.
- To install the Helm Chart, run the following command:
    helm upgrade --install tes-operator --namespace tenable-enclave-security -f values.yaml tenable-ea/tes-operator
- Push the updated Tenable Enclave Security license file using the following commands:
What to do next
- Configure Tenable Enclave Security using the setup steps in the UI. For more information, see Configure Tenable Enclave Security.