Install Tenable Enclave Security

This topic describes how to install Tenable Enclave Security in a Kubernetes cluster. To update an existing Tenable Enclave Security deployment, see Update Tenable Enclave Security.

Before You Begin

Install Tenable Enclave Security

  1. Create a Kubernetes cluster or configure an existing Kubernetes cluster that meets the system requirements for Tenable Enclave Security.

  2. In the Kubernetes cluster where you want to install Tenable Enclave Security, create a namespace using the following command:

    Copy 
    kubectl create namespace tenable-enclave-security

    In this example, the namespace is tenable-enclave-security. You can use a namespace of your choice, just make sure you use the same namespace every time you install or upgrade Tenable Enclave Security.

  3. Get the cluster ID using the following command:

    Copy 
    kubectl get namespace kube-system --output jsonpath={.metadata.uid}

  4. Obtain a Tenable Enclave Security license file and save it to your local environment.

  5. Add your license to the namespace that you created in step 2 using the following command:

    Copy 
    kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key

  6. Add the Tenable Helm Charts repository with the following command:

    Copy 
    helm repo add tenable https://charts.tenable.com

  7. Update the repository:

    Copy 
    helm repo update

  8. Install the Helm Chart or upgrade an existing Helm Chart.

    Note: The values in these steps are based on a setup with 10,000 active IP addresses. For minimum requirements for your environment, see System Requirements.

    1. Create a values.yaml file with parameters sized to your deployment. The following is an example values.yaml:

      Copy 
      tes:
        blades:
          securitycenter:
            resources:
              limits:
                cpu: 32000m
                memory: 128Gi
              requests:
                cpu: 32000m
                memory: 128Gi
            persistentVolumeClaim:
              size: 5000Gi

      Note: If you create a custom values.yaml file, ensure you use the same file every time you upgrade. Otherwise, Tenable uses default values that may not match your configuration. For more information, see Values.yaml Configuration.

    2. To install the Helm Chart, run the following command:

      Copy 
      helm install tes-operator --namespace tenable-enclave-security -f values.yaml tenable/tes-operator

  9. Push the updated Tenable Enclave Security license file using the following commands:

    1. Copy 
      kubectl --namespace tenable-enclave-security delete secret tes-license
    2. Copy 
      kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key

  10. Access Tenable Enclave Security via the URL that you defined in Prepare a Kubernetes Cluster.

Install Tenable Enclave Security in an air-gapped environment

  1. Obtain the Helm Charts and publish them locally.

    1. Add the Tenable Helm Charts repository with the following command:

      Copy 
      helm repo add tenable https://charts.tenable.com

    2. Update the repository:

      Copy 
      helm repo update

  2. Contact your Tenable support representative for a list of required container images and tags for your version of Tenable Enclave Security, and add the container images and tags to your internal image registry.

    Copy 
    #!/usr/bin/env bash

    TEMP_DIR=$(mktemp -d)
    ARCHIVE="tes-offline.tar.gz"

    cleanup() {
        rm -rf "$TEMP_DIR"
    }
    trap cleanup EXIT

    helm repo add tenable https://charts.tenable.com
    helm repo add jetstack https://charts.jetstack.io

    helm pull tenable/tes-operator --untar --untardir "$TEMP_DIR"
    helm pull jetstack/cert-manager --untar --untardir "$TEMP_DIR"

    manifest_images=()

    while IFS= read -r line || [[ -n "$line" ]]; do
        if [[ -n "$line" && ! "$line" =~ ^# ]]; then
            manifest_images+=("$line")
        fi
    done < "$TEMP_DIR/tes-operator/image-manifest.txt"

    for IMAGE in "${manifest_images[@]}"; do
      IMAGE_ARCHIVE="$TEMP_DIR/$(echo "$IMAGE" | sed 's/[/:]/_/g').tar"

      echo "Downloading Docker image: $IMAGE"
      (export DOCKER_CLI_HINTS=false; docker pull "$IMAGE")
      echo "Saving Image $IMAGE to $IMAGE_ARCHIVE"
      docker save -o "$IMAGE_ARCHIVE" "$IMAGE"
      printf "\n"
    done

    tar -czf "$ARCHIVE" -C "$TEMP_DIR" .

    echo "TES offline bundle created successfully. Output archive: $ARCHIVE"

  3. Obtain a new license if needed. For more information, see License Tenable Enclave Security Offline.

  4. Install the Helm Chart or upgrade an existing Helm Chart.

    Note: The values in these steps are based on a setup with 10,000 active IP addresses. For minimum requirements for your environment, see System Requirements.

    1. Create a values.yaml file with your private registry information. The following is an example values.yaml for an air-gapped deployment:

      Copy 
      operator:
        image:
          registry: some-private-registry.example.com # private image registry hostname
          imagePullSecret: registrypullsecret # private image registry access secret, if needed

      tes:
        blades:
          securitycenter:
            resources:
              limits:
                cpu: 32000m
                memory: 128Gi
              requests:
                cpu: 32000m
                memory: 128Gi
            persistentVolumeClaim:
              size: 5000Gi

      Note: If you create a custom values.yaml file, ensure you use the same file every time you upgrade. Otherwise, Tenable uses default values that may not match your configuration. For more information, see Values.yaml Configuration.

    2. To install the Helm Chart, run the following command:

      Copy 
      helm install tes-operator --create-namespace --namespace tenable-enclave-security -f values.yaml tenable/tes-operator

  5. Update the repository:

    Copy 
    helm repo update

  6. Upgrade the Tenable Enclave Security operator using the following command:

    Copy 
    helm upgrade tes-operator --create-namespace --namespace tenable-enclave-security -f values.yaml tenable/tes-operator

  7. Add your license to the namespace using the following command:

    Copy 
    kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key

  8. Access Tenable Enclave Security via the URL that you defined in Prepare a Kubernetes Cluster.

Install Tenable Enclave Security using OpenShift

  1. Create an OpenShift cluster that meets the system requirements for Tenable Enclave Security.

  2. In the OpenShift cluster where you want to install Tenable Enclave Security, create a namespace using the following command:

    Copy 
    kubectl create namespace tenable-enclave-security

    In this example, the namespace is tenable-enclave-security. You can use a namespace of your choice, just make sure you use the same namespace every time you install or upgrade Tenable Enclave Security.

  3. Label the namespace, cert manager, Container Storage Interface (CSI) driver, and persistent CSI driver with a pod security standard of baseline or higher using the following commands:

    Copy 
    kubectl label csidriver csi.cert-manager.io  security.openshift.io/csi-ephemeral-volume-profile=baseline

    kubectl label ns tenable-enclave-security pod-security.kubernetes.io/enforce=baseline

    If you do not want to label the CSI driver, use the privileged namespace pod security standard:

    Copy 
    kubectl label ns tenable-enclave-security pod-security.kubernetes.io/enforce=privileged

  4. Get the cluster ID using the following command:

    Copy 
    kubectl get namespace kube-system --output jsonpath={.metadata.uid}

  5. Obtain a Tenable Enclave Security license file and save it to your local environment.

  6. Add your license to the namespace that you created in step 2 using the following command:

    Copy 
    kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key

  7. Add the Tenable Helm Charts repository with the following command:

    Copy 
    helm repo add tenable-ea https://github.com/tenable/helm-charts/raw/refs/heads/vc/release-tes-operator-1.3

  8. Update the repository:

    Copy 
    helm repo update

  9. Install the Helm Chart or upgrade an existing Helm Chart.

    Note: The values in these steps are based on a setup with 10,000 active IP addresses. For minimum requirements for your environment, see System Requirements.

    1. Create a values.yaml file with parameters sized to your deployment. The following is an example values.yaml:

      Copy 
      tes:
        blades:
          securitycenter:
            resources:
              limits:
                cpu: 32000m
                memory: 128Gi
              requests:
                cpu: 32000m
                memory: 128Gi
            persistentVolumeClaim:
              size: 5000Gi

      Note: If you create a custom values.yaml file, ensure you use the same file every time you upgrade. Otherwise, Tenable uses default values that may not match your configuration. For more information, see Values.yaml Configuration.

    2. To install the Helm Chart, run the following command:

      Copy 
      helm upgrade --install tes-operator --namespace tenable-enclave-security -f values.yaml tenable-ea/tes-operator

  10. Push the updated Tenable Enclave Security license file using the following commands:

    1. Copy 
      kubectl --namespace tenable-enclave-security delete secret tes-license
    2. Copy 
      kubectl --namespace tenable-enclave-security create secret generic tes-license --from-file=license=directory/license.key

What to do next