Prepare a Kubernetes Cluster

To determine whether your existing Kubernetes cluster meets the requirements for use with Tenable Enclave Security, see System Requirements.

Before you begin

  • Configure a routable URL or external gateway.

  • Determine whether to create a new Kubernetes cluster or use an existing cluster.

Configure a Kubernetes cluster

  1. Create a new Kubernetes cluster. For instructions on how to create a new cluster, see the Kubernetes documentation.

    -or-

    Use an existing cluster. To determine whether your existing cluster meets the requirements for your Tenable Enclave Security deployment, see System Requirements.

  2. Define a default storage class on the cluster. For instructions on how to change the default storage class, see the Kubernetes documentation.

  3. Install cert-manager in your Kubernetes cluster. For instructions on how to install cert-manager, see the cert-manager documentation.

    Note: If you want to use your own certificates, contact your Tenable Support representative.

  4. Install cert-manager-csi-installer in your Kubernetes cluster.

  5. Configure the Container Security database. This database contains the data visible in the Container Security UI, including vulnerabilities, images, packages, and layers.

    Tenable recommends you use a managed PostgreSQL database service (for example, RDS, AWS, or GCP). If you want to host the database yourself, see the Kubegres documentation.

  6. Create a Kubernetes secret named tes-pg-secrets that holds the connection details for the database.

    kubectl apply --namespace tenable-enclave-security -f tes-pg-secrets.yaml

    The following is an example tes-pg-secrets.yaml:

    apiVersion: v1
    data:
      pg_host: # base64 encoded hostname and port connection string
      pg_user: # base64 encoded username to use (must have privileges to create databases and users)
      pg_pass: # base64 encoded password for the above username
      pg_ro_host: # base64 encoded read-only host string (can be same as pg_host)
    kind: Secret
    metadata:
      name: tes-pg-secrets
      namespace: tenable-enclave-security
    type: Opaque
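
Kubernetes decodes each data value from base64, so a trailing newline picked up during encoding (for example from echo) becomes part of the decoded hostname or password. The following shell functions are an added example, not Tenable's own tooling, that render tes-pg-secrets.yaml from plain-text values; the function names, the hostname:port form of the host strings, and the sample values in the comments are assumptions.

```shell
#!/bin/sh
# Added example: render tes-pg-secrets.yaml from plain-text values.
# Function names and sample values are assumptions, not Tenable tooling.

# Base64-encode one argument. printf '%s' emits no trailing newline
# (echo would add one, and it would end up inside the decoded secret);
# tr strips the line wrapping that base64 applies to long input.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Usage: render_tes_pg_secret HOST USER PASS RO_HOST OUTFILE
# HOST and RO_HOST are assumed to be "hostname:port" strings.
render_tes_pg_secret() {
    [ "$#" -eq 5 ] || { echo "usage: render_tes_pg_secret HOST USER PASS RO_HOST OUTFILE" >&2; return 2; }
    for v in "$1" "$2" "$3" "$4"; do
        # An empty value would produce a key with no data; refuse it.
        [ -n "$v" ] || { echo "error: empty value" >&2; return 1; }
    done
    (
        umask 077   # the manifest holds credentials: create it owner-only
        cat > "$5" <<EOF
apiVersion: v1
data:
  pg_host: $(b64 "$1")
  pg_user: $(b64 "$2")
  pg_pass: $(b64 "$3")
  pg_ro_host: $(b64 "$4")
kind: Secret
metadata:
  name: tes-pg-secrets
  namespace: tenable-enclave-security
type: Opaque
EOF
    ) || return 1
    chmod 600 "$5"   # also tighten a file that already existed
}

# Example call with constructed values, followed by the apply step from the page:
#   render_tes_pg_secret 'db.example.internal:5432' 'tes_admin' \
#       'constructed-password' 'db-ro.example.internal:5432' tes-pg-secrets.yaml
#   kubectl apply --namespace tenable-enclave-security -f tes-pg-secrets.yaml
```

Base64 is an encoding, not encryption, so delete the rendered file after applying it and keep it out of version control.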