Prepare Kubernetes Objects to Configure and Run the CS Scanner

Required User Role: Scan Operator, Standard, Scan Manager, or Administrator

You must prepare your Kubernetes namespace and secret objects before you can configure and run the CS Scanner in Kubernetes. The CS Scanner refers to these objects when it scans an image in Kubernetes.

Secrets contain sensitive information associated with the TENABLE_ACCESS_KEY, TENABLE_SECRET_KEY, REGISTRY_USERNAME, and REGISTRY_PASSWORD environment variables described in Environment Variables. To run the CS Scanner in Kubernetes, you must configure these secrets and deploy them to the registry where the image you want to scan is stored.

For more information about how to create objects in Kubernetes, see the Kubernetes documentation at

Before you begin:

To prepare Kubernetes to configure and run the CS Scanner:

  1. Log in to the CLI on the machine where you want to configure and run the CS Scanner.
  2. In a text editor, create a namespace file (tiocsscanner-namespace.yaml) for your CS Scanner. For example:

    apiVersion: v1
    kind: Namespace
    metadata:
      name: tiocsscanner
      labels:
        name: tiocsscanner

  3. Save and close the file.
  4. Deploy the tiocsscanner-namespace.yaml file to Kubernetes. For example:

    kubectl apply -f tiocsscanner-namespace.yaml

    Your namespace is configured and deployed.

    Note: The above command works only if the file is saved to the current working directory. If the file is saved somewhere else, include the full path to the file in the command. For example:

    kubectl apply -f /home/jsmith/images/tiocsscanner-namespace.yaml

  5. Configure secrets for your access and secret keys. For example:

    kubectl create secret generic tio \
      --from-literal=username=<Your access key> \
      --from-literal=password=<Your secret key>


    Your access key and secret key secrets are configured.

  6. Configure secrets for your private registry username and password. For example:

    kubectl create secret generic private-registry \
      --from-literal=username=<Your private registry username> \
      --from-literal=password=<Your private registry password>


    Your private registry username and password secrets are configured.

  7. Deploy your secrets to the registry where the image you want to scan is stored. For example:

    kubectl create secret docker-registry jfrog-tio \
      --docker-username=<Your username from the Container Security console> \
      --docker-password=<Your password from the Container Security console> \
      --docker-email=<Your email address>


    Your secrets are deployed to the registry.
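
Steps 5 and 6 pass the keys with --from-literal, which leaves them in shell history and in the kubectl process arguments. The following added example (not part of the Tenable documentation) renders the same username/password secrets as manifests from values already held in shell variables and pipes them to kubectl; the function names and the choice to place the secrets in the tiocsscanner namespace are assumptions.

```shell
#!/bin/sh
# Added example: render Secret manifests without putting credentials on a
# kubectl command line. Function names and the namespace are assumptions.

# Secret names must be RFC 1123 DNS subdomains (lowercase, digits, '-', '.');
# the API server rejects anything else, including underscores.
valid_secret_name() {
  [ "${#1}" -le 253 ] && printf '%s' "$1" | grep -Eq \
    '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Namespace names are stricter: a single RFC 1123 label of at most 63 characters.
valid_namespace() {
  [ "${#1}" -le 63 ] && printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# base64 on one line; the value travels over a pipe, not as a process argument.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_secret NAME NAMESPACE USERNAME PASSWORD -> Secret manifest on stdout
render_secret() {
  valid_secret_name "$1" || { echo "invalid secret name: $1" >&2; return 1; }
  valid_namespace "$2" || { echo "invalid namespace: $2" >&2; return 1; }
  [ -n "$3" ] && [ -n "$4" ] || { echo "username and password required" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  username: $(b64 "$3")
  password: $(b64 "$4")
EOF
}

# Usage, with the keys already held in shell variables (for example read from
# a prompt with echo disabled, or injected by a secrets manager):
#   render_secret tio tiocsscanner "$TENABLE_ACCESS_KEY" "$TENABLE_SECRET_KEY" \
#     | kubectl apply -f -
```

A pod can only reference secrets in its own namespace, so render each secret for the namespace the scanner will run in.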

What to do next:

Copyright © 2020 Tenable, Inc. All rights reserved.