Skip to content
/ TenableAgent-Daemonset Public

This repository contains Kubernetes resource files for deploying the Tenable agent as a DaemonSet in a Kubernetes cluster. The Tenable agent runs on all nodes in the cluster and provides visibility into the security posture of your cluster.

License

MIT license
11 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

RocketChat/TenableAgent-Daemonset

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
.github/workflows
.github/workflows
 
 
Manifest
Manifest
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
secrets.yaml
secrets.yaml
 
 

Repository files navigation

Tenable.io Agent DaemonSet

First Problem: "I need to start a manual process of installing the tenable.io agent everytime that a node joins my cluster"

Second Problem: "I need to implement tenable.io agent in a pod and use this pod to scan the node filesystem"

Third Problem: "I need to avoid agents permanently writing files in my kubernetes nodes"

Solution: Create an unprivilleged DaemonSet POD with tenable.io agent and change the filesystem root of the process to the node filesystem

Description

This repository contains Kubernetes resource files for deploying the Tenable agent as a DaemonSet in a Kubernetes cluster. The Tenable agent runs on all nodes in the cluster and provides visibility into the security posture of your cluster.

Prerequisites

Deployment

  1. Create a Sealed Secrets key inside your cluster. Replace YOUR TENABLE KEY GOES HERE with your tenable.io sync token and convert it to a base64 format:
echo -n '{"link":{"host": "cloud.tenable.com","port": 443,"key": "YOUR TENABLE KEY GOES HERE","name": "$NODE_NAME", "groups": ["agent-group"]}}' | base64
  1. Insert the base64 encoded string in the secrets.yaml file and use kubeseal to encrypt it:
cat secret.yaml | kubeseal \
    --controller-namespace kube-system \
    --controller-name sealed-secrets \
    --format yaml \
    > sealed-secret.yaml
  1. Apply the sealed secrets to your cluster:
kubectl apply -f sealed-secret.yaml
  1. Deploy the DaemonSet with the following command:
kubectl apply -f manifest/tenable-pod.yaml

After a few minutes, you should see your node information in your tenable.io sensors list

If you want to build the image in another registry, you can use the following command:

cd Dockerfile
docker build -t tenable-agent-image .

Important: Remember to change the reference of the image in tenable-pod.yaml if you build the dockerfile locally

Testing

To verify that the Tenable agent is running on all nodes in the cluster, run:

kubectl get pods -n tenable

You should see one pod for each node in the cluster, with a status of Running.

If you encounter any issues, you can check the logs for the Tenable agent pods using:

kubectl logs -n tenable <pod-name>

Maintenance

To update the Tenable agent image, modify the image field in the tenable-pod.yaml file and apply the changes using kubectl apply -f tenable-pod.yaml.

About

This repository contains Kubernetes resource files for deploying the Tenable agent as a DaemonSet in a Kubernetes cluster. The Tenable agent runs on all nodes in the cluster and provides visibility into the security posture of your cluster.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

11 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages