DEV Community

Igor Rincon for Rocket.Chat

Simplifying Tenable.io Agent Deployment in Kubernetes Clusters

Deploying and managing the Tenable.io agent on Kubernetes cluster nodes can be a manual and time-consuming process when you want to guarantee that agents are automatically installed on new nodes while avoiding permanently written files in the node's storage. In this article, we introduce a solution that automates the deployment and management of the Tenable.io agent as a DaemonSet in a Kubernetes cluster. This simplifies the installation process and provides visibility into the security posture of your cluster.

The Problems

Before we dive into the solution, let's understand the problems we are trying to solve with it:

1. First problem:

"I need to start a manual process of installing the tenable.io agent every time that a node joins my cluster"

2. Second problem:

"I need to implement tenable.io agent in a pod and use this pod to scan the node filesystem"

3. Third problem:

"I don't want to have a process writing permanent files in my node's storage"

Our way to solve it:

GitHub repository: https://github.com/RocketChat/TenableAgent-Daemonset

Running the Tenable.io agent as a Kubernetes DaemonSet solves the problems mentioned above. The DaemonSet automates the deployment of the agent to every node in the cluster and streamlines scanning of the node's filesystem without writing permanent files to the node's storage: if the DaemonSet is removed, the files go with it. To achieve this, we create a Kubernetes manifest with the following specifications:

  1. Unprivileged DaemonSet pod: The Kubernetes manifest creates an unprivileged DaemonSet pod that runs the Tenable.io agent. This pod is deployed on every node in the cluster.

  2. Filesystem access: To let the Tenable.io agent scan the node's filesystem, the manifest changes the root directory of the agent process to the node's filesystem. This gives the agent the access it needs to perform security scans effectively.

  3. Ephemeral filesystem writes: It's simple: if the DaemonSet is removed, the files it wrote are removed from the node's filesystem with it.

Deployment Steps

To deploy this manifest and start using the Tenable.io agent in your Kubernetes cluster, follow these steps:

Prerequisites

Before getting started, make sure you have the following prerequisites:

  • Sealed Secrets implemented in your cluster.
  • kubectl installed and configured to access your cluster.
  • A Tenable.io link key to link the agent with your Tenable.io Manager.

Preparing files and applying it

  • Prepare the secret value for Sealed Secrets. Replace 'YOUR TENABLE KEY GOES HERE' with your Tenable.io link key (sync token) and convert it to base64. The output is piped through tr -d '\n' because base64 wraps long output at 76 columns, and a wrapped value would break the data field of the Secret:

    echo -n '{"link":{"host": "cloud.tenable.com","port": 443,"key": "YOUR TENABLE KEY GOES HERE","name": "$NODE_NAME", "groups": ["agent-group"]}}' | base64 | tr -d '\n'

  • Insert the base64-encoded string into the secret.yaml file, then use kubeseal to encrypt it:

    kubeseal \
        --controller-namespace kube-system \
        --controller-name sealed-secrets \
        --format yaml \
        < secret.yaml \
        > sealed-secret.yaml

  • Apply the sealed secret to your cluster:

    kubectl apply -f sealed-secret.yaml

  • Deploy the DaemonSet:

    kubectl apply -f manifest/tenable-pod.yaml

After a few minutes, you should see your node information in the Tenable.io sensors list.

If you think you have something to improve in this solution, feel free to open a PR. We will review it and approve it as soon as possible.
