Installing and Upgrading Qualys Cluster Sensor

After getting the Qualys Cluster Sensor Image, install it on your K8s cluster using the unified helm chart - 'qualys-tc' hosted on ArtifactHub - https://artifacthub.io/packages/helm/qualys-helm-chart/qualys-tc.

Before you install helm chart, you need to add and update it in your repository, by running below commands.

helm repo add qualys-helm-chart https://qualys.github.io/Qualys-Helm-Charts/ 
helm repo update


'qualys-tc' is an unified helm chart used to install: 

  • Qualys Cluster Sensor (cluster-sensor)
  • Qualys Container Security Sensor (qcs-sensor)
  • Qualys Admission Controller (admission-controller)

Qualys Cluster Sensor has a default configuration that caters to the most popular use cases. However, you can change this default configuration by modifying the unified Helm chart.

To install Qualys Cluster Sensor in your Cloud Provider,

  1. Identify the environment in which your K8s Cluster is present. Cluster Sensor currently supports Azure, AWS, GCP, Self-managed K8s, and Openshift environments.
  2. Get the respective resource id of your environment and run the installation commands.

Once a Cluster Sensor is installed and running, it gets displayed on Qualys Cloud Platform under Container Security > Configuration > Sensors > status: 'RUNNING'.

Installing Cluster Sensor in Azure

To install Cluster Sensor in Azure environment,

  1. Get the 'global.clusterInfoArgs.AZURE.id' (Azure Resource ID) value from your Azure environment by running this command - 
    az resource list --name '<Name of your cluster>'
     

    Sample O/P
    Search for the similar snippet shown below to get your Azure resource id ("id":xxxxxxxxxxxxxxxxxxxxxxxxxxxx).

    "id""/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1",

    "location""<location>",

    "name""<cluster name>"

    ...}

  2. Run the following CLI commands to install the Cluster Sensor.
    helm install qualys-tc qualys-helm-chart/qualys-tc \
    --set global.customerId=<customer id> \
    --set global.activationId=<activation id> \
    --set global.gatewayUrl=<gateway URL> \
    --set global.clusterInfoArgs.cloudProvider=AZURE \
    --set global.clusterInfoArgs.AZURE.id=<Azure Resource Id> \
    --set global.clusterInfoArgs.AZURE.region=<Region> \
    --create-namespace \
    -n qualys

Installing Cluster Sensor in AWS EKS

To install Cluster Sensor in AWS environment,

  1. Get the 'global.clusterInfoArgs.AWS.arn' (AWS Resource ID) value from your AWS environment by running this command - 
    aws eks describe-cluster --name <cluster-name>
     

    Sample O/P
    Search for the similar snippet shown below to get your AWS arn
    ("arn":"arn:aws:eks:us-west-2:123456789012:cluster/aws-cluster-1" ).

    cluster": {

           "name": "eks-cluster-1",

           "arn": "arn:aws:eks:us-west-2:123456789012:cluster/eks-cluster-1",

    ...}

  2. Run the following CLI commands to install the Cluster Sensor.
    helm install qualys-tc qualys-helm-chart/qualys-tc \
    --set global.customerId=<customer id> \
    --set global.activationId=<activation id> \
    --set global.gatewayUrl=<gateway URL> \ 
    --set global.clusterInfoArgs.cloudProvider=AWS \
    --set global.clusterInfoArgs.AWS.arn=<Cluster ARN> \
    --create-namespace \
    -n qualys

Installing Cluster Sensor in GCP

To install Cluster Sensor in GCP environment,

  1. Get the 'global.clusterInfoArgs.GCP.krn' value from your GCP environment by running this command - gcloud container clusters describe <cluster-name> --zone <zone/region>.

    Sample O/P
    Search for the 'selfLink' in the output (selfLink:<URL link><GCP Key Resource Name>)


    selfLink:     https://container.googleapis.com/v1/projects/<GCP Project ID>/zones/us-central1-c/clusters/cluster-zonal

    ...

    GCP Key Resource Name (KRN) in the above self link - /projects/<GCP Project ID>/zones/us-central1-c/clusters/cluster-zonal
    KRN is constructed based on your GCP project ID, GCP zone, and the cluster name.   

  2. Run the following CLI commands to install the Cluster Sensor.
    helm install qualys-tc qualys-helm-chart/qualys-tc \
    --set global.customerId=<customer id> \
    --set global.activationId=<activation id> \
    --set global.gatewayUrl=<gateway URL>     \ 
    --set global.clusterInfoArgs.cloudProvider=GCP     \
    --set global.clusterInfoArgs.GCP.krn=<GCP Key Resource Name>     \ 
    --create-namespace \
    -n qualys

Installing Cluster Sensor in OCI

To install Cluster Sensor in OCI environment,

  1. Get the 'global.clusterInfoArgs.OCI.ocid' value from your OCI environment using the OCI console (Cluster Details > Cluster ID).

    Sample O/P
    OCI.ocid=ocid1.cluster.oc1.phx.axxxaaaa7bpfuy3uxxx6ssvhfwpfcxxxxj233evxcn6xxxxcoayt6vcocq

  2. Run the following CLI commands to install the Cluster Sensor.
    helm install qualys-tc qualys-helm-chart/qualys-tc \
    --set global.customerId=<customer id>     \
    --set global.activationId=<activation id>     \
    --set global.gatewayUrl=<gateway URL>     \ 
    --set global.clusterInfoArgs.cloudProvider=OCI     \
    --set global.clusterInfoArgs.OCI.ocid=<Cluster OCID>     \
    --set global.clusterInfoArgs.OCI.clusterName=<Cluster Name>     \ 
    --create-namespace \
    -n qualys

Installing Cluster Sensor in Self-managed K8s

An environment is considered as 'Self-managed K8s' when the K8s cluster is not from cloud provider Azure, Aws, OCI, or GCP and it is created and managed by you. 

To install Cluster Sensor in a self-managed K8s environment, run the following CLI commands.

  1. Get the 'global.clusterInfoArgs.name=<cluster name>' value from your Self-managed k8s environment.
  2. Run the following CLI commands.
    helm install qualys-tc qualys-helm-chart/qualys-tc \
    --set global.customerId=<customer ID> \
    --set global.activationId=<activation ID> \
    --set global.gatewayUrl=<gateway URL> \
    --set global.clusterInfoArgs.SELF_MANAGED_K8S.clusterName=<cluster name> \
    --set global.clusterInfoArgs.cloudProvider=SELF_MANAGED_K8S \
    --create-namespace \
    -n qualys

Installing Cluster Sensor in Openshift

To install Cluster Sensor in a Openshift environment, run the following CLI commands.

  1. Get the 'global.clusterInfoArgs.name=<cluster name>' value from your Openshift environment.
  2. Run the following CLI commands.
    helm install qualys-tc qualys-helm-chart/qualys-tc \
    --set global.customerId=<customer ID> \
    --set global.activationId=<activation ID> \
    --set global.gatewayUrl=<gateway URL> \
    --set global.clusterInfoArgs.SELF_MANAGED_K8S.clusterName=<cluster name> \
    --set global.clusterInfoArgs.cloudProvider=SELF_MANAGED_K8S \ 
    --set global.openshift=true \
    --create-namespace \
    -n qualys

 

To know about Cluster Sensor parameters, refer to Command and Options.