Cluster Sensor 1.2.0

May 15, 2025 (Updated on 6th June 2025)

Cluster Sensor 1.2.0 has a hard dependency on Unified Helm Chart 2.4.0, and vice versa. You must therefore use Helm Chart 2.4.0 and Cluster Sensor 1.2.0 together for them to work properly.

To know more about Cluster Sensor, refer to Qualys Cluster Sensor Online Help.

What’s New?

Support Qualys K8s Posture Management

With this release, Qualys Container Security has introduced the K8s Posture Management feature. With this feature, Qualys Cluster Sensor acts as a communicator between your environment and Qualys Enterprise TruRisk™ Platform. To know more about the Qualys K8s Posture Management feature, refer to Container Security 1.38 Release Notes. With this release, Cluster Sensor launches a pod (for example, qualys-host-scanner) on each node to collect K8s host compliance data.

Added Support for Cluster Sensor Installation on a Specific Node

With this release, Qualys Cluster Sensor can be installed on a node that you specify, using any of the following flags in Unified Helm Chart 2.4.0. Each item below gives the syntax for setting the flag either on the command line or in values.yaml. You can use either of the two methods.

  • tolerations - specify tolerations to match the specified node taints.
    Set the following additional flags on command line during sensor installation using Unified Helm Chart.
    --set clusterSensor.tolerations[0].key="key1" \
    --set clusterSensor.tolerations[0].effect="NoSchedule" \
    --set clusterSensor.tolerations[0].operator="Equal" \
    --set clusterSensor.tolerations[0].value="value1"

    Alternatively, you can also add the above flags in values.yaml.
    # Set tolerations here
    tolerations:
    - key: "node-role.kubernetes.io/master"
      effect: "NoSchedule"
      # operator "Exists" matches any taint value, so no value is set
      operator: "Exists"
  • nodeSelector - specify nodeSelector to indicate the node labels of the node.
    Set the following additional flag on command line during the sensor installation.
    --set clusterSensor.nodeSelector.hostname="node-abc"

    Alternatively, you can also add the above flag in values.yaml.
    # add nodeselector here
    nodeSelector:
      hostname: "node-abc"
  • affinity - specify affinity to indicate specifications of the node.
    Set the following additional flag on command line during the sensor installation.
    --set clusterSensor.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key="kubernetes.io/hostname" \
    --set clusterSensor.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator="In" \
    --set clusterSensor.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].values[0]="node-abc"

    Alternatively, you can also add the above flags in values.yaml.
    # set nodeAffinity, podAffinity under affinity
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: kubernetes.io/hostname
                  operator: In
                  values:
                    - node-abc
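
How Kubernetes decides whether a set of tolerations lets the Cluster Sensor pod land on a tainted node, as an added example (not Qualys code). The node taints and helper names are constructed for illustration, and the tolerations mirror the two forms shown above.

```python
# Added example: Kubernetes toleration/taint matching rules on constructed data.
HARD_EFFECTS = {"NoSchedule", "NoExecute"}  # PreferNoSchedule is only a soft preference


def lint_toleration(tol):
    """Return the problems that API validation would reject this toleration for."""
    problems = []
    op = tol.get("operator") or "Equal"  # Equal is the default operator
    if op not in ("Equal", "Exists"):
        problems.append(f"unknown operator {op!r}")
    if op == "Exists" and tol.get("value"):
        problems.append("value must be empty when operator is Exists")
    if not tol.get("key") and op != "Exists":
        problems.append("empty key requires operator Exists")
    return problems


def tolerates(tol, taint):
    """True if one toleration matches one taint."""
    if tol.get("effect") and tol["effect"] != taint["effect"]:
        return False  # an empty effect would match every effect
    if tol.get("key") and tol["key"] != taint["key"]:
        return False  # an empty key (with Exists) would match every key
    if (tol.get("operator") or "Equal") == "Exists":
        return True
    return (tol.get("value") or "") == (taint.get("value") or "")


def untolerated_taints(tolerations, taints):
    """Taints that would keep the pod off the node."""
    return [t for t in taints if t["effect"] in HARD_EFFECTS
            and not any(tolerates(tol, t) for tol in tolerations)]


# Constructed tolerations mirroring the command-line and values.yaml forms.
CLI_TOLERATION = {"key": "key1", "operator": "Equal", "value": "value1", "effect": "NoSchedule"}
MASTER_TOLERATION = {"key": "node-role.kubernetes.io/master", "operator": "Exists", "effect": "NoSchedule"}

# Constructed node taints (hypothetical nodes, not taken from the release notes).
DEDICATED_NODE = [{"key": "key1", "value": "value1", "effect": "NoSchedule"}]
# Current kubeadm clusters taint control-plane nodes with this key, not .../master.
CONTROL_PLANE_NODE = [{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]

if __name__ == "__main__":
    for name, taints in (("dedicated", DEDICATED_NODE), ("control-plane", CONTROL_PLANE_NODE)):
        blocked = untolerated_taints([CLI_TOLERATION, MASTER_TOLERATION], taints)
        print(name, "schedulable" if not blocked else f"blocked by {blocked}")
```

A sensor pod that stays Pending because of an untolerated taint leaves that node without coverage, so compare the tolerations against the target node's taints (`kubectl describe node`) before installing.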

Added Support for GKE Autopilot Cluster

Container Security Cluster Sensor now supports inventory collection on your GKE Autopilot cluster. It collects data on the Pods and Namespaces present in your GKE Autopilot clusters and sends it to Qualys Enterprise TruRisk™ Platform.

To support this feature, ensure that you disable the Host Network while installing the cluster sensor.
--set clusterSensor.hostNetwork=false

Unified Helm Chart (qualys-tc 2.4.0) Updates

The unified helm chart can be used to install Qcs Sensor, Admission Controller, Cluster Sensor, and Container Runtime Sensor. Refer to Qualys Unified Helm Chart (qualys-tc).

Enhancements

With this release, the following flags are introduced or updated in the 'qualys-tc 2.4.0' file. Flag Location is the line number in qualys-tc 2.4.0 > charts > cluster-sensor > values.yaml.

  • Flag/Entity: maskEnvVariable
    Status: New
    Flag Location: Line no. 20
    Description: To enable the masking of environment variables of containers.
    Valid values: true/false
    Default value: false

  • Flag/Entity:
    k8sCompliance:
      enable: true
    Status: New
    Flag Location: Line no. 21, 22
    Description: To enable or disable Kubernetes compliance scan.
    The default value is 'true'.
    Valid values: true/false

  • Flag/Entity:
    hostScanner:
      enable: true
      runOnMaster: true
      resources:
        limits:
          cpu: 100m
          memory: 256Mi
    Status: New
    Flag Location: Line no. 23-29
    Description: To enable or disable the host scanner.

  • Flag/Entity: tolerations
    Status: New
    Flag Location: Line no. 32
    Description: Add tolerations to schedule cluster sensor pod with the matching taints.

  • Flag/Entity: nodeSelector
    Status: New
    Flag Location: Line no. 35
    Description: Set nodeSelector if the cluster sensor needs to be deployed on specific node.

  • Flag/Entity: affinity
    Status: New
    Flag Location: Line no. 38
    Description: Set nodeAffinity, podAffinity and podAntiAffinity based on requirement.

Issue Addressed

The following issue has been fixed with this release:

  • Category: Cluster inventory
    Issue: In some cases, Cluster Sensor failed to upload the Cluster inventory and got stuck in a loop.