Admission Controller Commands and Options
This topic explains the available commands and options for Admission Controller.
Global Parameters
Both Cluster Sensor and Admission Controller support the following parameters irrespective of commands.
| Parameter | Mandatory/Optional | Description |
|---|---|---|
| global.customerId | Mandatory | Unique customer id associated with customer's account. |
| global.activationId | Mandatory | Unique activation id associated with customer's account. |
| global.gatewayUrl | Mandatory | Specify Qualys Platform (POD) gateway URL for backend communication. Specify this to use a POD which is not listed in: https://www.qualys.com/platform-identification/ |
| global.pod | Optional | Specify Qualys Platform (POD) for communicating with Qualys Cloud Platfrom. For example, US1, US2, US3, US4, EU1, EU2, IN1, CA1, AE1, UK1, AU1, KSA1. If your platform is not mentioned here, please provide the gateway URL using ' global.gatewayUrl' |
| global.imagePullSecret | Optional | Specify to pull images from the private registry. |
| global.clusterInfoArgs.cloudProvider | Optional | Specify the name of the Cloud provider. Cloud Provider examples: AWS, GCP, AZURE, OCI, selfManagedK8S |
| global.clusterInfoArgs.AWS.arn | Mandatory | Mandatory if the cloud provider is 'AWS'. Specify value of the arn. Example: arn:aws:eks:<region>:<accountid>:cluster/<clustername>
|
| global.clusterInfoArgs.AZURE.id | Mandatory | Mandatory if the cloud provider is 'AZURE'. Specify value of the id. Example: /subscriptions/<subscription_id>/resourcegroups/NK_test/providers/Microsoft.ContainerService/managedClusters/<cluster_name>
|
| global.clusterInfoArgs.AZURE.region | Mandatory | Provide the value of the region. Mandatory if the cloud provider is 'AZURE'. |
| global.clusterInfoArgs.GCP.krn | Mandatory | Provide value of the krn. Mandatory if the cloud provider is 'GCP'. Example: projects/<project_id>/locations/<region>/clusters/<cluster_name>
|
| global.clusterInfoArgs.OCI.ocid | Mandatory | Specify value of the ocid. Mandatory if the Cloud Provider is 'OCI' Example: ocid1.cluster.oc1.<REGION>.<TENANCY_OCID>.<CLUSTER_OCID> |
| global.clusterInfoArgs.OCI.clusterName | Mandatory | Use this provide cluster name. Mandatory if the Cloud Provider is 'OCI'. |
| global.clusterInfoArgs.SELF_ MANAGED_K8S.clusterName |
Mandatory | Use this to provide cluster name. Mandatory if the Cloud Provider is 'SELF_MANAGED_K8S`. |
| global.rootCA.certificate | Optional | Provide custom certificate in base64 encoded format to connect with qualys backend if required. |
| global.proxy.value | Optional | Specify Url of the proxy server. Example: FQDN or Ip address |
| global.proxy.certificate | Optional | Provide proxy certificate in base64 encoded format to connect with proxy server if required. |
| global.proxy.skipVerifyTLS | Optional | Use this to skip secure TLS verification. |
Admission Controller Parameters
Here are the parameters specific to Admission Controller commands.
| Parameter | Mandatory/Optional | Description |
|---|---|---|
| admissionController.enabled | Mandatory | Specify the to enable Admission Controller Default value: false |
| admissionController.logging.level | Specify log collection mode. Default value: info Valid valus: debug/info/error/warn/fatal |
|
| admissionController.logging.file.name | Optional | Specify the name of the log file. Default value: admissionController.log |
| admissionController.logging.file.rotation.enabled | Optional | Enables rotation of the log file. It archives the old files. The archived file name follows the path: admissionController-2023-09-28T19-29-04.072.log.gzWhrein, the suffix (xx-29-04-072) is the time at which the log file is archived. Default value: true |
| admissionController.logging.file.rotation.maxSize | Optional | Maximum size of the log file at which point the log file is archived. Default value: 100MB |
| admissionController.logging.file.rotation.maxBackups | Optional | Maximum number of backups to keep. This deletes older archives from the disk. Default value: 4 |
| admissionController.logging.file.rotation.maxAge | Optional | The maximum age in days to retain the old log files based on time-stamp encoded in their filename. Default value: 180 Days |
| admissionController.logging.file.rotation.compress | Optional | Compresses old log files using Gunzip compression. Default value: true Valid values: true / false |
| admissionController.syncInterval |
Optional | Specify the sync interval with backend (gateway). Default Value: 15 minutes |
| admissionController.platformSyncInterval | Optional | Specify the k8s cluster node info (OS/Architecture) read frequency. Default value: 5 minutes |
| admissionController.persistentStorage.enabled | Optional | Enables Persistent storage. This is used for writing log files to a persistent storage. This can be either a persistent volume claim or path on the k8s (worker) node. Default Value: false Valid Values: true / false |
| admissionController.persistentVolumeHostPath | Optional | Specify the HostPath on k8s worker node that is used as Persistent storage. Default value: /usr/local/qualys/admissionController/dataThis will be used as fallback if, 'admissionController.persistentVolumeClaim.enabled' is 'false' and 'admissionController.persistentStorage.enabled' is 'true'. |
| admissionController.persistentVolumeClaim.enabled | Optional | Enables Persistent volume claim. Default Value: false |
| admissionController.persistentVolumeClaim.storageClassName | Optional | Specify the K8s Storage class name for the PVC. Default Value: Empty |
| admissionController.persistentVolumeClaim.storageSize | Optional | Specify the K8s Storage size for the PVC. Default Value: Empty |
| admissionController.persistentVolumeClaim.accessModes | Optional | Specify the K8s Storage access modes for the PVC. Default Value: ReadWriteOnce |
| admissionController.enforcementAction | Optional | Specify the Passthrough mode. Default Value: AUDIT Valid Values: AUDIT / BLOCK |
| admissionController.serviceAccount.name | Optional | Specify the name of the service account for the admission controller deployment. Default Value: admissionController-qualys-sa |
| admissionController.serviceAccount.create | Optional | Enable or disable creation of service account. Default Value: true If disabled, the customer has to specify a service account with sufficient privileges for admission controller to function correctly. Qualys recommends not to disable this. It should be used only for advanced cases. |
| admissionController.registry.config.name | Optional | Specify the name of the K8s ConfigMap that refers to registry configuration. Default Value: qualys-registry-config |
| admissionController.registry.config.filename | Optional | Specify the name of the registry configuration file inside the container. Default Value: registry-config.yaml |
| admissionController.registry.config.fileContent | Mandatory | Specify the registry configuration For example, --set admissionController.registry.config.fileContent=`cat /path/to/registry-config.yamlDefault Value: Empty |
| admissionController.nameOverride | Optional | Specify the name for the deployment. Default Value: admissionController Qualys recommends not to edit the deployment name, as if it is changed, the self-signed certificates need to follow the same name in its FQDN. |
| admissionController.fullnameOverride | Optional | Specify the Helm release name. Default Value: admissionController |
| admissionController.certificateFilePath | Optional | Specify the path of the SSL server certificate inside the container. Default Value: /etc/certs/server.crt |
| admissionController.certificateKeyPath | Optional | Specify the path of the SSL server certificate key inside the container. Default Value: /etc/certs/server.key |
| admissionController.port | Optional | Specify the port of the admission controller server. Default Value: 8443 |
| admissionController.configPathDir | Optional | Specify the directory path of configuration files inside the container. Default Value: /etc/config |
| admissionController.configFile | Optional | Specify the configuration file name inside the container. Default Value: config.yaml |
| admissionController.certs.secretName | Optional | Specify the optional, name of K8s secret containing the certificate. Default Value: admissionController-certs |
| admissionController.certs.serverCertificate | Mandatory | Specify the Certificate file for admission webhook server to use. Default Value: Empty Should be in base64 encoded format of the Server cert in PEM format. For example, --set admissionController.certs.serverCertificate=`cat /path/to/certs/server.crt
|
| admissionController.certs.serverKey | Mandatory | Specify the Certificate Key file for admission webhook server to use. Default Value: Empty Should be in base64 encoded format of the Server cert's key in PEM format. For example, --set admissionController.certs.serverKey=`cat /path/to/certs/server.key
|
| admissionController.webhook.caBundle | Mandatory | Specify the Certificate Authority file for admission webhook server to use. Default Value: Empty Should be in base64 encoded format of the Certificate Authority in PEM format. For example, --set admissionController.webhook.caBundle=`cat /path/to/certs/ca.crt
|
| admissionController.webhook.failurePolicy | Optional | Specify the K8s webhook configuration property that decides to allow or reject a request in case of the admission webhook (or Qualys Cloud Platform) failure. Default Value: Ignore Valid Values : Ignore or Fail |
| admissionController.webhook.timeoutSeconds | Optional | Specify the K8s webhook configuration timeout property that mark the request as 'failed'. Default Value: 30 |
| admissionController.resources.replicas | Optional | Specify the number of replicas of container required. Default Value: 1 |
| admissionController.resources.limits.enabled | Optional | Enables or disables limits. Default Value: true |
| admissionController.resources.limits.cpu | Optional | Specify the container CPU limit. Default Value: 200m |
| admissionController.resources.limits.memory | Optional | Specify the container memory limit Default Value: 256Mi |
| admissionController.resources.requests.enabled | Optional | Enables or disables limits. Default Value: true |
| admissionController.resources.requests.cpu | Optional | Specify the container CPU requests. Default Value: 100m |
| admissionController.resources.requests.memory | Optional | Specify the container memory requests. Default Value: 256Mi |
| admissionController.dataRetention.inDays | Optional | Specify the data retention period of (failed) admission review records in the admission controller container. Default Value: 30 Days Currently this parameter is used for Debugging purposes only. |
| admissionController.dataRetention.scheduleInDays | Optional | Specify the frequency of the retention job to purge the failed admission review records in the admission controller container. Default Value: 1 Day |
| admissionController.image |
Optional | Specify the name of the admission controller image in the private/dockerhub registry Default value: qualys/admission-controller |
| admissionController.tag | Optional | Specify the name of the admission controller image's tag in the private/dockerhub registry Default value: latest or <tag> |
| admissionController.imagePullPolicy | Optional | Pull policy for admission controller image Default value: AlwaysAccepted Values: IfNotPresent/Always/Never |