Admission Controller Commands and Options

This topic explains the available commands and options for Admission Controller. 

Global Parameters 

Both Cluster Sensor and Admission Controller support the following parameters irrespective of commands.

Parameter Mandatory/Optional Description
global.customerId Mandatory Unique customer id associated with customer's account.
global.activationId Mandatory Unique activation id associated with customer's account.
global.gatewayUrl Mandatory Specify Qualys Platform (POD) gateway URL for backend communication. Specify this to use a POD which is not listed in: https://www.qualys.com/platform-identification/
global.pod Optional Specify Qualys Platform (POD) for communicating with Qualys Cloud Platfrom.
For example, US1, US2, US3, US4, EU1, EU2, IN1, CA1, AE1, UK1, AU1, KSA1.
If your platform is not mentioned here, please provide the gateway URL using 'global.gatewayUrl'
global.imagePullSecret Optional Specify to pull images from the private registry.
global.clusterInfoArgs.cloudProvider Optional Specify the name of the Cloud provider.
Cloud Provider examples:
AWS, GCP, AZURE, OCI, selfManagedK8S
global.clusterInfoArgs.AWS.arn Mandatory Mandatory if the cloud provider is 'AWS'. Specify value of the arn.
Example: 
arn:aws:eks:<region>:<accountid>:cluster/<clustername>
global.clusterInfoArgs.AZURE.id Mandatory Mandatory if the cloud provider is 'AZURE'. Specify value of the id.
Example: 
/subscriptions/<subscription_id>/resourcegroups/NK_test/providers/Microsoft.ContainerService/managedClusters/<cluster_name>
global.clusterInfoArgs.AZURE.region Mandatory Provide the value of the region. Mandatory if the cloud provider is 'AZURE'.
global.clusterInfoArgs.GCP.krn Mandatory Provide value of the krn. Mandatory if the cloud provider is 'GCP'.
Example:
projects/<project_id>/locations/<region>/clusters/<cluster_name>
global.clusterInfoArgs.OCI.ocid Mandatory Specify value of the ocid.
Mandatory if the Cloud Provider is 'OCI'
Example: ocid1.cluster.oc1.<REGION>.<TENANCY_OCID>.<CLUSTER_OCID>
global.clusterInfoArgs.OCI.clusterName Mandatory Use this provide cluster name.
Mandatory if the Cloud Provider is 'OCI'.
global.clusterInfoArgs.SELF_
MANAGED_K8S.clusterName
Mandatory Use this to provide cluster name.
Mandatory if the Cloud Provider is 'SELF_MANAGED_K8S`.
global.rootCA.certificate Optional Provide custom certificate in base64 encoded format to connect with qualys backend if required.
global.proxy.value Optional Specify Url of the proxy server.
Example: FQDN or Ip address
global.proxy.certificate Optional Provide proxy certificate in base64 encoded format to connect with proxy server if required.
global.proxy.skipVerifyTLS Optional Use this to skip secure TLS verification.

Admission Controller Parameters

Here are the parameters specific to Admission Controller commands. 

Parameter Mandatory/Optional Description
admissionController.enabled Mandatory Specify the to enable Admission Controller
Default value: false
admissionController.logging.file.name Optional Specify the name of the log file.
Default value: admissionController.log
admissionController.logging.file.rotation.enabled Optional Enables rotation of the log file. It archives the old files.
The archived file name follows the path: admissionController-2023-09-28T19-29-04.072.log.gz
Whrein, the suffix (xx-29-04-072) is the time at which the log file is archived.
Default value: true
admissionController.logging.file.rotation.maxSize Optional Maximum size of the log file at which point the log file is archived.
Default value: 100MB
admissionController.logging.file.rotation.maxBackups   Optional Maximum number of backups to keep. This deletes older archives from the disk.
Default value: 4
admissionController.logging.file.rotation.maxAge Optional The maximum age in days to retain the old log files based on time-stamp encoded in their filename.
Default value: 180 Days
admissionController.logging.file.rotation.compress Optional Compresses old log files using Gunzip compression.
Default value: true
Valid values: true / false
admissionController.syncInterval
 
Optional Specify the sync interval with backend (gateway).
Default Value: 15
admissionController.platformSyncInterval  Optional Specify the k8s cluster node info (OS/Architecture) read frequency.
Default value: 15 ??Seconds/Minutes??
admissionController.persistentStorage.enabled Optional Enables Persistent storage.
This is used for writing log files to a persistent storage. This can be either a persistent volume claim or path on the k8s (worker) node.

Default Value: false
Valid Values: true / false
admissionController.persistentVolumeHostPath Optional Specify the HostPath on k8s worker node that is used as Persistent storage.
Default value: /usr/local/qualys/admissionController/data

This will be used as fallback if, 'admissionController.persistentVolumeClaim.enabled' is 'false' and 'admissionController.persistentStorage.enabled' is 'true'.
admissionController.persistentVolumeClaim.enabled   Optional Enables Persistent volume claim.
Default Value: false
admissionController.persistentVolumeClaim.storageClassName   Optional Specify the K8s Storage class name for the PVC.
Default Value: Empty
admissionController.persistentVolumeClaim.storageSize Optional Specify the K8s Storage size for the PVC.
Default Value: Empty
admissionController.persistentVolumeClaim.accessModes Optional Specify the K8s Storage access modes for the PVC.
Default Value:  ReadWriteOnce
admissionController.enforcementAction Optional Specify the Passthrough mode.
Default Value: AUDIT
Valid Values: AUDIT / BLOCK
admissionController.serviceAccount.name   Optional Specify the name of the service account for the admission controller deployment.
Default Value: admissionController-qualys-sa
admissionController.serviceAccount.create Optional Enable or disable creation of service account.
Default Value: true
If disabled, the customer has to specify a service account with sufficient privileges for admission controller to function correctly.

Qualys recommends not to disable this. It should be used only for advanced cases.

admissionController.registry.config.name Optional Specify the name of the K8s ConfigMap that refers to registry configuration.
Default Value: qualys-registry-config
admissionController.registry.config.filename Optional Specify the name of the registry configuration file inside the container.
Default Value: registry-config.yaml
admissionController.registry.config.fileContent Mandatory Specify the registry configuration
For example,
--set admissionController.registry.config.fileContent=`cat /path/to/registry-config.yaml
Default Value: Empty
admissionController.nameOverride Optional Specify the name for the deployment.
Default Value: admissionController

Qualys recommends not to edit the deployment name, as if it is changed, the self-signed certificates need to follow the same name in its FQDN.

admissionController.fullnameOverride Optional Specify the Helm release name.
Default Value: admissionController 
admissionController.certificateFilePath Optional Specify the path of the SSL server certificate inside the container.
Default Value: /etc/certs/server.crt
admissionController.certificateKeyPath Optional Specify the path of the SSL server certificate key inside the container.
Default Value: /etc/certs/server.key
admissionController.port   Optional Specify the port of the admission controller server.
Default Value: 8443
admissionController.configPathDir Optional Specify the directory path of configuration files inside the container.
Default Value: /etc/config
admissionController.configFile Optional Specify the configuration file name inside the container.
Default Value: config.yaml
admissionController.certs.secretName Optional Specify the optional, name of K8s secret containing the certificate.
Default Value: admissionController-certs
admissionController.certs.serverCertificate Mandatory Specify the Certificate file for admission webhook server to use.
Default Value: Empty
Should be in base64 encoded format of the Server cert in PEM format.
For example,
--set admissionController.certs.serverCertificate=`cat /path/to/certs/server.crt
admissionController.certs.serverKey Mandatory Specify the Certificate Key file for admission webhook server to use.
Default Value: Empty
Should be in base64 encoded format of the Server cert's key in PEM format.
For example,
--set admissionController.certs.serverKey=`cat /path/to/certs/server.key
admissionController.webhook.caBundle Mandatory Specify the Certificate Authority file for admission webhook server to use.
Default Value: Empty 
Should be in base64 encoded format of the Certificate Authority in PEM format.
For example,
--set admissionController.webhook.caBundle=`cat /path/to/certs/ca.crt
admissionController.webhook.failurePolicy Optional Specify the K8s webhook configuration property that decides to allow or reject a request in case of the admission webhook (or Qualys Cloud Platform) failure.
Default Value: Ignore
Valid Values : Ignore or Fail
admissionController.webhook.timeoutSeconds Optional Specify the K8s webhook configuration timeout property that mark the request as 'failed'.
Default Value: 30
admissionController.resources.replicas Optional Specify the number of replicas of container required. Default Value: 1
admissionController.resources.limits.enabled Optional Enables or disables limits.
Default Value: true
admissionController.resources.limits.cpu Optional Specify the container CPU limit.
Default Value: 200m
admissionController.resources.limits.memory Optional Specify the container memory limit
Default Value: 256Mi
admissionController.resources.requests.enabled Optional Enables or disables limits.
Default Value: true
admissionController.resources.requests.cpu Optional Specify the container CPU requests.
Default Value: 100m
admissionController.resources.requests.memory Optional Specify the container memory requests.
Default Value: 256Mi
admissionController.dataRetention.inDays Optional Specify the data retention period of (failed) admission review records in the admission controller container.
Default Value: 30 Days

Currently this parameter is used for Debugging purposes only.

admissionController.dataRetention.scheduleInDays Optional Specify the frequency of the retention job to purge the failed admission review records in the admission controller container.
Default Value: 1 Day