Installing Admission Controller

After getting the Admission Controller image, install it on your K8s cluster using the unified Helm chart 'qualys-tc', hosted on ArtifactHub: https://artifacthub.io/packages/helm/qualys-helm-chart/qualys-tc

'qualys-tc' is a unified helm chart that is used to install: 

  • Qualys Cluster Sensor (cluster-sensor)
  • Qualys Container Security Sensor (qcs-sensor)
  • Qualys Admission Controller (admission-controller)

Qualys Admission Controller has a default configuration that caters to the most popular use cases. However, you can change this default configuration by modifying the unified Helm chart.

To install Qualys Admission Controller in your cloud provider:

  1. Identify the environment in which your Admission Controller is present. Qualys currently supports Azure, AWS, GCP, Self-managed K8s, and OpenShift environments.
  2. If you do not want to install Cluster Sensor, disable it by adding the following option to the install command.
    --set clusterSensor.enabled="false"
  3. Get the respective resource ID of your environment and run the installation commands.

Once Admission Controller is installed and running, it is displayed on Qualys Cloud Platform under Container Security > ASSETS > Clusters (Beta) > Quick Actions.

Installing in Azure

To install Cluster Sensor or Admission Controller in an Azure environment:

  1. Get the 'global.clusterInfoArgs.AZURE.id' (Azure Resource ID) value from your Azure environment by running this command - 
    az resource list --name '<Name of your cluster>'

    Sample output
    Look for a snippet similar to the one below to get your Azure resource ID ("id":xxxxxxxxxxxxxxxxxxxxxxxxxxxx).

    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg1/providers/Microsoft.ContainerService/managedClusters/clustername1",
    "location": "<location>",
    "name": "<cluster name>"
    ...}

  2. Run the following CLI commands.
    helm install qualys-tc ./qualys-tc \
      --set global.customerId="<Customer ID>" \
      --set global.activationId="<Activation ID>" \
      --set global.gatewayUrl="<POD Gateway URL>" \
      --set global.clusterInfoArgs.cloudProvider="AZURE" \
      --set global.clusterInfoArgs.AZURE.id="<Azure ID>" \
      --set global.clusterInfoArgs.AZURE.region="<Azure Region>" \
      --set admissionController.image="qualys/admission-controller" \
      --set admissionController.tag="<latest or Admission Controller Tag>" \
      --set admissionController.logging.level="<debug/info/error/warn/fatal>" \
      --set admissionController.syncInterval="<Sync Interval in Seconds>" \
      --set admissionController.enabled=true \
      --create-namespace \
      -n qualys

Installing in AWS

To install Cluster Sensor in an AWS environment:

  1. Get the 'global.clusterInfoArgs.AWS.arn' (AWS Resource ID) value from your AWS environment by running this command:
    aws eks describe-cluster --name <cluster-name>

    Sample output
    Look for a snippet similar to the one below to get your AWS ARN
    ("arn":"arn:aws:eks:us-west-2:123456789012:cluster/aws-cluster-1").

    "cluster": {
           "name": "eks-cluster-1",
           "arn": "arn:aws:eks:us-west-2:123456789012:cluster/eks-cluster-1",
    ...}

  2. Run the following CLI commands.
    helm install qualys-tc ./qualys-tc \
      --set global.customerId="<Customer ID>" \
      --set global.activationId="<Activation ID>" \
      --set global.gatewayUrl="<POD Gateway URL>" \
      --set global.clusterInfoArgs.cloudProvider="AWS" \
      --set global.clusterInfoArgs.AWS.arn="<AWS ARN>" \
      --set admissionController.enabled=true \
      --set admissionController.image="qualys/admission-controller" \
      --set admissionController.tag="<latest or Admission Controller Tag>" \
      --set admissionController.resources.replicas="<Number of replicas>" \
      --set admissionController.logging.level="<debug/info/error/warn/fatal>" \
      --set admissionController.syncInterval="<Sync Interval in Seconds>" \
      --create-namespace \
      -n qualys

Installing in GCP

To install Cluster Sensor in a GCP environment:

  1. Get the 'global.clusterInfoArgs.GCP.krn' value from your GCP environment by running this command:
    gcloud container clusters describe <cluster-name> --zone <zone/region>

    Sample output
    Look for 'selfLink' in the output (selfLink:<URL link><GCP Key Resource Name>).

    selfLink: https://container.googleapis.com/v1/projects/qualys-cms/zones/us-central1-c/clusters/cluster-zonal
    ...

    Example of the GCP Key Resource Name (KRN) in the above selfLink: /projects/qualys-cms/zones/us-central1-c/clusters/cluster-zonal
    The KRN is constructed from your GCP project ID, GCP zone, and the cluster name.

  2. To install the Admission Controller in your GCP environment, run the following commands.
    helm install qualys-tc ./qualys-tc \
      --set global.customerId="<Customer ID>" \
      --set global.activationId="<Activation ID>" \
      --set global.gatewayUrl="<POD Gateway URL>" \
      --set global.clusterInfoArgs.cloudProvider="GCP" \
      --set global.clusterInfoArgs.GCP.krn="<GCP KRN>" \
      --set admissionController.image="qualys/admission-controller" \
      --set admissionController.tag="<latest or Admission Controller Tag>" \
      --set admissionController.resources.replicas="<Number of replicas>" \
      --set admissionController.logging.level="<debug/info/error/warn/fatal>" \
      --set admissionController.syncInterval="<Sync Interval in Seconds>" \
      --set admissionController.persistentStorage.enabled="<true/false>" \
      --set admissionController.enabled=true \
      --create-namespace \
      -n qualys

Installing in OCI

To install Cluster Sensor in an OCI environment:

  1. Get the 'global.clusterInfoArgs.OCI.ocid' value from your OCI environment using the OCI console (Cluster Details > Cluster ID).

    Sample O/P
    OCI.ocid=ocid1.cluster.oc1.phx.aaaaaaaa7bpfuy3ucll6ssvhfwpfcqrzx6j233evxcn6bkfincoayt6vcocq

  2. To install the Admission Controller, run the following commands.
    helm install qualys-tc qualys-helm-chart/qualys-tc \
      --set global.customerId="<customer id>" \
      --set global.activationId="<activation id>" \
      --set global.gatewayUrl="<gateway URL>" \
      --set global.clusterInfoArgs.cloudProvider="OCI" \
      --set global.clusterInfoArgs.OCI.ocid="<Cluster OCID>" \
      --set global.clusterInfoArgs.OCI.clusterName="<cluster Name>" \
      --set admissionController.image="qualys/admission-controller" \
      --set admissionController.tag="<latest or Admission Controller Tag>" \
      --set admissionController.logging.level="<debug/info/error/warn/fatal>" \
      --set admissionController.syncInterval="<Sync Interval in Seconds>" \
      --create-namespace \
      -n qualys
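
The cluster identifier is the one value in each install command that is copied out of another tool's output, so it is worth checking before it reaches helm. The following is an added example, not part of the Qualys documentation or chart: it derives the GCP KRN from a selfLink and checks that an Azure ID, AWS ARN, GCP KRN or OCI OCID has the shape shown in the samples above. The function names are hypothetical and the patterns are assumptions based only on this page's sample values.

```shell
#!/bin/sh
# Added example: shape checks for the cluster identifiers used on this page.
# Function names are hypothetical; patterns follow the page's sample values.

# Derive the GCP KRN from the selfLink that
# `gcloud container clusters describe` prints: keep /projects/ onwards.
krn_from_selflink() {
    case "$1" in
        https://container.googleapis.com/*/projects/?*/clusters/?*)
            printf '/projects/%s\n' "${1#*/projects/}" ;;
        *) return 1 ;;
    esac
}

# Return 0 when VALUE looks like the identifier the page shows for PROVIDER.
check_cluster_id() {
    provider=$1
    value=$2
    nl='
'
    # Empty values, spaces and newlines come from broken copy/paste;
    # a comma would make Helm's --set start a new key=value pair.
    case "$value" in
        ''|*' '*|*','*|*"$nl"*) return 1 ;;
    esac
    case "$provider:$value" in
        AZURE:/subscriptions/?*/providers/Microsoft.ContainerService/managedClusters/?*) return 0 ;;
        AWS:arn:aws*:eks:?*:[0-9]*:cluster/?*) return 0 ;;
        GCP:/projects/?*/clusters/?*) return 0 ;;
        OCI:ocid1.cluster.?*) return 0 ;;
    esac
    return 1
}

# Constructed input: the selfLink from the page's GCP sample output.
link='https://container.googleapis.com/v1/projects/qualys-cms/zones/us-central1-c/clusters/cluster-zonal'
if krn=$(krn_from_selflink "$link") && check_cluster_id GCP "$krn"; then
    echo "global.clusterInfoArgs.GCP.krn=$krn"
fi
```

Passing the full selfLink URL as the GCP value, or an ARN with a stray line break inside the quotes, fails the check instead of being registered as a wrong cluster identity.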

Installing in Self-managed K8s

An environment is considered 'Self-managed K8s' when the K8s cluster is not provided by Azure, AWS, OCI, or GCP and is created and managed by you.

To install Cluster Sensor in a self-managed K8s environment, run the following CLI commands.

  1. Get the 'global.clusterInfoArgs.name=<cluster name>' value from your Self-managed k8s environment.
  2. To install the Admission Controller, run the following commands.
    helm install qualys-tc ./qualys-tc \
      --set global.customerId="<customer id>" \
      --set global.activationId="<activation id>" \
      --set global.gatewayUrl="<Gateway URL>" \
      --set global.clusterInfoArgs.cloudProvider=SELF_MANAGED_K8S \
      --set global.clusterInfoArgs.SELF_MANAGED_K8S.clusterName="<cluster name>" \
      --set global.qcsSensor.enabled=false \
      --set admissionController.image="qualys/admission-controller" \
      --set admissionController.tag="<Admission Controller tag>" \
      --set admissionController.logging.level="<debug/info/error/warn/fatal>" \
      --set admissionController.syncInterval="<Sync Interval in Seconds>" \
      --set admissionController.enabled=true \
      --create-namespace \
      -n qualys

Installing in OpenShift

To install Cluster Sensor in an OpenShift environment, run the following CLI commands.

  1. Get the 'global.clusterInfoArgs.name=<cluster name>' value from your OpenShift environment.
  2. To install the Admission Controller, run the following commands.
    helm install qualys-tc ./qualys-tc \
      --set global.customerId="<customer id>" \
      --set global.activationId="<activation id>" \
      --set global.gatewayUrl="<Gateway URL>" \
      --set clusterSensor.openshift=true \
      --set global.clusterInfoArgs.cloudProvider=SELF_MANAGED_K8S \
      --set global.clusterInfoArgs.SELF_MANAGED_K8S.clusterName="<Openshift Cluster name>" \
      --set global.qcsSensor.enabled=false \
      --set admissionController.image="qualys/admission-controller" \
      --set admissionController.tag="<Admission Controller tag>" \
      --set admissionController.logging.level="<debug/info/error/warn/fatal>" \
      --set admissionController.syncInterval="<Sync Interval in Seconds>" \
      --set admissionController.enabled=true \
      --create-namespace \
      -n qualys

 

To uninstall Admission Controller deployed in your environment, uninstall the unified helm chart by running the following command:

helm uninstall qualys-tc \
-n qualys

To know about Cluster Sensor and Admission Controller parameters, refer to Command and Options.