YML Files associated with CS Sensor Installation
This topic provides the YML files used during Container Sensor (CS Sensor) installation. Pick the one that matches your container runtime and platform. Each file defines a ServiceAccount, a namespaced Role and a ClusterRole with their bindings, and a DaemonSet that mounts the node's runtime socket and image storage from the host. Before applying one, replace the __customerId and __activationId placeholders and review the host-level access it grants: every variant uses hostNetwork and hostPath mounts, the CRI-O and both OpenShift variants run the sensor container privileged, the OpenShift Docker variant also enables hostPID, and the containerd and CRI-O variants grant pods/exec create cluster-wide rather than only in the qualys namespace. All five pull qualys/qcs-sensor:latest with imagePullPolicy IfNotPresent; pin the image to the version you validated, since a cached :latest is never refreshed under that policy.
| YML file name | Applicable runtime or environment |
| --- | --- |
| cssensor-containerd-ds.yml | containerd |
| cssensor-crio-ds.yml | CRI-O |
| cssensor-ds.yml | Docker |
| cssensor-openshift-crio-ds.yml | CRI-O on OpenShift |
| cssensor-openshift-ds.yml | Docker on OpenShift |
Containerd DS YML (cssensor-containerd-ds.yml)
The following is the content of cssensor-containerd-ds.yml, used with the containerd runtime. The sensor reads the containerd socket and /var/lib/containerd read-only and runs with allowPrivilegeEscalation set to false.
kind: List
apiVersion: v1
items:
# Service Account
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: qualys-service-account
    namespace: qualys
# Role for all permission to qualys namespace
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-role
    namespace: qualys
  rules:
  - apiGroups: ["", "batch"]
    resources: ["pods", "jobs"]
    verbs: ["get", "list", "watch", "create", "delete", "deletecollection"]
  - apiGroups: [""]
    resources: ["pods/attach", "pods/exec"]
    verbs: ["create"]
# ClusterRole for read permission to whole cluster (plus pods/exec create)
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-role
  rules:
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["nodes", "pods", "pods/status", "replicationcontrollers/status", "nodes/status", "namespaces"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
    verbs: ["get"]
  - apiGroups: ["batch"]
    resources: ["jobs/status", "cronjobs/status"]
    verbs: ["get"]
# RoleBinding to assign permissions in qualys-reader-role to qualys-service-account
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-rb
    namespace: qualys
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: Role
    name: qualys-reader-role
    apiGroup: rbac.authorization.k8s.io
# ClusterRoleBinding to assign permissions in qualys-cluster-reader-role to qualys-service-account
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-rb
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: ClusterRole
    name: qualys-cluster-reader-role
    apiGroup: rbac.authorization.k8s.io
#- kind: PriorityClass
#  apiVersion: scheduling.k8s.io/v1
#  metadata:
#    name: qualys-priority-class
#  value: 0
#  preemptionPolicy: PreemptLowerPriority
#  description: Priority class for daemonset
#- apiVersion: v1
#  kind: Secret
#  metadata:
#    name: cert-config
#    namespace: qualys
#  data:
#    ca.crt: # Paste base64-encoded content of ca.crt file
# Qualys Container Sensor pod
- apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: qualys-container-sensor
    namespace: qualys
    labels:
      k8s-app: qualys-cs-sensor
  spec:
    selector:
      matchLabels:
        name: qualys-container-sensor
    updateStrategy:
      type: RollingUpdate
    template:
      metadata:
        labels:
          name: qualys-container-sensor
      spec:
        # uncomment the toleration below to let the daemonset schedule on master nodes too;
        # without it the sensor pod stays off nodes carrying the node-role.kubernetes.io/master
        # NoSchedule taint (on Kubernetes 1.24+ the taint is node-role.kubernetes.io/control-plane)
        #tolerations:
        #- key: node-role.kubernetes.io/master
        #  effect: NoSchedule
        serviceAccountName: qualys-service-account
        #priorityClassName: qualys-priority-class
        containers:
        - name: qualys-container-sensor
          image: qualys/qcs-sensor:latest
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "0.5" # Default CPU usage limit on each node for sensor.
            requests:
              cpu: "0.1"
          args: ["--k8s-mode", "--container-runtime", "containerd", "--storage-driver-type", "overlay", "--optimize-image-scans"] # optimize-image-scans is applicable only for general sensor
          env:
          - name: CUSTOMERID
            value: __customerId
          - name: ACTIVATIONID
            value: __activationId
          - name: POD_URL
            value: https://cmsqagpublic.qg1.apps.qualys.ca/ContainerSensor # set to the Container Sensor URL of the Qualys platform your subscription is on
          - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
            value: "10"
          # uncomment (and indent properly) the section below if a proxy is required to connect to Qualys Cloud
          #- name: qualys_https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          # uncomment (and indent properly) the section below for a registry sensor version 1.21.0 or later used for a public registry; the proxy value needs to be set with the name https_proxy
          #- name: https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          - name: QUALYS_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: QUALYS_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: QUALYS_SENSOR_HOST_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          volumeMounts:
          - mountPath: /var/run/containerd/containerd.sock
            name: socket-volume
            readOnly: true
          - mountPath: /usr/local/qualys/qpa/data
            name: persistent-volume
          - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
            name: agent-volume
          - mountPath: /var/lib/containerd
            name: containerd-root-dir
            readOnly: true
          # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
          #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
          #  name: proxy-cert-path
          #- mountPath: /etc/containerd/certs.d/hostIP:port/ca.crt
          #  name: registry-cert-volume
          #  subPath: ca.crt
          #  readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
        volumes:
        - name: socket-volume
          hostPath:
            path: /var/run/containerd/containerd.sock
            type: Socket
        - name: containerd-root-dir
          hostPath:
            path: /var/lib/containerd # if the root directory of containerd is different, update this to the actual containerd root directory path
        - name: persistent-volume
          hostPath:
            path: /usr/local/qualys/sensor/data
            type: DirectoryOrCreate
        - name: agent-volume
          hostPath:
            path: /etc/qualys
            type: DirectoryOrCreate
        # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
        #- name: proxy-cert-path
        #  hostPath:
        #    path: <proxy certificate path>
        #    type: File
        #- name: registry-cert-volume
        #  secret:
        #    secretName: cert-config
        hostNetwork: true
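Filling the placeholders before applying a manifest. The manifest above, like the four that follow, carries __customerId and __activationId placeholders and a POD_URL that points at a Qualys test platform. The script below is an added example, not Qualys code: it renders any of the cssensor-*.yml files, refuses to emit output that still contains a placeholder or that does not have exactly one POD_URL line, and applies the result with a server-side dry run so admission rejections (Pod Security, OpenShift SCC) show up before anything is created. It assumes the two identifiers are UUIDs (an assumption; check the values your subscription gives you) and that kubectl is on PATH. SAMPLE_TEMPLATE is a constructed excerpt of the env section, not the full file.

```python
import re
import subprocess
import uuid

# Placeholders as they appear in the cssensor-*.yml files.
PLACEHOLDER_RE = re.compile(r"__[A-Za-z][A-Za-z0-9]*")
# The single POD_URL env line; comments and proxy lines do not match.
POD_URL_RE = re.compile(r"(?m)^([ \t]*value:[ \t]*)https://\S+/ContainerSensor[ \t]*$")

# Constructed excerpt of the env section of cssensor-containerd-ds.yml; the
# real file carries the same placeholders and the same POD_URL line.
SAMPLE_TEMPLATE = """\
          env:
          - name: CUSTOMERID
            value: __customerId
          - name: ACTIVATIONID
            value: __activationId
          - name: POD_URL
            value: https://cmsqagpublic.qg1.apps.qualys.ca/ContainerSensor
"""


def render_manifest(template: str, customer_id: str, activation_id: str,
                    pod_url: str = "") -> str:
    """Substitute the sensor identifiers and return the rendered manifest.

    Raises ValueError instead of returning a manifest that would deploy a
    sensor that can never activate (malformed ID, wrong platform URL,
    leftover placeholder). IDs are assumed to be UUIDs.
    """
    for label, value in (("customer_id", customer_id),
                         ("activation_id", activation_id)):
        try:
            uuid.UUID(value)
        except ValueError:
            raise ValueError(f"{label} is not a UUID: {value!r}") from None
    rendered = (template.replace("__customerId", customer_id)
                        .replace("__activationId", activation_id))
    if pod_url:
        # The shipped POD_URL is Qualys' own test platform; it has to be
        # replaced with the Container Sensor URL of your subscription.
        if not pod_url.startswith("https://"):
            raise ValueError("pod_url must be an https:// URL")
        rendered, n = POD_URL_RE.subn(lambda m: m.group(1) + pod_url, rendered)
        if n != 1:
            raise ValueError(f"expected exactly one POD_URL line, found {n}")
    leftovers = sorted(set(PLACEHOLDER_RE.findall(rendered)))
    if leftovers:
        raise ValueError(f"unresolved placeholders: {leftovers}")
    return rendered


def kubectl_apply(manifest: str, dry_run: bool = True) -> int:
    """Pipe the rendered manifest to kubectl. Server-side dry run by default
    so admission rejections surface before anything is created; pass
    dry_run=False to actually apply. Returns kubectl's exit status."""
    cmd = ["kubectl", "apply", "-f", "-"]
    if dry_run:
        cmd.append("--dry-run=server")
    return subprocess.run(cmd, input=manifest, text=True).returncode


if __name__ == "__main__":
    import sys
    # usage: python3 render.py <cssensor-*.yml> <customerId> <activationId> [POD_URL]
    path, cid, aid = sys.argv[1:4]
    url = sys.argv[4] if len(sys.argv) > 4 else ""
    with open(path, encoding="utf-8") as fh:
        out = render_manifest(fh.read(), cid, aid, url)
    sys.exit(kubectl_apply(out))  # dry run; re-run with dry_run=False to deploy
```

The same function works unchanged for the CRI-O, Docker and OpenShift files, since they share the placeholder names and the POD_URL line.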
CRI-O DS YML (cssensor-crio-ds.yml)
The following is the latest content of cssensor-crio-ds.yml, used with the CRI-O runtime. Unlike the containerd and Docker variants, the sensor container runs privileged and mounts /var/lib/containers/storage read-write.
kind: List
apiVersion: v1
items:
# Service Account
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: qualys-service-account
    namespace: qualys
# Role for all permission to qualys namespace
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-role
    namespace: qualys
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "deletecollection"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "create", "delete", "deletecollection"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["create"]
# ClusterRole for read permission to whole cluster (plus pods/exec create)
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-role
  rules:
  - apiGroups: [""]
    resources: ["nodes", "pods/status", "replicationcontrollers/status", "nodes/status", "namespaces"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: ["apps"]
    resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
    verbs: ["get"]
  - apiGroups: ["batch"]
    resources: ["jobs/status", "cronjobs/status"]
    verbs: ["get"]
# RoleBinding to assign permissions in qualys-reader-role to qualys-service-account
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-rb
    namespace: qualys
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: Role
    name: qualys-reader-role
    apiGroup: rbac.authorization.k8s.io
# ClusterRoleBinding to assign permissions in qualys-cluster-reader-role to qualys-service-account
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-rb
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: ClusterRole
    name: qualys-cluster-reader-role
    apiGroup: rbac.authorization.k8s.io
#- kind: PriorityClass
#  apiVersion: scheduling.k8s.io/v1
#  metadata:
#    name: qualys-priority-class
#  value: 0
#  preemptionPolicy: PreemptLowerPriority
#  description: Priority class for daemonset
# Qualys Container Sensor pod
- apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: qualys-container-sensor
    namespace: qualys
    labels:
      k8s-app: qualys-cs-sensor
  spec:
    selector:
      matchLabels:
        name: qualys-container-sensor
    updateStrategy:
      type: RollingUpdate
    template:
      metadata:
        labels:
          name: qualys-container-sensor
      spec:
        # uncomment the toleration below to let the daemonset schedule on master nodes too;
        # without it the sensor pod stays off nodes carrying the node-role.kubernetes.io/master
        # NoSchedule taint (on Kubernetes 1.24+ the taint is node-role.kubernetes.io/control-plane)
        #tolerations:
        #- key: node-role.kubernetes.io/master
        #  effect: NoSchedule
        serviceAccountName: qualys-service-account
        #priorityClassName: qualys-priority-class
        containers:
        - name: qualys-container-sensor
          image: qualys/qcs-sensor:latest
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "0.5" # Default CPU usage limit on each node for sensor.
            requests:
              cpu: "0.1"
          args: ["--k8s-mode", "--container-runtime", "cri-o", "--optimize-image-scans"] # optimize-image-scans is applicable only for general sensor
          env:
          - name: CUSTOMERID
            value: __customerId
          - name: ACTIVATIONID
            value: __activationId
          - name: POD_URL
            value: https://cmsqagpublic.qg1.apps.qualys.ca/ContainerSensor # set to the Container Sensor URL of the Qualys platform your subscription is on
          - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
            value: "10"
          # uncomment (and indent properly) the section below if a proxy is required to connect to Qualys Cloud
          #- name: qualys_https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          # uncomment (and indent properly) the section below for a registry sensor version 1.21.0 or later used for a public registry; the proxy value needs to be set with the name https_proxy
          #- name: https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          - name: QUALYS_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: QUALYS_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: QUALYS_SENSOR_HOST_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          volumeMounts:
          - mountPath: /var/run/crio/crio.sock
            name: socket-volume
            readOnly: true
          - mountPath: /usr/local/qualys/qpa/data
            name: persistent-volume
          - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
            name: agent-volume
          - mountPath: /var/lib/containers/storage
            name: container-storage
          - mountPath: /etc/containers/storage.conf
            name: storage-config-volume
            readOnly: true
          # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
          #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
          #  name: proxy-cert-path
          securityContext:
            privileged: true
        volumes:
        - name: socket-volume
          hostPath:
            path: /var/run/crio/crio.sock
            type: Socket
        - name: persistent-volume
          hostPath:
            path: /usr/local/qualys/sensor/data
            type: DirectoryOrCreate
        - name: agent-volume
          hostPath:
            path: /etc/qualys
            type: DirectoryOrCreate
        - name: container-storage
          hostPath:
            path: /var/lib/containers/storage
        - name: storage-config-volume
          hostPath:
            path: /etc/containers/storage.conf
            type: File
        # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
        #- name: proxy-cert-path
        #  hostPath:
        #    path: <proxy certificate path>
        #    type: File
        hostNetwork: true
Docker DS YML (cssensor-ds.yml)
The following is the latest content of cssensor-ds.yml, used with the Docker runtime. The sensor reads the Docker socket and /var/lib/docker read-only and runs with allowPrivilegeEscalation set to false; pods/exec create is granted only in the qualys namespace.
kind: List
apiVersion: v1
items:
# Service Account
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: qualys-service-account
    namespace: qualys
# Role for read/write/delete permission to qualys namespace
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-role
    namespace: qualys
  rules:
  - apiGroups: ["", "batch"]
    resources: ["pods", "jobs"]
    verbs: ["get", "list", "watch", "create", "delete", "deletecollection"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/attach", "pods/exec"]
    verbs: ["create"]
# ClusterRole for read permission to whole cluster
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-role
  rules:
  - apiGroups: [""]
    resources: ["nodes", "pods/status", "replicationcontrollers/status", "nodes/status", "namespaces"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
    verbs: ["get"]
  - apiGroups: ["batch"]
    resources: ["jobs/status", "cronjobs/status"]
    verbs: ["get"]
# RoleBinding to assign permissions in qualys-reader-role to qualys-service-account
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-role-rb
    namespace: qualys
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: Role
    name: qualys-reader-role
    apiGroup: rbac.authorization.k8s.io
# ClusterRoleBinding to assign permissions in qualys-cluster-reader-role to qualys-service-account
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-rb
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: ClusterRole
    name: qualys-cluster-reader-role
    apiGroup: rbac.authorization.k8s.io
#- kind: PriorityClass
#  apiVersion: scheduling.k8s.io/v1
#  metadata:
#    name: qualys-priority-class
#  value: 0
#  preemptionPolicy: PreemptLowerPriority
#  description: Priority class for daemonset
# Qualys Container Sensor pod
- apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: qualys-container-sensor
    namespace: qualys
    labels:
      k8s-app: qualys-cs-sensor
  spec:
    selector:
      matchLabels:
        name: qualys-container-sensor
    updateStrategy:
      type: RollingUpdate
    template:
      metadata:
        labels:
          name: qualys-container-sensor
      spec:
        # uncomment the toleration below to let the daemonset schedule on master nodes too;
        # without it the sensor pod stays off nodes carrying the node-role.kubernetes.io/master
        # NoSchedule taint (on Kubernetes 1.24+ the taint is node-role.kubernetes.io/control-plane)
        #tolerations:
        #- key: node-role.kubernetes.io/master
        #  effect: NoSchedule
        serviceAccountName: qualys-service-account
        #priorityClassName: qualys-priority-class
        containers:
        - name: qualys-container-sensor
          image: qualys/qcs-sensor:latest
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "0.5" # Default CPU usage limit on each node for sensor.
            requests:
              cpu: "0.1"
          args: ["--k8s-mode", "--optimize-image-scans", "--storage-driver-type", "overlay2"] # optimize-image-scans is applicable only for general sensor
          env:
          - name: CUSTOMERID
            value: __customerId
          - name: ACTIVATIONID
            value: __activationId
          - name: POD_URL
            value: https://cmsqagpublic.qg1.apps.qualys.ca/ContainerSensor # set to the Container Sensor URL of the Qualys platform your subscription is on
          - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
            value: "10"
          # uncomment (and indent properly) the section below if using the Docker HTTP socket with TLS
          #- name: DOCKER_TLS_VERIFY
          #  value: "1"
          # uncomment (and indent properly) the section below if a proxy is required to connect to Qualys Cloud
          #- name: qualys_https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          # uncomment (and indent properly) the section below for a registry sensor version 1.21.0 or later used for a public registry; the proxy value needs to be set with the name https_proxy
          #- name: https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          - name: QUALYS_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: QUALYS_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: QUALYS_SENSOR_HOST_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          volumeMounts:
          - mountPath: /var/run/docker.sock
            name: socket-volume
            readOnly: true
          - mountPath: /usr/local/qualys/qpa/data
            name: persistent-volume
          - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
            name: agent-volume
          - mountPath: /var/lib/docker
            name: docker-root-dir
            readOnly: true
          # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
          #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
          #  name: proxy-cert-path
          # uncomment (and indent properly) the section below if using the Docker HTTP socket with TLS
          #- mountPath: /root/.docker
          #  name: tls-cert-path
          securityContext:
            allowPrivilegeEscalation: false
        volumes:
        - name: socket-volume
          hostPath:
            path: /var/run/docker.sock
            type: Socket
        - name: docker-root-dir
          hostPath:
            path: /var/lib/docker # if the root directory of docker is different, update this to the actual docker root directory path
        - name: persistent-volume
          hostPath:
            path: /usr/local/qualys/sensor/data
            type: DirectoryOrCreate
        - name: agent-volume
          hostPath:
            path: /etc/qualys
            type: DirectoryOrCreate
        # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
        #- name: proxy-cert-path
        #  hostPath:
        #    path: <proxy certificate path>
        #    type: File
        # uncomment (and indent properly) the section below if using the Docker HTTP socket with TLS
        #- name: tls-cert-path
        #  hostPath:
        #    path: <Path of directory of client certificates>
        #    type: Directory
        hostNetwork: true
CRI-O OpenShift DS YML (cssensor-openshift-crio-ds.yml)
The following is the latest content of cssensor-openshift-crio-ds.yml, used with the CRI-O runtime on OpenShift. It is the CRI-O manifest plus a SecurityContextConstraints object that lets the qualys-service-account run a privileged container with hostPath volumes and hostNetwork, while keeping hostPID, hostIPC and host ports disallowed.
kind: List
apiVersion: v1
items:
# Service Account
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: qualys-service-account
    namespace: qualys
# Role for all permission to qualys namespace
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-role
    namespace: qualys
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "deletecollection"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "create", "delete", "deletecollection"]
  - apiGroups: [""]
    resources: ["pods/attach"]
    verbs: ["create"]
# ClusterRole for read permission to whole cluster (plus pods/exec create)
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-role
  rules:
  - apiGroups: [""]
    resources: ["nodes", "pods/status", "replicationcontrollers/status", "nodes/status", "namespaces"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: ["apps"]
    resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
    verbs: ["get"]
  - apiGroups: ["batch"]
    resources: ["jobs/status", "cronjobs/status"]
    verbs: ["get"]
# RoleBinding to assign permissions in qualys-reader-role to qualys-service-account
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-rb
    namespace: qualys
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: Role
    name: qualys-reader-role
    apiGroup: rbac.authorization.k8s.io
# ClusterRoleBinding to assign permissions in qualys-cluster-reader-role to qualys-service-account
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-rb
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: ClusterRole
    name: qualys-cluster-reader-role
    apiGroup: rbac.authorization.k8s.io
# SecurityContextConstraints allowing the sensor's privileged, hostPath, hostNetwork pod on OpenShift
- kind: SecurityContextConstraints
  apiVersion: security.openshift.io/v1
  metadata:
    name: scc-qualys-sensor
  allowHostDirVolumePlugin: true
  allowHostNetwork: true
  allowHostIPC: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegedContainer: true
  readOnlyRootFilesystem: false
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: RunAsAny
  users:
  - system:serviceaccount:qualys:qualys-service-account
#- kind: PriorityClass
#  apiVersion: scheduling.k8s.io/v1
#  metadata:
#    name: qualys-priority-class
#  value: 0
#  preemptionPolicy: PreemptLowerPriority
#  description: Priority class for daemonset
# Qualys Container Sensor pod
- apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: qualys-container-sensor
    namespace: qualys
    labels:
      k8s-app: qualys-cs-sensor
  spec:
    selector:
      matchLabels:
        name: qualys-container-sensor
    updateStrategy:
      type: RollingUpdate
    template:
      metadata:
        labels:
          name: qualys-container-sensor
      spec:
        # uncomment the toleration below to let the daemonset schedule on master nodes too;
        # without it the sensor pod stays off nodes carrying the node-role.kubernetes.io/master
        # NoSchedule taint (on Kubernetes 1.24+ the taint is node-role.kubernetes.io/control-plane)
        #tolerations:
        #- key: node-role.kubernetes.io/master
        #  effect: NoSchedule
        serviceAccountName: qualys-service-account
        #priorityClassName: qualys-priority-class
        containers:
        - name: qualys-container-sensor
          image: qualys/qcs-sensor:latest
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "0.5" # Default CPU usage limit on each node for sensor.
            requests:
              cpu: "0.1"
          args: ["--k8s-mode", "--container-runtime", "cri-o", "--optimize-image-scans"] # optimize-image-scans is applicable only for general sensor
          env:
          - name: CUSTOMERID
            value: __customerId
          - name: ACTIVATIONID
            value: __activationId
          - name: POD_URL
            value: https://cmsqagpublic.qg1.apps.qualys.ca/ContainerSensor # set to the Container Sensor URL of the Qualys platform your subscription is on
          - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
            value: "10"
          # uncomment (and indent properly) the section below if a proxy is required to connect to Qualys Cloud
          #- name: qualys_https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          # uncomment (and indent properly) the section below for a registry sensor version 1.21.0 or later used for a public registry; the proxy value needs to be set with the name https_proxy
          #- name: https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          - name: QUALYS_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: QUALYS_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: QUALYS_SENSOR_HOST_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          volumeMounts:
          - mountPath: /var/run/crio/crio.sock
            name: socket-volume
            readOnly: true
          - mountPath: /usr/local/qualys/qpa/data
            name: persistent-volume
          - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
            name: agent-volume
          - mountPath: /var/lib/containers/storage
            name: container-storage
          - mountPath: /etc/containers/storage.conf
            name: storage-config-volume
            readOnly: true
          # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
          #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
          #  name: proxy-cert-path
          securityContext:
            privileged: true
        volumes:
        - name: socket-volume
          hostPath:
            path: /var/run/crio/crio.sock
            type: Socket
        - name: persistent-volume
          hostPath:
            path: /usr/local/qualys/sensor/data
            type: DirectoryOrCreate
        - name: agent-volume
          hostPath:
            path: /etc/qualys
            type: DirectoryOrCreate
        - name: container-storage
          hostPath:
            path: /var/lib/containers/storage
        - name: storage-config-volume
          hostPath:
            path: /etc/containers/storage.conf
            type: File
        # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
        #- name: proxy-cert-path
        #  hostPath:
        #    path: <proxy certificate path>
        #    type: File
        hostNetwork: true
Openshift DS YML (cssensor-openshift-ds.yml)
The following is the latest content of cssensor-openshift-ds.yml, used with the Docker runtime on OpenShift. Compared with cssensor-ds.yml, the sensor container runs privileged, the pod enables hostPID as well as hostNetwork, /var/lib/docker is not mounted, and a SecurityContextConstraints object permits those settings for qualys-service-account.
kind: List
apiVersion: v1
items:
# Service Account
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: qualys-service-account
    namespace: qualys
# Role for read/write/delete permission to qualys namespace
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-role
    namespace: qualys
  rules:
  - apiGroups: ["", "batch"]
    resources: ["pods", "jobs"]
    verbs: ["get", "list", "watch", "create", "delete", "deletecollection"]
  - apiGroups: [""]
    resources: ["pods/status"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/attach", "pods/exec"]
    verbs: ["create"]
# ClusterRole for read permission to whole cluster
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-role
  rules:
  - apiGroups: [""]
    resources: ["nodes", "pods/status", "replicationcontrollers/status", "nodes/status", "namespaces"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
    verbs: ["get"]
  - apiGroups: ["batch"]
    resources: ["jobs/status", "cronjobs/status"]
    verbs: ["get"]
# RoleBinding to assign permissions in qualys-reader-role to qualys-service-account
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-reader-role-rb
    namespace: qualys
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: Role
    name: qualys-reader-role
    apiGroup: rbac.authorization.k8s.io
# ClusterRoleBinding to assign permissions in qualys-cluster-reader-role to qualys-service-account
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: qualys-cluster-reader-rb
  subjects:
  - kind: ServiceAccount
    name: qualys-service-account
    namespace: qualys
  roleRef:
    kind: ClusterRole
    name: qualys-cluster-reader-role
    apiGroup: rbac.authorization.k8s.io
# SecurityContextConstraints allowing the sensor's privileged, hostPath, hostNetwork, hostPID pod on OpenShift
- kind: SecurityContextConstraints
  apiVersion: security.openshift.io/v1
  metadata:
    name: scc-qualys-sensor
  allowHostDirVolumePlugin: true
  allowHostNetwork: true
  allowHostPID: true
  allowPrivilegedContainer: true
  readOnlyRootFilesystem: false
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: RunAsAny
  users:
  - system:serviceaccount:qualys:qualys-service-account
#- kind: PriorityClass
#  apiVersion: scheduling.k8s.io/v1
#  metadata:
#    name: qualys-priority-class
#  value: 0
#  preemptionPolicy: PreemptLowerPriority
#  description: Priority class for daemonset
# Qualys Container Sensor pod
- apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: qualys-container-sensor
    namespace: qualys
    labels:
      k8s-app: qualys-cs-sensor
  spec:
    selector:
      matchLabels:
        name: qualys-container-sensor
    updateStrategy:
      type: RollingUpdate
    template:
      metadata:
        labels:
          name: qualys-container-sensor
      spec:
        # uncomment the toleration below to let the daemonset schedule on master nodes too;
        # without it the sensor pod stays off nodes carrying the node-role.kubernetes.io/master
        # NoSchedule taint (on Kubernetes 1.24+ the taint is node-role.kubernetes.io/control-plane)
        #tolerations:
        #- key: node-role.kubernetes.io/master
        #  effect: NoSchedule
        serviceAccountName: qualys-service-account
        #priorityClassName: qualys-priority-class
        containers:
        - name: qualys-container-sensor
          image: qualys/qcs-sensor:latest
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "0.5" # Default CPU usage limit on each node for sensor.
            requests:
              cpu: "0.1"
          args: ["--k8s-mode", "--optimize-image-scans"] # optimize-image-scans is applicable only for general sensor
          env:
          - name: CUSTOMERID
            value: __customerId
          - name: ACTIVATIONID
            value: __activationId
          - name: POD_URL
            value: https://cmsqagpublic.qg1.apps.qualys.ca/ContainerSensor # set to the Container Sensor URL of the Qualys platform your subscription is on
          - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
            value: "10"
          # uncomment (and indent properly) the section below if using the Docker HTTP socket with TLS
          #- name: DOCKER_TLS_VERIFY
          #  value: "1"
          # uncomment (and indent properly) the section below if a proxy is required to connect to Qualys Cloud
          #- name: qualys_https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          # uncomment (and indent properly) the section below for a registry sensor version 1.21.0 or later used for a public registry; the proxy value needs to be set with the name https_proxy
          #- name: https_proxy
          #  value: <proxy FQDN or IP address>:<port#>
          - name: QUALYS_POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          - name: QUALYS_POD_NAMESPACE
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
          - name: QUALYS_SENSOR_HOST_IP
            valueFrom:
              fieldRef:
                fieldPath: status.hostIP
          volumeMounts:
          - mountPath: /var/run/docker.sock
            name: socket-volume
            readOnly: true
          - mountPath: /usr/local/qualys/qpa/data
            name: persistent-volume
          - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
            name: agent-volume
          # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
          #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
          #  name: proxy-cert-path
          # uncomment (and indent properly) the section below if using the Docker HTTP socket with TLS
          #- mountPath: /root/.docker
          #  name: tls-cert-path
          securityContext:
            privileged: true
        volumes:
        - name: socket-volume
          hostPath:
            path: /var/run/docker.sock
            type: Socket
        - name: persistent-volume
          hostPath:
            path: /usr/local/qualys/sensor/data
            type: DirectoryOrCreate
        - name: agent-volume
          hostPath:
            path: /etc/qualys
            type: DirectoryOrCreate
        # uncomment (and indent properly) the section below if a proxy (with CA cert) is required to connect to Qualys Cloud
        #- name: proxy-cert-path
        #  hostPath:
        #    path: <proxy certificate path>
        #    type: File
        # uncomment (and indent properly) the section below if using the Docker HTTP socket with TLS
        #- name: tls-cert-path
        #  hostPath:
        #    path: <Path of directory of client certificates>
        #    type: Directory
        hostNetwork: true
        hostPID: true
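What the manifests ask of the node and the cluster. Across the five files the security-relevant differences are the container securityContext (allowPrivilegeEscalation: false for containerd and Docker, privileged: true for CRI-O and both OpenShift variants), hostPID on the OpenShift Docker variant, which hostPath mounts are read-only, and whether pods/exec create is granted in the namespaced Role or in the ClusterRole. The script below is an added example, not Qualys code: it reads the JSON that kubectl returns for a DaemonSet and a ClusterRole (or a List containing both, which is what the files above become once loaded) and prints those properties as findings, so the review can be repeated against what is actually running. SAMPLE is a constructed, trimmed mirror of cssensor-crio-ds.yml; nothing else is assumed.

```python
import json
import sys

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Creating these sub-resources is command execution inside other pods.
EXEC_LIKE = {"pods/exec", "pods/attach", "pods/portforward"}


def audit_pod_spec(pod: dict) -> list:
    """Return findings about the node-level access a pod spec asks for."""
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag):
            findings.append(f"pod: {flag} enabled")
    # volume name -> host path, so each mount is judged by what it exposes
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    for c in pod.get("containers", []):
        name = c["name"]
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        elif sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        image = c.get("image", "")
        if "@sha256:" not in image:
            last = image.rsplit("/", 1)[-1]
            tag = last.split(":", 1)[1] if ":" in last else "(none)"
            findings.append(f"{name}: image {image} not pinned by digest (tag {tag})")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue
            mode = "ro" if m.get("readOnly") else "rw"
            note = ""
            if path.endswith(".sock"):
                # A read-only bind mount still lets a process connect to the
                # socket: readOnly protects the file, not the API behind it.
                note = " (readOnly does not limit API calls over the socket)"
            findings.append(f"{name}: hostPath {path} mounted {mode} at {m['mountPath']}{note}")
    return findings


def audit_rules(rules: list) -> list:
    """Flatten RBAC rules to group/resource and flag write and exec-like grants."""
    findings = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", [""]):
            for res in rule.get("resources", []):
                full = f"{group or 'core'}/{res}"
                if res in EXEC_LIKE and verbs & {"create", "*"}:
                    findings.append(f"{full}: create (exec into any pod in scope)")
                elif verbs & WRITE_VERBS:
                    findings.append(f"{full}: write verbs {sorted(verbs & WRITE_VERBS)}")
    return findings


def audit_object(obj: dict) -> list:
    """Dispatch on kind; accepts a List (as the cssensor files are) or one object."""
    kind = obj.get("kind", "")
    if kind == "List":
        return [f for item in obj.get("items", []) for f in audit_object(item)]
    if kind == "DaemonSet":
        return audit_pod_spec(obj["spec"]["template"]["spec"])
    if kind in ("ClusterRole", "Role"):
        scope = "cluster-wide" if kind == "ClusterRole" else "namespaced"
        prefix = f"{kind} {obj['metadata']['name']} ({scope}) "
        return [prefix + f for f in audit_rules(obj.get("rules", []))]
    return []


# Constructed input mirroring cssensor-crio-ds.yml in the shape kubectl -o json
# returns (metadata trimmed, read-only rules shortened).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "qualys-cluster-reader-role"},
  "rules": [
   {"apiGroups": [""], "resources": ["nodes", "pods/status", "namespaces"], "verbs": ["get"]},
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
 {"kind": "DaemonSet", "metadata": {"name": "qualys-container-sensor"},
  "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [{"name": "qualys-container-sensor",
                   "image": "qualys/qcs-sensor:latest",
                   "securityContext": {"privileged": true},
                   "volumeMounts": [
                    {"mountPath": "/var/run/crio/crio.sock", "name": "socket-volume", "readOnly": true},
                    {"mountPath": "/var/lib/containers/storage", "name": "container-storage"},
                    {"mountPath": "/usr/local/qualys/qpa/data", "name": "persistent-volume"}]}],
   "volumes": [
    {"name": "socket-volume", "hostPath": {"path": "/var/run/crio/crio.sock", "type": "Socket"}},
    {"name": "container-storage", "hostPath": {"path": "/var/lib/containers/storage"}},
    {"name": "persistent-volume", "hostPath": {"path": "/usr/local/qualys/sensor/data"}}]}}}}
]}
""")

if __name__ == "__main__":
    # usage: kubectl get -n qualys -o json daemonset/qualys-container-sensor \
    #          clusterrole/qualys-cluster-reader-role | python3 audit.py
    src = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for line in audit_object(src):
        print(line)
```

Run it against a live deployment with the kubectl command in the usage comment, and confirm the effective grants with `kubectl auth can-i --list --as=system:serviceaccount:qualys:qualys-service-account` (add `-n qualys` to see the namespaced Role as well). The socket finding is the one most often misread: a read-only mount of containerd.sock, crio.sock or docker.sock protects the socket file, not the runtime API behind it, so a process in the container that can open the socket can still drive the runtime. That, plus the ServiceAccount token mounted into every sensor pod, is why the sensor image's provenance deserves the same scrutiny as the RBAC.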