Deploy in Kubernetes - OpenShift
This section assumes you have already obtained the sensor image (see Obtain the Container Sensor Image).
Integrate the Container Sensor into the DaemonSet like other application containers to ensure that there is always a Sensor deployed on the Docker host. Perform the following steps to create a DaemonSet for the Qualys sensor in OpenShift.
Ensure that the Container Sensor has read and write access to the persistent storage and the docker daemon socket.
Download the QualysContainerSensor.tar.xz file from Qualys Cloud Portal on OpenShift master.
Untar the sensor package:
sudo tar -xvf QualysContainerSensor.tar.xz
Use the following commands to push the Qualys sensor image to a repository common to all nodes in the OpenShift cluster:
sudo docker load -i qualys-sensor.tar
sudo docker tag <IMAGE NAME/ID> <URL to push image to the repository>
sudo docker push <URL to push image to the repository>
For example:
sudo docker load -i qualys-sensor.tar
sudo docker tag c3fa63a818df mycloudregistry.com/container-sensor:qualys-sensor-xxx
sudo docker push mycloudregistry.com/container-sensor:qualys-sensor-xxx
Do not use the examples as is. Replace the registry/image path with your own.
Modify the cssensor-openshift-ds.yml file
Modify the cssensor-openshift-ds.yml file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters.
You can also download the yml file directly from https://github.com/Qualys/cs_sensor.
In order for the yml file to work properly, ensure that you do not remove or comment out the sections mentioned below.
serviceAccountName: qualysuser
Ensure that the serviceAccountName is provided in the pod declaration.
containers:
  - name: qualys-container-sensor
    image: <CS Sensor image name in the docker hub/private registry>
    securityContext:
      privileged: true
    args: ["--k8s-mode"]
If you want to deploy the sensor for CI/CD environment, provide the args value as:
args: ["--k8s-mode","--cicd-deployed-sensor","--log-level","5","--log-filesize","5M","--log-filepurgecount","4"]
If you want to deploy a Registry Sensor, provide the args value as:
args: ["--k8s-mode","--registry-sensor","--log-level","5","--log-filesize","5M","--log-filepurgecount","4"]
The values for "--log-level", "--log-filesize" and "--log-filepurgecount" in the args above are only samples. Specify appropriate values for your needs.
If you want to print logs on the console, provide "--enable-console-logs" as an additional value in args.
To restrict the CPU usage to a certain value (optional), specify the following under resources:
resources:
  limits:
    cpu: "0.5" # Default CPU usage limit (50% of one core on the host).
For example, for limiting the cpu usage to 5%, set resources:limits:cpu: "0.05". This limits the cpu usage to 5% of one core on the host.
If there are multiple processors on a node, setting the resources:limits:cpu value applies the CPU limit to one core only.
For example, if you have 4 CPUs on the system and you want to set CPU limit as 20% of overall CPU capacity, then the CPU limit should be set to 0.8 i.e., 80% of one core only which becomes 20% of total CPU capacity.
To disable any CPU usage limit, set resources:limits:cpu value to 0.
Under env specify the following:
Activation ID (Required)
- name: ACTIVATIONID
  value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Customer ID (Required)
- name: CUSTOMERID
  value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Specify proxy information, or remove if not required:
- name: qualys_https_proxy
  value: proxy.localnet.com:3128
Uncomment and indent properly the proxy information, or keep it as is if not required:
- For the communication between the sensor and the backend (Container Management Service):
  #- name: qualys_https_proxy
  #  value: <proxy FQDN or IP address>:<port#>
- For a registry sensor version 1.21.0 or later used for a public registry:
  #- name: https_proxy
  #  value: <proxy FQDN or IP address>:<port#>
With each scan, we check the node status to see if the node is schedulable or not, and launch the scan only if the node is schedulable. If the node status indicates that the node is unschedulable, then we retry the scan after a default interval of 15 minutes. You can increase or decrease the time the sensor waits before retrying the scan by specifying a different scan retry interval in minutes:
- name: UNSCHEDULABLE_NODE_SCAN_RETRY_INTERVAL
  value: "30"
Under volumes specify the proxy cert path, or remove if not required:
- name: proxy-cert-path
  hostPath:
    path: /root/cert/proxy-certificate.crt
Activation ID and Customer ID are required. Use the Activation ID and Customer ID from your subscription.
If you are using a proxy, ensure that all OpenShift nodes have a valid certificate file for the sensor to communicate with the Container Management Server.
If you are not using a proxy and you have removed the above mentioned parts, you can remove the following part from volumeMounts as well:
- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
  name: proxy-cert-path
Once you have modified the cssensor-openshift-ds.yml file, run the following command on OpenShift master to create a DaemonSet:
oc create -f cssensor-openshift-ds.yml
If you need to uninstall Qualys Container Sensor, run the following command on OpenShift master:
oc delete ds qualys-container-sensor -n kube-system
Launch Sensor without Persistent Storage
You can run the sensor without using persistent storage on the host. In this case data is not stored on the host but inside the Sensor container, in the /usr/local/qualys/qpa/data folder.
To launch sensor without persistent storage, modify the cssensor-openshift-ds.yml file and provide "--sensor-without-persistent-storage" as an additional value in args.
args: ["--k8s-mode","--sensor-without-persistent-storage"]
It is recommended to use the "--enable-console-logs" option along with "--sensor-without-persistent-storage" to preserve the logs.
Under volumeMounts remove/comment the persistent-volume section:
volumeMounts:
  - mountPath: /usr/local/qualys/qpa/data
    name: persistent-volume
Under volumes remove/comment the persistent-volume section:
volumes:
  - name: persistent-volume
    hostPath:
      path: /usr/local/qualys/sensor/data
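The following script is an added example, not Qualys tooling, for checking an edited cssensor-openshift-ds.yml before running oc create. It covers the points made above: the CPU limit arithmetic (fraction of one core versus share of the whole node), the Activation ID and Customer ID placeholders, the rule that the proxy-cert-path volume and volumeMount are kept or removed together, and the rule that the persistent-volume mount and volume are removed when "--sensor-without-persistent-storage" is used. It assumes the key names shown on this page and matches lines rather than parsing YAML; the sample manifest and its IDs are constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check for an edited cssensor-openshift-ds.yml. This is not Qualys tooling;
# it assumes the key names shown on this page (serviceAccountName, ACTIVATIONID, CUSTOMERID,
# proxy-cert-path, persistent-volume) and uses line matching, not a full YAML parser.

# Turn a desired share of the node's total CPU into the resources:limits:cpu value.
# Usage: cpu_limit_for_percent <percent of total CPU> <cores on the node>
# 20% of a 4-core node -> 0.8 (80% of one core); 5% of a 1-core node -> 0.05
cpu_limit_for_percent() {
    awk -v pct="$1" -v cores="$2" 'BEGIN { printf "%g\n", pct / 100 * cores }'
}

# Print the value that follows "- name: <key>" in the env list, ignoring commented lines.
value_of_env() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        found && /value:/ { sub(/.*value:[ \t]*/, ""); print; exit }
        $0 ~ ("name: " k "$") { found = 1 }' "$2"
}

# Count uncommented lines of the manifest that mention a given string.
count_active() {
    grep -v '^[ \t]*#' "$2" | grep -c "$1" || true
}

# Return 0 when the manifest passes every check, 1 otherwise; reasons go to stderr.
check_sensor_manifest() {
    f="$1"; rc=0
    # Required IDs must be real values, not the XXXXXXXX-... placeholders from the template.
    for key in ACTIVATIONID CUSTOMERID; do
        case "$(value_of_env "$key" "$f")" in
            "")         echo "$key: env entry missing" >&2; rc=1 ;;
            XXXXXXXX-*) echo "$key: still the template placeholder" >&2; rc=1 ;;
        esac
    done
    # The pod must use the qualysuser service account and run privileged.
    grep -q 'serviceAccountName: qualysuser' "$f" || { echo "serviceAccountName: qualysuser not set" >&2; rc=1; }
    grep -q 'privileged: true' "$f" || { echo "securityContext.privileged is not true" >&2; rc=1; }
    # Proxy CA: the volumeMounts entry and the volumes entry are kept or removed together,
    # so an active manifest references proxy-cert-path either 0 or 2 times.
    proxy=$(count_active 'proxy-cert-path' "$f")
    [ "$proxy" -eq 0 ] || [ "$proxy" -eq 2 ] || { echo "proxy-cert-path: mount and volume must both be present or both removed (found $proxy)" >&2; rc=1; }
    # Persistent storage: with --sensor-without-persistent-storage the persistent-volume
    # mount and volume must be gone; without the flag both (2 references) must remain.
    args=$(grep -v '^[ \t]*#' "$f" | grep 'args:' || true)
    pv=$(count_active 'name: persistent-volume' "$f")
    case "$args" in
        *--sensor-without-persistent-storage*)
            [ "$pv" -eq 0 ] || { echo "persistent-volume still referenced ($pv) although persistent storage is disabled" >&2; rc=1; }
            case "$args" in *--enable-console-logs*) ;; *) echo "note: --enable-console-logs is recommended when running without persistent storage" >&2 ;; esac ;;
        *)
            [ "$pv" -eq 2 ] || { echo "persistent-volume mount and volume expected (found $pv)" >&2; rc=1; } ;;
    esac
    return "$rc"
}

# Constructed sample manifest, trimmed to the fields the check reads; the IDs are fake.
GOOD_MANIFEST=$(mktemp); BAD_MANIFEST=$(mktemp)
trap 'rm -f "$GOOD_MANIFEST" "$BAD_MANIFEST"' EXIT
cat > "$GOOD_MANIFEST" <<'EOF'
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: qualys-container-sensor
  namespace: kube-system
spec:
  template:
    spec:
      serviceAccountName: qualysuser
      containers:
      - name: qualys-container-sensor
        image: mycloudregistry.com/container-sensor:qualys-sensor-xxx
        securityContext:
          privileged: true
        args: ["--k8s-mode","--sensor-without-persistent-storage","--enable-console-logs"]
        resources:
          limits:
            cpu: "0.8"
        env:
        - name: ACTIVATIONID
          value: 11111111-2222-3333-4444-555555555555
        - name: CUSTOMERID
          value: 66666666-7777-8888-9999-000000000000
        volumeMounts:
        - mountPath: /etc/qualys/qpa/cert/custom-ca.crt
          name: proxy-cert-path
      volumes:
      - name: proxy-cert-path
        hostPath:
          path: /root/cert/proxy-certificate.crt
EOF
# Second copy with two typical mistakes: the placeholder Activation ID was left in, and
# the proxy volume was removed while its volumeMount was kept.
sed -e 's/11111111-2222-3333-4444-555555555555/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/' \
    -e '/- name: proxy-cert-path/d' "$GOOD_MANIFEST" > "$BAD_MANIFEST"

echo "cpu limit for 20% of a 4-core node: $(cpu_limit_for_percent 20 4)"
if check_sensor_manifest "$GOOD_MANIFEST"; then echo "good manifest: OK"; fi
if check_sensor_manifest "$BAD_MANIFEST"; then echo "bad manifest: unexpectedly OK"; else echo "bad manifest: rejected"; fi
```

Run it on the real file with check_sensor_manifest /path/to/cssensor-openshift-ds.yml; a non-zero exit with the reasons on stderr means the file should be corrected before oc create -f is run on the master.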