Deploy in Kubernetes using Helm Charts
Helm is the package manager for Kubernetes and Helm Charts can be used to deploy the Container Security Sensor in Kubernetes.
Before you begin:
- Ensure that you have the following application versions:
  - Kubernetes:
    - Kubernetes 1.17+
    - Helm v3.x.x
  - RedHat OpenShift:
    - OpenShift v4.0+ (The default container engine is CRI-O.)
- Know your runtime. Get the details of your container runtime by running the following command:
  kubectl get nodes -o wide
Helm Chart Support for Qualys Container Security Sensor Versions
Sensor Version | Helm Chart Version |
1.34.0 | 1.13.0 |
Install the Helm Chart
1. Download the Qualys Helm chart from the following location:
https://artifacthub.io/packages/helm/qualys-helm-chart/qcs-sensor
2. Install the Helm chart using the following command:
helm install [NAME] [CHART] [flags]
For example,
helm install qcs-sensor-demo qcs-sensor --namespace qualys --create-namespace
3. Configure the parameters for the Qualys helm chart. Specify each parameter using the '--set key=value[,key=value]' argument to 'helm install'.
For example,
helm install qcs-sensor-demo qcs-sensor --namespace qualys --set containerd.enabled=true
A command line parameter value takes precedence over the parameter value from values.yaml.
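As an added example (not from the Qualys documentation or chart), the following POSIX shell script reads the CONTAINER-RUNTIME column from the `kubectl get nodes -o wide` output mentioned above, checks that all nodes report the same runtime, and assembles the `helm install` command with the matching runtime flags; because containerd.enabled defaults to true, the other runtimes are switched off explicitly. The customer ID, activation ID and POD URL are placeholders, and the node listing is constructed sample output.

```shell
#!/bin/sh
# Added example, not part of the Qualys documentation or chart.
# Derive the chart's runtime flags from the CONTAINER-RUNTIME column of
# `kubectl get nodes -o wide`. containerd.enabled defaults to true, so the
# other two runtimes are switched off explicitly when CRI-O or docker is chosen.

# Map one CONTAINER-RUNTIME value (e.g. "cri-o://1.24.1") to --set flags.
runtime_flags() {
  case "$1" in
    containerd://*) echo "--set containerd.enabled=true --set crio.enabled=false --set docker.enabled=false" ;;
    cri-o://*)      echo "--set containerd.enabled=false --set crio.enabled=true --set docker.enabled=false" ;;
    docker://*)     echo "--set containerd.enabled=false --set crio.enabled=false --set docker.enabled=true" ;;
    *)              echo "unsupported runtime: $1" >&2; return 1 ;;
  esac
}

# Read `kubectl get nodes -o wide` text ($1) and print the runtime value,
# failing if the nodes disagree: the chart enables a single runtime cluster-wide.
cluster_runtime() {
  kinds=$(printf '%s\n' "$1" | awk 'NR>1 && NF {split($NF, a, "://"); print a[1]}' | sort -u)
  [ -n "$kinds" ] || return 1
  [ "$(printf '%s\n' "$kinds" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$1" | awk 'NR==2 {print $NF}'
}

# Assemble the install command. IDs and POD URL are placeholders to replace.
install_cmd() {
  flags=$(runtime_flags "$1") || return 1
  echo "helm install qcs-sensor-demo qcs-sensor --namespace qualys --create-namespace $flags" \
       "--set qualys.customerID=PLACEHOLDER_CUSTOMER_ID" \
       "--set qualys.activationID=PLACEHOLDER_ACTIVATION_ID" \
       "--set qualys.pod_url=PLACEHOLDER_POD_URL"
}

# Constructed sample of `kubectl get nodes -o wide` output (two containerd nodes).
SAMPLE_NODES='NAME    STATUS  ROLES          AGE  VERSION  INTERNAL-IP  EXTERNAL-IP  OS-IMAGE            KERNEL-VERSION     CONTAINER-RUNTIME
node-a  Ready   control-plane  30d  v1.26.3  10.0.0.10    <none>       Ubuntu 22.04.2 LTS  5.15.0-72-generic  containerd://1.6.20
node-b  Ready   <none>         30d  v1.26.3  10.0.0.11    <none>       Ubuntu 22.04.2 LTS  5.15.0-72-generic  containerd://1.6.20'

if rt=$(cluster_runtime "$SAMPLE_NODES"); then
  install_cmd "$rt"
else
  echo "nodes report mixed or unknown runtimes; choose one manually" >&2
fi
```

Pipe the real `kubectl get nodes -o wide` output into cluster_runtime in place of SAMPLE_NODES; a mixed-runtime cluster is reported instead of silently picking the first node.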
Configuration Parameters for the Helm Chart
The following are the configurable parameters for the Helm chart:
Parameter | Mandatory/Optional | Description | Default Value |
containerd.enabled | Enable only one runtime environment. | Set to true, if the container runtime is containerd. | true |
containerd.socketPath | Optional | The path of the mounted volume for the containerd socket. | /var/run/containerd/containerd.sock |
crio.enabled | Enable only one runtime environment. | Set to true, if the container runtime is CRI-O. | false |
crio.socketPath | Optional | The path of the mounted volume for the CRI-O socket. | /var/run/crio/crio.sock |
docker.enabled | Enable only one runtime environment. | Set to true, if the container runtime is docker. | false |
docker.socketPath | Optional | The path of the mounted volume for the docker socket. | /var/run/docker.sock |
docker.tlsVerify.enabled | Optional | Enables the TLS authentication. The value should be 0 or 1. | false |
docker.tlsVerify.tlsCertPath | Optional (Mandatory if DOCKER_TLS_VERIFY=1 is defined.) | Provide the path of the client certificate directory. | - |
docker.tlsVerify.dockerHost | Optional (Mandatory if DOCKER_TLS_VERIFY=1 is defined.) | Specify the address on which the docker daemon is configured to listen. | - |
docker.tlsVerify.dockerHostValue | Optional | Specify the loopback IPv4 address or hostname, and port <IPv4 address or hostname>:<port#>. | - |
openshift | Optional | Set to true, if deploying in OpenShift. | false |
qualys.createNamespace | Optional | Set to true, if you want to create a new custom namespace. | false |
qualys.namespace | Optional | Provide the namespace to be used. Use the same namespace in values.yaml and on command line when using the helm install command. | qualys |
qualys.customerID | Mandatory | Provide the Qualys customer id. | - |
qualys.activationID | Mandatory | Provide the Qualys activation id. | - |
qualys.pod_url | Mandatory | Provide the URL of a Qualys POD. | - |
qualys.containerLaunchTimeout | Optional | Specify the launch timeout for the scanning container in minutes. | 10 |
qualys.image | Optional | Specify the name of the Container Security sensor image in the private/dockerhub registry. | qualys/qcs-sensor:1.16.0-0 |
qualys.imagePullPolicy | Optional | Specify how to pull (download) the specified image. | IfNotPresent |
qualys.cpu | Optional | Specify the CPU usage limit in percentage for the sensor. Range: 0-100. | 0.5 (50% per core on the host) |
qualys.args.withoutPersistentStorage | Optional | Runs the sensor without using the persistent storage on the host. | false |
qualys.args.enableConsoleLogs | Optional | Prints logs on the console. | false |
qualys.args.cicdDeployedSensor | Optional | Runs the sensor in a CI/CD environment. | false |
qualys.args.registrySensor | Optional | Runs the sensor to list and scan the registry assets. | false |
qualys.args.concurrentScan | Optional | Specify the number of docker/registry asset scans to run in parallel. Range: 1-20. | 4 |
qualys.args.disableLog4jScanning | Optional | Disables the log4j vulnerability scanning for container images. | false |
qualys.args.disableLog4jStaticDetection | Optional | Disables the log4j static detection for dynamic/static image scans. | false |
qualys.args.logFilePurgeCount | Optional | The maximum number of sensor log files to archive. | 5 |
qualys.args.logFileSize | Optional | The maximum size for a sensor log file in bytes. You can specify "<digit><K/M/>", where K is kilobytes and M is megabytes. | 10M |
qualys.args.logLevel | Optional | Sets the logging level for the sensor. It determines the type of sensor data you want to log. Specify a value from 0 to 5. 0= Error, 1= Warning, 3= Information, 4= Verbose, 5= Trace | 3 (Information) |
qualys.args.maskEnvVariable | Optional | Masks the environment variables for images and containers. | false |
qualys.args.optimizeImageScans | Optional | Optimizes the image scans for the General sensor. It is available for the General sensor type only. | false |
qualys.args.disableImageScan | Optional | Disables the image scans for the General sensor. | false |
qualys.args.disableContainerScan | Optional | Disables the container scans for the General sensor. | false |
qualys.readOnly | Optional | Runs the sensor in read-only mode. | - |
qualys.tolerations.enabled | Optional | Allows the DaemonSet to run on master nodes. | false |
qualys.tolerations.toleration.key | Optional | Specify the toleration key. | - |
qualys.tolerations.toleration.operator | Optional | Specify the toleration operator. | - |
qualys.tolerations.toleration.value | Optional | Specify the toleration value. | - |
qualys.tolerations.toleration.effect | Optional | Specify the toleration effect. | - |
qualys.proxy.enabled | Optional | Set to true, if a proxy is required to connect to the Qualys cloud. | false |
qualys.proxy.proxyvalue | Optional | Specify the IPv4/IPv6 address or FQDN of the proxy server. | - |
qualys.proxy.proxycertpath | Optional | Specify the path of the proxy certificate file. proxycertpath is applicable only if the proxy has a valid certificate file. | - |
qualys.sensorContResources.enabled | Optional | Set to true to specify the memory resources for the sensor container. | false |
qualys.sensorContResources.memoryLimit | Optional | Specify the memory usage limit for the sensor container. | - |
qualys.sensorContResources.memoryRequest | Optional | Specify the memory usage request for the sensor container. | - |
qualys.scanningContResources.cpuLimit | Optional | Specify the CPU usage limit for the scanning container. | 200m |
qualys.scanningContResources.cpuRequest | Optional | Specify the CPU usage request for the scanning container. | 100m |
qualys.scanningContResources.memoryRequest | Optional | Specify the memory usage request for the scanning container. | - |
qualys.args.tagSensorProfile | Optional | Specify the tag value for the sensor. | - |
qualys.persistentvolhostpath | Optional | Specify the directory where the sensor will store the files. | /usr/local/qualys/sensor/data |
qualys.persistentVolumeClaim.enabled | Optional | Set to true to request storage of a specific size from the persistent volume. | false |
qualys.persistentVolumeClaim.storageClassName | Mandatory if `qualys.persistentVolumeClaim.enabled` is `true`. | Specify the storage class name used by Kubernetes PersistentVolume. | - |
qualys.persistentVolumeClaim.storage | Mandatory if `qualys.persistentVolumeClaim.enabled` is `true`. | Specify the storage size required. For example, 1Gi for the general/cicd sensor and 10Gi for the registry sensor. | - |
qualys.priorityClass.enabled | Optional | Set to true, if you want to use the priority and preemption on PODs. | false |
qualys.priorityClass.priorityClassName | Optional | Specify the priority class name used in DaemonSet. | - |
qualys.priorityClass.priorityClassValue | Optional | Specify the value that determines the priority. For example, "1000000". Enter an integer less than or equal to 1 billion (1000000000). The higher the value, the higher the priority. Values are relative to the values of other priority classes in the cluster. Reserve very high numbers for system critical pods that you don't want to be preempted (removed). | - |
qualys.priorityClass.preemptionPolicy | Optional | Specify the preemption policy for a POD. | - |
qualys.priorityClass.globalDefault | Optional | Indicates that the value of this PriorityClass should be used for PODs without a priorityClassName. | - |
Namespace Usage
- To create a new custom namespace, use the following command:
helm install qcs-sensor-demo qcs-sensor --set qualys.createNamespace=true --set qualys.namespace=namespace_name -n namespace_name --create-namespace
- To use an existing namespace, use the following command:
helm install qcs-sensor-demo qcs-sensor --set qualys.namespace=existing_namespace_name -n existing_namespace_name
- To use the default (Qualys) namespace, use the following command:
helm install qcs-sensor-demo qcs-sensor -n qualys
Upgrade the Helm Chart
Use the following command to upgrade the chart:
helm upgrade [RELEASE] [CHART] [flags]
where [RELEASE] is the release name and [CHART] is the chart path.
For example,
helm upgrade qcs-sensor-demo qcs-sensor --namespace qualys
Uninstall the Helm Chart
Use the following command to uninstall the chart:
helm uninstall RELEASE_NAME [...] [flags]
For example,
helm uninstall qcs-sensor-demo --namespace qualys