Deploy in Kubernetes with RKE1 - Docker Runtime

This section explains how to deploy the Qualys Container Sensor in a Kubernetes cluster built with Rancher Kubernetes Engine 1 (RKE1) on the Docker runtime. It assumes you have already obtained the sensor image (see Obtain the Container Sensor Image).

Modify the cssensor-ds.yml file

Modify the cssensor-ds.yml file (extracted from QualysContainerSensor.tar.xz) to provide values for the parameters below. For the yml file to work properly, do not remove or comment out the sections mentioned below other than where this page says you may. You can also download the yml file directly from https://github.com/Qualys/cs_sensor

Ensure all Kubernetes nodes have the latest Qualys sensor image from the URL provided.

containers:
- name: qualys-container-sensor
  image: <CS Sensor image name in the docker hub/private registry>
  args: ["--k8s-mode"]

 

If you want to deploy the sensor for CI/CD environment, provide the args value as:

args: ["--k8s-mode","--cicd-deployed-sensor"]

 

If you want to deploy a Registry Sensor, provide the args value as:

args: ["--k8s-mode","--registry-sensor"]

 

If you want to disable image scans for General Sensor, add the "--disableImageScan" parameter to args.

args: ["--k8s-mode", "--disableImageScan"]

 

If you want to disable container scans, add the "--disableContainerScan" parameter to args.

args: ["--k8s-mode", "--disableContainerScan"] 

 

If you want to disable the SBOM generation or the Asset Tracking Activity feature, add a "--disable-features" parameter to args for each feature:
args: ["--k8s-mode", "--disable-features=SBOM", "--disable-features=sensor-asset-tracking"]

 

If you want the sensor to send messages to the Qualys Enterprise TruRisk™ Platform after queuing X messages, add "--qlys-asset-tracking-flush-threshold-count" to args, where X must be between 5 and 50.
args: ["--k8s-mode", "--qlys-asset-tracking-flush-threshold-count=20"]

 

If you want the sensor to send messages to the Qualys Enterprise TruRisk™ Platform every X seconds, add "--qlys-asset-tracking-flush-duration-in-seconds" to args, where X is a time in seconds between 10 and 3600.
args: ["--k8s-mode", "--qlys-asset-tracking-flush-duration-in-seconds=60"]

 

If you want to disable log4j vulnerability scanning on your container images, add the "--disable-log4j-scanning" parameter to args.
args: ["--k8s-mode", "--disable-log4j-scanning"]

 

If you want to disable log4j static detection for dynamic/static image scans, add the "--disable-log4j-static-detection" parameter to args.
args: ["--k8s-mode", "--disable-log4j-static-detection"]

 

If you want to optimize Image scans for General Sensor, add the "--optimize-image-scans" parameter to args.
args: ["--k8s-mode", "--optimize-image-scans"]

During an optimized scan using a General Sensor, if you want the sensor to include cluster metadata in the container scan changelist-db, add the "--populate-k8smetadata" parameter to args:
args: ["--k8s-mode", "--optimize-image-scans", "--storage-driver-type", "overlay2", "--log-level", "5", "--perform-sca-scan", "--populate-k8smetadata"]

 

If you have the SCA scanning feature, then you can enable SCA scanning for container images by adding the "--perform-sca-scan" parameter to args.
args: ["--k8s-mode", "--perform-sca-scan"]

 

By default, SCA scans run in online mode. You can disable Internet access for the SCA scan and run it in offline mode. Note: we recommend running the SCA scan in online mode. The quality of software package enumeration for Java degrades substantially when the SCA scan runs offline, because the remote Maven repository may need to be consulted for accurate package detection. This can affect the accuracy of the image's vulnerability posture.
args: ["--k8s-mode", "--perform-sca-scan", "--disallow-internet-access-for-sca"]

 

The default SCA scan command timeout is 5 minutes (300 seconds). You can overwrite the default timeout with a new value specified in seconds. For example, you may need to increase the SCA scan timeout when scanning large container images to ensure the SCA scan has time to finish.

Note: The "--sca-scan-timeout-in-seconds" parameter also applies to secret and malware detection.

args: ["--k8s-mode", "--perform-sca-scan", "--sca-scan-timeout-in-seconds=600"]

 

If you want to enable secret detection for container images, add the "--perform-secret-detection" parameter to args:

args: ["--k8s-mode", "--perform-secret-detection"]

 

If you want to enable malware detection for container images, add the "--perform-malware-detection" parameter to args:

args: ["--k8s-mode", "--registry-sensor", "--perform-malware-detection"]

 

If you want to assign tags to a sensor or sensor profile, add the "--tag-sensor-profile" parameter to args:
args: ["--k8s-mode", "--tag-sensor-profile"]

For more information, refer to Important Points Related to Sensor Tagging.

 

If you want to print logs on the console, provide "--enable-console-logs" as an additional value in args.

If you want to change the log level, provide "--log-level", "<a number between 0 and 5>" as an additional value in args. For example, to log at trace level provide:
args: ["--k8s-mode", "--log-level", "5"]

If you want to disable the default log generation in the qpa.log file, provide "--qlys-disable-default-logging-to-file" as an additional value in args:
args: ["--k8s-mode","--enable-console-logs","--qlys-disable-default-logging-to-file"]

 

To restrict the CPU usage to a certain value, change the following (optional). Under resources specify:

resources:
  limits:
    cpu: "0.5" # Default CPU usage limit (50% of one core on the host).

 

For example, to limit the CPU usage to 5%, set resources:limits:cpu: "0.05". This limits the CPU usage to 5% of one core on the host. The value is always expressed in cores, not as a share of the whole node: if a node has multiple processors, the resources:limits:cpu value is still measured against one core.

For example, if you have 4 CPUs on the node and want a CPU limit of 20% of overall CPU capacity, set the CPU limit to 0.8, i.e. 80% of one core, which is 20% of total CPU capacity.

To disable any CPU usage limit, set the resources:limits:cpu value to 0.

Optionally, if you want to specify the memory resources for the Container Sensor, you can specify them under resources. Recommended values for the Container Sensor's memory requests and memory limits are:

resources:
  limits:
    cpu: "0.5" # Default CPU usage limit on each node for sensor
    memory: "500Mi"
  requests:
    memory: "300Mi"

 

When either of the memory resource values (limits or requests) is specified for the Container Sensor and "--use-kubectl" is supplied in args, both memory requests and memory limits are automatically applied to the image scanning containers. The default values are 200Mi and 700Mi, respectively.

Additionally, you can overwrite one or both values by specifying the following variables under env. In this example, the values were changed to 300Mi and 800Mi.

- name: QUALYS_SCANNING_CONTAINER_MEMORYREQUESTMB
  value: "300Mi"
- name: QUALYS_SCANNING_CONTAINER_MEMORYLIMITMB
  value: "800Mi"

 

To change the default CPU limit and request for image scanning pods, specify the following variables under env. The default value for QUALYS_SCANNING_CONTAINER_CPULIMIT is "200m" and for QUALYS_SCANNING_CONTAINER_CPUREQUEST is "100m"; in this example they were changed to 300m and 150m.

- name: QUALYS_SCANNING_CONTAINER_CPULIMIT
  value: "300m"
- name: QUALYS_SCANNING_CONTAINER_CPUREQUEST
  value: "150m"

 

Under env specify the following:

Activation ID (Required)

- name: ACTIVATIONID
  value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Customer ID (Required)

- name: CUSTOMERID
  value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Specify proxy information, or remove if not required:

- name: qualys_https_proxy
  value: proxy.localnet.com:3128

With each scan, the sensor checks the node status to see whether the node is schedulable, and launches the scan only if it is. If the node status indicates that the node is unschedulable, the sensor retries the scan after a default interval of 15 minutes. You can increase or decrease the time the sensor waits before retrying by specifying a different scan retry interval in minutes:

- name: UNSCHEDULABLE_NODE_SCAN_RETRY_INTERVAL
  value: "30"

 

Under volumes specify the proxy cert path, or remove if not required:

- name: proxy-cert-path
  hostPath:
    path: /root/cert/proxy-certificate.crt
    type: File

 

Activation ID and Customer ID are required. Use the Activation ID and Customer ID from your subscription.

If you are using a proxy, ensure that every Kubernetes node has a valid proxy CA certificate file at the hostPath given above, so the sensor can communicate with the Container Management Server through the proxy.

If you are not using a proxy and have removed the proxy env and volume entries above, you can remove the corresponding entry from volumeMounts as well:

- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
  name: proxy-cert-path

 

Once you have modified the cssensor-ds.yml file, save it.

 

Create Qualys sensor DaemonSet in Rancher UI

Log in to the Rancher UI to create the Qualys sensor DaemonSet. Use the credentials that were set when Rancher was installed.

From the top menu select the Cluster and Project under which the DaemonSet for the Qualys sensor is to be deployed in Rancher.

You are taken to the Resources tab. Click the Import YAML button.

Click the Read from a file button, then browse for and select the cssensor-ds.yml file that you’ve modified.  

Click the Import button.

On the Workloads page under kube-system namespace ensure that the qualys-container-sensor DaemonSet is deployed and active.

If you need to uninstall the Qualys Container Sensor, then under kube-system namespace, select the check box next to qualys-container-sensor and click Delete.

Launch sensor without persistent storage

You can run the sensor without using persistent storage on the host. In this case no data is stored on the host; it is kept in the /usr/local/qualys/qpa/data folder inside the sensor container and is lost when the container is removed.

To launch sensor without persistent storage, modify the cssensor-ds.yml file and provide
"--sensor-without-persistent-storage" as an additional value in args.

args: ["--k8s-mode","--sensor-without-persistent-storage"]

 

It is recommended to use the "--enable-console-logs" option along with "--sensor-without-persistent-storage" to preserve the logs.

Under volumeMounts remove/comment the persistent-volume section.

volumeMounts:
- mountPath: /usr/local/qualys/qpa/data
  name: persistent-volume

Under volumes remove/comment the persistent-volume section.

volumes:
- name: persistent-volume
  hostPath:
    path: /usr/local/qualys/sensor/data
    type: DirectoryOrCreate
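The edits above (args, env, resources, proxy-cert-path and persistent-volume) are easy to get subtly wrong, and Rancher's Import YAML only reports YAML syntax errors. The following pre-flight check is an added example, not part of the Qualys sensor or its documentation: it validates the edited pod spec, including the persistent-storage variant from this last section. It assumes the manifest has been loaded into a dict (for example with PyYAML); the pod spec, image name and UUIDs below are constructed placeholders.

```python
"""Pre-flight checks for an edited cssensor-ds.yml before importing it in Rancher.
Added example; not Qualys code. POD_SPEC is a constructed stand-in for the DaemonSet
pod spec; with the real file use
yaml.safe_load(open("cssensor-ds.yml"))["spec"]["template"]["spec"]."""
import copy
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# --flag=value args and the value range this page documents for them
RANGED = {
    "--qlys-asset-tracking-flush-threshold-count": (5, 50),
    "--qlys-asset-tracking-flush-duration-in-seconds": (10, 3600),
}
# args whose value is the next list element, e.g. "--log-level", "5"
TAKES_NEXT = {"--log-level": r"^[0-5]$", "--storage-driver-type": r"^\S+$"}

def parse_cpu_millicores(q):
    """Kubernetes CPU quantity ('0.5', '500m', '0') -> millicores; ValueError if malformed."""
    q = str(q).strip()
    return int(q[:-1]) if q.endswith("m") else int(round(float(q) * 1000))

def cpu_limit_for_node_fraction(cores, fraction):
    """limits.cpu (in cores) that caps the sensor at `fraction` of a node with `cores` CPUs."""
    return round(cores * fraction, 3)

def check_args(args, out):
    if not args or args[0] != "--k8s-mode":
        out.append("args: first element must be --k8s-mode")
    i = 0
    while i < len(args):
        a = args[i]
        if '"' in a or not a.startswith("--"):
            out.append(f"args: malformed element {a!r} (stray quote or missing --)")
        name, _, value = a.partition("=")
        if name in RANGED:
            lo, hi = RANGED[name]
            if not value.isdigit() or not lo <= int(value) <= hi:
                out.append(f"args: {name} needs an integer in [{lo}, {hi}], got {value!r}")
        if name in TAKES_NEXT:  # value travels in the following element
            nxt = args[i + 1] if i + 1 < len(args) else ""
            if not re.match(TAKES_NEXT[name], nxt):
                out.append(f"args: {name} must be followed by a valid value, got {nxt!r}")
            i += 1
        i += 1

def check_env(env, out):
    vals = {e.get("name"): str(e.get("value", "")) for e in env}
    for key in ("ACTIVATIONID", "CUSTOMERID"):
        if not UUID_RE.match(vals.get(key, "")):  # the XXXXXXXX-... placeholders fail here
            out.append(f"env: {key} missing or not the UUID from your subscription")
    proxy = vals.get("qualys_https_proxy")
    if proxy is not None and not re.match(r"^[\w.-]+:\d{1,5}$", proxy):
        out.append(f"env: qualys_https_proxy should be host:port, got {proxy!r}")

def check_manifest(pod_spec):
    """Return a list of problems; an empty list means the manifest looks ready to import."""
    out = []
    c = pod_spec["containers"][0]
    args = c.get("args", [])
    check_args(args, out)
    check_env(c.get("env", []), out)
    mounts = {m["name"] for m in c.get("volumeMounts", [])}
    vols = {v["name"] for v in pod_spec.get("volumes", [])}
    for name in sorted(mounts - vols):  # Kubernetes rejects a pod with a dangling volumeMount
        out.append(f"volumeMounts: {name} has no matching entry under volumes")
    no_pv = "--sensor-without-persistent-storage" in args
    if no_pv and "persistent-volume" in (mounts | vols):
        out.append("volumes: remove the persistent-volume mount and volume with --sensor-without-persistent-storage")
    if no_pv and "--enable-console-logs" not in args:
        out.append("args: add --enable-console-logs alongside --sensor-without-persistent-storage to keep logs")
    if not no_pv and "persistent-volume" not in mounts:
        out.append("volumeMounts: persistent-volume missing; restore it or add --sensor-without-persistent-storage")
    return out

# Constructed pod spec mirroring this page's fragments; image and UUIDs are made-up placeholders.
POD_SPEC = {
    "containers": [{
        "name": "qualys-container-sensor",
        "image": "registry.example.com/qualys/qcs-sensor:latest",
        "args": ["--k8s-mode", "--perform-sca-scan", "--sca-scan-timeout-in-seconds=600",
                 "--log-level", "5", "--qlys-asset-tracking-flush-threshold-count=20"],
        "resources": {"limits": {"cpu": "0.5", "memory": "500Mi"}, "requests": {"memory": "300Mi"}},
        "env": [{"name": "ACTIVATIONID", "value": "12345678-1234-1234-1234-123456789abc"},
                {"name": "CUSTOMERID", "value": "abcdef12-abcd-abcd-abcd-abcdefabcdef"},
                {"name": "qualys_https_proxy", "value": "proxy.localnet.com:3128"}],
        "volumeMounts": [{"mountPath": "/etc/qualys/qpa/cert/custom-ca.crt", "name": "proxy-cert-path"},
                         {"mountPath": "/usr/local/qualys/qpa/data", "name": "persistent-volume"}],
    }],
    "volumes": [{"name": "proxy-cert-path", "hostPath": {"path": "/root/cert/proxy-certificate.crt", "type": "File"}},
                {"name": "persistent-volume", "hostPath": {"path": "/usr/local/qualys/sensor/data", "type": "DirectoryOrCreate"}}],
}

# The same spec with mistakes this page warns about: a stray quote in --disable-features, an
# out-of-range flush count, a placeholder ID, --log-level without a value, and persistent
# storage disabled while the volume mounts were left in place (and their volumes removed).
BAD_SPEC = copy.deepcopy(POD_SPEC)
BAD_SPEC["containers"][0]["args"] = ["--k8s-mode", '--disable-features="SBOM"',
                                     "--qlys-asset-tracking-flush-threshold-count=100",
                                     "--sensor-without-persistent-storage", "--log-level"]
BAD_SPEC["containers"][0]["env"][0]["value"] = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
BAD_SPEC["volumes"] = []
```

Run check_manifest on the loaded spec and fix every reported line before importing; cpu_limit_for_node_fraction(4, 0.20) gives the 0.8 from the CPU-limit discussion above, and parse_cpu_millicores lets you compare "0.5" and "500m" style values on equal footing.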