Deploy in Kubernetes with RKE2 - Containerd Runtime
This section assumes you have the sensor image: Obtain the Container Sensor Image.
Modify the cssensor-containerd.yml file
Modify the cssensor-containerd.yml file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters. For the yml file to work properly, do not remove or comment out the sections mentioned below. You can also download the yml file directly from https://github.com/Qualys/cs_sensor
Ensure all Kubernetes nodes have the latest Qualys sensor image from the URL provided.
containers:
  - name: qualys-container-sensor
    image: <CS Sensor image name in the docker hub/private registry>
    args: ["--k8s-mode", "--container-runtime", "containerd"]
If you want to deploy the sensor for a CI/CD environment, provide the args value as:
args: ["--k8s-mode", "--container-runtime", "containerd", "--cicd-deployed-sensor"]
If you want to deploy a Registry Sensor, provide the args value as:
args: ["--k8s-mode", "--container-runtime", "containerd", "--registry-sensor"]
If you want to disable image scans for the General Sensor, add the "--disableImageScan" parameter to args.
args: ["--k8s-mode", "--container-runtime", "containerd", "--disableImageScan"]
If you want to disable container scans, add the "--disableContainerScan" parameter to args.
args: ["--k8s-mode", "--container-runtime", "containerd", "--disableContainerScan"]
If you want to disable log4j vulnerability scanning on your container images, add the "--disable-log4j-scanning" parameter to args.
args: ["--k8s-mode", "--container-runtime", "containerd", "--disable-log4j-scanning"]
If you want to disable log4j static detection for dynamic/static image scans, add the "--disable-log4j-static-detection" parameter to args.
args: ["--k8s-mode", "--container-runtime", "containerd", "--disable-log4j-static-detection"]
If you want to optimize image scans for the General Sensor, add the "--optimize-image-scans" parameter to args.
args: ["--k8s-mode", "--container-runtime", "containerd", "--optimize-image-scans"]
If you have the SCA scanning feature, then you can enable SCA scanning for container images by adding the "--perform-sca-scan" parameter to args.
args: ["--k8s-mode", "--container-runtime", "containerd", "--perform-sca-scan"]
By default, SCA scans run in online mode. You can choose to disable Internet access for the SCA scan and run the scan in offline mode. Note - We recommend you run the SCA scan in online mode. The quality of software package enumeration for Java degrades substantially when the SCA scan is run in offline mode, because the remote Maven repository may need to be consulted for accurate package detection. This can affect the accuracy of the vulnerability posture of the image.
args: ["--k8s-mode", "--container-runtime", "containerd", "--perform-sca-scan", "--disallow-internet-access-for-sca"]
The default SCA scan command timeout is 5 minutes (300 seconds). You can override the default timeout with a new value specified in seconds. For example, you may need to increase the SCA scan timeout when scanning large container images to ensure the SCA scan has time to finish. The --sca-scan-timeout-in-seconds parameter also applies to secret and malware detection.
args: ["--k8s-mode", "--container-runtime", "containerd", "--perform-sca-scan", "--sca-scan-timeout-in-seconds=600"]
If you want to enable secret detection for container images, add the "--perform-secret-detection" parameter to args:
args: ["--k8s-mode", "--container-runtime", "containerd", "--perform-secret-detection"]
If you want to enable malware detection for container images, add the "--perform-malware-detection" parameter to args:
args: ["--k8s-mode", "--container-runtime", "containerd", "--perform-malware-detection"]
If you want to print logs on the console, provide "--enable-console-logs" as an additional value in args.
To restrict the CPU usage to a certain value, change the following (optional):
Under resources specify the following:
resources:
  limits:
    cpu: "0.5" # Default CPU usage limit (0.5 = 50% of one core on the host).
For example, to limit the CPU usage to 5%, set resources:limits:cpu to "0.05". This limits the CPU usage to 5% of one core on the host. If there are multiple processors on a node, the resources:limits:cpu value is still expressed relative to one core only.
For example, if you have 4 CPUs on the system and you want to set the CPU limit to 20% of overall CPU capacity, set the CPU limit to 0.8, i.e., 80% of one core, which is 20% of total CPU capacity.
To disable any CPU usage limit, set the resources:limits:cpu value to 0.
Optionally, if you want to specify the memory resources for Container Sensor, you can specify them under resources. Recommended values for the Container Sensor's memory requests and memory limits are:
resources:
  limits:
    cpu: "0.5" # Default CPU usage limit on each node for sensor
    memory: "500Mi"
  requests:
    memory: "300Mi"
When either of the memory resource values (limits or requests) is specified for Container Sensor and "--use-kubectl" is supplied in args, we automatically apply both memory requests and memory limits to image scanning containers. Default values are 200Mi and 700Mi, respectively.
Additionally, you could overwrite one or both values by specifying the following variables under env. In this example, the values were changed to 300Mi and 800Mi.
- name: QUALYS_SCANNING_CONTAINER_MEMORYREQUESTMB
  value: "300Mi"
- name: QUALYS_SCANNING_CONTAINER_MEMORYLIMITMB
  value: "800Mi"
Under env specify the following:
Activation ID (Required)
- name: ACTIVATIONID
  value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Customer ID (Required)
- name: CUSTOMERID
  value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Specify proxy information, or remove if not required:
- name: qualys_https_proxy
  value: proxy.localnet.com:3128
With each scan, we check the node status to see if the node is schedulable or not, and launch the scan only if the node is schedulable. If the node status indicates that the node is unschedulable, then we retry the scan after a default interval of 15 minutes. You can increase or decrease the time the sensor waits before retrying the scan by specifying a different scan retry interval in minutes.
- name: UNSCHEDULABLE_NODE_SCAN_RETRY_INTERVAL
  value: "30"
Under volumes specify the proxy cert path, or remove if not required:
- name: proxy-cert-path
  hostPath:
    path: /root/cert/proxy-certificate.crt
    type: File
Activation ID and Customer ID are required. Use the Activation ID and Customer ID from your subscription.
If you are using a proxy, ensure that all Kubernetes nodes have a valid certificate file for the sensor to communicate with the Container Management Server.
If you are not using a proxy and you have removed the above-mentioned parts, you can remove the following part from volumeMounts as well:
- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
  name: proxy-cert-path
Under volumes specify the volume path of the Containerd socket.
volumes:
  - name: socket-volume
    hostPath:
      path: /run/k3s/containerd/containerd.sock
      type: Socket
Once you have modified the cssensor-containerd.yml file, save it.
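The steps above are edits to one manifest, and the usual mistakes are a malformed args list, a CPU limit computed against the wrong base (total node capacity instead of one core), and the placeholder Activation ID / Customer ID left in place. The following is an added example, not Qualys code and not part of the cssensor-containerd.yml shipped in the tarball: it composes the args list from named features, converts a "share of the whole node" into the per-core value resources:limits:cpu expects, checks the env entries, and renders the container entry as YAML for comparison with the file before kubectl apply. The helper names (build_args, cpu_limit_for_share, check_env, render_container) are this example's own; the flag and variable names are the ones documented above. It assumes the Activation ID and Customer ID are UUID-shaped, as the XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX placeholders suggest; the image name and IDs in the sample run are constructed placeholders.

```python
# Added example (not Qualys code): compose and sanity-check the container
# spec fields for cssensor-containerd.yml. Helper names are hypothetical;
# the flag and env-var names are the documented ones.
import re

# Sensor feature -> args entry, as documented for cssensor-containerd.yml.
FEATURE_FLAGS = {
    "cicd": "--cicd-deployed-sensor",
    "registry": "--registry-sensor",
    "disable_image_scan": "--disableImageScan",
    "disable_container_scan": "--disableContainerScan",
    "disable_log4j_scanning": "--disable-log4j-scanning",
    "disable_log4j_static_detection": "--disable-log4j-static-detection",
    "optimize_image_scans": "--optimize-image-scans",
    "sca": "--perform-sca-scan",
    "sca_offline": "--disallow-internet-access-for-sca",
    "secret_detection": "--perform-secret-detection",
    "malware_detection": "--perform-malware-detection",
    "console_logs": "--enable-console-logs",
}
BASE_ARGS = ["--k8s-mode", "--container-runtime", "containerd"]

# The shipped yml carries XXXXXXXX-XXXX-... placeholders; a real Activation ID
# or Customer ID is assumed here to be UUID-shaped.
PLACEHOLDER_ID = re.compile(r"^X{8}-X{4}-X{4}-X{4}-X{12}$")
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_args(features, sca_timeout_seconds=None):
    """Return the args list: the mandatory base entries plus one entry per
    feature. sca_timeout_seconds overrides the default 300 s timeout, which
    also governs secret and malware detection."""
    unknown = [f for f in features if f not in FEATURE_FLAGS]
    if unknown:
        raise ValueError(f"unknown feature(s): {unknown}")
    args = BASE_ARGS + [FEATURE_FLAGS[f] for f in features]
    if sca_timeout_seconds is not None:
        args.append(f"--sca-scan-timeout-in-seconds={int(sca_timeout_seconds)}")
    return args


def cpu_limit_for_share(node_cores, share_of_total):
    """resources:limits:cpu is relative to ONE core, so a share of the whole
    node is scaled by the core count: 20% of a 4-CPU node -> 0.8 (80% of
    one core). A share of 0 yields 0, i.e. no CPU limit."""
    if node_cores < 1 or not 0 <= share_of_total <= 1:
        raise ValueError("need node_cores >= 1 and 0 <= share_of_total <= 1")
    return round(node_cores * share_of_total, 3)


def check_env(env):
    """Return a list of problems with the env entries (empty list = OK)."""
    problems = []
    for key in ("ACTIVATIONID", "CUSTOMERID"):  # both are required
        value = env.get(key)
        if value is None:
            problems.append(f"{key} is required but missing")
        elif PLACEHOLDER_ID.match(value) or not UUID_RE.match(value):
            problems.append(f"{key} is still a placeholder or not a UUID")
    retry = env.get("UNSCHEDULABLE_NODE_SCAN_RETRY_INTERVAL")
    if retry is not None and not (retry.isdigit() and int(retry) > 0):
        problems.append("UNSCHEDULABLE_NODE_SCAN_RETRY_INTERVAL must be whole minutes > 0")
    return problems


def render_container(image, args, cpu_limit, env,
                     memory_limit="500Mi", memory_request="300Mi"):
    """Render the container entry as YAML text, using the recommended memory
    values as defaults. Refuses to render if check_env reports problems."""
    problems = check_env(env)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "containers:",
        "  - name: qualys-container-sensor",
        f"    image: {image}",
        "    args: [" + ", ".join(f'"{a}"' for a in args) + "]",
        "    resources:",
        "      limits:",
        f'        cpu: "{cpu_limit}"',
        f'        memory: "{memory_limit}"',
        "      requests:",
        f'        memory: "{memory_request}"',
        "    env:",
    ]
    for name, value in env.items():
        lines.append(f"      - name: {name}")
        lines.append(f'        value: "{value}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values: placeholder image name and made-up IDs.
    sample_env = {
        "ACTIVATIONID": "11111111-2222-3333-4444-555555555555",
        "CUSTOMERID": "66666666-7777-8888-9999-000000000000",
        "UNSCHEDULABLE_NODE_SCAN_RETRY_INTERVAL": "30",
    }
    print(render_container(
        image="registry.example.invalid/qualys/sensor:latest",
        args=build_args(["sca", "secret_detection"], sca_timeout_seconds=600),
        cpu_limit=cpu_limit_for_share(node_cores=4, share_of_total=0.20),
        env=sample_env,
    ))
```

Run it as-is to see the rendered container entry for a 4-CPU node limited to 20% of total capacity; diff the output against your edited cssensor-containerd.yml, then feed the file to kubectl apply. Leaving the placeholder IDs in place makes render_container raise, which is cheaper than discovering the sensor never registers.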