Obtain the Container Sensor Image

The first step for any Kubernetes deployment is to obtain the sensor image. You can either download QualysContainerSensor.tar.xz from the Qualys Enterprise TruRisk™ Platform, or use the latest Qualys Container Sensor image (qualys/qcs-sensor:latest) from Docker Hub at https://hub.docker.com/u/qualys.

Download from Qualys Enterprise TruRisk™ Platform

Download the sensor on a Linux computer with Docker installed on it.

You can download sensor deployment templates either from the Qualys Enterprise TruRisk™ Platform or from GitHub directly at https://github.com/Qualys/cs_sensor. To get details on how to use the sensor templates, follow the deployment steps outlined in the sections that follow.

| Orchestration Platform | Container Runtime | Sensor Template |
|---|---|---|
| AWS ECS | Docker | cssensor-aws-ecs.json |
| Kubernetes (Cloud, On-Prem) | Docker | cssensor-ds.yml |
| Kubernetes (Cloud, On-Prem) | Docker | cssensor-ds_pv_pvc.yml |
| Kubernetes (Cloud, On-Prem) | Containerd | cssensor-containerd-ds.yml |
| Kubernetes (Cloud, On-Prem) | CRI-O | cssensor-crio-ds.yml |
| Docker Swarm | Docker | cssensor-swarm-ds.yml |
| Red Hat OpenShift | Docker | cssensor-openshift-ds.yml |
| Red Hat OpenShift | CRI-O | cssensor-openshift-crio-ds.yml |

CRI-O Runtime is supported by the General (host) sensor and Registry sensor. It is not supported by the CI/CD sensor.

After downloading the file, untar the sensor package using this command:
sudo tar -xvf QualysContainerSensor.tar.xz

To Load the Images in Docker Runtime Environment

Push the Qualys sensor image to a repository common to all nodes in the Kubernetes cluster using these commands:

sudo docker load -i qualys-sensor.tar
sudo docker tag <IMAGE NAME/ID> <URL to push image to the repository>
sudo docker push <URL to push image to the repository>

For example:
sudo docker load -i qualys-sensor.tar
sudo docker tag c3fa63a818df mycloudregistry.com/container-sensor:qualys-sensor-xxx
sudo docker push mycloudregistry.com/container-sensor:qualys-sensor-xxx

Do not use these examples as is. Replace the registry/image path with your own.

To Load the Images in Containerd Runtime Environment

Push the Qualys sensor image to a repository common to all nodes in the Kubernetes cluster using these commands. Keep the -n=k8s.io namespace on every command: the image is imported into that namespace, and ctr otherwise operates on the default namespace, where the imported image is not present.

ctr -n=k8s.io images import qualys-sensor.tar
ctr -n=k8s.io images tag <IMAGE NAME/ID> <URL to push image to the repository>
ctr -n=k8s.io images push <URL to push image to the repository>

For example:
ctr -n=k8s.io images import qualys-sensor.tar
ctr -n=k8s.io images tag c3fa63a818df mycloudregistry.com/container-sensor:qualys-sensor-xxx
ctr -n=k8s.io images push mycloudregistry.com/container-sensor:qualys-sensor-xxx

Do not use these examples as is. Replace the registry/image path with your own.

To Load the Images in CRI-O Runtime Environment

Push the Qualys sensor image to a repository common to all nodes in the Kubernetes cluster using these commands:

podman load -i qualys-sensor.tar
podman tag <IMAGE NAME/ID> <URL to push image to the repository>
podman push <URL to push image to the repository>

For example:
podman load -i qualys-sensor.tar
podman tag c3fa63a818df mycloudregistry.com/container-sensor:qualys-sensor-xxx
podman push mycloudregistry.com/container-sensor:qualys-sensor-xxx

Do not use these examples as is. Replace the registry/image path with your own.
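The three runtime procedures above differ only in the CLI used, so the sequence can be generated and checked before anything is pushed. The following is an added example, not part of the Qualys documentation or tooling: the function name sensor_push_plan and the registry name in the usage comment are hypothetical, and the script only prints the commands after rejecting placeholder values copied from this page. For containerd it assumes the k8s.io namespace is kept on all three ctr commands, since that is where the image is imported.

```shell
#!/bin/sh
# Added example (not Qualys code): print the load/tag/push sequence for one
# runtime after checking that the page's placeholder values were replaced.
# Usage: sensor_push_plan <docker|containerd|crio> <image-name-or-id> <target-ref>
#   e.g. sensor_push_plan crio c3fa63a818df registry.example.internal/sec/qcs-sensor:1.0
#   (registry.example.internal is a constructed name)
sensor_push_plan() {
    runtime=$1 image=$2 target=$3
    tarball=qualys-sensor.tar   # file name used in the page's commands

    # Refuse values copied from the documentation unchanged.
    case "$image$target" in
        *'<'*|*'>'*) echo "error: unfilled <placeholder>" >&2; return 2 ;;
    esac
    case "$target" in
        mycloudregistry.com/*) echo "error: example registry from the docs" >&2; return 2 ;;
        */*:?*) ;;  # accepted shape: registry/path:tag
        *) echo "error: target must be registry/path:tag" >&2; return 2 ;;
    esac

    # Pick the CLI the page uses for each runtime.
    case "$runtime" in
        docker)     load="sudo docker load -i"; cli="sudo docker" ;;
        containerd) load="ctr -n=k8s.io images import"; cli="ctr -n=k8s.io images" ;;
        crio)       load="podman load -i"; cli="podman" ;;
        *) echo "error: unknown runtime '$runtime'" >&2; return 2 ;;
    esac

    printf '%s %s\n' "$load" "$tarball"
    printf '%s tag %s %s\n' "$cli" "$image" "$target"
    printf '%s push %s\n' "$cli" "$target"
}

# Run directly with three arguments to print the plan for review.
if [ "$#" -eq 3 ]; then sensor_push_plan "$@"; fi
```
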

Get Sensor Image from Docker Hub

Use the latest Qualys Container Sensor image - qualys/qcs-sensor:latest - from Docker Hub. The Container Security Sensor on Docker Hub is available as:

qualys/qcs-sensor:<tag>

qualys/qcs-sensor:latest

Look up the most recent tag in Docker Hub. The Docker Hub Qualys Container Sensor image can be pushed to your private registry or used directly. Ensure that the registry where the CS Sensor image is published (Docker Hub or your private registry) is accessible from all Kubernetes nodes.