Update the sensor deployed in Kubernetes

You can update the Container Sensor DaemonSet to the latest version in Kubernetes. This information applies to Amazon Elastic Container Service for Kubernetes (Amazon EKS), Google Kubernetes Engine (GKE), and Azure Kubernetes Service (AKS).

Ensure that the Container Sensor has read and write access to the persistent storage and the docker daemon socket.

Perform the following steps on the Kubernetes master to update the Container Sensor.

Ensure the Container Sensor DaemonSet is running in the Kubernetes environment.

If you already have Qualys Container Sensor running in a namespace other than 'qualys', you must first uninstall the sensor from that namespace. Use the new yml file extracted from the latest QualysContainerSensor.tar.xz, or download the yml file directly from https://github.com/Qualys/cs_sensor.

Deploy a fresh Qualys Container Sensor in the 'qualys' namespace. Use the same persistent storage path as the earlier deployment under hostPath for persistent-volume:

      - name: persistent-volume
        hostPath:
          path: /usr/local/qualys/sensor/data
          type: DirectoryOrCreate

Download the QualysContainerSensor.tar.xz file from Qualys Cloud Provider onto the Kubernetes master.

Untar the sensor package:

sudo tar -xvf QualysContainerSensor.tar.xz


Copy the Sensor version from the version-info file (extracted from QualysContainerSensor.tar.xz).

Modify the cssensor-ds.yml file

Modify the cssensor-ds.yml file (extracted from QualysContainerSensor.tar.xz) to provide values for the following parameters. For the yml file to work properly, do not remove or comment out the sections mentioned below. Note that you can also download the yml file directly from https://github.com/Qualys/cs_sensor.

Ensure all Kubernetes nodes have the latest Qualys sensor image from the URL provided.

  containers:
    - name: qualys-container-sensor
      image: <CS Sensor image name in the docker hub/private registry>
      args: ["--k8s-mode"]

The image value must be in the format:

registryurl/qualys/sensor:<version-info>


If you want to deploy the sensor for a CI/CD environment, provide the args value as:

args: ["--k8s-mode","--cicd-deployed-sensor","--log-level","5","--log-filesize","5M","--log-filepurgecount","4"]


If you want to deploy a Registry Sensor, provide the args value as:

args: ["--k8s-mode","--registry-sensor","--log-level","5","--log-filesize","5M","--log-filepurgecount","4"]


The values for "--log-level", "--log-filesize" and "--log-filepurgecount" in the args values above are only samples. Specify appropriate values for your needs.

If you want to print logs on the console, provide "--enable-console-logs" as an additional value in args.

(Optional) To restrict the CPU usage to a certain value, change the following:

Under resources specify the following:

  resources:
    limits:
      cpu: "0.5" # Default CPU usage limit (50% of one core on the host).

For example, to limit the cpu usage to 5%, set resources:limits:cpu: "0.05". This limits the cpu usage to 5% of one core on the host.

If there are multiple processors on a node, setting the resources:limits:cpu value applies the CPU limit to one core only.

For example, if you have 4 CPUs on the system and you want to set the CPU limit to 20% of the overall CPU capacity, set the CPU limit to 0.8, i.e., 80% of one core, which equals 20% of the total CPU capacity.

To disable any CPU usage limit, set resources:limits:cpu value to 0.

Under env specify the following:

Activation ID (Required: Use the same Activation ID provided in the existing Container Sensor DaemonSet that you are upgrading)

    - name: ACTIVATIONID
      value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Customer ID (Required: Use the same Customer ID provided in the existing Container Sensor DaemonSet that you are upgrading)

    - name: CUSTOMERID
      value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Specify proxy information, or remove if not required:

    - name: qualys_https_proxy
      value: proxy.localnet.com:3128

Under volumes specify the proxy cert path, or remove if not required:

    - name: proxy-cert-path
      hostPath:
        path: /root/cert/proxy-certificate.crt
        type: File

Activation ID and Customer ID are required. Use the Activation ID and Customer ID from your subscription.

If you are using a proxy, ensure that all Kubernetes nodes have a valid certificate file for the sensor to communicate with the Container Management Server.

If you are not using a proxy and you have removed the above-mentioned parts, you can remove the following part from volumeMounts as well:

    - mountPath: /etc/qualys/qpa/cert/custom-ca.crt
      name: proxy-cert-path

Once you have modified cssensor-ds.yml, save the file, and then perform docker login to the registry on the Kubernetes master before running the update script (k8s-rolling-update.sh).

For example:

docker login mycloudregistry.com


The registry should be accessible from all Kubernetes nodes and the Kubernetes master from where the update is being performed.

To update the Container Sensor DaemonSet to the latest version, run the following command on the Kubernetes master:

./k8s-rolling-update.sh Registry_Url=mycloudregistry.com


k8s-rolling-update.sh performs docker load, docker tag and docker push to the registry.
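A pre-flight check for the edited cssensor-ds.yml, added here as an example and not part of the Qualys package or its update script: it verifies that the image tag matches the version copied from version-info, that ACTIVATIONID and CUSTOMERID are real IDs rather than the XXXX placeholder, and that the proxy-cert-path volume and its volumeMount were kept or removed together. The registry name, IDs and version string in the constructed sample are assumptions.

```shell
#!/bin/sh
# Pre-flight check of a modified cssensor-ds.yml before running k8s-rolling-update.sh.
# Added example, not part of the Qualys sensor package. Assumes the layout shown above:
# each "- name:" env entry is followed by its "value:" line, image is registry/qualys/sensor:<version>.

# env_value FILE NAME: print the value of the env entry called NAME (empty if absent).
env_value() {
  awk -v n="$2" '$1 == "-" && $2 == "name:" && $3 == n { hit = 1; next }
                 hit && $1 == "value:" { print $2; exit }' "$1"
}

# check_sensor_yml FILE VERSION: return 0 when every check passes, 1 otherwise.
check_sensor_yml() {
  file=$1; version=$2; rc=0
  image=$(sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$file" | head -n 1)
  case "$image" in
    */qualys/sensor:"$version") ;;
    *) echo "FAIL image '$image' is not <registry>/qualys/sensor:$version"; rc=1 ;;
  esac
  for name in ACTIVATIONID CUSTOMERID; do
    id=$(env_value "$file" "$name")
    # Reject the XXXXXXXX-... placeholder and anything that is not UUID-shaped.
    if ! printf '%s\n' "$id" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
      echo "FAIL $name is missing or still a placeholder: '$id'"; rc=1
    fi
  done
  # The proxy cert volume and its volumeMount must be removed (or kept) together.
  vol=$(grep -c '^[[:space:]]*- name: proxy-cert-path' "$file" || true)
  mnt=$(grep -c '^[[:space:]]*name: proxy-cert-path' "$file" || true)
  if [ "$vol" -ne "$mnt" ]; then
    echo "FAIL proxy-cert-path volume ($vol) and volumeMount ($mnt) do not match"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $file passes all checks"
  return "$rc"
}

# write_sample FILE IMAGE ID WITH_VOLUME: write a constructed manifest fragment (test data only).
write_sample() {
  {
    printf '  containers:\n    - name: qualys-container-sensor\n      image: %s\n' "$2"
    printf '      args: ["--k8s-mode"]\n      env:\n'
    printf '        - name: ACTIVATIONID\n          value: %s\n        - name: CUSTOMERID\n          value: %s\n' "$3" "$3"
    printf '      volumeMounts:\n        - mountPath: /etc/qualys/qpa/cert/custom-ca.crt\n'
    printf '          name: proxy-cert-path\n  volumes:\n'
    if [ "$4" = yes ]; then
      printf '    - name: proxy-cert-path\n      hostPath:\n        path: /root/cert/proxy-certificate.crt\n        type: File\n'
    fi
  } > "$1"
}
```

Source the file and run check_sensor_yml cssensor-ds.yml <version-info> on the master before k8s-rolling-update.sh; a non-zero exit lists what still needs editing.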


Setting up the Priority for your POD

Prioritizing PODs helps in case of resource contention. You can assign the highest priority to your POD using the PriorityClass parameter.

To assign priority to your pod, follow the steps mentioned below.

1. Open the Sensor Deployment file (.yml).

2. Locate the below lines of code in the file.

#- kind: PriorityClass
#  apiVersion: scheduling.k8s.io/v1
#  metadata:
#    name: qualys-priority-class
#  value: 0
#  preemptionPolicy: PreemptLowerPriority
#  description: Priority class for daemonset

and

#priorityClassName: qualys-priority-class

3. Uncomment the lines above by removing the "#" preceding each line.

4. You can change the PriorityClass value as per your requirement.