Deploy in Google Kubernetes Engine (GKE) with Autopilot Mode
Google Kubernetes Engine (GKE) Autopilot is a mode of operation for GKE in which Google manages the cluster infrastructure (nodes, scaling and node configuration) for you, so you only manage your workloads. The Qualys Container Security sensor (QCS Sensor) supports vulnerability scanning of your GKE Autopilot cluster in Dynamic scanning mode.
Pre-requisites
Below are the pre-requisites to deploy QCS Sensor on your GKE Autopilot cluster.
- A GKE Cluster in Autopilot mode where you want to deploy the QCS Sensor
- The latest version of Qualys Unified Helm Chart (qualys-tc 2.4.1 and above)
Sensor Installation on GKE Autopilot
You can install the CS Sensor on GKE Autopilot with the Unified Helm Chart, either by passing the values as --set flags to 'helm install' or 'helm template', or by updating values.yaml and then running 'helm install' or 'helm template'.
Sensor Installation using 'helm install' or 'helm template' Command
Run the following command to install the CS Sensor on a GKE Autopilot cluster using the helm install or helm template command.
helm <install/template> qualys-helm-chart/qualys-tc \
--set global.customerId=<Customer ID> \
--set global.activationId=<Activation ID> \
--set global.clusterInfoArgs.cloudProvider=GCP \
--set global.clusterInfoArgs.GCP.krn=<GCP KRN> \
--set global.cmsqagPublicUrl=<Qualys POD URL> \
--set clusterSensor.enabled=true \
--set global.gatewayUrl=<Qualys Gateway URL> \
--set clusterSensor.hostNetwork=false \
--set qcsSensor.enabled=true \
--set qcsSensor.qualys.image=docker.io/qualys/qcs-sensor:1.38.0-1 \
--set global.gkeAutopilot.enabled=true \
--set qcsSensor.qualys.priorityClass.enabled=true \
--set qcsSensor.qualys.priorityClass.priorityClassName=qualys-daemonset-priority \
--set qcsSensor.qualys.priorityClass.priorityClassValue=900000000 \
--set qcsSensor.qualys.priorityClass.preemptionPolicy=Never \
--set qcsSensor.qualys.args.scanningPolicy=DynamicScanningOnly \
--namespace qualys \
--create-namespace \
--set global.gkeAutopilot.allowlistLabelForQcsSensor=qualys-qcs-sensor-v1.2.0 \
--set qcsSensor.qualys.args.enableConsoleLogs=true \
--set qcsSensor.qualys.args.withoutPersistentStorage=true
Optional. To also install the Registry sensor, add this flag to the command above: --set qcsSensor.qualys.args.registrySensor=true
Alternatively, you can set the same values in qualys-tc > values.yaml. The GKE Autopilot settings sit under the global key (matching the global.gkeAutopilot.* flags above):
# set gkeAutopilot.enabled and allowlistLabelForQcsSensor
global:
  gkeAutopilot:
    enabled: true
    allowlistLabelForQcsSensor: qualys-qcs-sensor-v1.2.0
The '...-v1.2.0' suffix of the allowlistLabelForQcsSensor value is release-specific, so make sure the label names the latest version. To list the allowlist versions currently available in your cluster, run: kubectl get workloadallowlist
In Google Kubernetes Engine (GKE) Autopilot, the AllowlistSynchronizer is a Custom Resource Definition (CRD) that helps manage and sync allowlists for workloads provided by Autopilot partners. It functions as a controller that retrieves and applies allowlist files from a Google-managed repository, ensuring that only authorized partner workloads are permitted to run in your GKE Autopilot clusters.
Ensure that the qualys-container-security AllowlistSynchronizer exists in your GKE cluster. To list the AllowlistSynchronizers in your environment, run: kubectl get AllowlistSynchronizer
If you are installing the QCS sensor with the 'helm template' command on GKE Autopilot, make sure the qualys-container-security AllowlistSynchronizer has synced with your GKE cluster before you apply the rendered manifests: until the sync completes, the sensor workload is not on the cluster's allowlist and Autopilot does not permit it to run.
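The checks described above, as an added preflight script that is not part of the Qualys Helm chart or of GKE's tooling (example code): it confirms that the qualys-container-security AllowlistSynchronizer exists, picks the newest qualys-qcs-sensor WorkloadAllowlist name as the label, refuses to continue when the label you intend to pass is stale or no Qualys allowlist has been synced yet, and only then calls helm template or helm install. It assumes that the remaining chart settings from the command above live in values.yaml and that the intended label is given in an ALLOWLIST_LABEL environment variable (both are assumptions for this example, not chart conventions); the kubectl output it parses is constructed sample data.

```shell
#!/bin/sh
# Preflight helper for the GKE Autopilot install above. Added example, not
# part of the Qualys Helm chart or of GKE's tooling. It parses the default
# table output of `kubectl get allowlistsynchronizer` and
# `kubectl get workloadallowlist` (first column is NAME), so it needs no
# permissions beyond listing those resources. The two SAMPLE_* strings
# below are CONSTRUCTED so the checks can be exercised offline.

# Constructed sample of `kubectl get allowlistsynchronizer` output.
SAMPLE_SYNCHRONIZERS='NAME                        AGE
qualys-container-security   12d'

# Constructed sample of `kubectl get workloadallowlist` output. Older Qualys
# releases and another partner's entry are present on purpose: the helper
# must pick the newest qualys-qcs-sensor-* entry and ignore the rest.
SAMPLE_ALLOWLISTS='NAME                          AGE
other-partner-agent-v3.0.0    30d
qualys-qcs-sensor-v1.0.0      30d
qualys-qcs-sensor-v1.1.0      20d
qualys-qcs-sensor-v1.2.0      12d'

# Succeed only if the qualys-container-security AllowlistSynchronizer exists.
# Reads `kubectl get allowlistsynchronizer` output on stdin.
allowlist_synchronizer_present() {
    awk 'NR > 1 && $1 == "qualys-container-security" { found = 1 }
         END { exit !found }'
}

# Print the newest qualys-qcs-sensor-vX.Y.Z WorkloadAllowlist name, comparing
# the version numerically (v1.10.0 sorts after v1.9.0, which a plain string
# sort gets wrong). Reads `kubectl get workloadallowlist` output on stdin;
# exits 1 when no Qualys allowlist has been synced yet.
latest_qcs_allowlist_label() {
    awk 'NR > 1 && $1 ~ /^qualys-qcs-sensor-v[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' |
        sed 's/^qualys-qcs-sensor-v//' |
        sort -t '.' -k1,1n -k2,2n -k3,3n |
        tail -n 1 |
        sed 's/^/qualys-qcs-sensor-v/' |
        grep .
}

# Compare the label you intend to pass as allowlistLabelForQcsSensor with the
# newest one on the cluster. Prints the label on success; returns 1 when it is
# stale and 2 when no Qualys allowlist is present (synchronizer not synced).
check_allowlist_label() {
    intended=$1
    latest=$(latest_qcs_allowlist_label) || {
        echo "no qualys-qcs-sensor WorkloadAllowlist found; wait for the AllowlistSynchronizer to sync" >&2
        return 2
    }
    if [ "$intended" != "$latest" ]; then
        echo "allowlistLabelForQcsSensor=$intended is stale; cluster has $latest" >&2
        return 1
    fi
    echo "$latest"
}

# Live run: check the cluster, then render or install the chart. The remaining
# settings from the command above (customerId, activationId, KRN, gateway URL,
# priority class, DynamicScanningOnly, ...) are ASSUMED to be in values.yaml;
# only the verified allowlist label is passed on the command line.
preflight_and_helm() {
    mode=$1   # install or template
    kubectl get allowlistsynchronizer | allowlist_synchronizer_present ||
        { echo "qualys-container-security AllowlistSynchronizer is missing" >&2; return 1; }
    label=$(kubectl get workloadallowlist |
        check_allowlist_label "$ALLOWLIST_LABEL") || return $?
    helm "$mode" qualys-helm-chart/qualys-tc -f values.yaml \
        --namespace qualys --create-namespace \
        --set global.gkeAutopilot.enabled=true \
        --set global.gkeAutopilot.allowlistLabelForQcsSensor="$label"
}

# Only touch a real cluster when invoked as:
#   ALLOWLIST_LABEL=qualys-qcs-sensor-v1.2.0 sh preflight.sh template
case "${1-}" in
    install|template) preflight_and_helm "$1" ;;
esac
```

Run it with template first and inspect the rendered manifests; a stale label fails the script before helm is called, which is cheaper than discovering the rejected workload after the DaemonSet has been submitted.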