Deploy in Google Kubernetes Engine (GKE) with Autopilot Mode

Google Kubernetes Engine (GKE) Autopilot is a mode of operation for GKE that simplifies Kubernetes cluster management by automatically handling infrastructure tasks. Qualys Container Security (QCS) supports both the QCS Sensor, which performs dynamic vulnerability scanning, and the Cluster Sensor, which collects inventory data from GKE Autopilot clusters.

Currently, Qualys Container Security supports deployment of both the QCS Sensor and the Cluster Sensor in GKE Autopilot environments. The Cluster Sensor does not perform Kubernetes Security Posture Management (KSPM) checks; it is used primarily to collect cluster inventory.

Pre-requisites

Below are the prerequisites for deploying the QCS Sensor and Cluster Sensor on your GKE Autopilot cluster.

  • A GKE Cluster in Autopilot mode where you want to deploy the QCS Sensor and Cluster Sensor.
  • The latest version of the Qualys Unified Helm Chart (qualys-tc 2.4.1 or later)

Sensor Installation on GKE Autopilot

You can install the QCS Sensor and Cluster Sensor on GKE Autopilot using the Unified Helm Chart, either by passing the settings as --set flags to the 'helm install' or 'helm template' command, or by updating values.yaml and then running helm install or helm template.

Sensor Installation using 'helm install' or 'helm template' Command

Run the following command to install the QCS Sensor and Cluster Sensor on a GKE Autopilot cluster using helm install or helm template.

helm <install/template> qualys-helm-chart/qualys-tc \
--set global.customerId=<Customer ID> \
--set global.activationId=<Activation ID> \
--set global.clusterInfoArgs.cloudProvider=GCP \
--set global.clusterInfoArgs.GCP.krn=<GCP KRN> \
--set global.cmsqagPublicUrl=<Qualys POD URL> \
--set clusterSensor.enabled=true \
--set global.gatewayUrl=<Qualys Gateway URL> \
--set clusterSensor.hostNetwork=false \
--set qcsSensor.enabled=true \
--set qcsSensor.qualys.image=docker.io/qualys/qcs-sensor:1.38.0-1 \
--set global.gkeAutopilot.enabled=true \
--set qcsSensor.qualys.priorityClass.enabled=true \
--set qcsSensor.qualys.priorityClass.priorityClassName=qualys-daemonset-priority \
--set qcsSensor.qualys.priorityClass.priorityClassValue=900000000 \
--set qcsSensor.qualys.priorityClass.preemptionPolicy=Never \
--set qcsSensor.qualys.args.scanningPolicy=DynamicScanningOnly \
--namespace qualys \
--create-namespace \
--set global.gkeAutopilot.allowlistLabelForQcsSensor=qualys-qcs-sensor-v1.2.0 \
--set qcsSensor.qualys.args.enableConsoleLogs=true \
--set qcsSensor.qualys.args.withoutPersistentStorage=true

Optional. To also install the Registry Sensor, append: --set qcsSensor.qualys.args.registrySensor=true

The Registry Sensor is offered as part of the QCS Sensor.

Alternatively, you can add the same settings to qualys-tc > values.yaml. These keys sit under the chart's global section, matching the global.gkeAutopilot.* paths used with --set above:
global:
  # set gkeAutopilot.enabled and allowlistLabelForQcsSensor
  gkeAutopilot:
    enabled: true
    allowlistLabelForQcsSensor: qualys-qcs-sensor-v1.2.0

The '...-v1.2.0' suffix of the allowlistLabelForQcsSensor value is release-specific; make sure you use the latest version in the label. To check the latest allowlist label version, run: kubectl get workloadallowlist

In Google Kubernetes Engine (GKE) Autopilot, the AllowlistSynchronizer is a Custom Resource Definition (CRD) that manages and syncs allowlists for workloads provided by Autopilot partners. It acts as a controller that retrieves allowlist files from a Google-managed repository and applies them, so that only authorized partner workloads are permitted to run in your GKE Autopilot clusters.

Ensure that the qualys-container-security AllowlistSynchronizer has been created in your GKE cluster. You can check the AllowlistSynchronizer in your environment by running: kubectl get AllowlistSynchronizer

If you are installing the QCS Sensor using the 'helm template' command in a GKE Autopilot environment, make sure the qualys-container-security AllowlistSynchronizer has synced with your GKE cluster before deploying the QCS Sensor.
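The checks above (the AllowlistSynchronizer must exist, and the allowlist label passed to the chart must be the latest synced WorkloadAllowlist) are easy to get wrong by hand, since a plain text sort ranks v1.9.3 above v1.10.0. The following pre-flight script is an added example, not part of the Qualys chart or documentation; it assumes kubectl points at the target cluster, that the resources are cluster-scoped, and that WorkloadAllowlist names follow the qualys-qcs-sensor-vX.Y.Z pattern shown on this page.

```shell
#!/bin/sh
# Added pre-flight helper for the Autopilot install on this page (not part of the
# Qualys chart or docs). Assumes kubectl points at the target cluster and that
# WorkloadAllowlist names follow the "qualys-qcs-sensor-vX.Y.Z" pattern shown above.
set -eu

# Print the highest-versioned Qualys allowlist name from WorkloadAllowlist names
# on stdin (one per line). A plain text sort would rank v1.9.3 above v1.10.0,
# so the version parts are compared numerically. Prints nothing if none match.
latest_qualys_allowlist() {
  awk 'BEGIN { best = -1 }
    /^qualys-qcs-sensor-v[0-9]+\.[0-9]+\.[0-9]+$/ {
      v = $0; sub(/^qualys-qcs-sensor-v/, "", v); split(v, p, ".")
      key = p[1] * 1000000 + p[2] * 1000 + p[3]   # assumes each part < 1000
      if (key > best) { best = key; name = $0 }
    }
    END { if (best >= 0) print name }'
}

# Succeed only if qualys-container-security is among the AllowlistSynchronizer
# names on stdin; without it Autopilot never receives the Qualys allowlist.
synchronizer_present() {
  grep -qx 'qualys-container-security'
}

# Live path, run only as "sh preflight.sh --render <remaining --set flags>":
# gate on the synchronizer, pick the label, and render the chart with it.
# The other --set values from the install command above are passed through.
if [ "${1:-}" = "--render" ]; then
  shift
  kubectl get allowlistsynchronizer -o name | sed 's#.*/##' | synchronizer_present \
    || { echo "AllowlistSynchronizer qualys-container-security not found" >&2; exit 1; }
  LABEL=$(kubectl get workloadallowlist -o name | sed 's#.*/##' | latest_qualys_allowlist)
  [ -n "$LABEL" ] || { echo "no qualys-qcs-sensor WorkloadAllowlist synced yet" >&2; exit 1; }
  echo "using allowlist label: $LABEL" >&2
  helm template qualys-helm-chart/qualys-tc \
    --namespace qualys \
    --set global.gkeAutopilot.enabled=true \
    --set "global.gkeAutopilot.allowlistLabelForQcsSensor=$LABEL" \
    "$@"
fi
```

Replace helm template with helm install --create-namespace once the rendered output looks right; the label selection and the synchronizer gate are the same either way.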