Deploy in Google Kubernetes Engine (GKE) with Autopilot Mode

Google Kubernetes Engine (GKE) Autopilot is a mode of operation for GKE in which Google provisions and manages the cluster's node infrastructure for you, so you manage only your workloads. The Qualys Container Security (CS) Sensor, also referred to as the QCS Sensor, supports dynamic vulnerability scanning of your GKE Autopilot cluster.

Prerequisites

Below are the prerequisites to deploy the QCS Sensor on your GKE Autopilot cluster.

  • A GKE Cluster in Autopilot mode where you want to deploy the QCS Sensor
  • The latest version of the Qualys Unified Helm Chart (qualys-tc 2.4.1 or later)

Sensor Installation on GKE Autopilot

You can install the CS Sensor on GKE Autopilot with the Unified Helm Chart, either by passing the settings as --set flags to 'helm install' or 'helm template', or by putting the same settings in values.yaml and then running 'helm install' or 'helm template'.

Sensor Installation using 'helm install' or 'helm template' Command

Run the following command to install the CS Sensor on a GKE Autopilot cluster. Use 'helm install' to deploy directly, or 'helm template' to render the manifests locally so you can review or apply them yourself.

helm <install/template> qualys-helm-chart/qualys-tc \
--set global.customerId=<Customer ID> \
--set global.activationId=<Activation ID> \
--set global.clusterInfoArgs.cloudProvider=GCP \
--set global.clusterInfoArgs.GCP.krn=<GCP KRN> \
--set global.cmsqagPublicUrl=<Qualys POD URL> \
--set clusterSensor.enabled=true \
--set global.gatewayUrl=<Qualys Gateway URL> \
--set clusterSensor.hostNetwork=false \
--set qcsSensor.enabled=true \
--set qcsSensor.qualys.image=docker.io/qualys/qcs-sensor:1.38.0-1 \
--set global.gkeAutopilot.enabled=true \
--set qcsSensor.qualys.priorityClass.enabled=true \
--set qcsSensor.qualys.priorityClass.priorityClassName=qualys-daemonset-priority \
--set qcsSensor.qualys.priorityClass.priorityClassValue=900000000 \
--set qcsSensor.qualys.priorityClass.preemptionPolicy=Never \
--set qcsSensor.qualys.args.scanningPolicy=DynamicScanningOnly \
--namespace qualys \
--create-namespace \
--set global.gkeAutopilot.allowlistLabelForQcsSensor=qualys-qcs-sensor-v1.2.0 \
--set qcsSensor.qualys.args.enableConsoleLogs=true \
--set qcsSensor.qualys.args.withoutPersistentStorage=true
 

Optional: to also install the Registry Sensor, add --set qcsSensor.qualys.args.registrySensor=true to the command.

 

Alternatively, you can set the same values in values.yaml of the qualys-tc chart. The two GKE Autopilot settings correspond to the --set global.gkeAutopilot.* flags above, so they go under the global section:
# set gkeAutopilot.enabled and allowlistLabelForQcsSensor
global:
  gkeAutopilot:
    enabled: true
    allowlistLabelForQcsSensor: qualys-qcs-sensor-v1.2.0

The '...-v1.2.0' suffix of the allowlistLabelForQcsSensor value is release-specific; always use the latest version in the label. To see which allowlist versions are available in your cluster, run: kubectl get workloadallowlist

 

In Google Kubernetes Engine (GKE) Autopilot, the AllowlistSynchronizer is a custom resource (defined by a Custom Resource Definition, CRD) that manages and syncs the allowlists for workloads provided by Autopilot partners. It acts as a controller that retrieves allowlist files from a Google-managed repository and applies them to the cluster, ensuring that only authorized partner workloads are permitted to run in your GKE Autopilot clusters.

Ensure that the qualys-container-security AllowlistSynchronizer exists in your GKE cluster. You can check the AllowlistSynchronizers in your environment by running: kubectl get AllowlistSynchronizer

If you are installing the QCS Sensor with the 'helm template' command on GKE Autopilot (rendering the manifests and applying them yourself), make sure the qualys-container-security AllowlistSynchronizer has synced to your GKE cluster before you apply the QCS Sensor manifests; until the sync completes, the sensor workload is not yet allowlisted and will not be permitted to run.
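As an added example (not Qualys documentation and not code from the qualys-tc chart), the following POSIX shell script turns the checks described in this section into a pre-flight step: it confirms the qualys-container-security AllowlistSynchronizer is present, picks the newest qualys-qcs-sensor-vX.Y.Z WorkloadAllowlist, and refuses to continue when the label you are about to pass to --set global.gkeAutopilot.allowlistLabelForQcsSensor is stale. The sample kubectl output embedded in the script is constructed, and the "<kind>.<group>/<name>" output format of kubectl get -o name and the QCS_PREFLIGHT_LIVE switch are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks before installing the QCS Sensor on a GKE Autopilot cluster.
# Added example: not part of the Qualys documentation or the qualys-tc chart.
# Assumptions (not stated on the page): kubectl is pointed at the target
# cluster, and `kubectl get <kind> -o name` prints one "<kind>.<group>/<name>"
# line per object, so the object name is everything after the last "/".
set -eu

# Read WorkloadAllowlist names on stdin and print the newest
# qualys-qcs-sensor-vX.Y.Z one. Each version component is sorted numerically,
# so v1.10.0 ranks above v1.9.0. Prints nothing if no Qualys allowlist exists.
latest_qcs_allowlist_label() {
  sed -n -e 's#^.*/##' -e '/^qualys-qcs-sensor-v[0-9][0-9.]*$/p' \
    | sed -e 's/^qualys-qcs-sensor-v//' \
    | sort -t . -k 1,1n -k 2,2n -k 3,3n \
    | tail -n 1 \
    | sed -e 's/^/qualys-qcs-sensor-v/'
}

# Succeed only if LABEL (the value you are about to pass to
# --set global.gkeAutopilot.allowlistLabelForQcsSensor) is the newest
# allowlist in the list read from stdin. A stale label names an allowlist
# that may no longer match the sensor release you are deploying.
check_allowlist_label() {
  want=$1
  have=$(latest_qcs_allowlist_label)
  if [ -z "$have" ]; then
    echo "no qualys-qcs-sensor-v* WorkloadAllowlist found; has the AllowlistSynchronizer synced?" >&2
    return 1
  fi
  if [ "$have" != "$want" ]; then
    echo "allowlist label mismatch: requested $want, cluster has $have" >&2
    return 1
  fi
  return 0
}

# Succeed if the qualys-container-security AllowlistSynchronizer is among the
# names read from stdin.
synchronizer_present() {
  sed -e 's#^.*/##' | grep -q -x 'qualys-container-security'
}

# Constructed sample output (not captured from a real cluster) in the shape of
# `kubectl get workloadallowlist -o name` and `kubectl get allowlistsynchronizer -o name`.
SAMPLE_ALLOWLISTS='workloadallowlist.auto.gke.io/qualys-qcs-sensor-v1.1.0
workloadallowlist.auto.gke.io/qualys-qcs-sensor-v1.2.0
workloadallowlist.auto.gke.io/other-partner-agent-v3.0.0'
SAMPLE_SYNCS='allowlistsynchronizer.auto.gke.io/qualys-container-security'

if [ "${QCS_PREFLIGHT_LIVE:-0}" = "1" ]; then
  # Live mode (QCS_PREFLIGHT_LIVE=1): query the cluster, then dry-render the
  # chart with the newest label. Pass the remaining --set flags from the
  # install command above as arguments to this script.
  kubectl get allowlistsynchronizer -o name | synchronizer_present \
    || { echo "qualys-container-security AllowlistSynchronizer is missing" >&2; exit 1; }
  LABEL=$(kubectl get workloadallowlist -o name | latest_qcs_allowlist_label)
  kubectl get workloadallowlist -o name | check_allowlist_label "$LABEL"
  helm template qualys-helm-chart/qualys-tc --namespace qualys \
    --set global.gkeAutopilot.enabled=true \
    --set global.gkeAutopilot.allowlistLabelForQcsSensor="$LABEL" \
    --set qcsSensor.enabled=true "$@"
else
  # Offline demo on the constructed sample: the label from an older release
  # is rejected, the newest one is accepted.
  printf '%s\n' "$SAMPLE_SYNCS" | synchronizer_present && echo "synchronizer: present"
  printf '%s\n' "$SAMPLE_ALLOWLISTS" | check_allowlist_label qualys-qcs-sensor-v1.1.0 \
    || echo "stale label rejected as expected"
  printf '%s\n' "$SAMPLE_ALLOWLISTS" | check_allowlist_label qualys-qcs-sensor-v1.2.0 \
    && echo "label qualys-qcs-sensor-v1.2.0 accepted"
fi
```

Run it without arguments to see the offline demo; run it as QCS_PREFLIGHT_LIVE=1 ./preflight.sh --set global.customerId=... (followed by the rest of the --set flags from the install command) to check a real cluster and render the chart with the newest label. The version sort is done per numeric component rather than lexically so that a v1.10.0 allowlist is not mistaken for being older than v1.9.0.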