Deploy Sensor on Kubernetes Multi-node Cluster

In Kubernetes (K8s), the QCS General Sensor is deployed as a DaemonSet. This ensures one sensor pod runs on every node in a cluster. This is required because the sensor scans containers locally on each host or node. This topic explains how you can deploy Qualys Container Security Sensor (qcs-sensor) on a multi-node cluster installed in Kubernetes (K8s).

Prerequisites

Before you start QCS Sensor deployment in a multi-node cluster in K8s, make sure you have access to below entities.

Kubernetes

Kubernetes (latest version)

• A multi‑node worker cluster (not single‑node Minikube)
• kubectl configured with cluster-admin privileges

Qualys

• Qualys subscription with Container Security (CS) enabled
• Access to:
  • Activation ID
  • Customer ID
  • Qualys Enterprise TruRisk™ Platform 

Cluster Networking

• Whitelisted Qualys Enterprise TruRisk™ Platform [Outbound HTTPS (443) access]
• DNS resolution enabled for Qualys endpoints

How to install Qualys CS Sensor on multi-node cluster?

Follow the steps mentioned below to install Qualys Container Security Sensor on a multi-node cluster in K8s.

1. Download QCS Sensor from Qualys Enterprise TruRisk™ Platform > Container Security > Configurations > Sensors > Download Sensor.
   ??Need more details along with SS??
2. Prepare DaemonSet YAML.
3. Deploy the DaemonSet YAML.
4. Verify the deployment.

How to prepare DaemonSet YAML?

You need to edit the YAML file provided with CS Sensor tar. Make sure you have the following details in the DaemonSet Yaml.

Namespace
kind: Namespace
metadata:
  name: qualys

Service Account + RBAC

• ServiceAccount
• Role or ClusterRole
• RoleBinding or ClusterRoleBinding

These provide permissions to:

• Monitor pods
• Launch scan containers
• Clean up resources
  

Container Specification
containers:
  - name: qualys-container-sensor
    image: <qualys-sensor-image>
    args: ["--k8s-mode"]

Optional flags:
--registry-sensor: registry scanning
--cicd-deployed-sensor: CI/CD mode
--use-kubectl: use native K8s jobs
For more information, refer to CS Sensor Deploymnet Help.

Environment variables
env:
  - name: ACTIVATIONID
    value: <your-activation-id>
  - name: CUSTOMERID
    value: <your-customer-id>
  - name: POD_URL
    value: <your-pod-url>

Resource configuration 
resources:
  limits:
    cpu: "0.5"
    memory: "500Mi"
  requests:
    memory: "300Mi"

Host access (important for scanning)

Make sure you have:

• Access to Docker socket
• Persistent storage mounted

How to deploy DaemonSet YAML?

Run on Kubernetes master:

kubectl create -f cssensor-ds.yml

This will:

• Create namespace 'qualys'
• Deploy the DaemonSet
• Automatically schedule 1 sensor pod per node

Verify deployment

Check the pods and DaemonSet present in 'qualys' namespace. 

Run the following commands,

1. Check pods:
   kubectl get pods -n qualys -o wide
   Expected output??
   This provides a list Kubernetes pods in the 'qualys' namespace with extended details.
2. Check DaemonSet:
   kubectl get ds -n qualys
   Expected output??
   This verifies that the Qualys sensor DaemonSet is correctly deployed and running on all intended K8s nodes.
   Same number of pods and nodes indicates successful deployment of the DaemonSet.
3. Verify that newly installed sensor instances are appearing on Qualys Enterprise TruRisk™ Platform > Container Security account under Assets > Sensors.
   This ensures