cssensor-containerd-ds.yml

kind: List
apiVersion: v1
items:
  # Create custom namespace qualys
  - kind: Namespace
    apiVersion: v1
    metadata:
      name: qualys
  # Service Account
  - kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: qualys-service-account
      namespace: qualys
  # Role for all permission to qualys namespace
  - kind: Role
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-reader-role
      namespace: qualys
    rules:
    - apiGroups: ["","batch"]
      resources: ["pods","jobs"]
      verbs: ["get", "list", "watch","create", "delete", "deletecollection"]
    - apiGroups: [""]
      resources: ["pods/attach", "pods/exec"]
      verbs: ["create"]  
  # ClusterRole for read permission to whole cluster
  - kind: ClusterRole
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-cluster-reader-role
    rules:
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create"]
    - apiGroups: [""]
      resources: ["nodes", "pods", "pods/status", "replicationcontrollers/status", "nodes/status"]
      verbs: ["get"]
    - apiGroups: ["apps"]
      resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
      verbs: ["get"]
    - apiGroups: ["batch"]
      resources: ["jobs/status", "cronjobs/status"]
      verbs: ["get"]
  # RoleBinding to assign permissions in qualys-reader-role to qualys-service-account 
  - kind: RoleBinding
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-reader-rb
      namespace: qualys
    subjects:
    - kind: ServiceAccount
      name: qualys-service-account
      namespace: qualys
    roleRef:
      kind: Role
      name: qualys-reader-role 
      apiGroup: rbac.authorization.k8s.io      
  # ClusterRoleBinding to assign permissions in qualys-cluster-reader-role to qualys-service-account 
  - kind: ClusterRoleBinding
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-cluster-reader-rb
    subjects:
    - kind: ServiceAccount
      name: qualys-service-account
      namespace: qualys
    roleRef:
      kind: ClusterRole
      name: qualys-cluster-reader-role 
      apiGroup: rbac.authorization.k8s.io
  # Qualys Container Sensor pod with 
  - apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: qualys-container-sensor
      namespace: qualys
      labels:
        k8s-app: qualys-cs-sensor
    spec:
      selector:
        matchLabels:
          name: qualys-container-sensor
      updateStrategy:
          type: RollingUpdate
      template:
        metadata:
          labels:
            name: qualys-container-sensor
        spec:
          #tolerations:
          # this toleration is to have the daemonset runnable on master nodes
          # remove it if want your masters to run sensor pod
          #- key: node-role.kubernetes.io/master
          #  effect: NoSchedule
          serviceAccountName: qualys-service-account 
          containers:
          - name: qualys-container-sensor
            image: qualys/qcs-sensor:latest
            imagePullPolicy : IfNotPresent
            resources:
              limits:
                cpu: "0.2" # Default CPU usage limit on each node for sensor.
            args: ["--k8s-mode", "--container-runtime", "containerd"]
            env:
            - name: CUSTOMERID
              value: __customerId
            - name: ACTIVATIONID
              value: __activationId
            - name: POD_URL
              value: 
            - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
              value: "10"
# uncomment(and indent properly) below section if proxy is required to connect Qualys Cloud
            #- name: qualys_https_proxy
            #  value: <proxy FQDN or Ip address>:<port#>
            - name: QUALYS_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: QUALYS_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            volumeMounts:
            - mountPath: /var/run/containerd/containerd.sock
              name: socket-volume
              readOnly: true
            - mountPath: /usr/local/qualys/qpa/data
              name: persistent-volume
            - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
              name: agent-volume
# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud
            #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
            #  name: proxy-cert-path              
            securityContext:
              allowPrivilegeEscalation: false
          volumes:
            - name: socket-volume
              hostPath:
                path: /var/run/containerd/containerd.sock
                type: Socket
            - name: persistent-volume
              hostPath:
                path: /usr/local/qualys/sensor/data
                type: DirectoryOrCreate
            - name: agent-volume
              hostPath:
                path: /etc/qualys
                type: DirectoryOrCreate
# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud
            #- name: proxy-cert-path
            #  hostPath:
            #    path: <proxy certificate path>
            #    type: File                
          hostNetwork: true