cssensor-ds_pv_pvc.yml

kind: List
apiVersion: v1
items:
  - kind: Namespace
    apiVersion: v1
    metadata:
      name: qualys
  - kind: PersistentVolume
    apiVersion: v1
    metadata:
      name: qualys-sensor-pv-volume
      labels:
        type: local
    spec:
      storageClassName: manual
      capacity:
        storage: 5Gi
      accessModes:
        - ReadWriteOnce
      hostPath:
        path: "/mnt/data/"
  - kind: PersistentVolumeClaim
    apiVersion: v1
    metadata:
      name: qualys-sensor-pv-claim
      namespace: qualys
    spec:
      storageClassName: manual
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
  # Service Account
  - kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: qualys-service-account
      namespace: qualys
  # Role for read/write/delete permission to qualys namespace
  - kind: Role
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-reader-role
      namespace: qualys
    rules:
    - apiGroups: ["","batch"]
      resources: ["pods","jobs"]
      verbs: ["get", "list", "watch","create", "delete", "deletecollection"]
    - apiGroups: [""]
      resources: ["pods/status"]
      verbs: ["get"]
    - apiGroups: [""]
      resources: ["pods/attach", "pods/exec"]
      verbs: ["create"]   
  - kind: ClusterRole
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-cluster-reader-role
    rules:
    - apiGroups: [""]
      resources: ["nodes", "pods/status", "replicationcontrollers/status", "nodes/status"]
      verbs: ["get"]
    - apiGroups: ["apps"]
      resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
      verbs: ["get"]
    - apiGroups: ["batch"]
      resources: ["jobs/status", "cronjobs/status"]
      verbs: ["get"]
  # RoleBinding to assign permissions in qualys-reader-role to qualys-service-account
  - kind: RoleBinding
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-reader-role-rb
      namespace: qualys
    subjects:
    - kind: ServiceAccount
      name: qualys-service-account
      namespace: qualys
    roleRef:
      kind: Role
      name: qualys-reader-role 
      apiGroup: rbac.authorization.k8s.io
  - kind: ClusterRoleBinding
    # if k8s version is 1.17 and earlier then change apiVersion to "rbac.authorization.k8s.io/v1beta1"
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: qualys-cluster-reader-rb
    subjects:
    - kind: ServiceAccount
      name: qualys-service-account
      namespace: qualys
    roleRef:
      kind: ClusterRole
      name: qualys-cluster-reader-role
      apiGroup: rbac.authorization.k8s.io
  # Qualys Container Sensor pod with
  - apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: qualys-container-sensor
      namespace: qualys
      labels:
        k8s-app: qualys-cs-sensor
    spec:
      selector:
        matchLabels:
          name: qualys-container-sensor
      updateStrategy:
          type: RollingUpdate
      template:
        metadata:
          labels:
            name: qualys-container-sensor
        spec:
          #tolerations:
          # this toleration is to have the daemonset runnable on master nodes
          # remove it if want your masters to run sensor pod
          #- key: node-role.kubernetes.io/master
          #  effect: NoSchedule
          serviceAccountName: qualys-service-account
          containers:
          - name: qualys-container-sensor
            image: qualys/qcs-sensor:latest
            imagePullPolicy : IfNotPresent
            resources:
              limits:
                cpu: "0.2" # Default CPU usage limit on each node for sensor.
            args: ["--k8s-mode"]
            env:
            - name: CUSTOMERID
              value: __customerId
            - name: ACTIVATIONID
              value: __activationId
            - name: POD_URL
              value: 
            - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
              value: "10"
# uncomment(and indent properly) below section if using Docker HTTP socket with TLS
            #- name: DOCKER_TLS_VERIFY
            #  value: "1"
# uncomment(and indent properly) below section if proxy is required to connect Qualys Cloud
            #- name: qualys_https_proxy
            #  value: <proxy FQDN or Ip address>:<port#>
            - name: QUALYS_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: QUALYS_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace 
            volumeMounts:
            - mountPath: /var/run/docker.sock
              name: socket-volume
              readOnly: true
            - mountPath: /usr/local/qualys/qpa/data
              name: persistent-volume
            - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
              name: agent-volume
# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud
            #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
            #  name: proxy-cert-path
# uncomment(and indent properly) below section if using Docker HTTP socket with TLS
            #- mountPath: /root/.docker
            #  name: tls-cert-path
            securityContext:
              allowPrivilegeEscalation: false
          volumes:
            - name: socket-volume
              hostPath:
                path: /var/run/docker.sock
                type: Socket
            - name: persistent-volume
              persistentVolumeClaim:
                claimName: qualys-sensor-pv-claim
            - name: agent-volume
              hostPath:
                path: /etc/qualys
                type: DirectoryOrCreate
# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud
            #- name: proxy-cert-path
            #  hostPath:
            #    path: <proxy certificate path>
            #    type: File
# uncomment(and indent properly) below section if using Docker HTTP socket with TLS
            #- name: tls-cert-path
            #  hostPath:
            #    path: <Path of directory of client certificates>
            #    type: Directory
          hostNetwork: true