diff --git a/cssensor-pvc-openshift-crio-ds.yml b/cssensor-pvc-openshift-crio-ds.yml
new file mode 100644
index 0000000..fd84165
--- /dev/null
+++ b/cssensor-pvc-openshift-crio-ds.yml
@@ -0,0 +1,206 @@
+kind: List
+apiVersion: v1
+items:
+ # Create custom namespace qualys
+ - kind: Namespace
+ apiVersion: v1
+ metadata:
+ name: qualys
+ # Service Account
+ - kind: ServiceAccount
+ apiVersion: v1
+ metadata:
+ name: qualys-service-account
+ namespace: qualys
+ #Persistent Volume
+ - kind: PersistentVolume
+ apiVersion: v1
+ metadata:
+ name: qualys-sensor-pv-volume
+ labels:
+ type: local
+ spec:
+ storageClassName: manual
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ hostPath:
+ path: "/mnt/data/"
+ - kind: PersistentVolumeClaim
+ apiVersion: v1
+ metadata:
+ name: qualys-sensor-pv-claim
+ namespace: qualys
+ spec:
+ storageClassName: manual
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ # Role for all permission to qualys namespace
+ - kind: Role
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+ name: qualys-reader-role
+ namespace: qualys
+ rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["create", "delete", "deletecollection"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get","create", "delete", "deletecollection"]
+ - apiGroups: [""]
+ resources: ["pods/attach"]
+ verbs: ["create"]
+ # ClusterRole for read permission to whole cluster
+ - kind: ClusterRole
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+ name: qualys-cluster-reader-role
+ rules:
+ - apiGroups: [""]
+ resources: ["nodes", "pods/status", "replicationcontrollers/status", "nodes/status"]
+ verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get","list","watch"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets/status", "daemonsets/status", "deployments/status", "statefulsets/status"]
+ verbs: ["get"]
+ - apiGroups: ["batch"]
+ resources: ["jobs/status", "cronjobs/status"]
+ verbs: ["get"]
+ # RoleBinding to assign permissions in qualys-reader-role to qualys-service-account
+ - kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+ name: qualys-reader-rb
+ namespace: qualys
+ subjects:
+ - kind: ServiceAccount
+ name: qualys-service-account
+ namespace: qualys
+ roleRef:
+ kind: Role
+ name: qualys-reader-role
+ apiGroup: rbac.authorization.k8s.io
+ # ClusterRoleBinding to assign permissions in qualys-cluster-reader-role to qualys-service-account
+ - kind: ClusterRoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+ name: qualys-cluster-reader-rb
+ subjects:
+ - kind: ServiceAccount
+ name: qualys-service-account
+ namespace: qualys
+ roleRef:
+ kind: ClusterRole
+ name: qualys-cluster-reader-role
+ apiGroup: rbac.authorization.k8s.io
+ - kind: SecurityContextConstraints
+ apiVersion: security.openshift.io/v1
+ metadata:
+ name: scc-qualys-sensor
+ allowHostDirVolumePlugin: true
+ allowHostNetwork: true
+ allowHostIPC: false
+ allowHostPID: false
+ allowHostPorts: false
+ allowPrivilegedContainer: false
+ readOnlyRootFilesystem: false
+ runAsUser:
+ type: RunAsAny
+ seLinuxContext:
+ type: RunAsAny
+ users:
+ - system:serviceaccount:qualys:qualys-service-account
+ # Qualys Container Sensor pod with
+ - apiVersion: apps/v1
+ kind: DaemonSet
+ metadata:
+ name: qualys-container-sensor
+ namespace: qualys
+ labels:
+ k8s-app: qualys-cs-sensor
+ spec:
+ selector:
+ matchLabels:
+ name: qualys-container-sensor
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ name: qualys-container-sensor
+ spec:
+ #tolerations:
+ # this toleration is to have the daemonset runnable on master nodes
+ # remove it if want your masters to run sensor pod
+ #- key: node-role.kubernetes.io/master
+ # effect: NoSchedule
+ serviceAccountName: qualys-service-account
+ containers:
+ - name: qualys-container-sensor
+ image: qualys/qcs-sensor:latest
+ imagePullPolicy : IfNotPresent
+ resources:
+ limits:
+ cpu: "0.2" # Default CPU usage limit on each node for sensor.
+ args: ["--k8s-mode", "--container-runtime", "cri-o"]
+ env:
+ - name: CUSTOMERID
+ value: __customerID
+ - name: ACTIVATIONID
+ value: --activationID
+ - name: POD_URL
+ value:
+ - name: QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT
+ value: "10"
+# uncomment(and indent properly) below section if proxy is required to connect Qualys Cloud
+ #- name: qualys_https_proxy
+ # value: :
+ - name: QUALYS_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: QUALYS_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - mountPath: /var/run/crio/crio.sock
+ name: socket-volume
+ readOnly: true
+ - mountPath: /usr/local/qualys/qpa/data
+ name: persistent-volume
+ - mountPath: /usr/local/qualys/qpa/data/conf/agent-data
+ name: agent-volume
+# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud
+ #- mountPath: /etc/qualys/qpa/cert/custom-ca.crt
+ # name: proxy-cert-path
+ securityContext:
+ allowPrivilegeEscalation: false
+ volumes:
+ - name: socket-volume
+ hostPath:
+ path: /var/run/crio/crio.sock
+ type: Socket
+ - name: persistent-volume
+ persistentVolumeClaim:
+ claimName: qualys-sensor-pv-claim
+ - name: agent-volume
+ hostPath:
+ path: /etc/qualys
+ type: DirectoryOrCreate
+# uncomment(and indent properly) below section if proxy(with CA cert) required to connect Qualys Cloud
+ #- name: proxy-cert-path
+ # hostPath:
+ # path:
+ # type: File
+ hostNetwork: true
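Review bot: The comment `# ClusterRole for read permission to whole cluster` understates what the ClusterRole grants: the rule `resources: ["pods/exec"]` with `verbs: ["create"]` allows exec into any pod in any namespace, and combined with the CRI-O socket mount and `hostNetwork: true` in the DaemonSet this service account is well beyond read-only, so the comment should say so, e.g. `# ClusterRole: cluster-wide read of workload status plus pods/exec create (needed by the sensor; treat the SA as highly privileged)`. Note also that `readOnly: true` on the `/var/run/crio/crio.sock` mount does not limit what can be sent through the socket (a read-only mount still permits connecting to a unix socket), so it should not be read as a hardening control. The sensor credentials are committed as plain env values (`value: __customerID`, `value: --activationID`) while `POD_URL` is a bare `value:` that parses as null; referencing them from a Secret via `valueFrom.secretKeyRef` keeps them out of the manifest and makes a missing value fail at pod start instead of silently running with a placeholder. Lastly, `image: qualys/qcs-sensor:latest` with `imagePullPolicy : IfNotPresent` (stray space before the colon) gives non-reproducible rollouts on nodes that already cached `latest`; pin a version tag or digest.
```yaml
        env:
          - name: CUSTOMERID
            valueFrom:
              secretKeyRef:
                name: qualys-sensor-credentials   # constructed name; create the Secret out of band
                key: customerId
          - name: ACTIVATIONID
            valueFrom:
              secretKeyRef:
                name: qualys-sensor-credentials
                key: activationId
          # … unchanged: POD_URL, QUALYS_SCANNING_CONTAINER_LAUNCH_TIMEOUT, proxy and downward-API entries …
```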