Qualys Cloud Platform 1.33 (CS) API Notification 1

Prabhas Gupte

Last updated on: May 31, 2024

A new release of Qualys Cloud Platform 1.33 (CS), which includes updated APIs, is targeted for release in May 2024. The specific day will differ depending on the platform. See platform release dates on the Qualys Status page. This API notification provides an early preview of the upcoming APIs, allowing you to identify use cases that can leverage these updated APIs.

What’s New

This release introduces new APIs for Kubernetes Clusters and Admission Controllers, allowing you to manage Clusters and Admission Controllers, view details, and update settings efficiently. Additionally, relevant APIs are updated to support centralized policies for Kubernetes Admission Controllers, enabling the creation and assignment of policies for enhanced control. CRS 1.0 is deprecated in this release, with associated APIs and documentation being phased out. Along with these, we have introduced new APIs to tag your Container Security assets.

Kubernetes Admission Controller

In this release, we have introduced new APIs to effectively work with your Kubernetes Clusters and Admission Controllers.

New API: Show a list of Kubernetes Clusters

GET /csapi/v1.3/k8sClusters

This API shows you a list of Kubernetes Clusters in your account.

New API: Show Details of a Kubernetes Cluster

GET /csapi/v1.3/k8sClusters/{clusterUid}

This API helps you see the details of the specified cluster.

New API: Update the Registry UUID of a Kubernetes Cluster

PUT /csapi/v1.3/k8sClusters/{clusterUid}

With this API, you can update the registry details of the specified k8s cluster.

New API: Show Details of a Kubernetes Admission Controller

GET /csapi/v1.3/k8sAdmissionControllers/{uuid}

This API shows you the details of the k8s Admission Controller with the specified uuid.

New API: Update Enforcement Action of a Kubernetes Admission Controller

PUT /csapi/v1.3/k8sAdmissionController/{uuid}

With this API, you can validate your action against the policies specified in the Admission Controller. You can update the enforcementAction parameter of the specified k8s admission controller either to allow your action to pass irrespective of the assigned policy, or to validate the action against the assigned policy and, based on the result, allow or deny it.

Centralized Policies for Kubernetes Admission Controller

With this release, you can now create and assign a centralized policy to your K8s Admission Controller. The following APIs are updated with this release.

Create a Centralized Policy

POST /csapi/v1.3/centralizedPolicy

With this release, a new policy type called K8S_Admission_Controller is introduced along with k8sFilters in the request to provide cluster and namespace details.

Show a list of Centralized Policies

GET /csapi/v1.3/centralizedPolicy

This API provides a list of all centralized policies present in your account. With this release, you can also see Kubernetes Admission Controller policies. You will see a new policyType called K8S_ADMISSION_CONTROLLER.

Show Details of a Centralized Policy

GET /csapi/v1.3/centralizedPolicy/{policyId}

With this release, a new policy type called K8S_Admission_Controller is introduced along with k8sFilters in the response to provide cluster and namespace details.

Delete a Centralized Policy

DELETE /csapi/v1.3/centralizedPolicy/{policyId}

With this API, you can now delete Kubernetes Admission Controller type policies as well.

Update a Centralized Policy

PUT /csapi/v1.3/centralizedPolicy/{policyId}

With this API, you can mark a policy as Active or Inactive. You need to provide the k8sFilters parameter in the request.

Show Details of the Default Centralized Policy

GET /csapi/v1.3/centralizedPolicy/defaultPolicy/{policyType}

This API shows details of the default centralized policy. It will now also support policies of K8S_ADMISSION_CONTROLLER type.

Update the Policy Mode of a Centralized Policy

PUT /csapi/v1.3/centralizedPolicy/{policyId}/mode

With this API, you can mark a Kubernetes Admission Controller policy as Active or Inactive.

CRS 1.0 Deprecation

With this release, Container Runtime Security (CRS) 1.0 is being deprecated. Please refer to the CRS 1.0 End of Life Notification for more details.

This deprecation also results in the associated CRS APIs being deprecated. The following entities are being deprecated along with this release.

Asset Tagging

With this release, you can assign and manage static tags of an asset (image, container). With the help of these static tags, you can categorize and organize your images and containers. The following APIs are introduced with this release.

New API: Assign Tags to an Asset

POST /csapi/v1.3/tag/assign

This API allows you to assign one or more tags to an image or a container.

New API: Assign Multiple Tags to Multiple Assets

POST /csapi/v1.3/tag/assign/bulk

This API allows you to assign one or more tags to multiple images or containers.

New API: Remove Tags Assigned to Assets

POST /csapi/v1.3/tag/remove

This API is used to remove one or more tags from an asset.

New API: Validate Asset Tags

POST /csapi/v1.3/tag/exist

This API is used to validate an asset tag.

Active Images

With this update, you can view the most recent update time of the images within your cluster. This enhancement is aimed at assisting you in prioritizing which images require vulnerability fixes. We have introduced a new input parameter named imageInUse in the APIs listed below. This parameter allows you to retrieve the images utilized within a specified timeframe. Additionally, the response now includes a lastUsedDate parameter, indicating the latest time the specified image was used.

Updated API: Fetch a List of Images in Your Account

GET /csapi/v1.3/images

Updated API: Fetch a List of Images (Bulk API)

GET /csapi/v1.3/images/list

Updated API: Fetch Image Details

GET /csapi/v1.3/images/{imageSha}

Please refer to the detailed release notes here: https://cdn2.qualys.com/docs/release-notes/qualys-container-security-1.33-api-release-notes.pdf
