Cloud Run

QScan can be deployed as a Google Cloud Run Worker Pool. Worker pools are long-running instances suited for background processing workloads like QScan.

Prerequisites

Google Cloud project with Cloud Run API enabled
gcloud CLI with beta components installed
Secrets stored in Google Secret Manager

CPU Configuration

Create a worker.yaml file:

apiVersion: run.googleapis.com/v1
kind: WorkerPool
metadata:
  annotations:
    run.googleapis.com/launch-stage: BETA
    run.googleapis.com/scalingMode: manual
    run.googleapis.com/manualInstanceCount: "1"
  name: qscan-worker
spec:
  template:
    metadata:
      annotations:
        run.googleapis.com/execution-environment: gen2
        run.googleapis.com/cpu-throttling: "false"
    spec:
      containers:
        - name: qscan-worker
          image: us-docker.pkg.dev/qpoint-edge/public/qscan:latest
          env:
            - name: NUM_POLLERS
              value: "2"
            - name: NUM_SCANNERS
              value: "2"
            - name: LOG_LEVEL
              value: "info"
            - name: LOG_ENCODING
              value: "json"
            - name: METRICS_PORT
              value: "8080"
            - name: REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  key: latest
                  name: qscan-registration-token
          livenessProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 6000m
              memory: 24Gi
          startupProbe:
            httpGet:
              path: /
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 30
            failureThreshold: 5

Deploy with:

gcloud beta run worker-pools replace worker.yaml --region=us-central1

GPU Configuration

For GPU-accelerated scanning, modify the resource limits:

          resources:
            limits:
              cpu: 4000m
              memory: 16Gi
              nvidia.com/gpu: "1"

GPU support in Cloud Run requires a region that offers GPU instances. Check the Cloud Run GPU documentation for available regions and GPU types.

Secret Manager

Store sensitive values in Google Secret Manager and reference them in your worker configuration:

echo -n "your-registration-token" | \
  gcloud secrets create qscan-registration-token --data-file=-

echo -n "your-s3-access-key" | \
  gcloud secrets create qscan-s3-access-key --data-file=-

Reference secrets in the worker YAML using secretKeyRef:

            - name: REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  key: latest
                  name: qscan-registration-token

Ensure the Cloud Run service account has the roles/secretmanager.secretAccessor role.

Updating the Image

To update the QScan image without modifying the full configuration:

gcloud beta run worker-pools update qscan-worker \
  --image=us-docker.pkg.dev/qpoint-edge/public/qscan:latest \
  --region=us-central1

PreviousKubernetes NextConfiguration

Last updated 1 day ago

hashtagPrerequisites

hashtagCPU Configuration

hashtagGPU Configuration

hashtagSecret Manager

hashtagUpdating the Image

Prerequisites

CPU Configuration

GPU Configuration

Secret Manager

Updating the Image