Admission Controller

Sysdig Admission Controller - This chart deploys the Sysdig Admission Controller in your Kubernetes cluster.

TL;DR;

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm install admission-controller sysdig/admission-controller --create-namespace -n admission-controller

Introduction

This chart deploys the Sysdig Admission Controller on a Kubernetes cluster using the Helm package manager.

Prerequisites

Installing the Chart

To install the chart with the release name admission-controller:

$ helm install admission-controller sysdig/admission-controller -n admission-controller

The command deploys the Sysdig Admission Controller on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Tip: List all releases using helm list

Uninstalling the Chart

To uninstall/delete the admission-controller:

$ helm delete admission-controller -n admission-controller

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

The following table lists the configurable parameters of the admission-controller chart and their default values.

Parameter Description Default
sysdig.url The Sysdig URL prefix "https://secure.sysdig.com"
sysdig.secureAPIToken API Token to access Sysdig Secure ""
sysdig.existingSecureAPITokenSecret Existing secret with API Token to access Sysdig Secure Alternatively, specify the name of a Kubernetes secret containing ‘SECURE_API_TOKEN’ and ‘AUTH_BEARER_TOKEN’ entry if you’re also enabling scanner ""
clusterName Cluster Name which appear on Secure UI ""
features.k8sAuditDetections Enable K8s Audit detections with Falco rules false
features.k8sAuditDetectionsRules Admission Webhook Configuration rules for the Audit Detections [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]
verifySSL Verify SSL on HTTPS connections to Sysdig Secure true
nameOverride Chart name override ""
fullnameOverride Chart full name override ""
serviceAccounts.webhook.create Create the service account true
serviceAccounts.webhook.annotations Extra annotations for serviceAccount {}
serviceAccounts.webhook.name Use this value as serviceAccount Name ""
serviceAccounts.scanner.create Create the service account true
serviceAccounts.scanner.annotations Extra annotations for serviceAccount {}
serviceAccounts.scanner.name Use this value as serviceAccount Name ""
webhook.name Service name for Webhook deployment webhook
webhook.replicaCount Amount of replicas for webhook 1
webhook.image.registry Webhook image registry quay.io
webhook.image.repository Webhook image registry sysdig/admission-controller
webhook.image.pullPolicy PullPolicy for Webhook image IfNotPresent
webhook.image.tag Override the default image tag. If not specified, it defaults to appVersion in Chart.yaml ``
webhook.service.type Use this type as webhook service ClusterIP
webhook.service.port Configure port for the webhook service 443
webhook.httpProxy HTTP Proxy settings for webhook. Set to http://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy ""
webhook.httpsProxy HTTPS Proxy settings for webhook. Set to https://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy ""
webhook.noProxy List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include “kubernetes” service and typical 10.0.0.0/8 services kubernetes,10.0.0.0/8
webhook.podAnnotations Webhook pod annotations {"prometheus.io/path":"/metrics","prometheus.io/port":"5000","prometheus.io/scheme":"https","prometheus.io/scrape":"true","sidecar.istio.io/inject":"false"}
webhook.podSecurityContext PSP’s for webhook {}
webhook.securityContext Configure securityContext for webhook {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}
webhook.hostNetwork Specifies if the webhook should be started in hostNetwork mode. This is required if using a custom CNI where the managed control plane nodes are unable to initiate network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or recommended in most contexts. false
webhook.imagePullSecrets The image pull secrets for webhook []
webhook.resources Resource request and limits for webhook {}
webhook.timeoutSeconds Number of seconds for the request to time out 10
webhook.nodeSelector Configure nodeSelector for scheduling for webhook {}
webhook.tolerations Tolerations for scheduling for webhook []
webhook.affinity Configure affinity rules for webhook {}
webhook.denyOnError Deny request when an error happened evaluating request false
webhook.dryRun Dry Run request false
scanner.enabled Deploy the Inline Scanner Service true
scanner.name Service name for Scanner deployment scanner
scanner.replicaCount Amount of replicas for scanner 1
scanner.image.registry Scanner image registry quay.io
scanner.image.repository Scanner image repository sysdig/inline-scan-service
scanner.image.pullPolicy PullPolicy for Scanner image IfNotPresent
scanner.image.tag Scanner image tag 0.0.9
scanner.service.port Configure port for the webhook service 8080
scanner.authWithSecureToken Authenticate with Secure token false
scanner.httpProxy HTTP Proxy settings for scanner. Set to http://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy ""
scanner.httpsProxy HTTPS Proxy settings for scanner. Set to https://proxyIp:proxyPort in case connection to Sysdig Secure requires a proxy ""
scanner.noProxy List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. We include “kubernetes” service and typical 10.0.0.0/8 services kubernetes,10.0.0.0/8
scanner.podAnnotations Scanner pod annotations {"prometheus.io/path":"/metrics","prometheus.io/port":"8080","prometheus.io/scrape":"true"}
scanner.psp.create Whether to create a psp policy and role / role-binding false
scanner.podSecurityContext PSP’s for scanner {}
scanner.verifyRegistryTLS Verify TLS on image pull from registries true
scanner.dockerCfgSecretName Docker config secret. Use a provided secret containing a .dockercfg for registry authentication (i.e. Openshift internal registry) ""
scanner.securityContext Configure securityContext for scanner {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}
scanner.imagePullSecrets The image pull secrets for scanner []
scanner.resources Resource requests and limits for scanner {}
scanner.nodeSelector Configure nodeSelector for scheduling for the scanner {}
scanner.tolerations Tolerations for scheduling for the scanner []
scanner.affinity Configure affinity rules for the scanner {}

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example:

$ helm install admission-controller sysdig/admission-controller --create-namespace -n admission-controller  --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:

$ helm install admission-controller sysdig/admission-controller --create-namespace -n admission-controller --values values.yaml

Custom Admission Controller Rules to be detected

In case you don’t want to detect some resources you can create your custom rules. To achieve this, you can change the k8sAuditDetectionsRules variable in the values.yaml file. For example, if you want to filter out secrets from the AC you can try with these rules:]

- apiGroups:
  - ""
  apiVersions: [ "*" ]
  operations: [ "*" ]
  resources:
  - bindings
  - componentstatuses
  - configmaps
  - endpoints
  - events
  - limitranges
  - namespaces
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods/*
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  scope: "*"
- apiGroups:
  - apps
  - autoscaling
  - batch
  - networking.k8s.io
  - rbac.authorization.k8s.io
  - extensions
  apiVersions: [ "*" ]
  operations: [ "*" ]
  resources: [ "*/*" ]
  scope: "*"

On Prem deployment

Use the following command to deploy in an on-prem:

$ helm install  --create-namespace -n admission-controller admission-controller \
                --set sysdig.url=SECURE_URL \
                --set sysdig.secureAPIToken=SECURE_API_TOKEN \
                --set clusterName=CLUSTER_NAME \
                --set verifySSL=false \
                sysdig/admission-controller

Use verifySSL=false if you are using self signed certificates.