Admission Controller
This chart deploys the Sysdig Admission Controller on a Kubernetes cluster using the Helm package manager.
Overview
Sysdig Admission Controller provides Audit Logging and optional Image Scanning capabilities to secure your Kubernetes environment.
Use the sysdig-deploy parent chart to deploy the Admission Controller and any other subcomponents. Do not deploy subcharts directly.
To deploy the Admission Controller, follow the installation instructions given in Install Kubernetes Audit Logging.
Use Cases
Kubernetes Audit Logging
This chart is primarily responsible for enabling Kubernetes audit logging so that Sysdig Secure can audit the following:
- Creation and destruction of pods, services, deployments, and DaemonSets.
- Creating, updating, and removing ConfigMaps or secrets.
- Attempts at subscribing to the changes to any endpoint.
For deployment instructions, including common deployment configurations related to proxies and certificates, see Install Kubernetes Audit Logging.
(Legacy Option) Image Scanning Using Scanning Engine V1
If you use the Legacy Scanning Engine instead of the new Vulnerability Management engine in Sysdig Secure, you can deploy the admission-controller chart with old scanning options enabled and use admission controller policies to reject container images that do not fulfill the policy requirements from the cluster before being scheduled.
This option is enabled by default unless you specify --scanner.enabled=false .
Verify the Integrity and Origin
Sysdig Helm charts are signed so you can confirm the integrity and origin of each chart. To do so:
-
Import the Public Key:
$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg" $ gpg --import /tmp/sysdig_public.gpg -
Verify the chart by appending the
--verifyflag to theinstall,upgrade, andpullhelm commands.
Configuration
Using the Key-Value Pair
Specify each parameter using the --set key=value[,key=value] argument to the helm installcommand.
For example:
helm upgrade --install admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller --version=0.16.10 \
--set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
Using values.yaml
The values.yaml file specifies the values for the admission controller configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.
For example:
helm upgrade --install admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller --version=0.16.10 \
--values values.yaml
See the default values.yaml file for more information.
Configuration Parameters
The following table lists the configurable parameters of the admission-controller chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| global.clusterConfig | The global cluster configuration options. | {} |
| global.sysdig.secureAPIToken | The global API token to access Sysdig Secure. | "" |
| global.sysdig.secureAPITokenSecret | The global secret with API Token to access Sysdig Secure. | "" |
| global.sysdig.region | The global Sysdig Secure region. | "us1" |
| global.sysdig.accessKey | The global Access Key to access Sysdig Secure. | "" |
| global.proxy | Global HTTP Proxy settings. | {} |
| global.image.pullSecrets | [] |
|
| global.image.pullPolicy | IfNotPresent |
|
| global.ssl.ca.certs | For outbound connections (secure backend, proxy,…) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] |
| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | |
| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | |
| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | |
| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | |
| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | |
| clusterName | required The cluster Name which appear on Secure UI |
"" |
| namespace | The namespace to install components. An optional field. If not specified, it will default to the release namespace. IMPORTANT: Ensure that a namespace is already exist, otherwise installation will fail. |
"" |
| sysdig.secureAPIToken | required The API Token to access Sysdig Secure. If neither this value nor sysdig.existingSecureAPITokenSecret is configured, you are required to provide the deployment with the SECURE_API_TOKEN (and AUTH_BEARER_TOKEN if the scanner is enabled) environment variable. Overrides the global.sysdig.secureAPIToken parameter. |
"" |
| sysdig.existingSecureAPITokenSecret | required The existing secret with API Token to access Sysdig Secure. Alternatively, specify the name of a Kubernetes secret containing SECURE_API_TOKEN and AUTH_BEARER_TOKEN entry if you’re also enabling scanner. If neither this value nor sysdig.secureAPIToken is configured, you are required to provide the deployment with the SECURE_API_TOKEN (and AUTH_BEARER_TOKEN if the scanner is enabled) environment variable. |
"" |
| sysdig.accessKey | required for KSPM Admission Controller Access Key to access Sysdig Secure. Either this value or sysdig.existingAccessKeySecret is required Overrides global.sysdig.accessKey |
"" |
| sysdig.existingAccessKeySecret | Alternatively, specify the name of a Kubernetes secret containing an ‘access-key’ entry. Overrides global.sysdig.existingAccessKeySecret |
"" |
| sysdig.apiEndpoint | Sysdig URL. - The default for the us-east region is secure.sysdig.com. - For us-west use us2.app.sysdig.com - For European Union, use eu1.app.sysdig.com - For APAC, use app.au1.sysdig.com - For US4 (our west Google cloud region) use app.us4.sysdig.com - For on-prem, your own enpoints |
"" |
| features.k8sAuditDetections | Enable Kubernetes Audit detections with Falco rules. | true |
| features.kspmAdmissionController | Enable KSPM Admission Controller | false |
| features.k8sAuditDetectionsRules | Admission Webhook Configuration rules for the Audit Detections | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}] |
| verifySSL | Used for outbound connections, such as Secure backend and proxy. Specifies whether to verify SSL on HTTPS connections. |
true |
| nameOverride | The chart name override. | "" |
| fullnameOverride | The chart full name override. | "" |
| labels | Additional labels. It applies to both scanner and webhook. | {} |
| serviceAccounts.webhook.create | Creates the service account. | true |
| serviceAccounts.webhook.annotations | The additional annotations for serviceAccount. | {} |
| serviceAccounts.webhook.name | Use this value as serviceAccount Name. | "" |
| serviceAccounts.scanner.create | Creates the service account. | true |
| serviceAccounts.scanner.annotations | The additional annotations for serviceAccount. | {} |
| serviceAccounts.scanner.name | Use this value as serviceAccount Name. | "" |
| podMonitors.webhook.enabled | Enable the webhook PodMonitor to scrape metrics. | false |
| podMonitors.webhook.labels | Specifies the labels on the webhook PodMonitor. | {} |
| podMonitors.webhook.annotations | The annotations on the webhook PodMonitor. | {} |
| podMonitors.scanner.enabled | Enable the scanner PodMonitor to scrape metrics. | false |
| podMonitors.scanner.labels | Specifies the labels on the scanner PodMonitor. | {} |
| podMonitors.scanner.annotations | The annotatons on the scanner PodMonitor | {} |
| webhook.v2.nats.insecure | Allow insecure TLS certificates in backend connection to NATS service | false |
| webhook.v2.nats.url | Override the NATS service connection URL | "" |
| webhook.v2.service.type | Use this type as webhook service | ClusterIP |
| webhook.v2.service.port | Configure port for the V2 webhook service | 6443 |
| webhook.v2.http.port | HTTP serve port where the requests will be served from | 6443 |
| webhook.v2.image.registry | The KSPM Admission Controller image registry | quay.io |
| webhook.v2.image.repository | The KSPM Admission Controller image repository | sysdig/secure-admission-controller |
| webhook.v2.image.tag | The KSPM Admission Controller image tag | 1.27.5 |
| webhook.v2.image.digest | Specifies the image digest value. If set, this value is used instead of the tag value | |
| webhook.v2.image.pullPolicy | The PullPolicy for KSPM Admission Controller image | |
| webhook.name | The service name for Webhook deployment | webhook |
| webhook.vm.enabled | false |
|
| webhook.replicaCount | The number of replicas for webhook. Deprecated, use webhook.autoscaling.minReplicas and webhook.autoscaling.maxReplicas instead. |
1 |
| webhook.image.registry | The webhook image registry | quay.io |
| webhook.image.repository | The webhook image repository | sysdig/admission-controller |
| webhook.image.pullPolicy | The PullPolicy for Webhook image | |
| webhook.image.tag | Overrides the default image tag. If not specified, it defaults to appVersion in Chart.yaml | |
| webhook.image.digest | Specifies the image digest value. If set, this value is used instead of the tag value | |
| webhook.labels | Specifies the additional labels; applies to webhook only. | {} |
| webhook.service.type | Use this type as webhook service. | ClusterIP |
| webhook.service.port | Configure port for the webhook service. | 443 |
| webhook.rbac.create | Enable the creation of ClusterRoles and the binding of these roles. | true |
| webhook.httpProxy | The HTTP Proxy settings for webhook. Set to http(s)://proxyIp:proxyPort if the connections to Sysdig Secure requires a proxy. |
"" |
| webhook.httpsProxy | The HTTPS Proxy settings for webhook. Set to http(s)://proxyIp:proxyPort if the connection to Sysdig Secure requires a proxy. |
"" |
| webhook.noProxy | List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. Sysdig includes “kubernetes” service and typical 10.0.0.0/8 services. | kubernetes,10.0.0.0/8 |
| webhook.podAnnotations | The webhook pod annotations. If empty, some annotations are automatically generated for prometheus scraping. | {} |
| webhook.podSecurityContext | The Pod Security context for webhook.If empty, some security context are automatically generated. | {} |
| webhook.securityContext | Configure securityContext for webhook. If empty, some security context are automatically generated. | {} |
| webhook.hostNetwork | Specifies if the webhook should be started in hostNetwork mode. This field is required if you are using a custom CNI where the managed control plane nodes are unable to initiate network connections to the pods, for example, using Calico CNI plugin on EKS. This is not required or recommended in most contexts. |
false |
| webhook.imagePullSecrets | The image pull secrets for webhook. | [] |
| webhook.resources | Resource request and limits for webhook. | {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}} |
| webhook.pdb.minAvailable | Specifies the minimum number of pods that must remain available during disruptions (such as updates or maintenance). | 1 |
| webhook.autoscaling.enabled | Whether the autocaling feature is enabled or not. | true |
| webhook.autoscaling.minReplicas | The minimum replicas to use while autoscaling the webhook. | 2 |
| webhook.autoscaling.maxReplicas | The maximum replicas to use while autoscaling the webhook. | 5 |
| webhook.autoscaling.targetCPUUtilizationPercentage | The target CPU to use when the number of replicas must be increased. | 80 |
| webhook.timeoutSeconds | The number of seconds for the request to time out. | 5 |
| webhook.nodeSelector | Configure nodeSelector for scheduling for webhook. | {} |
| webhook.priorityClassName | The priorityClassName configuration for the webhook. | |
| webhook.tolerations | Tolerations for scheduling for webhook. | [] |
| webhook.affinity | Configure affinity rules for webhook. | {} |
| webhook.denyOnError | Deny request when an error happened evaluating request. | false |
| webhook.dryRun | Dry Run request | false |
| webhook.logLevel | Specifies the log level. The valid values are error, info, debug, trace. | info |
| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade. | false |
| webhook.ssl.ca.cert | Used for outbound connections, such as Secure backend and proxy. Used also for inbound connections to serve HttpRequests as Kubernetes Webhook. A PEM-encoded x509 certificate authority. |
"" |
| webhook.ssl.ca.certs | For outbound connections (secure backend, proxy,…) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] |
| webhook.ssl.ca.keyName | Filename that is used when creating the secret. Required if cert is provided. | |
| webhook.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | |
| webhook.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | |
| webhook.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | |
| webhook.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | |
| webhook.customEntryPoint | The custom entrypoint for the webhook Remember to provide the webhook valid arguments with --tls_cert_file and --tls_private_key_file. default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key |
[] |
| webhook.http.port | The HTTP serve port where the requests will be served from. | 5000 |
| scc.create | Enable the creation of Security Context Constraints in Openshift. | true |
| scanner.enabled | (Deprecated) If you only want the Kubernetes Audit Log functionality then disable this option and it will disable the Admission Controller Scanning Policy functionality. | false |
| scanner.name | The service name for Scanner deployment. | scanner |
| scanner.replicaCount | The amount of replicas for scanner. | 1 |
| scanner.image.registry | The Scanner image registry. | quay.io |
| scanner.image.repository | The Scanner image repository. | sysdig/inline-scan-service |
| scanner.image.pullPolicy | The PullPolicy for Scanner image. | |
| scanner.image.tag | The Scanner image tag. | 0.0.16 |
| scanner.image.digest | Specify the image digest value. If set, this value is used instead of the tag value. | |
| scanner.labels | Specifies additional labels. It applies to Scanner only. | {} |
| scanner.service.port | Configure port for the webhook service. | 8080 |
| scanner.authWithSecureToken | Authenticate with Secure token. | false |
| scanner.httpProxy | The HTTP Proxy settings for Scanner. Set to http(s)://proxyIp:proxyPort if the connection to Sysdig Secure requires a proxy. |
"" |
| scanner.httpsProxy | The HTTPS Proxy settings for Scanner. Set to http(s)://proxyIp:proxyPort if connection to Sysdig Secure requires a proxy. |
"" |
| scanner.noProxy | Specifies the list of hosts, IPs, or IPs in CIDR format that should not go through the proxy. Sysdig includes “kubernetes” service and typical 10.0.0.0/8 services. | kubernetes,10.0.0.0/8 |
| scanner.podAnnotations | Specifies the Scanner pod annotations. | {"prometheus.io/path":"/metrics","prometheus.io/port":"8080","prometheus.io/scrape":"true"} |
| scanner.psp.create | Specifies whether to create a psp policy and role / role-binding. | false |
| scanner.podSecurityContext | The PSPs for scanner | {} |
| scanner.verifyRegistryTLS | Verify the TLS on image pull from registries. | true |
| scanner.dockerCfgSecretName | The Docker config secret. Use a provided secret containing a .dockercfg for registry authentication (i.e. Openshift internal registry). |
"" |
| scanner.securityContext | Configure securityContext for scanner. | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true} |
| scanner.imagePullSecrets | The image pull secrets for Scanner. | [] |
| scanner.resources | Specifies resource requests and limits for Scanner. | {} |
| scanner.nodeSelector | Configure nodeSelector for scheduling for the Scanner. | {} |
| scanner.priorityClassName | Specifies the priorityClassName configuration for the Scanner. | |
| scanner.tolerations | Specifies the sheduling tolerations for the Scanner. | [] |
| scanner.affinity | Configure affinity rules for the Scanner. | {} |
| scanner.ssl.ca.cert | For outbound connections, such as Secure backend and proxy. A PEM-encoded x509 certificate authority. |
"" |
| scanner.ssl.ca.certs | For outbound connections, for example, the Secure backend and proxy. A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] |
| scanner.ssl.ca.keyName | A filename that is used when creating the secret. Required if cert is provided. | |
| scanner.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | |
| scanner.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set. | |
| scanner.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | |
| scanner.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set. | |
| scanner.customEntryPoint | Custom entrypoint for the scanner. Remember to provide the scanner valid arguments with --server_port and optionally --auth_secure_token default: /inline-scan-service --server_port=8080 |
[] |
Examples
- Default
values.yaml - Find some examples of these values