Admission Controller

This chart deploys the Sysdig Admission Controller on a Kubernetes cluster using the Helm package manager.

Overview

Sysdig Admission Controller provides Audit Logging and optional Image Scanning capabilities to secure your Kubernetes environment.

Use the sysdig-deploy parent chart to deploy the Admission Controller and any other subcomponents. Do not deploy subcharts directly.

To deploy the Admission Controller, follow the installation instructions given in Install Kubernetes Audit Logging.

Use Cases

Kubernetes Audit Logging

This chart is primarily responsible for enabling Kubernetes audit logging so that Sysdig Secure can audit the following:

For deployment instructions, including common deployment configurations related to proxies and certificates, see Install Kubernetes Audit Logging.

(Legacy Option) Image Scanning Using Scanning Engine V1

If you use the Legacy Scanning Engine instead of the new Vulnerability Management engine in Sysdig Secure, you can deploy the admission-controller chart with old scanning options enabled and use admission controller policies to reject container images that do not fulfill the policy requirements from the cluster before being scheduled.

This option is enabled by default unless you specify --scanner.enabled=false .

Verify the Integrity and Origin

Sysdig Helm charts are signed so you can confirm the integrity and origin of each chart. To do so:

  1. Import the Public Key:

    $ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
    $ gpg --import /tmp/sysdig_public.gpg
    
  2. Verify the chart by appending the --verify flag to the install, upgrade, and pull helm commands.

Configuration

Using the Key-Value Pair

Specify each parameter using the --set key=value[,key=value] argument to the helm installcommand.

For example:

helm upgrade --install admission-controller sysdig/admission-controller \
    --create-namespace -n sysdig-admission-controller --version=0.16.3  \
    --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME

Using values.yaml

The values.yaml file specifies the values for the admission controller configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.

For example:

helm upgrade --install admission-controller sysdig/admission-controller \
     --create-namespace -n sysdig-admission-controller --version=0.16.3  \
    --values values.yaml

See the default values.yaml file for more information.

Configuration Parameters

The following table lists the configurable parameters of the admission-controller chart and their default values.

Parameter Description Default
global.clusterConfig The global cluster configuration options. {}
global.sysdig.secureAPIToken The global API token to access Sysdig Secure. ""
global.sysdig.secureAPITokenSecret The global secret with API Token to access Sysdig Secure. ""
global.sysdig.region The global Sysdig Secure region. "us1"
global.sysdig.accessKey The global Access Key to access Sysdig Secure. ""
global.proxy Global HTTP Proxy settings. {}
global.image.pullSecrets   []
global.image.pullPolicy   IfNotPresent
global.ssl.ca.certs For outbound connections (secure backend, proxy,…) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. []
global.ssl.ca.keyName Filename that is used when creating the secret. Required if cert is provided.
global.ssl.ca.existingCaSecret Provide the name of an existing Secret that contains the CA required
global.ssl.ca.existingCaSecretKeyName Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set.
global.ssl.ca.existingCaConfigMap Provide the name of an existing ConfigMap that contains the CA required
global.ssl.ca.existingCaConfigMapKeyName Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set.
clusterName required
The cluster Name which appear on Secure UI
""
namespace The namespace to install components. An optional field. If not specified, it will default to the release namespace.
IMPORTANT: Ensure that a namespace is already exist, otherwise installation will fail.
""
sysdig.secureAPIToken required
The API Token to access Sysdig Secure.

If neither this value nor sysdig.existingSecureAPITokenSecret is configured, you are required to provide the deployment with the SECURE_API_TOKEN (and AUTH_BEARER_TOKEN if the scanner is enabled) environment variable. Overrides the global.sysdig.secureAPIToken parameter.
""
sysdig.existingSecureAPITokenSecret required
The existing secret with API Token to access Sysdig Secure.
Alternatively, specify the name of a Kubernetes secret containing SECURE_API_TOKEN and AUTH_BEARER_TOKEN entry if you’re also enabling scanner.
If neither this value nor sysdig.secureAPIToken is configured, you are required to provide the deployment with the SECURE_API_TOKEN (and AUTH_BEARER_TOKEN if the scanner is enabled) environment variable.
""
sysdig.accessKey required for KSPM Admission Controller
Access Key to access Sysdig Secure.

Either this value or sysdig.existingAccessKeySecret is required Overrides global.sysdig.accessKey
""
sysdig.existingAccessKeySecret Alternatively, specify the name of a Kubernetes secret containing an ‘access-key’ entry. Overrides global.sysdig.existingAccessKeySecret ""
sysdig.apiEndpoint Sysdig URL.
- The default for the us-east region is secure.sysdig.com.
- For us-west use us2.app.sysdig.com
- For European Union, use eu1.app.sysdig.com
- For APAC, use app.au1.sysdig.com
- For US4 (our west Google cloud region) use app.us4.sysdig.com
- For on-prem, your own enpoints
""
features.k8sAuditDetections Enable Kubernetes Audit detections with Falco rules. true
features.kspmAdmissionController Enable KSPM Admission Controller false
features.k8sAuditDetectionsRules Admission Webhook Configuration rules for the Audit Detections [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}]
verifySSL Used for outbound connections, such as Secure backend and proxy.
Specifies whether to verify SSL on HTTPS connections.
true
nameOverride The chart name override. ""
fullnameOverride The chart full name override. ""
labels Additional labels. It applies to both scanner and webhook. {}
serviceAccounts.webhook.create Creates the service account. true
serviceAccounts.webhook.annotations The additional annotations for serviceAccount. {}
serviceAccounts.webhook.name Use this value as serviceAccount Name. ""
serviceAccounts.scanner.create Creates the service account. true
serviceAccounts.scanner.annotations The additional annotations for serviceAccount. {}
serviceAccounts.scanner.name Use this value as serviceAccount Name. ""
podMonitors.webhook.enabled Enable the webhook PodMonitor to scrape metrics. false
podMonitors.webhook.labels Specifies the labels on the webhook PodMonitor. {}
podMonitors.webhook.annotations The annotations on the webhook PodMonitor. {}
podMonitors.scanner.enabled Enable the scanner PodMonitor to scrape metrics. false
podMonitors.scanner.labels Specifies the labels on the scanner PodMonitor. {}
podMonitors.scanner.annotations The annotatons on the scanner PodMonitor {}
webhook.v2.nats.insecure Allow insecure TLS certificates in backend connection to NATS service false
webhook.v2.nats.url Override the NATS service connection URL ""
webhook.v2.service.type Use this type as webhook service ClusterIP
webhook.v2.service.port Configure port for the V2 webhook service 6443
webhook.v2.http.port HTTP serve port where the requests will be served from 6443
webhook.v2.image.registry The KSPM Admission Controller image registry quay.io
webhook.v2.image.repository The KSPM Admission Controller image repository sysdig/secure-admission-controller
webhook.v2.image.tag The KSPM Admission Controller image tag 1.27.3
webhook.v2.image.digest Specifies the image digest value. If set, this value is used instead of the tag value
webhook.v2.image.pullPolicy The PullPolicy for KSPM Admission Controller image
webhook.name The service name for Webhook deployment webhook
webhook.vm.enabled   false
webhook.replicaCount The number of replicas for webhook. Deprecated, use webhook.autoscaling.minReplicas and webhook.autoscaling.maxReplicas instead. 1
webhook.image.registry The webhook image registry quay.io
webhook.image.repository The webhook image repository sysdig/admission-controller
webhook.image.pullPolicy The PullPolicy for Webhook image
webhook.image.tag Overrides the default image tag. If not specified, it defaults to appVersion in Chart.yaml
webhook.image.digest Specifies the image digest value. If set, this value is used instead of the tag value
webhook.labels Specifies the additional labels; applies to webhook only. {}
webhook.service.type Use this type as webhook service. ClusterIP
webhook.service.port Configure port for the webhook service. 443
webhook.rbac.create Enable the creation of ClusterRoles and the binding of these roles. true
webhook.httpProxy The HTTP Proxy settings for webhook.
Set to http(s)://proxyIp:proxyPort if the connections to Sysdig Secure requires a proxy.
""
webhook.httpsProxy The HTTPS Proxy settings for webhook.
Set to http(s)://proxyIp:proxyPort if the connection to Sysdig Secure requires a proxy.
""
webhook.noProxy List of hosts, IPs, or IPs in CIDR format that should not go through the proxy. Sysdig includes “kubernetes” service and typical 10.0.0.0/8 services. kubernetes,10.0.0.0/8
webhook.podAnnotations The webhook pod annotations. If empty, some annotations are automatically generated for prometheus scraping. {}
webhook.podSecurityContext The Pod Security context for webhook.If empty, some security context are automatically generated. {}
webhook.securityContext Configure securityContext for webhook. If empty, some security context are automatically generated. {}
webhook.hostNetwork Specifies if the webhook should be started in hostNetwork mode.
This field is required if you are using a custom CNI where the managed control plane nodes are unable to initiate network connections to the pods, for example, using Calico CNI plugin on EKS.
This is not required or recommended in most contexts.
false
webhook.imagePullSecrets The image pull secrets for webhook. []
webhook.resources Resource request and limits for webhook. {"limits":{"cpu":"250m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}
webhook.autoscaling.minReplicas The minimum replicas to use while autoscaling the webhook. 2
webhook.autoscaling.maxReplicas The maximum replicas to use while autoscaling the webhook. 5
webhook.autoscaling.targetCPUUtilizationPercentage The target CPU to use when the number of replicas must be increased. 80
webhook.timeoutSeconds The number of seconds for the request to time out. 5
webhook.nodeSelector Configure nodeSelector for scheduling for webhook. {}
webhook.priorityClassName The priorityClassName configuration for the webhook.
webhook.tolerations Tolerations for scheduling for webhook. []
webhook.affinity Configure affinity rules for webhook. {}
webhook.denyOnError Deny request when an error happened evaluating request. false
webhook.dryRun Dry Run request false
webhook.logLevel Specifies the log level. The valid values are error, info, debug, trace. info
webhook.ssl.reuseTLSSecret Reuse existing TLS Secret during chart upgrade. false
webhook.ssl.ca.cert Used for outbound connections, such as Secure backend and proxy.
Used also for inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate authority.
""
webhook.ssl.ca.certs For outbound connections (secure backend, proxy,…) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. []
webhook.ssl.ca.keyName Filename that is used when creating the secret. Required if cert is provided.
webhook.ssl.ca.existingCaSecret Provide the name of an existing Secret that contains the CA required
webhook.ssl.ca.existingCaSecretKeyName Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set.
webhook.ssl.ca.existingCaConfigMap Provide the name of an existing ConfigMap that contains the CA required
webhook.ssl.ca.existingCaConfigMapKeyName Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set.
webhook.customEntryPoint The custom entrypoint for the webhook
Remember to provide the webhook valid arguments with --tls_cert_file and --tls_private_key_file.
default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key
[]
webhook.http.port The HTTP serve port where the requests will be served from. 5000
scc.create Enable the creation of Security Context Constraints in Openshift. true
scanner.enabled If you only want the Kubernetes Audit Log functionality then disable this option and it will disable the Admission Controller Scanning Policy functionality. true
scanner.name The service name for Scanner deployment. scanner
scanner.replicaCount The amount of replicas for scanner. 1
scanner.image.registry The Scanner image registry. quay.io
scanner.image.repository The Scanner image repository. sysdig/inline-scan-service
scanner.image.pullPolicy The PullPolicy for Scanner image.
scanner.image.tag The Scanner image tag. 0.0.16
scanner.image.digest Specify the image digest value. If set, this value is used instead of the tag value.
scanner.labels Specifies additional labels. It applies to Scanner only. {}
scanner.service.port Configure port for the webhook service. 8080
scanner.authWithSecureToken Authenticate with Secure token. false
scanner.httpProxy The HTTP Proxy settings for Scanner.
Set to http(s)://proxyIp:proxyPort if the connection to Sysdig Secure requires a proxy.
""
scanner.httpsProxy The HTTPS Proxy settings for Scanner.
Set to http(s)://proxyIp:proxyPort if connection to Sysdig Secure requires a proxy.
""
scanner.noProxy Specifies the list of hosts, IPs, or IPs in CIDR format that should not go through the proxy. Sysdig includes “kubernetes” service and typical 10.0.0.0/8 services. kubernetes,10.0.0.0/8
scanner.podAnnotations Specifies the Scanner pod annotations. {"prometheus.io/path":"/metrics","prometheus.io/port":"8080","prometheus.io/scrape":"true"}
scanner.psp.create Specifies whether to create a psp policy and role / role-binding. false
scanner.podSecurityContext The PSPs for scanner {}
scanner.verifyRegistryTLS Verify the TLS on image pull from registries. true
scanner.dockerCfgSecretName The Docker config secret. Use a provided secret containing a .dockercfg for registry authentication (i.e. Openshift internal registry). ""
scanner.securityContext Configure securityContext for scanner. {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}
scanner.imagePullSecrets The image pull secrets for Scanner. []
scanner.resources Specifies resource requests and limits for Scanner. {}
scanner.nodeSelector Configure nodeSelector for scheduling for the Scanner. {}
scanner.priorityClassName Specifies the priorityClassName configuration for the Scanner.
scanner.tolerations Specifies the sheduling tolerations for the Scanner. []
scanner.affinity Configure affinity rules for the Scanner. {}
scanner.ssl.ca.cert For outbound connections, such as Secure backend and proxy.
A PEM-encoded x509 certificate authority.
""
scanner.ssl.ca.certs For outbound connections, for example, the Secure backend and proxy. A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. []
scanner.ssl.ca.keyName A filename that is used when creating the secret. Required if cert is provided.
scanner.ssl.ca.existingCaSecret Provide the name of an existing Secret that contains the CA required
scanner.ssl.ca.existingCaSecretKeyName Provide the filename that is defined inside the existing Secret. Required if existingCaSecret is set.
scanner.ssl.ca.existingCaConfigMap Provide the name of an existing ConfigMap that contains the CA required
scanner.ssl.ca.existingCaConfigMapKeyName Provide the filename that is defined inside the existing ConfigMap. Required if existingCaConfigMap is set.
scanner.customEntryPoint Custom entrypoint for the scanner.
Remember to provide the scanner valid arguments with --server_port and optionally --auth_secure_token
default: /inline-scan-service --server_port=8080
[]

Examples