Chart: Sysdig Agent

Overview

Use the sysdig-deploy parent chart to deploy the Sysdig Agent and any other subcomponents. Do not deploy subcharts directly.

To deploy the Sysdig Agent, follow the installation instructions given on the Sysdig Documentation website:

Sysdig Monitor

Sysdig Secure | Sysdig Secure + Sysdig Monitor

On-Premises

Verify the Integrity and Origin

Sysdig Helm Charts are signed so you can verify the integrity and origin of each chart. To verify the chart:

Import the Public Key

$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
$ gpg --import /tmp/sysdig_public.gpg

Verify the Chart

To check the integrity and the origin of the charts you can now append the --verify flag to the install, upgrade, and pull helm commands.

Configuration

You can use the Helm chart to update the default agent configurations by using either of the following:

Using the Key-Value Pair

Specify each parameter using the --set key=value[,key=value] argument to the helm installcommand.

For example:

$ helm install --namespace sysdig-agent sysdig-agent \
    --set sysdig.accessKey=<YOUR-ACCESS-KEY>,sysdig.settings.tags="role:webserver\,location:europe" \
    sysdig/agent

Using values.yaml

The values.yaml file specifies the values for the agent configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.

For example, to enable Prometheus metrics scraping:

  1. Add the following to the values.yaml file:

    sysdig:
      accessKey: <YOUR-ACCESS-KEY>
      settings:
        prometheus:
          enabled: true
          histograms: true
    

    Tip: You can use the default values.yaml file.

  2. Run the following:

    helm install --namespace sysdig-agent sysdig-agent -f values.yaml sysdig/agent
    

Configuration Parameters

The following table lists the configurable parameters of the Sysdig chart and their default values.

Parameter Description Default
global.clusterConfig.name Sets a unique name to the cluster. You can then use the cluster name to identify events using the kubernetes.cluster.name tag. quay.io
global.sysdig.accessKey Specify your Sysdig Agent Access Key. Either accessKey or accessKeySecret is required
global.sysdig.accessKeySecret An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an access-key entry. Either accessKey or accessKeySecret is required
global.sysdig.region The SaaS region for these agents. Possible values: "us1", "us2", "us3", "us4", "eu1", "au1", and "custom" "us1"
global.proxy.httpProxy Sets http_proxy on the agent container. ""
global.proxy.httpsProxy Sets https_proxy on the agent container. ""
global.proxy.noProxy Sets no_proxy on the agent container. ""
global.gke.autopilot If true, overrides the agent configuration to run on GKE Autopilot clusters. false
global.image.pullSecrets Global pull secrets. []
global.image.pullPolicy Global pull policy. `IfNotPresent`
namespace Overrides the global namespace setting and release namespace for components. ""
image.registry Sysdig Agent image registry. quay.io
image.repository Sets the image repository to pull the agent image from. sysdig/agent
image.tag Specifies the image tag to pull from the repository. 12.16.0
image.digest Specifies the image digest to pull from the repository. ` `
image.pullPolicy Specifies the Image pull policy. IfNotPresent
image.pullSecrets Specifies the image pull secrets. nil
resourceProfile Specifies the Sysdig Agent resource profile. small
resources.requests.cpu Specifies the CPU requested to run in a node ` `
resources.requests.memory Specifies the memory requested to run in a node. ` `
resources.limits.cpu Specifies the CPU limit. ` `
resources.limits.memory Specifies the memory limit. ` `
collectorSettings.collectorHost Specifies the IP address or hostname of the collector. ` `
collectorSettings.collectorPort Specifies the port number for the TCP connection of the collector service. 6443
collectorSettings.ssl Specifies whether the collector accepts SSL. true
collectorSettings.sslVerifyCertificate Set this parameter to false if you don’t want to verify SSL certificate. true
gke.autopilot If true, overrides the agent configuration to run on GKE Autopilot clusters. false
gke.autopilot.createPriorityClass If true, required PriorityClass will be created to ensure that the agent pods are scheduled in GKE Autopilot. The parameter uses the name provided by the priorityClassName parameter. false
gke.ephemeralStorage Specifies the amount of ephemeral storage to provide to the agent container in GKE Autopilot clusters. 500Mi
rbac.create If true, RBAC resources will be created and used. true
scc.create Creates OpenShift’s Security Context constraint. true
psp.create Creates Pod Security Policy to allow the agent running in clusters with PSP enabled. true
serviceAccount.create Creates serviceAccount. true
serviceAccount.name Use this value as serviceAccountName. ` `
createPriorityClass Specify whether or not to create a priority class for the agent. false
priorityClassName Sets the priority class for the agent daemonset. ""
priorityClassValue Sets the priority class value for the agent daemonset. 10
daemonset.deploy Deploys the agent daemonset. true
daemonset.env Specifies the environment variables for the agent container. Provide as map of VAR: val {}
daemonset.updateStrategy.type Specifies the updateStrategy for updating the daemonset. RollingUpdate
daemonset.updateStrategy.rollingUpdate.maxUnavailable The maximum number of pods that can be unavailable during the update process  
daemonset.updateStrategy.rollingUpdate.maxSurge The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update  
daemonset.nodeSelector Specifies the Node Selector. {}
daemonset.arch Specifies the allowed architectures for scheduling. [ amd64, arm64, s390x ]
daemonset.os Specifies the allowed operating systems for scheduling. [ linux ]
daemonset.affinity Specifies node affinities. Overrides daemonset.arch and daemonset.os values. {}
daemonset.annotations Specifies the custom annotations for daemonset. {}
daemonset.labels Specifies the custom labels for daemonset as a multi-line templated string map or as YAML.  
daemonset.probes.initialDelay Specifies the initial delay for the deamonset readiness probe. 90
daemonset.probes.periodDelay Specifies the period delay for the daemonset readiness probe. 3
daemonset.kmodule.env Sets the environment variables for the kernel module image builder. Provide as map of VAR: val {}
slim.enabled Uses the slim based Sysdig Agent image. true
slim.image.repository Specifies the slim agent image repository. sysdig/agent-slim
slim.kmoduleImage.repository Specifies the repository to pull the kernel module image builder from. sysdig/agent-kmodule
slim.kmoduleImage.digest Specifies the image digest to pull. ` `
slim.resources.requests.cpu Specifies the CPU requested for building the kernel module. 250m
slim.resources.requests.memory Specifies the memory requested for building the kernel module. 348Mi
slim.resources.limits.cpu Specifies the CPU limit for building the kernel module 1000m
slim.resources.limits.memory Specifies the memory limit for building the kernel module. 512Mi
ebpf.enabled Enables eBPF support for Sysdig instead of sysdig-probe kernel module. false
ebpf.kind Define which eBPF driver to use, can be legacy_ebpf or universal_ebpf legacy_ebpf
privileged Run the Sysdig Agent container as privileged. When set to false, eBPF must be enabled and the agent version must be >= 13.3.0 true
clusterName Sets a unique cluster name which is used to identify events with the kubernetes.cluster.name tag. Overrides global.clusterConfig.name. ` `
sysdig.accessKey Your Sysdig Agent Access Key. Overrides global.sysdig.accessKey Either accessKey or existingAccessKeySecret is required
sysdig.existingAccessKeySecret Specifies the name of a Kubernetes secret containing an access-key entry. Overrides global.sysdig.existingAccessKeySecret Either accessKey or existingAccessKeySecret is required
sysdig.disableCaptures Disables capture functionality. See https://docs.sysdig.com/en/disable-captures.html. false
sysdig.settings Provides additional settings that are given in the dragent.yamlfile. {}
logPriority Sets both agent console and file logging priorities. Possible values are: "info", "debug". Mutually exclusive with sysdig.settings.log. ` `
localForwarder.enabled Enable the Agent Local Forwarder false
localForwarder.transmitMessageTypes Message types to forward from the Agent to the Agent Local Forwarder [POLICY_EVENTS, SECURE_AUDIT]
localForwarder.integrations List of configurations for how and where the Agent Local Forwarder should forward messages []
secure.enabled Enables Sysdig Secure. true
monitor.enabled Enables Sysdig Monitor. true
auditLog.enabled Enables Kubernetes audit log support for Sysdig Secure. false
auditLog.auditServerUrl Specifies the URL where Sysdig Agent listens for the Kubernetes audit log events. 0.0.0.0
auditLog.auditServerPort Specifies the port where Sysdig Agent listens for the Kubernetes audit log events. 7765
auditLog.dynamicBackend.enabled Deploys the Audit Sink where Sysdig listens for Kubernetes audit log events. false
tolerations Specifies the tolerations for scheduling. <pre>node-role.kubernetes.io/master:NoSchedule,
node-role.kubernetes.io/control-plane:NoSchedule</pre>
leaderelection.enable Enables the agent leader election algorithm. false
prometheus.file Specifies the file to configure promscrape. false
prometheus.yaml Configures the Prometheus metric collection. Performs relabelling and filtering. ` `
extraVolumes.volumes Specifies the additional volumes to mount in the sysdig agent to pass new secrets or configmaps []
extraVolumes.mounts Specifies the mount points for additional volumes []
extraSecrets Allows passing extra secrets that can be mounted via extraVolumes []
proxy.httpProxy Sets http_proxy on the agent container. Overrides the proxy setting from global.proxy. ""
proxy.httpsProxy Sets https_proxy on the agent container. Overrides the proxy setting from global.proxy. ""
proxy.noProxy Sets no_proxy on the agent container. Overrides the proxy setting from global.proxy. ""
windows.enabled Enable Daemonset for Windows agents. false
windows.nodeSelector Nodeselector for Windows agents. {}
windows.image.registry Windows Agent image registry. quay.io
windows.image.repository Sets the image repository to pull the Windows agent image from. sysdig/agent-windows
windows.image.tag Specifies the image tag to pull from the repository. latest
windows.image.pullPolicy Specifies the Image pull policy for the Windows Agent Image. IfNotPresent
image.pullSecrets Specifies the image pull secrets for the Windows Agent Image. nil
windows.resources.requests.cpu Specifies the CPU requested to run in a Windows node. ` `
windows.resources.requests.memory Specifies the memory requested to run in a Windows node. ` `
windows.resources.limits.cpu Specifies the CPU limit for Windows Agents. ` `
resources.limits.memory Specifies the memory limit for Windows Agents. ` `
windows.affinity Specifies node affinities for Windows Agents. {}
windows.tolerations Specifies the tolerations for scheduling of Windows Agents. <pre>node-role.kubernetes.io/master:NoSchedule,
node-role.kubernetes.io/control-plane:NoSchedule</pre>