Cloud Connector
Overview
This chart deploys Sysdig Cloud Connector on your Kubernetes cluster, enabling Threat Detection and Image Scanning for the AWS, GCP, and Azure Cloud providers.
Use Cloud Connector only if your Sysdig representative recommends it to you. For the official installation instructions, see Install Sysdig Secure for Cloud.
Prerequisites
- Helm v3.6
- Sysdig Secure API Token
Installation
To install the chart:
```shell
helm repo add sysdig https://charts.sysdig.com
helm repo update
helm upgrade --install cloud-connector sysdig/cloud-connector \
  --create-namespace -n cloud-connector --version=0.8.8 \
  --set sysdig.secureAPIToken=<SECURE_API_TOKEN>
```
The command deploys the Sysdig Cloud Connector on the Kubernetes cluster with the default configuration. The configuration section lists the additional parameters that can be configured during installation.
Tip: Use `helm list -A` to list all the releases.
Configuration
You can use the Helm chart to update the default Cloud Connector configuration by using either of the following:
- the key-value pair `--set sysdig.settings.key=value`
- a `values.yaml` file
Using the Key-Value Pair
Specify each parameter using the `--set key=value[,key=value]` argument to the `helm install` command.
For example:
```shell
helm upgrade --install cloud-connector sysdig/cloud-connector \
  --create-namespace -n cloud-connector --version=0.8.8 \
  --set sysdig.secureAPIToken=<SECURE_API_TOKEN>
```
Using values.yaml
The `values.yaml` file specifies the values for the agent configuration parameters. You can add the configuration to the `values.yaml` file, then use it in the `helm install` command.
For example:
```shell
helm upgrade --install cloud-connector sysdig/cloud-connector \
  --create-namespace -n cloud-connector --version=0.8.8 \
  --values values.yaml
```
See the default `values.yaml` file for more information.
Verify the integrity and origin
Sysdig Helm Charts are signed so that users can verify the integrity and origin of each chart. The steps are as follows:
Import the Public Key
```shell
$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
$ gpg --import /tmp/sysdig_public.gpg
```
Verify the chart
To check the integrity and the origin of the charts, you can now append the `--verify` flag to the `install`, `upgrade` and `pull` helm commands.
Configuration Parameters
The following table lists the configurable parameters of the `cloud-connector` chart and their default values.
Parameter | Description | Default |
---|---|---|
replicaCount | The number of replicas for the Cloud Connector. | 1 |
image.repository | Sets the image repository to pull from. | quay.io/sysdig/cloud-connector |
image.pullPolicy | Sets the image pull policy. | IfNotPresent |
image.tag | Sets the image tag. Immutable tags are recommended. Overrides the image tag whose default is the chart appVersion. | |
imagePullSecrets | Specifies the image pull secrets. | [] |
nameOverride | Specifies the chart name override. | "" |
fullnameOverride | Specifies the chart full name override. | "" |
serviceAccount.create | Creates the service account. | true |
serviceAccount.annotations | Specifies the additional annotations for serviceAccount. | {} |
serviceAccount.name | Sets the name of the service account to use. If not set and create is true, a name is generated using the fullname template. | "" |
podAnnotations | Pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"5000","prometheus.io/scrape":"true"} |
podSecurityContext | Enables deployment PSPs. | {} |
securityContext | Enables securityContext. | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true} |
service.type | Uses this type as a service. | ClusterIP |
service.port | Enables the port for the service. | 80 |
service.labels | Specifies the additional labels for the service. | {} |
resources | Enables resource requests and limits. | {} |
nodeSelector | Enables nodeSelector for scheduling. | {} |
tolerations | Sets tolerations for scheduling. | [] |
affinity | Enables affinity rules. | {} |
telemetryDeploymentMethod | Enables deployment source for inner telemetry. | "helm" |
extraEnvVars | Specifies additional environment variables to be set. | [] |
aws.accessKeyId | Specifies the AWS Credentials AccessKeyID. | "" |
aws.secretAccessKey | Specifies the AWS Credentials SecretAccessKey. | "" |
aws.region | Specifies the AWS Region. | "" |
gcpCredentials | Specifies the GCP credentials in JSON. | "" |
azure.eventHubConnectionString | Specifies the Azure EventHub connection string. | "" |
azure.eventGridEventHubConnectionString | Specifies the Azure Event Grid EventHub connection string. | "" |
azure.tenantId | Specifies the Azure service principal tenant ID. | "" |
azure.clientId | Specifies the Azure service principal client ID. | "" |
azure.clientSecret | Specifies the Azure service principal client secret. | "" |
azure.region | Specifies the Azure region. | "" |
sysdig.url | Specifies the Sysdig Secure URL. | "https://secure.sysdig.com" |
sysdig.secureAPIToken | Specifies the API Token to access Sysdig Secure. | "" |
sysdig.verifySSL | Verifies the SSL certificate. | true |
existingSecretName | Provides an existing secret name for the entries it uses. See templates/secret.yaml for more information. | "" |
rules | Specifies the Rules Section for Cloud Connector. | [] |
ingestors | Specifies configuration for the threat detection event ingestion. See ingestors for more information. | [] |
scanners | Specifies configuration for scanning capabilities. See scanners for more information. | [] |
bruteForceDetection.enabled | Enables Brute Force detection. | true |
bruteForceDetection.duration | Specifies the time window within which attempts are counted as one brute force attack. | 24h |
bruteForceDetection.maximumTries | Specifies the maximum number of tries for a given time window. | 10 |
Examples
Ingestors
Specifies where to ingest events from:
```yaml
ingestors:
#  - aws-cloudtrail-sns-sqs:         # Receives CloudTrail events from an SQS queue using the SNS payload
#      queueURL:
#      assumeRole:                    # organizational usage, assumeRole to fetch S3 elements
#      concurrentDownloads: 4
#
#  - aws-cloudtrail-s3-sns-sqs:      # Receives CloudTrail events using S3 events as triggers
#      queueURL:
#      assumeRole:                    # organizational usage, assumeRole to fetch S3 elements
#      concurrentDownloads: 4
#
#  - eks:                            # Enables K8s audit log for EKS clusters
#      cluster:                       # EKS cluster name to secure
#      interval: 60s
#      tags:
#
#  - gcp-auditlog:                   # Polls for GCP auditlog events from StackDriver API
#      project:
#      interval: 90s
#
#  - gcp-auditlog-pubsub:            # Receives GCP AuditLog from a PubSub topic
#      project:
#      subscription:
#
#  - gcp-gcr-pubsub:                 # Receives GCP GCR events from a PubSub topic
#      project:
#      subscription:
#
#  - gcp-auditlog-pubsub-http:       # Receives GCP AuditLog from a PubSub topic streamed over an HTTP endpoint
#      url:
#
#  - gcp-gcr-pubsub-http:            # Receives GCR events from a PubSub topic streamed over an HTTP endpoint
#      url:
#
#  - azure-event-hub:
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#
#  - azure-event-grid:
#      subscriptionID: 00000000-1111-2222-3333-444444444444
```
Scanners
Specifies the scanners triggered when a new image is detected:
```yaml
scanners:
#  - gcp-gcr:                        # Scan images when a new image is pushed to GCP GCR
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#  - gcp-cloud-run:                  # Scan images when a new image is detected in GCP Cloud Run
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#  - aws-ecr:                        # Scan images when a new image is pushed to AWS ECR
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:
#
#  - aws-ecs:                        # Scan images when a new image is detected in an ECS cluster
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:
#
#  - azure-acr: {}                   # Scan images when a new image is pushed to Azure Container Registry
#
#  - azure-aci:                      # Scan images when a new image is detected in a container instance group
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#      resourceGroup: sfc-resourcegroup       # resource group of the Azure container registry
#      containerRegistry: sfccontainerregistry # container registry name where to run the scan
```
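The following `values.yaml` is an added example, not part of the chart's own documentation, that combines the parameters from the table above with one AWS ingestor from the Ingestors section and one AWS scanner from the Scanners section. Every concrete value (queue URL, cluster name, CodeBuild project, secret name, account ID) is a constructed placeholder, and the assumption that `existingSecretName` carries the API token is mine; check templates/secret.yaml for the entries that Secret must contain.

```yaml
# Added example values.yaml for the cloud-connector chart.
# All identifiers below are constructed placeholders, not real resources.
sysdig:
  url: "https://secure.sysdig.com"
  verifySSL: true                 # keep TLS verification on (chart default)
  # Left empty on purpose: the token is assumed to come from the Secret
  # named in existingSecretName, so it is never committed with this file.
  secureAPIToken: ""
existingSecretName: "cloud-connector-credentials"   # constructed name

aws:
  region: "us-east-1"

ingestors:
  - aws-cloudtrail-sns-sqs:
      # constructed queue URL; account ID 123456789012 is a placeholder
      queueURL: "https://sqs.us-east-1.amazonaws.com/123456789012/cloudtrail-events"
      concurrentDownloads: 4
  - eks:
      cluster: "prod-eks"         # constructed EKS cluster name
      interval: 60s

scanners:
  - aws-ecr:
      codeBuildProject: "sysdig-ecr-scan"                      # constructed
      secureAPITokenSecretName: "cloud-connector-credentials"  # constructed

bruteForceDetection:
  enabled: true
  duration: 1h      # tighter window than the 24h default
  maximumTries: 5   # fewer tries than the 10 default

# Chart defaults restated explicitly so a reviewer sees the hardening kept.
securityContext:
  capabilities:
    drop: ["ALL"]
  readOnlyRootFilesystem: true
  runAsNonRoot: true
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi
```

Install it with the `--values values.yaml` form of the `helm upgrade --install` command shown in the Configuration section.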
Usage Examples
See additional examples in the Terraform modules:
- Single Account Deployment for AWS in K8s
- Single Project Deployment for GCP in K8s
- Single Subscription Deployment for Azure in K8s
Troubleshooting
Enable debug logs
To enable debug logs, edit the ConfigMap and terminate the pod or deployment so that the new configuration is picked up.
```
data:
  cloud-connector.yaml: |
<   logging: info
>   logging: debug
```
Uninstall the Chart
To uninstall the `cloud-connector` release:
```shell
$ helm uninstall cloud-connector -n cloud-connector
```
The command removes all the Kubernetes components associated with the chart and deletes the release artifacts.