Cloud Connector

Cloud Connector - This chart deploys the Sysdig Cloud connector on your Kubernetes cluster to enable threat-detection and image scanning.

TL;DR

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install cloud-connector sysdig/cloud-connector \
      --create-namespace -n cloud-connector --version=0.7.16  \
      --set sysdig.secureAPIToken=SECURE_API_TOKEN

Introduction

This chart deploys the Sysdig Cloud Connector on a Kubernetes cluster using the Helm package manager to enable threat-detection and image scanning capabilities for the three main providers: AWS, GCP and Azure.

Prerequisites

Installing the Chart

To install the chart with the release name cloud-connector:

$ helm upgrade --install cloud-connector sysdig/cloud-connector -n cloud-connector --version=0.7.16

The command deploys the Sysdig Cloud Connector on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Tip: List all releases using helm list -A

Uninstalling the Chart

To uninstall/delete the cloud-connector:

$ helm uninstall cloud-connector -n cloud-connector

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

The following table lists the configurable parameters of the cloud-connector chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| replicaCount | Amount of replicas for Cloud Connector | 1 |
| image.repository | The image repository to pull from. | quay.io/sysdig/cloud-connector |
| image.pullPolicy | The image pull policy. | IfNotPresent |
| image.tag | The image tag (immutable tags are recommended). Overrides the image tag whose default is the chart appVersion. | |
| imagePullSecrets | The image pull secrets | [] |
| nameOverride | Chart name override | "" |
| fullnameOverride | Chart full name override | "" |
| serviceAccount.create | Create the service account | true |
| serviceAccount.annotations | Extra annotations for serviceAccount | {} |
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
| podAnnotations | Pod annotations | {"prometheus.io/path":"/metrics","prometheus.io/port":"5000","prometheus.io/scrape":"true"} |
| podSecurityContext | Configure deployment PSPs | {} |
| securityContext | Configure securityContext | {"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true} |
| service.type | Use this type as service | ClusterIP |
| service.port | Configure port for the service | 80 |
| service.labels | Additional labels to specify for the service | {} |
| resources | Configure resource requests and limits | {} |
| nodeSelector | Configure nodeSelector for scheduling | {} |
| tolerations | Tolerations for scheduling | [] |
| affinity | Configure affinity rules | {} |
| telemetryDeploymentMethod | Configure deployment source for inner telemetry | "helm" |
| extraEnvVars | Extra environment variables to be set | [] |
| aws.accessKeyId | AWS Credentials: AccessKeyID | "" |
| aws.secretAccessKey | AWS Credentials: SecretAccessKey | "" |
| aws.region | AWS Region | "" |
| gcpCredentials | GCP Credentials JSON | "" |
| azure.eventHubConnectionString | Azure EventHub Connection String | "" |
| azure.eventGridEventHubConnectionString | Azure Event Grid EventHub Connection String | "" |
| azure.tenantId | Azure service principal tenant id | "" |
| azure.clientId | Azure service principal client id | "" |
| azure.clientSecret | Azure service principal client secret | "" |
| azure.region | Azure region | "" |
| sysdig.url | Sysdig Secure URL | "https://secure.sysdig.com" |
| sysdig.secureAPIToken | API Token to access Sysdig Secure | "" |
| sysdig.verifySSL | Verify SSL certificate | true |
| existingSecretName | Provide an existing secret name (see details in templates/secret.yaml) for the entries it uses. | "" |
| rules | Rules Section for Cloud Connector | [] |
| ingestors | Threat-detection event ingestion configuration (config) | [] |
| scanners | Scanning capabilities configuration (config) | [] |
| bruteForceDetection.enabled | Enable brute-force detection | true |
| bruteForceDetection.duration | Time window for a brute-force attempt | 24h |
| bruteForceDetection.maximumTries | Maximum number of tries for the given time window | 10 |

Specify each parameter using the --set key=value[,key=value] argument to helm upgrade --install. For example:

$ helm upgrade --install cloud-connector sysdig/cloud-connector \
    --create-namespace -n cloud-connector --version=0.7.16 \
    --set sysdig.secureAPIToken=YOUR-KEY-HERE

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:

$ helm upgrade --install cloud-connector sysdig/cloud-connector \
    --create-namespace -n cloud-connector --version=0.7.16 \
    --values values.yaml

Examples

Configuration Detail

Ingestors

Where to ingest events from

ingestors:
#  - aws-cloudtrail-sns-sqs: # Receives CloudTrail events from an SQS queue using the SNS payload
#      queueURL:
#      assumeRole: # organizational usage, assumeRole to fetch S3 elements
#      concurrentDownloads: 4
#
#  - aws-cloudtrail-s3-sns-sqs: # Receives CloudTrail events using s3 events as triggers
#      queueURL:
#      assumeRole: # organizational usage, assumeRole to fetch S3 elements
#      concurrentDownloads: 4
#
#  - eks: # Enables K8s audit log for EKS clusters
#      cluster: # EKS cluster name to secure
#      interval: 60s
#      tags:
#
#  - gcp-auditlog: # Polls for GCP auditlog events from StackDriver API
#      project:
#      interval: 90s
#
#  - gcp-auditlog-pubsub: # Receives GCP AuditLog from a PubSub topic
#      project:
#      subscription:
#
#  - gcp-gcr-pubsub: # Receives GCP GCR from a PubSub topic
#      project:
#      subscription:
#
#  - gcp-auditlog-pubsub-http: # Receives GCP AuditLog from a PubSub topic streamed over an HTTP Endpoint
#      url:
#
#  - gcp-gcr-pubsub-http: # Receives GCR events from a PubSub topic streamed over an HTTP Endpoint
#      url:
#
#  - azure-event-hub:
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#
#  - azure-event-grid:
#      subscriptionID: 00000000-1111-2222-3333-444444444444

Scanners

Trigger scanners when a new image is detected

scanners:
#  - gcp-gcr: # Scan images when a new image is pushed to GCP GCR
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#  - gcp-cloud-run: # Scan images when a new image is detected from GCP CloudRun
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#  - aws-ecr: # Scan images when a new image is pushed to AWS ECR
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:
#
#  - aws-ecs: # Scan images when a new image is detected in a ECS cluster
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:
#
#  - azure-acr: {} # Scan images when a new image is pushed to Azure container registry
#
#  - azure-aci: # Scan images when a new image is detected in container instance group
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#      resourceGroup: sfc-resourcegroup # resource group of azure container registry
#      containerRegistry: sfccontainerregistry # container registry name where to run the scan
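The ingestors and scanners sections above are reference templates with every entry commented out. As an added illustration (not a file shipped with the chart), the values.yaml below combines the chart parameters, one ingestor and one scanner into a single AWS deployment that keeps credentials out of the Helm values by pointing existingSecretName at a pre-created Kubernetes Secret; the queue URL, account id, cluster name, CodeBuild project and secret names are constructed placeholders, and the assumption is that the referenced Secret carries the entries templates/secret.yaml expects.

```yaml
# Added example values.yaml for the cloud-connector chart (not the chart's own file).
# Install with:
#   helm upgrade --install cloud-connector sysdig/cloud-connector \
#       --create-namespace -n cloud-connector --version=0.7.16 --values values.yaml

# Credentials come from an existing Secret instead of --set flags, so no
# AWS keys or Sysdig API token end up in the Helm release history.
# Assumption: this Secret holds the entries described in templates/secret.yaml.
existingSecretName: cloud-connector-credentials

aws:
  region: us-east-1          # region of the SQS queue and EKS cluster below

sysdig:
  url: "https://secure.sysdig.com"
  verifySSL: true            # keep TLS verification on when talking to Sysdig Secure

# Keep the chart's hardened pod defaults explicit (same values as the table).
securityContext:
  capabilities:
    drop: ["ALL"]
  readOnlyRootFilesystem: true
  runAsNonRoot: true

ingestors:
  - aws-cloudtrail-sns-sqs:  # CloudTrail events delivered via SNS into SQS
      queueURL: https://sqs.us-east-1.amazonaws.com/111122223333/cloudtrail-events   # placeholder
      concurrentDownloads: 4
  - eks:                     # Kubernetes audit log for one EKS cluster
      cluster: prod-eks      # placeholder cluster name
      interval: 60s

scanners:
  - aws-ecr:                 # scan on every image push to ECR
      codeBuildProject: sysdig-image-scan            # placeholder CodeBuild project
      secureAPITokenSecretName: cloud-connector-api  # placeholder secret name

# Tighter window than the 24h/10 defaults from the configuration table.
bruteForceDetection:
  enabled: true
  duration: 1h
  maximumTries: 5

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    memory: 512Mi
```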

Usage examples

Check live examples present in our different Terraform Modules:

Troubleshooting

Q: How do I enable debug logs?

A: Edit the ConfigMap to change the logging level from info to debug, then delete the pod(s) (or restart the deployment) so they come back up with the new configuration:

  data:
    cloud-connector.yaml: |
  <    logging: info
  >    logging: debug