Cloud Connector

This chart deploys the Sysdig Cloud connector on your Kubernetes cluster to enable threat-detection and image scanning capabilities for the main three providers; AWS, GCP and Azure

Installing the Chart

Add Sysdig Helm charts repository and deploy the chart:

$ helm repo add sysdig https://charts.sysdig.com

$ helm install --create-namespace -n cloud-connector cloud-connector -f values.yaml sysdig/cloud-connector

Configuration

The following table lists the configurable parameters of the Sysdig Cloud connector chart and their default values:

Parameter Description Default
replicaCount Amount of replicas for Cloud Connector 1
image.repository The image repository to pull from sysdiglabs/cloud-connector
image.tag The image tag (immutable tags are recommended) latest pinned version
image.pullPolicy The image pull policy IfNotPresent
imagePullSecrets The image pull secrets []
nameOverride Chart name override ` `
fullnameOverride Chart full name override ` `
serviceAccount.create Create the service account true
serviceAccount.annotations Extra annotations for serviceAccount {}
serviceAccount.name Use this value as serviceAccount Name ` `
rbac.create Create and use RBAC resources true
podSecurityContext Configure deployment PSP’s { capabilities: drop: - ALL readOnlyRootFileSystem: true runAsNonRoot: true }
securityContext Configure securityContext {}
service.type Use this type as service ClusterIP
service.port Configure port for the service 5000
service.labels Additional labels to specify for the service {}
resources Configure resource requests and limits {}
nodeSelector Configure nodeSelector for scheduling {}
nodeSelector Configure nodeSelector for scheduling {}
tolerations Tolerations for scheduling []
affinity Configure affinity rules {}
telemetryDeploymentMethod Configure deployment source for inner telemetry helm
extraEnvVars Extra environment variables to be set []
aws.accessKeyId AWS Credentials AccessKeyID ` `
aws.secretAccessKey AWS Credentials: SecretAccessKey ` `
aws.region AWS Region ` `
gcp.credentials GCP Credentials JSON ` `
azure.eventHubConnectionString Azure EventHub Connection String ` `
azure.eventGridEventHubConnectionString Azure Eveng Grid EventHub Connection String ` `
tenantId Azure service principal tenant id  
clientId Azure service principal client id  
clientSecret Azure service principal client secret  
sysdig.url Sysdig Secure URL https://secure.sysdig.com
sysdig.secureAPIToken API Token to access Sysdig Secure ` `
sysdig.verifySSL Verify SSL certificate true
existingSecretName Provide an existing secret name (see details in values.yaml) instead of creating a new one from provided values ` `
rules Rules Section for Cloud Connector []
ingestors Thread-Detection event ingestion configuration (config) []
scanners Scanning capabilities configuration (config) []
notifiers Notifiers Section for Cloud Connector []
bruteForceDetection.duration Time window for a bruteforce attack try 24h
bruteForceDetection.maximumTries Maximum number of tries for given time window 10

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install my-release \
    --set sysdig.secureAPIToken=YOUR-KEY-HERE \
    sysdig/cloud-connector

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm install my-release -f values.yaml sysdig/cloud-connector

Configuration Detail

Ingestors

Where to ingest events from

ingestors:
  #  - aws-cloudtrail-sns-sqs: # Receives CloudTrail events from an SQS queue using the SNS paylaod
  #      queueURL:
  #      assumeRole: # organizational usage, assumeRole to fetch S3 elements

  #
  #  - aws-cloudtrail-s3-sns-sqs: # Receives CloudTrail events using s3 events as triggers
  #      queueURL:
  #      assumeRole: # organizational usage, assumeRole to fetch S3 elements


  #  - gcp-auditlog-pubsub-http: # Receives GCP AuditLog from a PubSub topic streamed over an HTTP Endpoint
  #      url:

  #
  #  - gcp-gcr-pubsub-http: # Receives GCR events from a PubSub topic streamed over an HTTP Endpoint
  #      url:

  #
  #  - azure-event-hub:
  #      subscriptionID: 00000000-1111-2222-3333-444444444444

  #
  #  - azure-event-grid:
  #      subscriptionID: 00000000-1111-2222-3333-444444444444

Scanners

Trigger scanners when a new image is detected

scanners:
#  - aws-ecr: # Scan images when a new image is pushed to AWS ECR
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:

#  - aws-ecs: # Scan images when a new image is detected in a ECS cluster
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:

#  - gcp-gcr: # Scan images when a new image is pushed to GCP GCR
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:

#  - gcp-cloud-run: # Scan images when a new image is detected from GCP CloudRun
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#
#  - azure-acr: {} # Scan images when a new image is pushed to Azure container registry

#  - azure-aci: # Scan images when a new image is detected in container instance group
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#      resourceGroup: sfc-resourcegroup # resource group of azure container registry
#      containerRegistry: sfccontainerregistry # container registry name where to run the scan

Usage examples

Check live examples present in our different Terraform Modules: