Cloud Connector

This chart deploys the Sysdig Cloud connector on your Kubernetes cluster to enable threat-detection and image scanning capabilities for the main three providers; AWS, GCP and Azure

Installing the Chart

Add Sysdig Helm charts repository and deploy the chart:

$ helm repo add sysdig https://charts.sysdig.com

$ helm install --create-namespace -n cloud-connector cloud-connector -f values.yaml sysdig/cloud-connector

Configuration

The following table lists the configurable parameters of the Sysdig Cloud connector chart and their default values:

Parameter	Description	Default
`replicaCount`	Amount of replicas for Cloud Connector	`1`
`image.repository`	The image repository to pull from	`sysdiglabs/cloud-connector`
`image.tag`	The image tag (immutable tags are recommended)	`latest pinned version`
`image.pullPolicy`	The image pull policy	`IfNotPresent`
`imagePullSecrets`	The image pull secrets	`[]`
`nameOverride`	Chart name override	` `
`fullnameOverride`	Chart full name override	` `
`serviceAccount.create`	Create the service account	`true`
`serviceAccount.annotations`	Extra annotations for serviceAccount	`{}`
`serviceAccount.name`	Use this value as serviceAccount Name	` `
`rbac.create`	Create and use RBAC resources	`true`
`podSecurityContext`	Configure deployment PSP’s	`{ capabilities: drop: - ALL readOnlyRootFileSystem: true runAsNonRoot: true }`
`securityContext`	Configure securityContext	`{}`
`service.type`	Use this type as service	`ClusterIP`
`service.port`	Configure port for the service	`5000`
`service.labels`	Additional labels to specify for the service	`{}`
`resources`	Configure resource requests and limits	`{}`
`nodeSelector`	Configure nodeSelector for scheduling	`{}`
`nodeSelector`	Configure nodeSelector for scheduling	`{}`
`tolerations`	Tolerations for scheduling	`[]`
`affinity`	Configure affinity rules	`{}`
`telemetryDeploymentMethod`	Configure deployment source for inner telemetry	`helm`
`extraEnvVars`	Extra environment variables to be set	`[]`
`aws.accessKeyId`	AWS Credentials AccessKeyID	` `
`aws.secretAccessKey`	AWS Credentials: SecretAccessKey	` `
`aws.region`	AWS Region	` `
`gcp.credentials`	GCP Credentials JSON	` `
`azure.eventHubConnectionString`	Azure EventHub Connection String	` `
`azure.eventGridEventHubConnectionString`	Azure Eveng Grid EventHub Connection String	` `
`tenantId`	Azure service principal tenant id
`clientId`	Azure service principal client id
`clientSecret`	Azure service principal client secret
`sysdig.url`	Sysdig Secure URL	`https://secure.sysdig.com`
`sysdig.secureAPIToken`	API Token to access Sysdig Secure	` `
`sysdig.verifySSL`	Verify SSL certificate	`true`
`existingSecretName`	Provide an existing secret name (see details in values.yaml) instead of creating a new one from provided values	` `
`rules`	Rules Section for Cloud Connector	`[]`
`ingestors`	Thread-Detection event ingestion configuration (config)	`[]`
`scanners`	Scanning capabilities configuration (config)	`[]`
`notifiers`	Notifiers Section for Cloud Connector	`[]`
`bruteForceDetection.duration`	Time window for a bruteforce attack try	`24h`
`bruteForceDetection.maximumTries`	Maximum number of tries for given time window	`10`

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install my-release \
    --set sysdig.secureAPIToken=YOUR-KEY-HERE \
    sysdig/cloud-connector

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm install my-release -f values.yaml sysdig/cloud-connector

Configuration Detail

Ingestors

Where to ingest events from

ingestors:
  #  - aws-cloudtrail-sns-sqs: # Receives CloudTrail events from an SQS queue using the SNS paylaod
  #      queueURL:
  #      assumeRole: # organizational usage, assumeRole to fetch S3 elements

  #
  #  - aws-cloudtrail-s3-sns-sqs: # Receives CloudTrail events using s3 events as triggers
  #      queueURL:
  #      assumeRole: # organizational usage, assumeRole to fetch S3 elements


  #  - gcp-auditlog-pubsub-http: # Receives GCP AuditLog from a PubSub topic streamed over an HTTP Endpoint
  #      url:

  #
  #  - gcp-gcr-pubsub-http: # Receives GCR events from a PubSub topic streamed over an HTTP Endpoint
  #      url:

  #
  #  - azure-event-hub:
  #      subscriptionID: 00000000-1111-2222-3333-444444444444

  #
  #  - azure-event-grid:
  #      subscriptionID: 00000000-1111-2222-3333-444444444444

Scanners

Trigger scanners when a new image is detected

scanners:
#  - aws-ecr: # Scan images when a new image is pushed to AWS ECR
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:

#  - aws-ecs: # Scan images when a new image is detected in a ECS cluster
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:

#  - gcp-gcr: # Scan images when a new image is pushed to GCP GCR
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:

#  - gcp-cloud-run: # Scan images when a new image is detected from GCP CloudRun
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#
#  - azure-acr: {} # Scan images when a new image is pushed to Azure container registry

#  - azure-aci: # Scan images when a new image is detected in container instance group
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#      resourceGroup: sfc-resourcegroup # resource group of azure container registry
#      containerRegistry: sfccontainerregistry # container registry name where to run the scan

Usage examples

Check live examples present in our different Terraform Modules: