# Cloud Connector

This chart deploys the Sysdig Cloud Connector on your Kubernetes cluster to enable threat detection and image scanning.
## TL;DR

```bash
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install cloud-connector sysdig/cloud-connector \
    --create-namespace -n cloud-connector --version=0.7.24 \
    --set sysdig.secureAPIToken=SECURE_API_TOKEN
```
## Introduction

This chart deploys the Sysdig Cloud Connector on a Kubernetes cluster using the Helm package manager to enable threat detection and image scanning capabilities for the three main cloud providers: AWS, GCP and Azure.
## Prerequisites

- Helm 3
- Sysdig Secure API Token
## Installing the Chart

To install the chart with the release name `cloud-connector`:

```bash
$ helm upgrade --install cloud-connector sysdig/cloud-connector -n cloud-connector --version=0.7.24
```
The command deploys the Sysdig Cloud Connector on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list -A`
## Uninstalling the Chart

To uninstall/delete the `cloud-connector` release:

```bash
$ helm uninstall cloud-connector -n cloud-connector
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration

The following table lists the configurable parameters of the `cloud-connector` chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| `replicaCount` | Number of replicas for Cloud Connector | `1` |
| `image.repository` | The image repository to pull from | `quay.io/sysdig/cloud-connector` |
| `image.pullPolicy` | The image pull policy | `IfNotPresent` |
| `image.tag` | The image tag (immutable tags are recommended). Overrides the image tag, whose default is the chart `appVersion` | |
| `imagePullSecrets` | The image pull secrets | `[]` |
| `nameOverride` | Chart name override | `""` |
| `fullnameOverride` | Chart full name override | `""` |
| `serviceAccount.create` | Create the service account | `true` |
| `serviceAccount.annotations` | Extra annotations for the service account | `{}` |
| `serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated using the fullname template | `""` |
| `podAnnotations` | Pod annotations | `{"prometheus.io/path":"/metrics","prometheus.io/port":"5000","prometheus.io/scrape":"true"}` |
| `podSecurityContext` | Configure the deployment's pod security context (PSPs) | `{}` |
| `securityContext` | Configure the container `securityContext` | `{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` |
| `service.type` | Service type to use | `ClusterIP` |
| `service.port` | Port for the service | `80` |
| `service.labels` | Additional labels for the service | `{}` |
| `resources` | Configure resource requests and limits | `{}` |
| `nodeSelector` | Configure `nodeSelector` for scheduling | `{}` |
| `tolerations` | Tolerations for scheduling | `[]` |
| `affinity` | Configure affinity rules | `{}` |
| `telemetryDeploymentMethod` | Configure the deployment source reported by inner telemetry | `"helm"` |
| `extraEnvVars` | Extra environment variables to be set | `[]` |
| `aws.accessKeyId` | AWS credentials: AccessKeyID | `""` |
| `aws.secretAccessKey` | AWS credentials: SecretAccessKey | `""` |
| `aws.region` | AWS region | `""` |
| `gcpCredentials` | GCP credentials JSON | `""` |
| `azure.eventHubConnectionString` | Azure Event Hub connection string | `""` |
| `azure.eventGridEventHubConnectionString` | Azure Event Grid Event Hub connection string | `""` |
| `azure.tenantId` | Azure service principal tenant id | `""` |
| `azure.clientId` | Azure service principal client id | `""` |
| `azure.clientSecret` | Azure service principal client secret | `""` |
| `azure.region` | Azure region | `""` |
| `sysdig.url` | Sysdig Secure URL | `"https://secure.sysdig.com"` |
| `sysdig.secureAPIToken` | API token to access Sysdig Secure | `""` |
| `sysdig.verifySSL` | Verify the SSL certificate | `true` |
| `existingSecretName` | Provide an existing secret name (see details in `templates/secret.yaml`) for the entries it uses | `""` |
| `rules` | Rules section for Cloud Connector | `[]` |
| `ingestors` | Threat-detection event ingestion configuration (config) | `[]` |
| `scanners` | Scanning capabilities configuration (config) | `[]` |
| `bruteForceDetection.enabled` | Enable brute-force detection | `true` |
| `bruteForceDetection.duration` | Time window for a brute-force attempt | `24h` |
| `bruteForceDetection.maximumTries` | Maximum number of tries within the time window | `10` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade --install`. For example:

```bash
$ helm upgrade --install cloud-connector sysdig/cloud-connector \
    --create-namespace -n cloud-connector --version=0.7.24 \
    --set sysdig.secureAPIToken=YOUR-KEY-HERE
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:
```bash
$ helm upgrade --install cloud-connector sysdig/cloud-connector \
    --create-namespace -n cloud-connector --version=0.7.24 \
    --values values.yaml
```
## Examples

### Configuration Detail

#### Ingestors

Where to ingest events from:
```yaml
ingestors:
#  - aws-cloudtrail-sns-sqs:       # Receives CloudTrail events from an SQS queue using the SNS payload
#      queueURL:
#      assumeRole:                 # organizational usage, assumeRole to fetch S3 elements
#      concurrentDownloads: 4
#
#  - aws-cloudtrail-s3-sns-sqs:    # Receives CloudTrail events using S3 events as triggers
#      queueURL:
#      assumeRole:                 # organizational usage, assumeRole to fetch S3 elements
#      concurrentDownloads: 4
#
#  - eks:                          # Enables K8s audit log for EKS clusters
#      cluster:                    # EKS cluster name to secure
#      interval: 60s
#      tags:
#
#  - gcp-auditlog:                 # Polls for GCP audit log events from the StackDriver API
#      project:
#      interval: 90s
#
#  - gcp-auditlog-pubsub:          # Receives GCP AuditLog from a PubSub topic
#      project:
#      subscription:
#
#  - gcp-gcr-pubsub:               # Receives GCP GCR events from a PubSub topic
#      project:
#      subscription:
#
#  - gcp-auditlog-pubsub-http:     # Receives GCP AuditLog from a PubSub topic streamed over an HTTP endpoint
#      url:
#
#  - gcp-gcr-pubsub-http:          # Receives GCR events from a PubSub topic streamed over an HTTP endpoint
#      url:
#
#  - azure-event-hub:
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#
#  - azure-event-grid:
#      subscriptionID: 00000000-1111-2222-3333-444444444444
```
#### Scanners

Trigger scanners when a new image is detected:
```yaml
scanners:
#  - gcp-gcr:                      # Scan images when a new image is pushed to GCP GCR
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#  - gcp-cloud-run:                # Scan images when a new image is detected from GCP Cloud Run
#      project:
#      secureAPITokenSecretName:
#      serviceAccount:
#
#  - aws-ecr:                      # Scan images when a new image is pushed to AWS ECR
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:
#
#  - aws-ecs:                      # Scan images when a new image is detected in an ECS cluster
#      codeBuildProject:
#      secureAPITokenSecretName:
#      masterOrganizationRole:
#      organizationRolePerAccount:
#
#  - azure-acr: {}                 # Scan images when a new image is pushed to Azure Container Registry
#
#  - azure-aci:                    # Scan images when a new image is detected in a container instance group
#      subscriptionID: 00000000-1111-2222-3333-444444444444
#      resourceGroup: sfc-resourcegroup          # resource group of the Azure container registry
#      containerRegistry: sfccontainerregistry   # container registry name where to run the scan
```
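The following `values.yaml` ties the configuration table, the ingestors section and the scanners section above together in one file that can be passed with `--values`. It is an added example, not the chart's own `values.yaml` or a file from the Sysdig project: every key comes from this README, but the secret name, region, queue URL, cluster name, role names and CodeBuild project are placeholders, and the entry names the chart reads from the secret named in `existingSecretName` are those defined in `templates/secret.yaml`, which is not reproduced here.

```yaml
# Added example values.yaml for the Sysdig cloud-connector chart (not the chart's
# own values file). Keys are the documented chart parameters; concrete values are
# placeholders for a deployment that ingests CloudTrail via SQS, watches one EKS
# cluster and scans images pushed to ECR.

replicaCount: 1

sysdig:
  url: "https://secure.sysdig.com"
  # Keep certificate verification on: with verifySSL=false an on-path attacker
  # could read the Secure API token sent on every request.
  verifySSL: true
  # Left empty on purpose: the token is read from the Secret named below instead
  # of being stored in the Helm release values (visible via `helm get values`).
  secureAPIToken: ""

# Assumed name of a Secret created beforehand with kubectl; its entry names must
# match what templates/secret.yaml expects.
existingSecretName: "cloud-connector-credentials"   # placeholder

aws:
  region: "eu-west-1"                               # placeholder

# Restate the chart's hardened defaults explicitly so a later values override
# cannot silently drop them (no capabilities, read-only root FS, non-root user).
securityContext:
  capabilities:
    drop: ["ALL"]
  readOnlyRootFilesystem: true
  runAsNonRoot: true

# Bound the pod so a burst of events cannot starve the node (sample sizes).
resources:
  requests: { cpu: 100m, memory: 128Mi }
  limits:   { cpu: 500m, memory: 512Mi }

ingestors:
  - aws-cloudtrail-sns-sqs:
      queueURL: "https://sqs.eu-west-1.amazonaws.com/123456789012/cloudtrail-events"  # placeholder
      assumeRole: "arn:aws:iam::123456789012:role/cloud-connector-reader"             # placeholder, organizational usage
      concurrentDownloads: 4
  - eks:
      cluster: "prod-eks"                           # placeholder
      interval: 60s

scanners:
  - aws-ecr:
      codeBuildProject: "sysdig-image-scan"         # placeholder
      secureAPITokenSecretName: "sysdig-secure-api-token"                          # placeholder
      masterOrganizationRole: "arn:aws:iam::123456789012:role/cloud-connector-org"  # placeholder
      organizationRolePerAccount: "cloud-connector-member"                          # placeholder

bruteForceDetection:
  enabled: true
  duration: 24h
  maximumTries: 10
```

Install it with `helm upgrade --install cloud-connector sysdig/cloud-connector --create-namespace -n cloud-connector --version=0.7.24 --values values.yaml`. The deliberate choices are that the API token never appears in the values file or in shell history, TLS verification stays enabled, and the container keeps the restrictive `securityContext` the chart ships by default.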
### Usage examples

Check live examples present in our different Terraform Modules:

- Single Account Deployment for AWS in K8s
- Single Project Deployment for GCP in K8s
- Single Subscription Deployment for Azure in K8s
## Troubleshooting

**Q:** How do I enable debug logs?

**A:** Edit the ConfigMap and delete the pod(s)/deployment so it restarts with the new setting:

```diff
data:
  cloud-connector.yaml: |
<   logging: info
>   logging: debug
```