Cluster Shield
Sysdig Cluster Shield.
This chart deploys the Sysdig Cluster Shield in your Kubernetes cluster.
Introduction
This chart deploys the Sysdig Cluster Shield as a Deployment on a Kubernetes cluster using the Helm package manager.
Prerequisites
- Helm 3.6
- Sysdig AccessKey
- Sysdig Secure API Token
- Sysdig Secure API URL
- Sysdig Secure Collector
Installing the Chart
To install the chart create a values.yaml file. Set your values and decide which features you would like to enable.
cluster_shield:
cluster_config:
name: <your-cluster-name>
features:
admission_control:
enabled: true
audit:
enabled: true
container_vulnerability_management:
enabled: true
posture:
enabled: true
sysdig_endpoint:
api_url: <your-api-url>
secure_api_token: <your-secure-api-token>
access_key: <your-access-key>
Then, to install it with the release name sysdig-cluster-shield, run:
$ helm upgrade --install --atomic --create-namespace \
-n sysdig-agent \
-f values.yaml \
sysdig-cluster-shield \
sysdig/cluster-shield
The command deploys the Sysdig Cluster Shield on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
Tip: List all releases using
helm list
Uninstalling the Chart
To uninstall/delete the sysdig-cluster-shield:
$ helm uninstall sysdig-cluster-shield -n sysdig-agent
The command removes all the Kubernetes components associated with the chart and deletes the release.
Configuration
The following table lists the configurable parameters of the cluster-shield chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| global.clusterConfig.name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | "" |
| global.proxy.httpProxy | Sets the HTTP Proxy address. | |
| global.proxy.httpsProxy | Sets the HTTPS Proxy address. | |
| global.proxy.noProxy | Sets IPs/URLs that should not pass trough a Proxy Server. | 127.0.0.1,localhost,.local,.internal |
| global.image.pullSecrets | The pull secrets used for the Cluster Shield container image | [] |
| global.image.pullPolicy | The pull policy for the Cluster Shield container image | IfNotPresent |
| global.sysdig.accessKeySecret | An existing secret containing the Sysdig Agent Access Key | |
| global.sysdig.accessKey | The Sysdig Agent Access Key | |
| global.sysdig.apiHost | The Sysdig Agent API Hostname | |
| global.sysdig.region | Region name for Sysdig. When no region is suitable (e.g. on-premise installations) set the value to “custom” | "custom" |
| global.sysdig.secureAPITokenSecret | An existing secret containing the Secure API token to access Sysdig Secure. (needed only with on-premise installations) | |
| global.sysdig.secureAPIToken | The Secure API token to access Sysdig Secure. (needed only with on-premise installations) | |
| global.sysdig.tags | Tags you want to apply to the metadata sent to the Sysdig BE. They are used for instance as additional labels to the KSM metrics, with format `agent_tag_ |
{} |
| global.gke.autopilot | If true, overrides the Cluster Shield configuration to run on GKE Autopilot clusters. | false |
| global.imageRegistry | The image registry configuration | |
| global.sslVerifyCertificate | Define if the certificate should be verified | true |
| global.ssl.ca.certs | A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] |
| global.ssl.ca.keyName | Filename that is used when creating the secret. Required if certs is provided. | null |
| global.ssl.ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | null |
| global.ssl.ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | null |
| global.ssl.ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | null |
| global.ssl.ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | null |
| cluster_shield.cluster_config.name | The name of the cluster. Make sure to set a unique value for all the clusters being inspected. | |
| cluster_shield.cluster_config.tags | Tags you want to apply to the metadata sent to the Sysdig BE. They are used for instance as additional labels to the KSM metrics, with format `agent_tag_ |
{} |
| cluster_shield.log_level | The log level for the Cluster Shield application | warn |
| cluster_shield.monitoring_port | The port that the Cluster Shield will use to expose probes and metrics | 8080 |
| cluster_shield.sysdig_endpoint.access_key | The Sysdig Agent Access Key | |
| cluster_shield.sysdig_endpoint.api_url | The Sysdig Agent API URL | |
| cluster_shield.sysdig_endpoint.secure_api_token | The Sysdig Secure API Token | |
| cluster_shield.sysdig_endpoint.region | Region name for Sysdig. When no region is suitable (e.g. on-premise installations) set the value to “custom” | |
| cluster_shield.kubernetes.root_namespace | The system namespace of your Kubernetes cluster | kube-system |
| cluster_shield.features.admission_control.enabled | Enable the admission control feature | false |
| cluster_shield.features.admission_control.deny_on_error | Deny the admission of the pod if an error occurs | false |
| cluster_shield.features.admission_control.dry_run | Enable the dry run mode | true |
| cluster_shield.features.admission_control.timeout | The timeout for the admission control feature | 5 |
| cluster_shield.features.admission_control.http_port | The port that will be used to expose admission control endpoints | 8443 |
| cluster_shield.features.admission_control.excluded_namespaces | The list of namespaces to exclude from the admission control feature | [] |
| cluster_shield.features.admission_control.container_vulnerability_management.enabled | Enable the container vulnerability management feature on the admission control | false |
| cluster_shield.features.audit.enabled | Enable the Kubernetes Audit feature | false |
| cluster_shield.features.audit.http_port | The port that will be used to expose the audit endpoints | 6443 |
| cluster_shield.features.audit.timeout | The timeout for the audit feature | 5 |
| cluster_shield.features.audit.excluded_namespaces | The list of namespaces to exclude from the audit feature | [] |
| cluster_shield.features.audit.webhook_rules | List of rules used to determine if a request should be audited | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}] |
| cluster_shield.features.posture.enabled | Enable the posture feature | false |
| cluster_shield.features.container_vulnerability_management.enabled | Enable the container vulnerability management feature | false |
| cluster_shield.features.container_vulnerability_management.in_use.enabled | Allows to retrieve the list of running packages. | true |
| cluster_shield.features.container_vulnerability_management.in_use.integration_enabled | Allows to store the list of running packages to Sysdig backend. | false |
| cluster_shield.features.container_vulnerability_management.local_cluster.registry_secrets | Restrict access to specific Docker secrets when Cluster Scanner is running. The default behavior is listing all secrets. | [] |
| cluster_shield.features.container_vulnerability_management.platform_services_enabled | Define if the platform services are enabled | true |
| cluster_shield.features.container_vulnerability_management.registry_ssl.verify | If set to false it allows insecure connections to registries, Such as for registries with self-signed or private certificates. | true |
| cluster_shield.features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature | false |
| ca.certs | A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] |
| ca.keyName | Filename that is used when creating the secret. Required if certs is provided. | null |
| ca.existingCaSecret | Provide the name of an existing Secret that contains the CA required | null |
| ca.existingCaSecretKeyName | Provide the filename that is defined inside the existing Secret | null |
| ca.existingCaConfigMap | Provide the name of an existing ConfigMap that contains the CA required | null |
| ca.existingCaConfigMapKeyName | Provide the filename that is defined inside the existing ConfigMap | null |
| run_command | The command executed by the Cluster Shield POD | "run-all-namespaced" |
| image.registry | The Sysdig Registry Scanner image registry. | quay.io |
| image.repository | The Cluster Shield container image repository | sysdig/cluster-shield |
| image.pullPolicy | The Cluster Shield container image pull policy | |
| proxy.httpProxy | Sets the HTTP Proxy address. | |
| proxy.httpsProxy | Sets the HTTPS Proxy address. | |
| proxy.noProxy | Sets IPs/URLs that should not pass trough a Proxy Server. | |
| imagePullSecrets | The Cluster Shield container image pull secrets | [] |
| probes.liveness.initialDelaySeconds | The liveness probe initial delay | 5 |
| probes.liveness.periodSeconds | The liveness probe period | 5 |
| probes.readiness.initialDelaySeconds | The readiness probe initial delay | 10 |
| probes.readiness.periodSeconds | The readiness probe period | 5 |
| podAnnotations | Additional pod annotations | {} |
| podLabels | Additional pod labels | {} |
| service.type | The Cluster Shield service type | ClusterIP |
| service.monitoring_port | The Service port used to expose probes and metrics | |
| service.admission_control_port | The Service port used to expose admission control endpoints | |
| service.audit_port | The Service port used to expose audit endpoints | |
| serviceAccount.create | Specifies whether a service account should be created | true |
| serviceAccount.name | The name of the service account to use. | |
| serviceAccount.labels | Additional service account labels | {} |
| serviceAccount.annotations | Additional service account annotations | {} |
| resources | {} |
|
| priorityClassName | Set Cluster Shield deployment priorityClassName | |
| createPriorityClass | Specifies whether a PriorityClass should be created | false |
| priorityClassValue | Set Cluster Shield deployment priorityClassValue | 10 |
| nodeSelector | Node labels for pod assignment | {} |
| tolerations | Tolerations for pod assignment | [] |
| affinity | Affinity for pod assignment | {} |
| replicaCount | The number of replicas for the Cluster Shield deployment | 2 |
| updateStrategy.type | The update strategy for the Cluster Shield deployment | RollingUpdate |
| updateStrategy.rollingUpdate | The rolling update strategy for the Cluster Shield deployment | {} |
| onPremCompatibilityVersion | Optional parameter used to check the compatibility of cluster-shield component versions with the on-premised backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of Sysdig backend you are using. If you are runinng on SaaS, do NOT provide this parameter. | |
| hostNetwork | Specifies if Cluster Shield should be started in hostNetwork mode. This field is required if you are using a custom CNI where the control plane nodes are unable to initiate network connections to the pods, for example, using Calico CNI plugin on EKS. | false |
| dnsPolicy | Define Cluster Shield Pods DNS Policy | |
| existingTLSSecret.name | Provide the name of an existing Secret that contains the TLS certificate required | |
| existingTLSSecret.tlsCertName | Provide the certificate filename that is defined inside the existing Secret (default tls.crt) | |
| existingTLSSecret.tlsCertKeyName | Provide the certificate key filename that is defined inside the existing Secret (default tls.key) | |
| existingTLSSecret.caCertName | Provide the certificate authority filename that is defined inside the existing Secret (default ca.crt) | |
| env | Optional parameter used to add environment variables to the Cluster Shield pods | [] |
| volumes | Optional parameter to specify additional host volumes for the Cluster Shield pods | [] |
| volumeMounts | Optional parameter to specify additional volume mounts for the Cluster Shield pods | [] |
Running helm unit tests
The sysdiglabs/charts repository uses the following helm unittest plugin: https://github.com/quintush/helm-unittest
You can test the changes to your chart by running the test suites as follows:
make test
The helm unit tests are in the tests folder. It is recommended to add new tests as new features are added here.