Chart: Node Analyzer
Overview
The Node Analyzer provides a method for deploying the components for the following Sysdig Secure features:
This chart adds the Sysdig Node Analyzer to all nodes in your cluster via a DaemonSet. The Node Analyzer is deployed by default unless you set the value nodeAnalyzer.deploy to false.
Use the sysdig-deploy parent chart to deploy Node Analyzer. Do not deploy subcharts directly.
For installation instructions, see Install Agent Components on Kubernetes.
Prerequisites
- Kubernetes 1.9+ with beta APIs enabled
Configuration
You can use the Helm chart to update the default agent configurations by using either of the following:
- The key-value pair: --set sysdig.settings.key=value (no spaces around the equals sign, otherwise helm treats the pieces as separate arguments)
- The values.yaml file
Using the Key-Value Pair
Specify each parameter using the --set key=value[,key=value] argument to the helm install command.
For example:
```shell
helm install sysdig-agent --namespace sysdig-agent --create-namespace \
    --set global.sysdig.accessKey=<ACCESS_KEY> \
    --set global.sysdig.tags.role=webserver --set global.sysdig.tags.location=europe \
    --set global.sysdig.region=<SAAS_REGION> \
    --set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
    --set global.kspm.deploy=true \
    --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
    --set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=true \
    --set global.clusterConfig.name=<CLUSTER_NAME> \
    sysdig/sysdig-deploy
```
Using values.yaml
The values.yaml file specifies the values for the node-analyzer configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.
1. Add the following to the values.yaml file:

   ```yaml
   global:
     sysdig:
       accessKey: <ACCESS_KEY>
       region: <SAAS_REGION>
     kspm:
       deploy: true
     clusterConfig:
       name: <CLUSTER_NAME>
   nodeAnalyzer:
     secure:
       vulnerabilityManagement:
         newEngineOnly: true
     nodeAnalyzer:
       benchmarkRunner:
         deploy: false
       hostScanner:
         deploy: true
   ```

   Tip: You can use the default values.yaml file.

2. Run the following:

   ```shell
   helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.sysdig.yaml
   ```
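A pre-install check for a values.yaml like the one above, added here as an example; it is not part of the Sysdig chart or its documentation. It flags the settings this page documents as weakening the deployment (sslVerifyCertificate set to false, includeSensitivePermissions set to true, a region outside the documented list, and a missing access key) and only parses the 2-space-indented mapping subset of YAML used in the example. It assumes the global.sysdig.accessKey path from the example above and, as an assumption, that existingAccessKeySecret sits beside it under global.sysdig (the table lists both under sysdig.*).

```python
import re

# Added example (not from the Sysdig chart): lint a Node Analyzer values.yaml
# for settings that weaken the deployment. Parses only the 2-space-indented
# mapping subset of YAML used on this page (no lists, no multi-line scalars).
VALID_REGIONS = {"us1", "us2", "us3", "us4", "eu1", "au1", "me2", "custom"}

# Constructed sample: region typo, TLS verification off for one component,
# and the benchmark runner granted elevated permissions.
SAMPLE_VALUES = """\
global:
  sysdig:
    accessKey: <ACCESS_KEY>
    region: eu9
nodeAnalyzer:
  nodeAnalyzer:
    benchmarkRunner:
      deploy: false
      includeSensitivePermissions: true
    hostScanner:
      deploy: true
      sslVerifyCertificate: false
"""

def _scalar(text):
    """Convert the YAML scalar kinds used in chart values (bool, int, str)."""
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text.strip("\"'")

def parse_values(text):
    """Flatten an indentation-based YAML mapping into {"a.b.c": value}."""
    flat, stack = {}, []  # stack holds (indent, key) of the open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave sibling/deeper maps
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value.strip():
            flat[path] = _scalar(value.strip())
        else:
            stack.append((indent, key))
    return flat

def lint_values(text):
    """Return sorted findings for a values file, using this page's parameters."""
    v = parse_values(text)
    findings = []
    # Assumed key paths: global.sysdig.accessKey / existingAccessKeySecret
    if not (v.get("global.sysdig.accessKey") or v.get("global.sysdig.existingAccessKeySecret")):
        findings.append("global.sysdig: accessKey or existingAccessKeySecret is required")
    region = v.get("global.sysdig.region", "us1")  # us1 is the chart default
    if region not in VALID_REGIONS:
        findings.append(f"global.sysdig.region: {region!r} is not a documented region")
    for path, val in v.items():
        if path.endswith(".sslVerifyCertificate") and val is False:
            findings.append(f"{path}: TLS verification to the Sysdig backend is disabled")
        if path.endswith(".includeSensitivePermissions") and val is True:
            findings.append(f"{path}: service account is granted elevated permissions")
    return sorted(findings)
```

Run lint_values over your own values file before helm install; an empty list means none of the documented weakening settings are present.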
Verify the integrity and origin
Sysdig Helm Charts are signed so that users can verify the integrity and origin of each chart. The steps are as follows:
Import the Public Key
```shell
$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
$ gpg --import /tmp/sysdig_public.gpg
```
Verify the Chart
To check the integrity and the origin of the charts, append the --verify flag to the install, upgrade and pull helm commands.
Configuration Parameters
The following table lists the configurable parameters of the Sysdig Node Analyzer chart and their default values.
Parameter | Description | Default |
---|---|---|
global.sysdig.region | The region where Sysdig Secure is deployed. Valid options are us1, us2, us3, us4, eu1, au1, me2, custom. | us1 |
global.sysdig.tags | The list of custom tags to be assigned to the components. | {} |
global.proxy.httpProxy | Sets HTTP_PROXY on the Node Analyzer containers. | "" |
global.proxy.httpsProxy | Sets HTTPS_PROXY on the Node Analyzer containers. | "" |
global.proxy.noProxy | Sets NO_PROXY on the Node Analyzer containers. | "" |
global.kspm.deploy | Enables the Sysdig KSPM node analyzer and KSPM collector. | false |
global.gke.autopilot | If true, the agent configuration will be overridden to run on GKE Autopilot clusters. | false |
global.image.pullSecrets | Sets the global pull secrets. | [] |
global.image.pullPolicy | Sets the global pull policy. | `IfNotPresent` |
image.registry | Sets the Sysdig Agent image registry. | quay.io |
gke.autopilot | If true, the agent configuration will be overridden to run on GKE Autopilot clusters. | false |
rbac.create | If true, RBAC resources will be created and used. | true |
scc.create | Creates OpenShift's Security Context Constraint. | true |
psp.create | Creates a Pod Security Policy to allow the agent to run in clusters with PSP enabled. | true |
clusterName | Sets a unique cluster name which is used to identify events with the kubernetes.cluster.name tag. | ` ` |
namespace | Overrides the global namespace setting and release namespace for components. | ` ` |
sysdig.accessKey | Sets your Sysdig Agent Access Key. Either accessKey or existingAccessKeySecret is required. | |
sysdig.existingAccessKeySecret | An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an access-key entry. Either accessKey or existingAccessKeySecret is required. | |
secure.enabled | Enables Sysdig Secure. | true |
secure.vulnerabilityManagement.newEngineOnly | Enables only the new vulnerability management engine. | false |
daemonset.annotations | Sets custom annotations for the DaemonSet. | {} |
daemonset.labels | Sets NodeAnalyzer-specific labels as a multi-line templated string map or as YAML. | {} |
daemonset.updateStrategy.type | Sets the updateStrategy for updating the DaemonSet. | RollingUpdate |
daemonset.updateStrategy.rollingUpdate.maxUnavailable | Sets the maximum number of pods that can be unavailable during the update process. | 1 |
daemonset.updateStrategy.rollingUpdate.maxSurge | Sets the maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update. | `` |
nodeAnalyzer.deploy | Deploys the Node Analyzer. | true |
nodeAnalyzer.apiEndpoint | Specifies the Sysdig Secure API endpoint, without the protocol (for example, secure.sysdig.com). | ` ` |
nodeAnalyzer.sslVerifyCertificate | Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
nodeAnalyzer.debug | Set to true to show debug logging, which is useful for troubleshooting. | |
nodeAnalyzer.createPriorityClass | Specifies whether or not to create a priority class for the node analyzer components. | false |
nodeAnalyzer.priorityClassName | Sets the priority class name variable. | `` |
nodeAnalyzer.priorityClassValue | Sets the priority class value for the node analyzer daemonset. | `` |
nodeAnalyzer.httpProxy | Sets the HTTP proxy configuration variables. | |
nodeAnalyzer.httpsProxy | Sets the HTTPS proxy configuration variables. | |
nodeAnalyzer.noProxy | Sets the noProxy configuration variables. | |
nodeAnalyzer.natsMaxReconnect | Sets the natsMaxReconnect configuration variable. Set to -1 for unlimited reconnect attempts to NATS, or leave empty for the default (60 attempts). | 0 |
nodeAnalyzer.natsMaxReconnectFailures | Sets the natsMaxReconnectFailures configuration variable. Set to -1 to disable, or leave empty for the default (60 attempts). | 60 |
nodeAnalyzer.pullSecrets | Sets the image pull secrets for the Node Analyzer containers. | nil |
nodeAnalyzer.extraVolumes.volumes | Specifies additional volumes to mount in the Node Analyzer, for example the Docker socket. | [] |
nodeAnalyzer.imageAnalyzer.deploy | Deploys the Image Analyzer. | true |
nodeAnalyzer.imageAnalyzer.image.repository | Sets the image repository to pull the Node Image Analyzer from. | sysdig/node-image-analyzer |
nodeAnalyzer.imageAnalyzer.image.tag | Sets the image tag for the Node Image Analyzer to be pulled. | 0.1.35 |
nodeAnalyzer.imageAnalyzer.image.digest | Sets the image digest to pull. | ` ` |
nodeAnalyzer.imageAnalyzer.image.pullPolicy | Sets the image pull policy for the Node Image Analyzer. | "" |
nodeAnalyzer.imageAnalyzer.http_proxy | Sets HTTP_PROXY on the Image Analyzer container. | "" |
nodeAnalyzer.imageAnalyzer.https_proxy | Sets HTTPS_PROXY on the Image Analyzer container. | "" |
nodeAnalyzer.imageAnalyzer.no_proxy | Sets NO_PROXY on the Image Analyzer container. | "" |
nodeAnalyzer.imageAnalyzer.dockerSocketPath | Specifies the Docker socket path. | |
nodeAnalyzer.imageAnalyzer.criSocketPath | Specifies the socket path to a CRI compatible runtime, such as CRI-O. | |
nodeAnalyzer.imageAnalyzer.containerdSocketPath | Specifies the socket path to a CRI-Containerd daemon. | |
nodeAnalyzer.imageAnalyzer.extraVolumes.volumes (Deprecated) | Specifies additional volumes to mount in the Node Image Analyzer, for example the Docker socket. | [] |
nodeAnalyzer.imageAnalyzer.extraVolumes.mounts | Specifies the mount points for additional volumes. | [] |
nodeAnalyzer.imageAnalyzer.resources.requests.cpu | Specifies the Node Image Analyzer CPU requests per node. | 150m |
nodeAnalyzer.imageAnalyzer.resources.requests.memory | Specifies the Node Image Analyzer memory requests per node. | 512Mi |
nodeAnalyzer.imageAnalyzer.resources.limits.cpu | Specifies the Node Image Analyzer CPU limit per node. | 500m |
nodeAnalyzer.imageAnalyzer.resources.limits.memory | Specifies the Node Image Analyzer memory limit per node. | 1536Mi |
nodeAnalyzer.imageAnalyzer.sslVerifyCertificate | Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
nodeAnalyzer.imageAnalyzer.env | Specifies the extra environment variables that will be passed onto pods. | {} |
nodeAnalyzer.hostAnalyzer.deploy | Deploys the Host Analyzer. | true |
nodeAnalyzer.hostAnalyzer.image.repository | Specifies the image repository to pull the Host Analyzer from. | sysdig/host-analyzer |
nodeAnalyzer.hostAnalyzer.image.tag | Sets the image tag to pull the Host Analyzer. | 0.1.22 |
nodeAnalyzer.hostAnalyzer.image.digest | Specifies the image digest to pull. | ` ` |
nodeAnalyzer.hostAnalyzer.image.pullPolicy | Specifies the image pull policy for the Host Analyzer. | "" |
nodeAnalyzer.hostAnalyzer.http_proxy | Sets HTTP_PROXY on the Host Analyzer container. | "" |
nodeAnalyzer.hostAnalyzer.https_proxy | Sets HTTPS_PROXY on the Host Analyzer container. | "" |
nodeAnalyzer.hostAnalyzer.no_proxy | Sets NO_PROXY on the Host Analyzer container. | "" |
nodeAnalyzer.hostAnalyzer.schedule | Specifies the scanning schedule for the Host Analyzer, expressed as a crontab. | @daily |
nodeAnalyzer.hostAnalyzer.dirsToScan | Specifies the list of directories to inspect during the scan. | /etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db |
nodeAnalyzer.hostAnalyzer.maxSendAttempts | Specifies the number of times the analysis collector is allowed to retry sending results. | 3 |
nodeAnalyzer.hostAnalyzer.resources.requests.cpu | Specifies the Host Analyzer CPU requests per node. | 150m |
nodeAnalyzer.hostAnalyzer.resources.requests.memory | Specifies the Host Analyzer memory requests per node. | 512Mi |
nodeAnalyzer.hostAnalyzer.resources.limits.cpu | Specifies the Host Analyzer CPU limit per node. | 500m |
nodeAnalyzer.hostAnalyzer.resources.limits.memory | Specifies the Host Analyzer memory limit per node. | 1536Mi |
nodeAnalyzer.hostAnalyzer.sslVerifyCertificate | Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
nodeAnalyzer.hostAnalyzer.env | Specifies the extra environment variables that will be passed onto pods. | {} |
nodeAnalyzer.benchmarkRunner.deploy | Deploys the Benchmark Runner. | true |
nodeAnalyzer.benchmarkRunner.image.repository | Specifies the image repository to pull the Benchmark Runner from. | sysdig/compliance-benchmark-runner |
nodeAnalyzer.benchmarkRunner.image.tag | Specifies the image tag for the Benchmark Runner to be pulled. | 1.1.1.4 |
nodeAnalyzer.benchmarkRunner.image.digest | Specifies the image digest to pull. | ` ` |
nodeAnalyzer.benchmarkRunner.image.pullPolicy | Specifies the image pull policy for the Benchmark Runner. | "" |
nodeAnalyzer.benchmarkRunner.http_proxy | Sets HTTP_PROXY on the Benchmark Runner container. | "" |
nodeAnalyzer.benchmarkRunner.https_proxy | Sets HTTPS_PROXY on the Benchmark Runner container. | "" |
nodeAnalyzer.benchmarkRunner.no_proxy | Sets NO_PROXY on the Benchmark Runner container. | "" |
nodeAnalyzer.benchmarkRunner.includeSensitivePermissions | Grants the service account elevated permissions to run the CIS Benchmark for OS4. | false |
nodeAnalyzer.benchmarkRunner.resources.requests.cpu | Specifies the Benchmark Runner CPU requests per node. | 150m |
nodeAnalyzer.benchmarkRunner.resources.requests.memory | Specifies the Benchmark Runner memory requests per node. | 128Mi |
nodeAnalyzer.benchmarkRunner.resources.limits.cpu | Specifies the Benchmark Runner CPU limit per node. | 500m |
nodeAnalyzer.benchmarkRunner.resources.limits.memory | Specifies the Benchmark Runner memory limit per node. | 256Mi |
nodeAnalyzer.benchmarkRunner.sslVerifyCertificate | Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
nodeAnalyzer.benchmarkRunner.env | Specifies the extra environment variables that will be passed onto pods. | {} |
nodeAnalyzer.hostScanner.debug | Set to true to show debug logging, which is useful for troubleshooting. | false |
nodeAnalyzer.hostScanner.deploy | Deploys the Host Scanner. | unset |
nodeAnalyzer.hostScanner.dirsToScan | Specifies the list of directories to inspect during the scan. | /etc,/var/lib/dpkg,/var/lib/rpm,/lib/apk/db,/bin,/sbin,/usr/bin,/usr/sbin,/usr/share,/usr/local,/usr/lib,/usr/lib64,/var/lib/google,/var/lib/toolbox,/var/lib/cloud |
nodeAnalyzer.hostScanner.additionalDirsToScan | Sets an optional comma-separated list of directories to scan in addition to the default ones. | ` ` |
nodeAnalyzer.hostScanner.env | Specifies the extra environment variables that will be passed onto pods. | {} |
nodeAnalyzer.hostScanner.image.repository | Specifies the image repository to pull the Host Scanner from. | sysdig/vuln-host-scanner |
nodeAnalyzer.hostScanner.image.tag | Specifies the image tag to pull the Host Scanner. | 0.12.3 |
nodeAnalyzer.hostScanner.image.digest | Specifies the image digest to pull. | ` ` |
nodeAnalyzer.hostScanner.image.pullPolicy | Specifies the image pull policy for the Host Scanner. | "" |
nodeAnalyzer.hostScanner.http_proxy | Sets HTTP_PROXY on the Host Scanner container. | "" |
nodeAnalyzer.hostScanner.https_proxy | Sets HTTPS_PROXY on the Host Scanner container. | "" |
nodeAnalyzer.hostScanner.no_proxy | Sets NO_PROXY on the Host Scanner container. | "" |
nodeAnalyzer.hostScanner.prometheus.enabled | Enables Prometheus metrics. | false |
nodeAnalyzer.hostScanner.prometheus.port | Overrides the default Prometheus port. | "" |
nodeAnalyzer.hostScanner.prometheus.endpoint | Overrides the default Prometheus metrics endpoint. | "" |
nodeAnalyzer.hostScanner.resources.requests.cpu | Specifies the Host Scanner CPU requests per node. | 150m |
nodeAnalyzer.hostScanner.resources.requests.memory | Specifies the Host Scanner memory requests per node. | 512Mi |
nodeAnalyzer.hostScanner.resources.requests.ephemeral-storage | Specifies the Host Scanner storage requests per node. | 512Mi |
nodeAnalyzer.hostScanner.resources.limits.cpu | Specifies the Host Scanner CPU limit per node. | 500m |
nodeAnalyzer.hostScanner.resources.limits.memory | Specifies the Host Scanner memory limit per node. | 1Gi |
nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage | Specifies the Host Scanner storage limit per node. | 1Gi |
nodeAnalyzer.hostScanner.sslVerifyCertificate | Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
nodeAnalyzer.hostScanner.probesPort | Specifies the port where readiness and liveness probes are exposed. | 7001 |
nodeAnalyzer.hostScanner.scanContainers.enabled | Set to true to scan containers. | false |
nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath | Specifies the path to the Docker socket. | unix:///var/run/docker.sock |
nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath | Specifies the path to the Podman socket. | unix:///var/run/podman.sock |
nodeAnalyzer.runtimeScanner.debug | Set to true to show debug logging, which is useful for troubleshooting. | false |
nodeAnalyzer.runtimeScanner.deploy | Deploys the Runtime Scanner. | false |
nodeAnalyzer.runtimeScanner.extraMounts | Specifies a container engine custom socket path (docker, containerd, CRI-O). | |
nodeAnalyzer.runtimeScanner.storageClassName | Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. | `` |
nodeAnalyzer.runtimeScanner.image.repository | Specifies the image repository to pull the Runtime Scanner from. | sysdig/vuln-runtime-scanner |
nodeAnalyzer.runtimeScanner.image.tag | Specifies the image tag to pull the Runtime Scanner. | 1.8.0 |
nodeAnalyzer.runtimeScanner.image.digest | Specifies the image digest to pull. | ` ` |
nodeAnalyzer.runtimeScanner.image.pullPolicy | Specifies the image pull policy for the Runtime Scanner. | "" |
nodeAnalyzer.runtimeScanner.http_proxy | Sets HTTP_PROXY on the Runtime Scanner container. | "" |
nodeAnalyzer.runtimeScanner.https_proxy | Sets HTTPS_PROXY on the Runtime Scanner container. | "" |
nodeAnalyzer.runtimeScanner.no_proxy | Sets NO_PROXY on the Runtime Scanner container. | "" |
nodeAnalyzer.runtimeScanner.resources.requests.cpu | Specifies the Runtime Scanner CPU requests per node. | 150m |
nodeAnalyzer.runtimeScanner.resources.requests.memory | Specifies the Runtime Scanner memory requests per node. | 512Mi |
nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage | Specifies the Runtime Scanner storage requests per node. | 2Gi |
nodeAnalyzer.runtimeScanner.resources.limits.cpu | Specifies the Runtime Scanner CPU limit per node. | 1000m |
nodeAnalyzer.runtimeScanner.resources.limits.memory | Specifies the Runtime Scanner memory limit per node. | 2Gi |
nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage | Specifies the Runtime Scanner storage limit per node. | 4Gi |
nodeAnalyzer.runtimeScanner.sslVerifyCertificate | Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
nodeAnalyzer.runtimeScanner.env | Specifies the extra environment variables that will be passed onto pods. | {} |
nodeAnalyzer.runtimeScanner.settings.eveEnabled | Enables Sysdig Eve. | true |
nodeAnalyzer.runtimeScanner.eveConnector.image.repository | Specifies the image repository to pull the Eve Connector from. | sysdig/eveclient-api |
nodeAnalyzer.runtimeScanner.eveConnector.image.tag | Specifies the image tag for the Eve Connector to be pulled. | 1.1.4 |
nodeAnalyzer.runtimeScanner.eveConnector.deploy | Enables the Sysdig Eve Connector for third-party integrations. | false |
nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu | Specifies the Eve Connector CPU requests per node. | 100m |
nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory | Specifies the Eve Connector memory requests per node. | 128Mi |
nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu | Specifies the Eve Connector CPU limits per node. | 1000m |
nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory | Specifies the Eve Connector memory limits per node. | 512Mi |
nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas | Specifies the Eve Connector deployment replicas. | 1 |
nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName | Specifies the name of an existing PriorityClass to use for the Eve Connector Deployment. | {} |
nodeAnalyzer.tolerations | Specifies the tolerations for scheduling. | `node-role.kubernetes.io/master:NoSchedule, node-role.kubernetes.io/control-plane:NoSchedule` |
nodeAnalyzer.kspmAnalyzer.debug | Set to true to show KSPM node analyzer debug logging, which is useful for troubleshooting. | false |
nodeAnalyzer.kspmAnalyzer.image.repository | Specifies the image repository to pull the KSPM node analyzer from. | sysdig/kspm-analyzer |
nodeAnalyzer.kspmAnalyzer.image.tag | Specifies the image tag for the KSPM node analyzer image to be pulled. | 1.44.9 |
nodeAnalyzer.kspmAnalyzer.image.digest | Specifies the image digest to pull. | ` ` |
nodeAnalyzer.kspmAnalyzer.image.pullPolicy | Specifies the image pull policy for the KSPM node analyzer. | "" |
nodeAnalyzer.kspmAnalyzer.http_proxy | Sets HTTP_PROXY on the KSPM Analyzer container. | "" |
nodeAnalyzer.kspmAnalyzer.https_proxy | Sets HTTPS_PROXY on the KSPM Analyzer container. | "" |
nodeAnalyzer.kspmAnalyzer.no_proxy | Sets NO_PROXY on the KSPM Analyzer container. | "" |
nodeAnalyzer.kspmAnalyzer.resources.requests.cpu | Specifies the KSPM node analyzer CPU requests per node. | 150m |
nodeAnalyzer.kspmAnalyzer.resources.requests.memory | Specifies the KSPM node analyzer memory requests per node. | 256Mi |
nodeAnalyzer.kspmAnalyzer.resources.limits.cpu | Specifies the KSPM node analyzer CPU limits per node. | 500m |
nodeAnalyzer.kspmAnalyzer.resources.limits.memory | Specifies the KSPM node analyzer memory limits per node. | 1536Mi |
nodeAnalyzer.kspmAnalyzer.port | Specifies the KSPM node analyzer port for health checks and the results API. | 12000 |
nodeAnalyzer.kspmAnalyzer.readinessProbe.enabled | Specifies whether the KSPM node analyzer readinessProbe is enabled. | true |
nodeAnalyzer.kspmAnalyzer.sslVerifyCertificate | Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment. | |
nodeAnalyzer.kspmAnalyzer.livenessProbe.enabled | Specifies whether the KSPM node analyzer livenessProbe is enabled. | true |
nodeAnalyzer.kspmAnalyzer.env | Specifies the extra environment variables that will be passed onto pods. | {} |
nodeAnalyzer.nodeSelector | Specifies the node selector. | {} |
nodeAnalyzer.affinity | Specifies the node affinities. | schedule on amd64 and linux |
nodeAnalyzer.bottlerocket.enabled | Set to true to indicate that the node analyzer will be deployed on Bottlerocket. | false |
nodeAnalyzer.bottlerocket.apiClientPath | Path to the apiclient binary inside Bottlerocket hosts. | /usr/bin/apiclient |
nodeAnalyzer.bottlerocket.apiServerSocketPath | Path to the API socket inside Bottlerocket hosts. | /run/api.sock |
hostNetwork | Allows setting hostNetwork on the pods. | null |
dnsPolicy | Allows setting dnsPolicy on the pods. | null |