Chart: Node Analyzer

Overview

The Node Analyzer provides a method for deploying the components for the following Sysdig Secure features:

This chart adds the Sysdig Node Analyzer to all nodes in your cluster via a DaemonSet. The Node Analyzer is deployed by default unless you set the value nodeAnalyzer.deploy to false.

Use the sysdig-deploy parent chart to deploy Node Analyzer. Do not deploy subcharts directly.

For installation instructions, see Install Agent Components on Kubernetes.

Prerequisites

Configuration

You can use the Helm chart to update the default agent configurations by using either of the following:

Using the Key-Value Pair

Specify each parameter using the --set key=value[,key=value] argument to the helm installcommand.

For example:

helm install sysdig-agent --namespace sysdig-agent --create-namespace \
--set global.sysdig.accessKey=<ACCESS_KEY> \
--set global.sysdig.tags.role=webserver --set global.sysdig.tags.location=europe \
--set global.sysdig.region=<SAAS_REGION> \
--set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
--set global.kspm.deploy=true \
--set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
--set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=true
--set global.clusterConfig.name=<CLUSTER_NAME> \
sysdig/sysdig-deploy

Using values.yaml

The values.yaml file specifies the values for the node-analyzer configuration parameters. You can add the configuration to the values.yaml file, then use it in the helm install command.

  1. Add the following to the values.yaml file:

     global:
      sysdig:
        accessKey: <ACCESS_KEY>
        region: <SAAS_REGION>
      kspm:
        deploy: true
      clusterConfig:
        name: <CLUSTER_NAME>
    nodeAnalyzer:
      secure:
        vulnerabilityManagement:
          newEngineOnly: true
      nodeAnalyzer:
        benchmarkRunner:
          deploy: false
        hostScanner:
          deploy: true
    

    Tip: You can use the default values.yaml file.

  2. Run the following:

    helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.sysdig.yaml
    

Verify the integrity and origin

Sysdig Helm Charts are signed so users can verify the integrity and origin of each chart, the steps are as follows:

Import the Public Key

$ curl -o "/tmp/sysdig_public.gpg" "https://charts.sysdig.com/public.gpg"
$ gpg --import /tmp/sysdig_public.gpg

Verify the Chart

To check the integrity and the origin of the charts, append the --verify flag to the install, upgrade and pull helm commands.

Configuration Parameters

The following table lists the configurable parameters of the Sysdig Node Analyzer chart and their default values.

Parameter Description Default
global.sysdig.region The region where Sysdig Secure is deployed. Valid options areus1, us2, us3, us4, eu1, au1, me2, custom. us1
global.sysdig.tags The list of custom tags to be assigned to the components. {}
global.proxy.httpProxy Sets HTTP_PROXY on the Node Analyzer containers. ""
global.proxy.httpsProxy Sets HTTPS_PROXY on the Node Analyzer containers. ""
global.proxy.noProxy Sets NO_PROXY on the Node Analyzer containers. ""
global.kspm.deploy Enables Sysdig KSPM node analyzer and KSPM collector. false
global.gke.autopilot If true,the agent configuration will be overridden to run on GKE Autopilot clusters. false
global.image.pullSecrets Sets the global pull secrets. []
global.image.pullPolicy Sets the global pull policy. `IfNotPresent`
image.registry Sets the Sysdig Agent image registry. quay.io
gke.autopilot If true, the agent configuration will be overridden to run on GKE Autopilot clusters. false
rbac.create If true, RBAC resources will be created and used. true
scc.create Creates OpenShift’s Security Context constraint. true
psp.create Creates Pod Security Policy to allow the agent running in clusters with PSP enabled. true
clusterName Sets a unique cluster name which is used to identify events with the kubernetes.cluster.name tag. ` `
namespace Overrides the global namespace setting and release namespace for components. ` `
sysdig.accessKey Sets your Sysdig Agent Access Key. Either accessKey or existingAccessKeySecret is required.  
sysdig.existingAccessKeySecret An alternative to using the Sysdig Agent access key. Specify the name of a Kubernetes secret containing an access-key entry. Either accessKey or existingAccessKeySecret is required.  
secure.enabled Enables Sysdig Secure. true
secure.vulnerabilityManagement.newEngineOnly Enables only the new vulnerability management engine. false
daemonset.annotations Sets custom annotations for the DaemonSet. {}
daemonset.labels Sets NodeAnalyzer-specific labels as a multi-line templated string map or as YAML. {}
daemonset.updateStrategy.type Sets the updateStrategy for updating the DaemonSet. RollingUpdate
daemonset.updateStrategy.rollingUpdate.maxUnavailable Sets the maximum number of pods that can be unavailable during the update process. 1
daemonset.updateStrategy.rollingUpdate.maxSurge Sets the maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during an update. ``
nodeAnalyzer.deploy Deploys the Node Analyzer. true
nodeAnalyzer.apiEndpoint Specifies the Sysdig secure API endpoint, without the protocol. secure.sysdig.com ` `
nodeAnalyzer.sslVerifyCertificate Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment.  
nodeAnalyzer.debug Set to true to show debug logging, which is useful for troubleshooting.  
nodeAnalyzer.createPriorityClass Specify whether or not to create a priority class for the node analyzer components false
nodeAnalyzer.priorityClassName Sets the priority class name variable. ``
nodeAnalyzer.priorityClassValue Sets the priority class value for the node analyzer daemonset. ``
nodeAnalyzer.httpProxy Sets the HTTP proxy configuration variables.  
nodeAnalyzer.httpsProxy Sets the HTTPS proxy configuration variables.  
nodeAnalyzer.noProxy Sets noProxy configuration variables.  
nodeAnalyzer.natsMaxReconnect Sets natsMaxReconnect configuration variables. Set to -1 for unlimited reconnect attempts to NATS, or leave empty for default (60 attempts). 0
nodeAnalyzer.natsMaxReconnectFailures Sets natsMaxReconnectFailures configuration variables. Set to -1 to disable, or leave empty for default (60 attempts). 60
nodeAnalyzer.pullSecrets Sets the image pull secrets for the Node Analyzer containers. nil
nodeAnalyzer.extraVolumes.volumes Specifies additional volumes to mount in the Node Analyzer. For example, docker socket. []
nodeAnalyzer.imageAnalyzer.deploy Deploys the Image Analyzer. true
nodeAnalyzer.imageAnalyzer.image.repository Sets the image repository to pull the Node Image Analyzer from. sysdig/node-image-analyzer
nodeAnalyzer.imageAnalyzer.image.tag Sets the image tag for the Node Image Analyzer to be pulled. 0.1.36
nodeAnalyzer.imageAnalyzer.image.digest Sets the image digest to pull. ` `
nodeAnalyzer.imageAnalyzer.image.pullPolicy Sets the Image pull policy for the Node Image Analyzer. ""
nodeAnalyzer.imageAnalyzer.http_proxy Sets HTTP_PROXY on the Image Analyzer container. ""
nodeAnalyzer.imageAnalyzer.https_proxy Sets HTTPS_PROXY on the Image Analyzer container. ""
nodeAnalyzer.imageAnalyzer.no_proxy Sets NO_PROXY on the Image Analyzer container. ""
nodeAnalyzer.imageAnalyzer.dockerSocketPath Specifies the Docker socket path.  
nodeAnalyzer.imageAnalyzer.criSocketPath Specifies the socket path to a CRI compatible runtime, such as CRI-O.  
nodeAnalyzer.imageAnalyzer.containerdSocketPath Specifies the socket path to a CRI-Containerd daemon.  
nodeAnalyzer.imageAnalyzer.extraVolumes.volumes (Deprecated) Specifies additional volumes to mount in the Node Image Analyzer. For example, docker socket. []
nodeAnalyzer.imageAnalyzer.extraVolumes.mounts Specifies the mount points for additional volumes. []
nodeAnalyzer.imageAnalyzer.resources.requests.cpu Specifies the Node Image Analyzer CPU requests per node. 150m
nodeAnalyzer.imageAnalyzer.resources.requests.memory Specifies the Node Image Analyzer Memory requests per node. 512Mi
nodeAnalyzer.imageAnalyzer.resources.limits.cpu Specifies the Node Image Analyzer CPU limit per node. 500m
nodeAnalyzer.imageAnalyzer.resources.limits.memory Specifies the Node Image Analyzer Memory limit per node. 1536Mi
nodeAnalyzer.imageAnalyzer.sslVerifyCertificate Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment.  
nodeAnalyzer.imageAnalyzer.env Specifies the Extra environment variables that will be passed onto pods. {}
nodeAnalyzer.hostAnalyzer.deploy Deploys the Host Analyzer. true
nodeAnalyzer.hostAnalyzer.image.repository Specifies the image repository to pull the Host Analyzer from. sysdig/host-analyzer
nodeAnalyzer.hostAnalyzer.image.tag Set the image tag to pull the Host Analyzer. 0.1.23
nodeAnalyzer.hostAnalyzer.image.digest Specifies the image digest to pull. ` `
nodeAnalyzer.hostAnalyzer.image.pullPolicy Specifies the Image pull policy for the Host Analyzer. ""
nodeAnalyzer.hostAnalyzer.http_proxy Sets HTTP_PROXY on the Host Analyzer container. ""
nodeAnalyzer.hostAnalyzer.https_proxy Sets HTTPS_PROXY on the Host Analyzer container. ""
nodeAnalyzer.hostAnalyzer.no_proxy Sets NO_PROXY on the Host Analyzer container. ""
nodeAnalyzer.hostAnalyzer.schedule Specifies the scanning schedule specification for the host analyzer expressed as a crontab. @dailydefault
nodeAnalyzer.hostAnalyzer.dirsToScan Specifies the list of directories to inspect during the scan. /etc,/var/lib/dpkg,/usr/local,/usr/lib/sysimage/rpm,/var/lib/rpm,/lib/apk/db
nodeAnalyzer.hostAnalyzer.maxSendAttempts Specifies the number of times the analysis collector is allowed to retry sending results. 3
nodeAnalyzer.hostAnalyzer.resources.requests.cpu Specifies the Host Analyzer CPU requests per node. 150m
nodeAnalyzer.hostAnalyzer.resources.requests.memory Specifies the Host Analyzer Memory requests per node. 512Mi
nodeAnalyzer.hostAnalyzer.resources.limits.cpu Specifies the Host Analyzer CPU limit per node. 500m
nodeAnalyzer.hostAnalyzer.resources.limits.memory Specifies the Host Analyzer memory limit per node. 1536Mi
nodeAnalyzer.hostAnalyzer.sslVerifyCertificate Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment.  
nodeAnalyzer.hostAnalyzer.env Specifies the extra environment variables that will be passed onto pods. {}
nodeAnalyzer.benchmarkRunner.deploy Deploys the Benchmark Runner. true
nodeAnalyzer.benchmarkRunner.image.repository Specifies the image repository to pull the Benchmark Runner from. sysdig/compliance-benchmark-runner
nodeAnalyzer.benchmarkRunner.image.tag Specifies the image tag for the Benchmark Runner to be pulled. 1.1.1.4
nodeAnalyzer.benchmarkRunner.image.digest Specifies the image digest to pull. ` `
nodeAnalyzer.benchmarkRunner.image.pullPolicy Specifies the image pull policy for the Benchmark Runner. ""
nodeAnalyzer.benchmarkRunner.http_proxy Sets HTTP_PROXY on the Benchmark Runner container. ""
nodeAnalyzer.benchmarkRunner.https_proxy Sets HTTPS_PROXY on the Benchmark Runner container. ""
nodeAnalyzer.benchmarkRunner.no_proxy Sets NO_PROXY on the Benchmark Runner container. ""
nodeAnalyzer.benchmarkRunner.includeSensitivePermissions Grant the service account elevated permissions to run CIS Benchmark for OS4. false
nodeAnalyzer.benchmarkRunner.resources.requests.cpu Specifies the Benchmark Runner CPU requests per node. 150m
nodeAnalyzer.benchmarkRunner.resources.requests.memory Specifies the Benchmark Runner memory requests per node. 128Mi
nodeAnalyzer.benchmarkRunner.resources.limits.cpu Specifies the Benchmark Runner CPU limit per node. 500m
nodeAnalyzer.benchmarkRunner.resources.limits.memory Specifies the Benchmark Runner memory limit per node. 256Mi
nodeAnalyzer.benchmarkRunner.sslVerifyCertificate Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment.  
nodeAnalyzer.benchmarkRunner.env Specifies the extra environment variables that will be passed onto pods. {}
nodeAnalyzer.hostScanner.debug Set to true to show debug logging, which is useful for troubleshooting. false
nodeAnalyzer.hostScanner.deploy Deploys the Host Scanner. unset
nodeAnalyzer.hostScanner.dirsToScan Specifies the list of directories to inspect during the scan. /etc,/var/lib/dpkg,/var/lib/rpm,/lib/apk/db,/bin,/sbin,/usr/bin,/usr/sbin,/usr/share,/usr/local,/usr/lib,/usr/lib64,/var/lib/google,/var/lib/toolbox,/var/lib/cloud
nodeAnalyzer.hostScanner.additionalDirsToScan Sets the optional comma-separated list of directories in addition to the default ones. ` `
nodeAnalyzer.hostScanner.env Specifies the extra environment variables that will be passed onto pods. {}
nodeAnalyzer.hostScanner.image.repository Specifies the image repository to pull the Host Scanner from. sysdig/vuln-host-scanner
nodeAnalyzer.hostScanner.image.tag Specifies the image tag to pull the Host Scanner. 0.12.3
nodeAnalyzer.hostScanner.image.digest Specifies the image digest to pull. ` `
nodeAnalyzer.hostScanner.image.pullPolicy Specifies the image pull policy for the Host Scanner. ""
nodeAnalyzer.hostScanner.http_proxy Sets HTTP_PROXY on the Host Scanner container. ""
nodeAnalyzer.hostScanner.https_proxy Sets HTTPS_PROXY on the Host Scanner container. ""
nodeAnalyzer.hostScanner.no_proxy Sets NO_PROXY on the Host Scanner container. ""
nodeAnalyzer.hostScanner.prometheus.enabled Enables prometheus false
nodeAnalyzer.hostScanner.prometheus.port Overrides the default prometheus port ""
nodeAnalyzer.hostScanner.prometheus.endpoint Overrides the default prometheus metrics endpoint ""
nodeAnalyzer.hostScanner.resources.requests.cpu Specifies the Host Scanner CPU requests per node. 150m
nodeAnalyzer.hostScanner.resources.requests.memory Specifies the Host Scanner memory requests per node. 512Mi
nodeAnalyzer.hostScanner.resources.requests.ephemeral-storage Specifies the Host Scanner Storage requests per node. 512Mi
nodeAnalyzer.hostScanner.resources.limits.cpu Specifies the Host Scanner CPU limit per node. 500m
nodeAnalyzer.hostScanner.resources.limits.memory Specifies the Host Scanner memory limit per node. 1Gi
nodeAnalyzer.hostScanner.resources.limits.ephemeral-storage Specifies the Host Scanner Storage limit per node. 1Gi
nodeAnalyzer.hostScanner.sslVerifyCertificate Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment.  
nodeAnalyzer.hostScanner.probesPort Specifies the port where readiness and liveness probes are exposed. 7001
nodeAnalyzer.hostScanner.scanContainers.enabled Set to true to scan containers false
nodeAnalyzer.hostScanner.scanContainers.dockerSocketPath Specifies the path to docker socket unix:///var/run/docker.sock
nodeAnalyzer.hostScanner.scanContainers.podmanSocketPath Specifies the path to podman socket unix:///var/run/podman.sock
nodeAnalyzer.runtimeScanner.debug Set to true to show debug logging, which is useful for troubleshooting. false
nodeAnalyzer.runtimeScanner.deploy Deploys the Runtime Scanner. false
nodeAnalyzer.runtimeScanner.extraMounts Specifies a container engine custom socket path (docker, containerd, CRI-O).  
nodeAnalyzer.runtimeScanner.storageClassName Specifies the Runtime Scanner storage class to use instead of emptyDir for ephemeral storage. ``
nodeAnalyzer.runtimeScanner.image.repository Specifies the image repository to pull the Runtime Scanner from. sysdig/vuln-runtime-scanner
nodeAnalyzer.runtimeScanner.image.tag Specifies the image tag to pull the Runtime Scanner. 1.8.1
nodeAnalyzer.runtimeScanner.image.digest Specifies the image digest to pull. ` `
nodeAnalyzer.runtimeScanner.image.pullPolicy Specifies the image pull policy for the Runtime Scanner. ""
nodeAnalyzer.runtimeScanner.http_proxy Sets HTTP_PROXY on the Runtime Scanner container. ""
nodeAnalyzer.runtimeScanner.https_proxy Sets HTTPS_PROXY on the Runtime Scanner container. ""
nodeAnalyzer.runtimeScanner.no_proxy Sets NO_PROXY on the Runtime Scanner container. ""
nodeAnalyzer.runtimeScanner.resources.requests.cpu Specifies the Runtime Scanner CPU requests per node. 150m
nodeAnalyzer.runtimeScanner.resources.requests.memory Specifies the Runtime Scanner Memory requests per node. 512Mi
nodeAnalyzer.runtimeScanner.resources.requests.ephemeral-storage Specifies the Runtime Scanner Storage requests per node. 2Gi
nodeAnalyzer.runtimeScanner.resources.limits.cpu Specifies the Runtime Scanner CPU limit per node. 1000m
nodeAnalyzer.runtimeScanner.resources.limits.memory Specifies the Runtime Scanner memory limit per node. 2Gi
nodeAnalyzer.runtimeScanner.resources.limits.ephemeral-storage Specifies the Runtime Scanner Storage limit per node. 4Gi
nodeAnalyzer.runtimeScanner.sslVerifyCertificate Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment.  
nodeAnalyzer.runtimeScanner.env Specifies the extra environment variables that will be passed onto pods. {}
nodeAnalyzer.runtimeScanner.settings.eveEnabled Enables Sysdig Eve true
nodeAnalyzer.runtimeScanner.eveConnector.image.repository Specifies the image repository to pull the Eve Connector from. sysdig/eveclient-api
nodeAnalyzer.runtimeScanner.eveConnector.image.tag Specifies the image tag for the Eve Connector to be pulled. 1.1.4
nodeAnalyzer.runtimeScanner.eveConnector.deploy Enables Sysdig Eve Connector for third-party integrations. false
nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.cpu Specifies the Eve Connector CPU requests per node. 100m
nodeAnalyzer.runtimeScanner.eveConnector.resources.requests.memory Specifies the Eve Connector memory requests per node. 128Mi
nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.cpu Specifies the Eve Connector CPU limits per node. 1000m
nodeAnalyzer.runtimeScanner.eveConnector.resources.limits.memory Specifies the Eve Connector Memory limits per node. 512Mi
nodeAnalyzer.runtimeScanner.eveConnector.settings.replicas Specifies the Eve Connector deployment replicas. 1
nodeAnalyzer.runtimeScanner.eveConnector.priorityClassName Specifies the name of an existing PriorityClass to use for the Eve Connector Deployment. {}
nodeAnalyzer.tolerations Specifies the tolerations for scheduling. <pre>node-role.kubernetes.io/master:NoSchedule,
node-role.kubernetes.io/control-plane:NoSchedule</pre>
nodeAnalyzer.kspmAnalyzer.debug Set to true to show KSPM node analyzer debug logging, which is useful for troubleshooting. false
nodeAnalyzer.kspmAnalyzer.image.repository Specifies the image repository to pull the KSPM node analyzer from. sysdig/kspm-analyzer
nodeAnalyzer.kspmAnalyzer.image.tag Specifies the image tag for the KSPM node analyzer image to be pulled. 1.44.14
nodeAnalyzer.kspmAnalyzer.image.digest Specifies the image digest to pull. ` `
nodeAnalyzer.kspmAnalyzer.image.pullPolicy Specifies the The image pull policy for the KSPM node analyzer. ""
nodeAnalyzer.kspmAnalyzer.http_proxy Sets HTTP_PROXY on the KSPM Analyzer container. ""
nodeAnalyzer.kspmAnalyzer.https_proxy Sets HTTPS_PROXY on the KSPM Analyzer container. ""
nodeAnalyzer.kspmAnalyzer.no_proxy Sets NO_PROXY on the KSPM Analyzer container. ""
nodeAnalyzer.kspmAnalyzer.resources.requests.cpu Specifies the KSPM node analyzer CPU requests per node. 150m
nodeAnalyzer.kspmAnalyzer.resources.requests.memory Specifies the KSPM node analyzer memory requests per node. 256Mi
nodeAnalyzer.kspmAnalyzer.resources.limits.cpu Specifies the KSPM node analyzer CPU limits per node. 500m
nodeAnalyzer.kspmAnalyzer.resources.limits.memory Specifies the KSPM node analyzer memory limits per node. 1536Mi
nodeAnalyzer.kspmAnalyzer.port Specifies the KSPM node analyzer port for health checks and results API. 12000
nodeAnalyzer.kspmAnalyzer.readinessProbe.enabled Specifies whether KSPM node analyzer readinessProbe is enabled or not. true
nodeAnalyzer.kspmAnalyzer.sslVerifyCertificate Set to false to allow insecure connections to the Sysdig backend, such as an On-Prem deployment.  
nodeAnalyzer.kspmAnalyzer.livenessProbe.enabled Specifies whether the KSPM node analyzer livenessProbe is enabled or not. true
nodeAnalyzer.kspmAnalyzer.env Specifies the extra environment variables that will be passed onto pods. {}
nodeAnalyzer.nodeSelector Specifies the Node Selector. {}
nodeAnalyzer.affinity Specifies the Node affinities. schedule on amd64 and linux
nodeAnalyzer.bottlerocket.enabled Set to true to indicate that the node analyzer will be deployed on bottlerocket. false
nodeAnalyzer.bottlerocket.apiClientPath Path to the apiclient binary inside Bottlerocket hosts. /usr/bin/apiclient
nodeAnalyzer.bottlerocket.apiServerSocketPath Path to the API socket inside Bottlerocket hosts. /run/api.sock
hostNetwork Allows to set hostNetwork null
dnsPolicy Allows to set dnsPolicy null