# Shield

Sysdig Shield.

This chart deploys the Sysdig Host & Cluster Shield in your Kubernetes cluster.

## Introduction

This chart deploys the Sysdig Shield as a Deployment on a Kubernetes cluster using the Helm package manager.
## Prerequisites
- Helm 3.6
- Sysdig AccessKey
- Sysdig Secure API Token
- Sysdig Secure API URL
- Sysdig Secure Collector
## Installing the Chart

To install the chart, create a `values.yaml` file. Set your values and decide which features you would like to enable.

```yaml
cluster_config:
  name: <your-cluster-name>
sysdig_endpoint:
  access_key: <your-access-key>
  api_url: <your-api-url>
  collector:
    host: <your-collector-hostname>
    port: <your-collector-port>
```

Then, to install it with the release name `sysdig`, run:

```shell
$ helm upgrade --install --atomic --create-namespace \
    -n sysdig-agent \
    -f values.yaml \
    sysdig \
    sysdig/shield
```
The command deploys the Sysdig Shield on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.
Tip: List all releases using `helm list`.
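Added example, not part of the chart or of Sysdig's code: a small Python lint that loads the values as a dict and, using the defaults listed in the configuration table, flags the settings a reviewer would question before running the install command above (admission control left in dry run or fail-open, credentials kept in `values.yaml` instead of an existing Secret, TLS verification switched off). The sample values, hostnames and access key are constructed placeholders.

```python
"""Lint a Sysdig Shield values file before running 'helm upgrade --install'.

Added example, not chart code: walks the dotted parameter paths from the
configuration table (defaults taken from that table) and flags settings
that leave enforcement off or keep credentials in values.yaml.
"""
from typing import Any

# Constructed sample values; hostnames and the access key are placeholders.
SAMPLE_VALUES: dict[str, Any] = {
    "cluster_config": {"name": "prod-cluster"},
    "sysdig_endpoint": {
        "region": "custom",
        "api_url": "https://secure.example.invalid",
        "collector": {"host": "collector.example.invalid", "port": 6443},
        "access_key": "PLACEHOLDER-ACCESS-KEY",
    },
    "features": {
        "admission_control": {"enabled": True},  # dry_run, failure_policy at defaults
        "vulnerability_management": {
            "container_vulnerability_management": {
                "enabled": True, "registry_ssl": {"verify": False}}},
    },
}


def lookup(values: dict[str, Any], path: str, default: Any = None) -> Any:
    """Resolve a dotted chart key such as features.admission_control.dry_run."""
    node: Any = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def lint_values(values: dict[str, Any]) -> list[str]:
    """Return one finding per setting that weakens enforcement or exposes a secret."""
    findings: list[str] = []
    ac = "features.admission_control"
    if lookup(values, f"{ac}.enabled", False):
        # Table defaults: dry_run = true, failure_policy = Ignore
        if lookup(values, f"{ac}.dry_run", True):
            findings.append(f"{ac}.dry_run is true: violations are reported, never denied")
        if lookup(values, f"{ac}.failure_policy", "Ignore") == "Ignore":
            findings.append(f"{ac}.failure_policy is Ignore: webhook errors let requests through")
    for key in ("access_key", "secure_api_token"):
        # Prefer the *_existing_secret variants over credentials in values.yaml
        if lookup(values, f"sysdig_endpoint.{key}") and not lookup(
                values, f"sysdig_endpoint.{key}_existing_secret"):
            findings.append(f"sysdig_endpoint.{key} is in values.yaml: use {key}_existing_secret")
    if lookup(values, "ssl.verify", True) is False:
        findings.append("ssl.verify is false: backend TLS certificates are not verified")
    cvm = "features.vulnerability_management.container_vulnerability_management"
    if lookup(values, f"{cvm}.enabled", False) and \
            lookup(values, f"{cvm}.registry_ssl.verify", True) is False:
        findings.append(f"{cvm}.registry_ssl.verify is false: registry TLS is not verified")
    return findings
```

Load a real `values.yaml` with `yaml.safe_load` and pass the resulting dict to `lint_values`; an empty list means nothing was flagged.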
## Uninstalling the Chart

To uninstall/delete the `sysdig` release:

```shell
$ helm uninstall sysdig -n sysdig-agent
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration

The following table lists the configurable parameters of the `shield` chart and their default values.
Parameter | Description | Default |
---|---|---|
cluster_config.name | The name of the cluster | |
cluster_config.cluster_domain | The domain of the cluster | cluster.local |
cluster_config.cluster_type | The type of the cluster (Accepted Values: gke-autopilot, generic) | generic |
cluster_config.root_namespace | The root namespace of the cluster | kube-system |
cluster_config.tags | Tags you want to apply to the metadata sent to the Sysdig Backend. | {} |
sysdig_endpoint.region | The region where the Sysdig Secure instance is located | custom |
sysdig_endpoint.api_url | The URL of the Sysdig Secure API (required only when region is custom) | |
sysdig_endpoint.collector.host | The hostname of the Sysdig Secure collector (required only when region is custom) | |
sysdig_endpoint.collector.port | The port of the Sysdig Secure collector (required only when region is custom) | |
sysdig_endpoint.access_key | The access key for the Sysdig Secure instance | |
sysdig_endpoint.access_key_existing_secret | The access key for the Sysdig Secure instance (existing secret) | |
sysdig_endpoint.secure_api_token | The API token for the Sysdig Secure instance | |
sysdig_endpoint.secure_api_token_existing_secret | The API token for the Sysdig Secure instance (existing secret) | |
features.admission_control.enabled | Enable the admission control feature | false |
features.admission_control.failure_policy | The policy to apply when a request is denied | Ignore |
features.admission_control.dry_run | Enable the dry run mode | true |
features.admission_control.timeout | The timeout for the admission control feature | 10 |
features.admission_control.http_port | The port that will be used to expose admission control endpoints | 8443 |
features.admission_control.excluded_namespaces | The list of namespaces that will be excluded from the admission control | [] |
features.admission_control.container_vulnerability_management.enabled | Enable the container vulnerability management feature on the admission control | false |
features.kubernetes_metadata.enabled | Enable the Kubernetes Metadata feature on cluster shield | true |
features.posture.host_posture.enabled | | false |
features.posture.cluster_posture.enabled | Enable the posture feature on cluster shield | false |
features.vulnerability_management.host_vulnerability_management.enabled | | false |
features.vulnerability_management.container_vulnerability_management.enabled | Enable the container vulnerability management feature on cluster shield | false |
features.vulnerability_management.container_vulnerability_management.local_cluster.registry_secrets | Restrict access to specific Docker secrets when Cluster Scanner is running. The default behavior is listing all secrets. | [] |
features.vulnerability_management.container_vulnerability_management.platform_services_enabled | Define if the platform services are enabled | true |
features.vulnerability_management.container_vulnerability_management.registry_ssl.verify | If set to false, it allows insecure connections to registries, such as registries with self-signed or private certificates. | true |
features.vulnerability_management.in_use.enabled | Allows to retrieve the list of running packages. | false |
features.vulnerability_management.in_use.integration_enabled | Allows to store the list of running packages to Sysdig backend. | false |
features.detections.drift_control.enabled | | false |
features.detections.malware_control.enabled | | false |
features.detections.ml_policies.enabled | | false |
features.detections.kubernetes_audit.enabled | Enable the Kubernetes Audit feature on cluster shield | false |
features.detections.kubernetes_audit.timeout | The timeout for the audit feature | 10 |
features.detections.kubernetes_audit.http_port | The port that will be used to expose the audit endpoints | 6443 |
features.detections.kubernetes_audit.excluded_namespaces | The list of namespaces that will be excluded from the audit feature | [] |
features.detections.kubernetes_audit.webhook_rules | List of rules used to determine if a request should be audited | [{"apiGroups":["","apps","autoscaling","batch","networking.k8s.io","rbac.authorization.k8s.io","extensions"],"apiVersions":["*"],"operations":["*"],"resources":["*/*"],"scope":"*"}] |
features.investigations.activity_audit.enabled | | false |
features.investigations.live_logs.enabled | | false |
features.investigations.network_security.enabled | | false |
features.investigations.audit_tap.enabled | | false |
features.investigations.captures.enabled | | false |
features.investigations.event_forwarder.enabled | | false |
features.investigations.event_forwarder.integrations | | [] |
features.investigations.event_forwarder.transmit_message_types | | [] |
features.respond.rapid_response.enabled | | false |
features.respond.response_actions.enabled | | false |
features.monitor.app_checks.enabled | | false |
features.monitor.java_management_extensions.enabled | | false |
features.monitor.prometheus.enabled | | false |
features.monitor.prometheus.prometheus_yaml | The content of the prometheus.yaml file | {} |
features.monitor.statsd.enabled | | false |
host_windows.enabled | Enable the host shield for Windows | false |
host_windows.additional_settings.monitoring_port | | 8081 |
host_windows.agent_runtime_additional_settings | Additional settings to be passed to the agent-runtime component (overrides dragent.yaml generated by helm) | {} |
host_windows.image.registry | The registry where the host shield images are stored | quay.io |
host_windows.image.repository | The repository where the host shield images are stored | sysdig |
host_windows.image.name | The image name for the host shield | host-shield |
host_windows.image.tag | The tag for the host shield images | 0.7.1 |
host_windows.image.pull_policy | The pull policy for the host shield images | IfNotPresent |
host_windows.image.pull_secrets | The pull secrets for the host shield images | [] |
host_windows.resources.limits.cpu | The CPU limit for the host shield | 1000m |
host_windows.resources.limits.memory | The memory limit for the host shield | 1Gi |
host_windows.resources.requests.cpu | The CPU request for the host shield | 250m |
host_windows.resources.requests.memory | The memory request for the host shield | 384Mi |
host_windows.workload_annotations | The annotations for the host shield workloads (metadata.annotations) | {} |
host_windows.workload_labels | The labels for the host shield workloads (metadata.labels) | {} |
host_windows.pod_annotations | The annotations for the host shield pods (spec.template.metadata.annotations) | {} |
host_windows.pod_labels | The labels for the host shield pods (spec.template.metadata.labels) | {} |
host_windows.node_selector.kubernetes.io/os | | windows |
host_windows.affinity | The affinity for the host shield | {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/arch","operator":"In","values":["amd64"]},{"key":"kubernetes.io/os","operator":"In","values":["windows"]}]}]}}} |
host_windows.update_strategy.type | The update strategy | RollingUpdate |
host_windows.update_strategy.rollingUpdate | | {} |
host_windows.env | The custom environment variables for the host shield | [] |
host_windows.volumes | The custom volumes for the host shield | [] |
host_windows.volume_mounts | The custom volume mounts for the host shield | [] |
host.driver | The driver to use for the host agent (Accepted Values: kmod, legacy_ebpf, universal_ebpf) | kmod |
host.additional_settings | Additional settings to be passed to host-shield (overrides dragent.yaml generated by helm) | {} |
host.security_context | Allows overriding the Security Context of the Agent pod(s). Primarily intended for resolving targeted incidents and debugging. | {} |
host.image.registry | The registry where the host shield images are stored | quay.io |
host.image.repository | The repository where the host shield images are stored | sysdig |
host.image.kmodule_name | The image name for the host shield kmodule driver | agent-kmodule |
host.image.shield_name | The image name for the host shield | agent-slim |
host.image.tag | The tag for the host shield images | 13.8.1 |
host.image.pull_policy | The pull policy for the host shield images | IfNotPresent |
host.image.pull_secrets | The pull secrets for the host shield images | [] |
host.priority_class.create | Create a priority class for the host shield | false |
host.priority_class.name | The name of the priority class (if create is set to false, this will be used as the name of the existing priority class) | |
host.priority_class.value | The value of the priority class | 10 |
host.priority_class.labels | The labels for the priority class | {} |
host.priority_class.annotations | The annotations for the priority class | {} |
host.privileged | Sets the host shield to run in privileged mode | true |
host.rbac.create | Create the RBAC resources for the host shield | true |
host.rbac.service_account_name | The name of the service account for the host shield (if create is set to false, this will be used as the name of the existing service account) | |
host.rbac.labels | The labels for the service account | {} |
host.rbac.annotations | The annotations for the service account | {} |
host.resources.kmodule.limits.cpu | The CPU limit for the kmodule | 1000m |
host.resources.kmodule.limits.memory | The memory limit for the kmodule | 1Gi |
host.resources.kmodule.requests.cpu | The CPU request for the kmodule | 250m |
host.resources.kmodule.requests.memory | The memory request for the kmodule | 384Mi |
host.resources.shield.limits.cpu | The CPU limit for the host shield | 1000m |
host.resources.shield.limits.memory | The memory limit for the host shield | 1Gi |
host.resources.shield.requests.cpu | The CPU request for the host shield | 250m |
host.resources.shield.requests.memory | The memory request for the host shield | 384Mi |
host.workload_annotations | The annotations for the host shield workloads (metadata.annotations) | {} |
host.workload_labels | The labels for the host shield workloads (metadata.labels) | {} |
host.pod_annotations | The annotations for the host shield pods (spec.template.metadata.annotations) | {} |
host.pod_labels | The labels for the host shield pods (spec.template.metadata.labels) | {} |
host.node_selector | The node selector for the host shield | {} |
host.tolerations | The tolerations for the host shield | [{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/controlplane","operator":"Equal","value":"true"},{"effect":"NoExecute","key":"node-role.kubernetes.io/etcd","operator":"Equal","value":"true"},{"effect":"NoExecute","key":"CriticalAddonsOnly","operator":"Equal","value":"true"}] |
host.affinity | The affinity for the host shield | {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/arch","operator":"In","values":["amd64","arm64","ppc64le","s390x"]},{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}} |
host.probes.readiness.initialDelaySeconds | The readiness probe initial delay | 90 |
host.probes.readiness.periodSeconds | The readiness probe period | 10 |
host.probes.readiness.failureThreshold | The readiness probe failure threshold | 9 |
host.probes.liveness.initialDelaySeconds | The liveness probe initial delay | 90 |
host.probes.liveness.periodSeconds | The liveness probe period | 10 |
host.probes.liveness.failureThreshold | The liveness probe failure threshold | 9 |
host.update_strategy.type | The update strategy | RollingUpdate |
host.update_strategy.rollingUpdate | | {} |
host.env | The custom environment variables for the host shield | [] |
host.volumes | The custom volumes for the host shield | [] |
host.volume_mounts | The custom volume mounts for the host shield | [] |
host.dns_policy | The DNS policy for the host shield | |
cluster.image.registry | The registry where the cluster shield image is stored | quay.io |
cluster.image.repository | The repository where the cluster shield image is stored | sysdig/cluster-shield |
cluster.image.tag | The tag for the cluster shield image | 1.10.0 |
cluster.image.pull_policy | The pull policy for the cluster shield image | IfNotPresent |
cluster.image.pull_secrets | The pull secrets for the cluster shield image | [] |
cluster.run_mode | The mode in which the cluster shield should run (Accepted Values: single-process, multi-process) | multi-process |
cluster.priority_class.create | Create a priority class for the cluster shield | false |
cluster.priority_class.name | The name of the priority class (if create is set to false, this will be used as the name of the existing priority class) | |
cluster.priority_class.value | The value of the priority class | 10 |
cluster.priority_class.labels | The labels for the priority class | {} |
cluster.priority_class.annotations | The annotations for the priority class | {} |
cluster.rbac.create | Create the RBAC resources for the cluster shield | true |
cluster.rbac.service_account_name | The name of the service account for the cluster shield (if create is set to false, this will be used as the name of the existing service account) | |
cluster.rbac.labels | The labels for the service account | {} |
cluster.rbac.annotations | The annotations for the service account | {} |
cluster.service.type | The Cluster Shield service type | ClusterIP |
cluster.service.labels | Additional service labels | {} |
cluster.service.annotations | Additional service annotations | {} |
cluster.security_context | The default security context of the cluster shield pods | {} |
cluster.validatingwebhookconfiguration.create | Create the validatingwebhookconfiguration resources for the cluster shield | true |
cluster.tls_certificates.create | Create the TLS certificates for the cluster shield | true |
cluster.tls_certificates.secret_name | The name of the secret that contains the TLS certificates | |
cluster.resources.requests.cpu | The CPU request for the cluster shield | 500m |
cluster.resources.requests.memory | The memory request for the cluster shield | 512Mi |
cluster.resources.limits.cpu | The CPU limit for the cluster shield | 1500m |
cluster.resources.limits.memory | The memory limit for the cluster shield | 1536Mi |
cluster.workload_annotations | The annotations for the cluster shield workloads (metadata.annotations) | {} |
cluster.workload_labels | The labels for the cluster shield workloads (metadata.labels) | {} |
cluster.pod_annotations | The annotations for the cluster shield pods (spec.template.metadata.annotations) | {} |
cluster.pod_labels | The labels for the cluster shield pods (spec.template.metadata.labels) | {} |
cluster.node_selector | The node selector for the cluster shield | {} |
cluster.tolerations | The tolerations for the cluster shield | [] |
cluster.affinity | The affinity for the cluster shield | {} |
cluster.additional_settings.log_level | | info |
cluster.additional_settings.monitoring_port | | 8080 |
cluster.enable_prometheus_scraping | Automatically adds the Prometheus annotations to the Cluster Shield pods | true |
cluster.probes.readiness.initialDelaySeconds | The readiness probe initial delay | 10 |
cluster.probes.readiness.periodSeconds | The readiness probe period | 5 |
cluster.probes.readiness.failureThreshold | The readiness probe failure threshold | 9 |
cluster.probes.liveness.initialDelaySeconds | The liveness probe initial delay | 5 |
cluster.probes.liveness.periodSeconds | The liveness probe period | 5 |
cluster.probes.liveness.failureThreshold | The liveness probe failure threshold | 9 |
cluster.replica_count | The number of replicas for the cluster shield | 2 |
cluster.update_strategy.type | The update strategy | RollingUpdate |
cluster.update_strategy.rollingUpdate | | {} |
cluster.host_network | Specifies if Cluster Shield should be started in hostNetwork mode. This field is required if you are using a custom CNI where the control plane nodes are unable to initiate network connections to the pods, for example, using Calico CNI plugin on EKS. | false |
cluster.dns_policy | Define Cluster Shield Pods DNS Policy | |
cluster.env | The custom environment variables for cluster shield | [] |
cluster.volumes | The custom volumes for cluster shield | [] |
cluster.volume_mounts | The custom volume mounts for cluster shield | [] |
ssl.verify | Enable SSL verification | true |
ssl.ca.certs | For outbound connections (secure backend, proxy, ...): a PEM-encoded X.509 certificate. This can also be a bundle with multiple certificates. | [] |
ssl.ca.key_name | Filename that is used when creating the secret. Required if cert is provided. | |
ssl.ca.existing_ca_secret | Provide the name of an existing Secret that contains the CA required | |
ssl.ca.existing_ca_secret_key_name | Provide the filename that is defined inside the existing Secret | |
proxy.http_proxy | HTTP proxy to use for all HTTP requests | |
proxy.http_proxy_existing_secret | Provide the name of an existing Secret that contains the HTTP proxy | |
proxy.https_proxy | HTTPS proxy to use for all HTTPS requests | |
proxy.https_proxy_existing_secret | Provide the name of an existing Secret that contains the HTTPS proxy | |
proxy.no_proxy | No proxy hosts and IPs | |
proxy.no_proxy_existing_secret | Provide the name of an existing Secret that contains the no proxy hosts | |
extra_capabilities_api_versions | Additional .APIVersions in .Capabilities, e.g. "security.openshift.io/v1" | [] |
workload_annotations | Additional annotations for all the workloads (metadata.annotations) | {} |
workload_labels | Additional labels for all the workloads (metadata.labels) | {} |
pod_annotations | Additional annotations for all the pods (spec.template.metadata.annotations) | {} |
pod_labels | Additional labels for all the pods (spec.template.metadata.labels) | {} |
node_selector | The node selector for all the workloads | {} |
tolerations | The tolerations for all the workloads | [] |
affinity | The affinity for all the workloads | {} |
env | The environment variables for all the workloads | [] |
volumes | The volumes to mount for all the workloads | [] |
volume_mounts | The volume mounts for all the workloads | [] |
name_override | Overrides the default resource identifier ex. sysdig- | |
fullname_override | Overrides the default full resource identifier ex. | |
on_prem_version | Optional parameter used to check the compatibility of shield component versions with the on-premises backend version. If you are running an on-prem version of the Sysdig backend, you MUST set this parameter with the version of the Sysdig backend you are using. If you are running on SaaS, do NOT provide this parameter. | |