Sysdig Deploy

Use the sysdig-deploy Helm chart to install Sysdig Secure and/or Sysdig Monitor in a Kubernetes environment.

Introduction

This chart deploys various Sysdig components into your Kubernetes cluster.

Currently included components:

Prerequisites

Installation

NOTE: Below are the legacy instructions for installing the sysdig-deploy chart. For more detailed installation instructions go here:

  1. Add the Sysdig Helm repo:

    helm repo add sysdig https://charts.sysdig.com/
    
  2. Collect the following values:

    • ACCESS_KEY: This is your Sysdig access key
    • SAAS_REGION: The Sysdig SaaS region the agents will connect to. Use one of the following values:
      • "us1"
      • "us2"
      • "us3"
      • "us4"
      • "eu1"
      • "au1"
      • "custom": For on-prem installations, use custom and override the endpoints for each component. For more information, see Configuration.
    • CLUSTER_NAME: An identifier for your cluster
  3. Create a namespace for the Sysdig agent:

    kubectl create ns sysdig-agent
    
  4. Do one of the following:

    • Using the release name sysdig-agent, run the following snippet to install the release into the namespace sysdig-agent:

      helm install sysdig-agent --namespace sysdig-agent \
      --set global.sysdig.accessKey=<ACCESS_KEY> \
      --set global.sysdig.region=<SAAS_REGION> \
      --set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
      --set global.kspm.deploy=true \
      --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
      --set global.clusterConfig.name=<CLUSTER_NAME> \
      sysdig/sysdig-deploy
      

      GKE Autopilot: GKE Autopilot environments require an additional configuration parameter, agent.gke.autopilot=true, to install the Sysdig agent:

      helm install sysdig-agent --namespace sysdig-agent \
      --set global.sysdig.accessKey=<ACCESS_KEY> \
      --set global.sysdig.region=<SAAS_REGION> \
      --set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
      --set global.kspm.deploy=true \
      --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
      --set global.clusterConfig.name=<CLUSTER_NAME> \
      --set agent.gke.autopilot=true \
      sysdig/sysdig-deploy
      
    • Install with a values file.

      To do so, create a new file values.sysdig.yaml:

       global:
         sysdig:
           accessKey: ACCESS_KEY
           region: SAAS_REGION
         clusterConfig:
           name: CLUSTER_NAME
      

      and install it with:

       helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.sysdig.yaml
      

Migrating from sysdig chart

To easily migrate from the previous sysdig chart to the new unified sysdig-deploy chart, use the migration helper script from this repo. This script will help re-map your existing values from the sysdig chart, allowing you to deploy this chart with the exact same configuration.

Note: unlike the previous chart, this chart only supports Helm 3. If you have not already done so, please upgrade your Helm version to 3.x to use this chart.

Requirements:

Save the user-values from the currently deployed version of the sysdig chart:

helm get values -n sysdig-agent sysdig-agent -o yaml > values.old.yaml

Note: the migration script has a dependency on pyyaml, which can be installed with:

pip install pyyaml

Run the migration script and redirect the output to a new file. For example, if the old values were saved to values.old.yaml:

python scripts/migrate_values.py values.old.yaml > values.new.yaml

Now the sysdig chart can be removed and replaced with the sysdig-deploy chart.

helm delete -n sysdig-agent sysdig-agent

helm repo update
helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.new.yaml

Differences between sysdig and sysdig-deploy

There are several differences in the agent and node-analyzer components in the new chart compared to the old one. The majority of the differences are in the metadata names and labels.

Upgrading

Refresh the Sysdig Helm repo to get the latest chart.

helm repo update

Get the currently deployed values and save them to values.sysdig.yaml.

helm get values -n sysdig-agent sysdig-agent -o yaml > values.sysdig.yaml

Upgrade to the latest version of the chart:

helm upgrade -n sysdig-agent sysdig-agent sysdig/sysdig-deploy -f values.sysdig.yaml

Configuration

The following table lists the configurable parameters of the sysdig-deploy chart and their default values. The sysdig-deploy chart itself only has select parameters that are used by multiple subcharts, and those are used to enable/disable selected subcharts. If you need additional configuration values, those are available in the various READMEs of the individual subcharts (admission-controller, agent, node-analyzer, kspm-collector and rapid-response).

| Parameter | Description | Default |
|---|---|---|
| global.clusterConfig.name | Identifier for this cluster | "" |
| global.sysdig.accessKey | Sysdig Agent Access Key | "" |
| global.sysdig.accessKeySecret | The name of a Kubernetes secret containing an 'access-key' entry | "" |
| global.sysdig.secureAPIToken | API Token to access Sysdig Secure | "" |
| global.sysdig.secureAPITokenSecret | The name of a Kubernetes secret containing API Token to access Sysdig Secure | "" |
| global.sysdig.region | The SaaS region for these agents. Possible values: "us1", "us2", "us3", "us4", "eu1", "au1", and "custom". See Regions and IP Ranges for more information | "us1" |
| global.sysdig.tags | Sets the global tags which can override agent tags | {} |
| global.imageRegistry | Container image registry | `` |
| global.proxy.httpProxy | Sets http_proxy on the Agent container | "" |
| global.proxy.httpsProxy | Sets https_proxy on the Agent container | "" |
| global.proxy.noProxy | Sets no_proxy on the Agent container | "" |
| global.kspm.deploy | Enables Sysdig KSPM node analyzer & KSPM collector | false |
| global.agentConfigmapName | Sets a configmap name that is used to mount the agent configmap to fetch the cluster name and agent tags | "sysdig-agent" |
| global.gke.autopilot | If true, overrides the configuration to values for GKE Autopilot clusters | false |
| admissionController | Config specific to the Sysdig AdmissionController | {} |
| admissionController.enabled | Enable the admission controller component in this chart | false |
| agent | Config specific to the Sysdig Agent | {} |
| agent.enabled | Enable the agent component in this chart | true |
| nodeAnalyzer | Config specific to the Sysdig nodeAnalyzer | {} |
| nodeAnalyzer.enabled | Enable the nodeAnalyzer component in this chart | true |
| nodeAnalyzer.secure.enabled | Enable Sysdig Secure | true |
| nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly | Enable only the new vulnerability management engine | false |
| nodeAnalyzer.nodeAnalyzer.apiEndpoint | nodeAnalyzer apiEndpoint | "" |
| nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy | Deploy the Benchmark Runner Scanner | true |
| nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy | Deploy the Runtime Scanner | false |
| kspmCollector | Config specific to the Sysdig KSPM Collector | {} |
| kspmCollector.apiEndpoint | kspmCollector apiEndpoint | "" |
| rapidResponse | Config specific to Sysdig Rapid Response | {} |
| rapidResponse.enabled | Enable Rapid Response component in this chart | "" |

AdmissionController

For configuration values of the admission-controller, see the admission-controller subchart README. Prefix all the specific configurations with admissionController. to apply them to the chart.

Example: override sysdig url variable for admissionController chart

As a command line parameter:

helm install sysdig sysdig/sysdig-deploy \
    --set global.sysdig.accessKey=ACCESS_KEY \
    --set global.sysdig.secureAPIToken=SECURE_API_TOKEN \
    --set global.clusterConfig.name=CLUSTER_NAME \
    --set admissionController.enabled=true \
    --set admissionController.sysdig.url=URL

As a values file:

global:
  clusterConfig:
    name: CLUSTER_NAME
  sysdig:
    accessKey: ACCESS_KEY
    secureAPIToken: SECURE_API_TOKEN
admissionController:
  enabled: true
  sysdig:
    url: URL

Agent

For configuration values of the agent, see the Agent subchart README. Prefix all the specific configurations with agent. to apply them to the chart.

Example: override proxy variable for Agent chart

As a command line parameter:

helm install sysdig sysdig/sysdig-deploy \
    --namespace sysdig-agent \
    --set global.sysdig.accessKey=ACCESS_KEY \
    --set global.sysdig.region=SAAS_REGION \
    --set global.clusterConfig.name=CLUSTER_NAME \
    --set global.proxy.httpProxy=PROXY_URL \
    --set agent.proxy.httpProxy=OVERRIDE_PROXY_URL

As a values file:

global:
  sysdig:
    accessKey: ACCESS_KEY
    region: SAAS_REGION
  clusterConfig:
    name: CLUSTER_NAME
  proxy:
    httpProxy: PROXY_URL

agent:
  proxy:
    httpProxy: OVERRIDE_PROXY_URL

NodeAnalyzer

For configuration values of the node-analyzer, see the node-analyzer subchart README. Prefix all the specific configurations with nodeAnalyzer. to apply them to the chart.

Example: override apiEndpoint variable for nodeAnalyzer chart

As a command line parameter:

helm install sysdig sysdig/sysdig-deploy \
    --set global.sysdig.accessKey=ACCESS_KEY \
    --set agent.collectorSettings.collectorHost=COLLECTOR_ENDPOINT \
    --set nodeAnalyzer.nodeAnalyzer.apiEndpoint=API_ENDPOINT

As a values file:

global:
  sysdig:
    accessKey: ACCESS_KEY

agent:
  enabled: false
  collectorSettings:
    collectorHost: COLLECTOR_ENDPOINT

nodeAnalyzer:
  nodeAnalyzer:
    apiEndpoint: API_ENDPOINT

KSPM Collector

For configuration values of the kspm-collector, see the kspm-collector subchart README. Prefix all the specific configurations with kspmCollector. to apply them to the chart.

Example: override apiEndpoint variable for kspmCollector chart

As a command line parameter:

helm install sysdig sysdig/sysdig-deploy \
    --set global.sysdig.accessKey=ACCESS_KEY \
    --set kspmCollector.apiEndpoint=API_ENDPOINT

As a values file:

global:
  sysdig:
    accessKey: ACCESS_KEY

kspmCollector:
  apiEndpoint: API_ENDPOINT

Rapid Response

For configuration values of rapid-response, see the rapid-response subchart README. Prefix all the specific configurations with rapidResponse. to apply them to the chart.

Example: Enable the Rapid Response component and define the passphrase for it

As a command line parameter:

helm install sysdig sysdig/sysdig-deploy \
    --set global.sysdig.accessKey=ACCESS_KEY \
    --set rapidResponse.enabled=true \
    --set rapidResponse.rapidResponse.passphrase=THIS_IS_A_SECRET_PASSPHRASE

As a values file:

global:
  sysdig:
    accessKey: ACCESS_KEY

rapidResponse:
  enabled: true
  rapidResponse:
    passphrase: THIS_IS_A_SECRET_PASSPHRASE
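
The values files in the examples above carry accessKey, secureAPIToken and passphrase inline. The following pre-install check (an added example, not part of the sysdig-deploy chart or its repository) reports the dotted path of each inline credential so a values file can be rejected before it is committed or passed to helm install -f. The function names and the secret name sysdig-access-key are assumptions made for illustration.

```shell
# Added example, not part of the sysdig-deploy chart. Handles plain block-style
# YAML mappings only (the style used on this page): no flow style, no anchors.

# find_inline_secrets FILE: print the dotted path of every accessKey,
# secureAPIToken or passphrase key that carries a non-empty inline value.
find_inline_secrets() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
      indent = match($0, /[^ ]/) - 1           # leading spaces give the depth
      line = substr($0, indent + 1)
      colon = index(line, ":")
      if (colon == 0) next
      key = substr(line, 1, colon - 1)
      val = substr(line, colon + 1)
      sub(/[ \t]+#.*$/, "", val)               # drop a trailing comment
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      if (val == "\"\"" || val == "\047\047") val = ""   # quoted empty string
      # leave every mapping that is not a parent of this line
      while (depth > 0 && ind[depth] >= indent) depth--
      depth++; ind[depth] = indent; name[depth] = key
      if (val != "" && key ~ /^(accessKey|secureAPIToken|passphrase)$/) {
        path = name[1]
        for (i = 2; i <= depth; i++) path = path "." name[i]
        print path
      }
    }
  ' "$1"
}

# check_values FILE: return 1 and list the findings when FILE holds credentials.
check_values() {
  found=$(find_inline_secrets "$1")
  if [ -z "$found" ]; then return 0; fi
  for p in $found; do echo "inline credential: $p in $1" >&2; done
  return 1
}

# Constructed sample: values as written on this page, then the same release
# referencing a Kubernetes secret by name (the secret name is a placeholder).
weak=$(mktemp); ref=$(mktemp)
printf '%s\n' 'global:' '  sysdig:' '    accessKey: ACCESS_KEY' \
  'rapidResponse:' '  enabled: true' '  rapidResponse:' \
  '    passphrase: THIS_IS_A_SECRET_PASSPHRASE' > "$weak"
printf '%s\n' 'global:' '  sysdig:' '    accessKey: ""' \
  '    accessKeySecret: sysdig-access-key  # placeholder' > "$ref"
check_values "$weak" || echo "weak file rejected"
check_values "$ref" && echo "secret-reference file accepted"
rm -f "$weak" "$ref"
```

A finding for global.sysdig.accessKey is cleared by setting global.sysdig.accessKeySecret to the name of a Kubernetes secret containing an access-key entry, as listed in the Configuration table.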

Pod Security Policy & Pod Security Admission

For example, adding the following labels to the namespace that is running Agent pods:

apiVersion: v1
kind: Namespace
metadata:
  name: sysdig-agent
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: latest

Running helm unit tests

The sysdiglabs/charts repository uses the following helm unittest plugin: https://github.com/quintush/helm-unittest

Before running the tests, make sure the chart dependencies are updated:

helm dependency update

You can test the changes to your chart by running the test suites as follows:

helm unittest --helm3 .

The helm unit tests are in the tests folder. It is recommended to add new tests as new features are added here.