Admission Controller: Installation

To use the admission controller after it is installed, see Admission Controller.

Understanding the Admission Controller

Kubernetes' admission controllers help you define and customize which requests are allowed on your cluster. An admission controller intercepts and processes requests to the Kubernetes API prior to persistence of the object, but after the request is authenticated and authorized.

Image Scanning Capabilities: Sysdig's Admission Controller (UI-based) builds upon Kubernetes and enhances the capacity of the image scanner to check images for Common Vulnerabilities and Exposures (CVEs), misconfigurations, outdated images, etc., elevating the scan policies from detection to actual prevention. Container images that do not fulfill the configured admission policies will be rejected from the cluster before being assigned to a node and allowed to run.

Kubernetes Audit Logging Capabilities (SaaS only): Enable the features.k8sAuditDetections=true option to use Kubernetes audit logging features with the admission controller. (See also: Kubernetes Audit Logging.)

[Screenshot: AC_Assignments.png]

Main Features

  • Granular admission policies: define a global policy per cluster, and also policies at the level of particular namespaces or image paths (i.e. registries)

  • Only allow images that pass the scanning evaluation criteria

  • Only allow images that have been evaluated recently

  • Only allow images that have been scanned before creation is requested to Kubernetes

  • Registry and repository whitelist

  • Scan unscanned requested images immediately (optional)

Enable in Sysdig Labs (for Image Scanning)

  1. Log in to Sysdig Secure as administrator and select Settings|User Profile.

  2. Under Sysdig Labs, enable the Admission Controller feature and click Save.

    [Screenshot: AC_Labs.png]

    The links to the Admission Controller pages will appear under Image Scanning in the left-hand navigation.

Installation

The component must be installed on each cluster where you want to use it.

Note

If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.

Prerequisites

  • Helm 3

  • Kubernetes 1.16 or higher

Install the Admission Controller

  1. Make sure kubectl is pointing to the target cluster where the Admission Controller will be installed.

  2. Add and synchronize the Helm repository:

    helm repo add sysdig https://charts.sysdig.com
    helm repo update

  3. Install the Admission Controller on the target cluster, e.g.:

    helm install sysdig-admission-controller \
      --create-namespace \
      --namespace sysdig-admission-controller \
      --set sysdig.secureAPIToken=$SYSDIG_API_TOKEN \
      --set clusterName=$CLUSTER_NAME \
      --set sysdig.url=http://$SYSDIG_SECURE_ENDPOINT \
      --set features.k8sAuditDetections=true \
      sysdig/admission-controller

  4. Check that installation was successful in the Sysdig UI. Log in to Sysdig Secure and select Image Scanning>Admission Controller|Policy Assignments.

    [Screenshot: AC_disabled2.png]

    By default, the cluster shows Connected (healthy) but Disabled (grey dot to the right of the name). Admission Controllers are disabled by default to avoid accidentally blocking deployments.

Installation Parameters

  • sysdig.secureAPIToken: Sysdig Secure API token as found in the Sysdig UI under Settings/User Profile. Note that this user must have administrator rights.

  • clusterName: User-defined name for this cluster that will appear in the admission controller interface in Sysdig's backend. The cluster name needs to match the agent cluster name.

  • sysdig.url: Sysdig endpoint. The default, https://secure.sysdig.com, is for the us-east region.

    For us-west use https://us2.app.sysdig.com

    For the European Union, use https://eu1.app.sysdig.com. See also SaaS Regions and IP Ranges.

  • features.k8sAuditDetections: true/false. Set to true to enable Kubernetes audit logging via the Admission Controller. See also: Kubernetes Audit Logging (legacy installation) and Select the Policy Type (Kubernetes Audit Policies).

For more information, see the full Admission Controller Helm chart documentation.

Note

To use the admission controller after it is installed, see Admission Controller.

Upgrades

Upgrading from Scanning-Only Admission Controller

If you already have the Sysdig Admission Controller installed and want to upgrade:

helm upgrade \
--namespace sysdig-admission-controller \
--set features.k8sAuditDetections=true \
--reuse-values \
sysdig-admission-controller sysdig/admission-controller

Note

For those customers who already have the Admission Controller AND have already enabled Kubernetes audit logging via the legacy method, you can still install/upgrade to the new Admission Controller. Just be sure to set features.k8sAuditDetections=false to avoid collecting and displaying duplicate events.
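The following script is an added example; it is not part of the Sysdig documentation or of the admission-controller chart. It wraps the install command from step 3 of the installation procedure and the upgrade command from the Upgrades section in functions that validate their inputs before anything is sent to a cluster: the region name is mapped to the sysdig.url values listed under Installation Parameters, a plain-http endpoint is refused because the API token is transmitted to that URL, the cluster name is checked for whitespace so the argument list survives word splitting, and the legacy-audit case from the note above is handled by setting features.k8sAuditDetections=false. The token is read from SYSDIG_API_TOKEN only at the point helm is invoked, so the argument-building functions can be logged or reviewed without exposing it. The environment variable names SYSDIG_REGION, K8S_AUDIT and LEGACY_AUDIT, and the region keys us-east, us-west and eu, are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Sysdig docs or the admission-controller chart):
# build and validate the helm install/upgrade arguments before touching a
# cluster. With no command-line argument the script only defines functions.
set -eu

# Map a SaaS region name to the sysdig.url value from Installation Parameters.
# The region keys are an assumption of this example; unknown regions fail
# loudly instead of silently falling back to a default endpoint.
sysdig_url_for_region() {
  case "$1" in
    us-east) echo "https://secure.sysdig.com" ;;
    us-west) echo "https://us2.app.sysdig.com" ;;
    eu)      echo "https://eu1.app.sysdig.com" ;;
    *)       echo "unknown Sysdig region: $1" >&2; return 1 ;;
  esac
}

# The API token is sent to sysdig.url, so refuse anything that is not TLS.
check_url_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "sysdig.url must use https, got: $1" >&2; return 1 ;;
  esac
}

# Print the non-secret `helm install` arguments from step 3, one per line.
# Arguments: cluster name, region, features.k8sAuditDetections (true|false).
# The API token is deliberately left out so this output is safe to log.
install_args() {
  local url
  case "$1" in
    "")            echo "empty cluster name" >&2; return 1 ;;
    *[[:space:]]*) echo "cluster name must not contain whitespace" >&2; return 1 ;;
  esac
  case "$3" in
    true|false) ;;
    *) echo "features.k8sAuditDetections must be true or false" >&2; return 1 ;;
  esac
  url=$(sysdig_url_for_region "$2") || return 1
  check_url_is_https "$url" || return 1
  printf '%s\n' \
    --create-namespace \
    --namespace sysdig-admission-controller \
    --set "clusterName=$1" \
    --set "sysdig.url=$url" \
    --set "features.k8sAuditDetections=$3"
}

# Print the `helm upgrade` arguments from the Upgrades section, one per line.
# Argument: whether Kubernetes audit logging is already enabled via the legacy
# method (true|false); if so, audit detections are disabled here so events
# are not collected twice.
upgrade_args() {
  local audit
  if [ "$1" = true ]; then audit=false; else audit=true; fi
  printf '%s\n' \
    --namespace sysdig-admission-controller \
    --set "features.k8sAuditDetections=$audit" \
    --reuse-values
}

# Steps 1 and 3: show the kubectl context being targeted, then install.
# The token is appended here straight from the environment.
do_install() {
  : "${SYSDIG_API_TOKEN:?export SYSDIG_API_TOKEN first}"
  : "${CLUSTER_NAME:?export CLUSTER_NAME first}"
  local args
  args=$(install_args "$CLUSTER_NAME" "${SYSDIG_REGION:-us-east}" "${K8S_AUDIT:-true}")
  echo "kubectl context: $(kubectl config current-context)" >&2
  # shellcheck disable=SC2086  # args are newline-separated and contain no whitespace
  helm install sysdig-admission-controller $args \
    --set "sysdig.secureAPIToken=$SYSDIG_API_TOKEN" \
    sysdig/admission-controller
}

do_upgrade() {
  local args
  args=$(upgrade_args "$1")
  # shellcheck disable=SC2086
  helm upgrade $args sysdig-admission-controller sysdig/admission-controller
}

case "${1:-}" in
  install) do_install ;;
  upgrade) do_upgrade "${LEGACY_AUDIT:-false}" ;;
esac
```

Run step 2 (add and update the Helm repository) first, then `bash install-ac.sh install` with SYSDIG_API_TOKEN and CLUSTER_NAME exported (SYSDIG_REGION defaults to us-east), or `bash install-ac.sh upgrade` with LEGACY_AUDIT=true when the legacy audit logging is already in place. With no argument the script only defines the functions, which is what makes them testable in isolation.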

How to Uninstall the CLI-based Version

Note

If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.

Run the following:

$ helm uninstall -n sysdig-admission-controller sysdig-admission-controller