Agent Install: Kubernetes

This document describes how to install a Sysdig agent container in a Kubernetes environment. It assumes you will run the agent container as a Kubernetes pod, which enables the Sysdig agent to automatically detect and monitor your Kubernetes environment.

It is relevant for any platform where Kubernetes is deployed, including Amazon environments (EKS, EC2, ECS), Azure Container Service (AKS), Google Kubernetes Engine (GKE), Red Hat OpenShift, and IBM Cloud Kubernetes Service (IKS).

You use DaemonSets to deploy agents on every node in your Kubernetes environment. Once deployed, Sysdig Monitor automatically begins monitoring all of your hosts, apps, pods, and services and automatically connects to the Kubernetes API server to pull relevant metadata about the environment. If licensed, Sysdig Secure launches with default policies that you can view and configure to suit your needs. You can access the front-end web interfaces for Sysdig Monitor and Sysdig Secure immediately.

Prerequisites

  • A supported distribution. See Host Requirements for Agent Installation for details.

  • Kubernetes v1.9+: The agent installation on Kubernetes requires using DaemonSets, which were not available in early versions of Kubernetes.

  • Sysdig account and access key: Request a trial or full account at Sysdig.com and click the Activate Account button. You create a Sysdig user name and password.

    The Getting Started Wizard provides an access key.

Runtime Support: CRI-O and Containerd

By default, Sysdig agents deployed in Kubernetes automatically detect metadata from containerd and CRI-O (in addition to Docker), as long as the prerequisites are fulfilled.

After reviewing the information on this page, continue with the Sysdig agent installation steps: Kubernetes Agent Installation Steps.

Containerd Support

As of agent version 0.88.1, the Sysdig agent will automatically detect containerd metadata (as well as any Docker metadata) in your environment, as long as the Prerequisites are fulfilled.

Prerequisites

  • Agent version: Sysdig agent version 0.88.1 or higher

    NOTE: If you are upgrading from an earlier version of the agent, you must also download the latest sysdig-agent-daemonset-v2.yaml from GitHub.

  • Configuration parameter: In the agent config file, new_k8s: true must be set.

    See Enable Kube State Metrics and Cluster Name below for details on editing the config file.

  • Kubernetes-only: The containerd API must support CRI (a Kubernetes runtime interface).

Results in the Sysdig Monitor UI

If the Sysdig agent detects containerd metadata, it will be reported in the front end as follows:

  • Explore/Dashboard views: The icon next to container-specific items (container.name, container.id, etc.) shows whether it's a Docker or containerd object.

  • Spotlight: Updated for containerd display.

  • Events: Containerd events die and oom are enabled by default.

    Events create and exit are also supported.


CRI-O Support

The Sysdig agent will automatically detect CRI-O metadata (as well as any Docker and/or containerd metadata) in your environment, as long as the Prerequisites are fulfilled.

Prerequisites

  • Platform version: Sysdig SaaS March 2019 or higher

  • Agent version: Sysdig agent 0.89.4 (March 27, 2019) or higher

    NOTE: If you are upgrading from an earlier version of the agent, you must also download the latest sysdig-agent-daemonset-v2.yaml from GitHub.

  • Configuration parameter: In the agent config file, new_k8s: true must be set.

    See Enable Kube State Metrics and Cluster Name below for details on editing the config file.

  • Kubernetes-only: The API must support CRI (a Kubernetes runtime interface).

Results in the Sysdig Monitor UI

  • Events: There are no CRI-O events, so the Events pane remains unchanged.

  • Explore/Dashboard views: The icon next to container-specific items (container.name, container.id, etc.) shows CRI-O type.

  • Supported Metrics: By default, the same metrics are supported for CRI-O as for Docker and containerd, except for image id (container.image.id).

Enable Image ID Metrics with cri: extra_queries

Note

As of agent version 0.92.1, this setting is enabled by default.

To enable image id metrics, edit the agent configuration file dragent.yaml to contain the following:

cri:
  extra_queries: true

See Understanding the Agent Config Files for more information on editing dragent.yaml.
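
The following preflight check is an added example, not part of the original Sysdig documentation or tooling. It reads dragent.yaml content and an agent version string and reports which of the containerd, CRI-O, and image id prerequisites described above are met. The function names, the sample config, and the treatment of a missing new_k8s key as "not set" are assumptions; the platform version and CRI support prerequisites cannot be checked from the config file and are not covered.

```python
import re

# Version thresholds and setting names are the ones stated on this page.
CONTAINERD_MIN = (0, 88, 1)
CRIO_MIN = (0, 89, 4)
EXTRA_QUERIES_DEFAULT_ON = (0, 92, 1)

# Constructed sample dragent.yaml content (not a real deployment's config).
SAMPLE_DRAGENT = """\
new_k8s: true        # prerequisite for containerd / CRI-O metadata
cri:
  extra_queries: true
"""

def parse_version(text):
    """'0.89.4' -> (0, 89, 4)"""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def read_flags(dragent_yaml):
    """Read top-level and one-level-nested scalars; not a general YAML parser."""
    flags, section = {}, None
    for raw in dragent_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(\s*)([\w.-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        if not indent:
            section = key if not value else None
        path = f"{section}.{key}" if indent and section else key
        if value:
            flags[path] = value.strip("'\"").lower() == "true"
    return flags

def check_prerequisites(agent_version, dragent_yaml):
    """Report which runtime-metadata prerequisites from this page are met."""
    version = parse_version(agent_version)
    flags = read_flags(dragent_yaml)
    # Assumption: an absent new_k8s key counts as "not set".
    new_k8s = flags.get("new_k8s", False)
    crio = new_k8s and version >= CRIO_MIN
    # Assumption: an explicit cri.extra_queries value overrides the version default.
    extra = flags.get("cri.extra_queries", version >= EXTRA_QUERIES_DEFAULT_ON)
    return {
        "containerd_metadata": new_k8s and version >= CONTAINERD_MIN,
        "crio_metadata": crio,
        "crio_image_id_metric": crio and extra,
    }

if __name__ == "__main__":
    for v in ("0.88.1", "0.89.4", "0.92.1"):
        print(v, check_prerequisites(v, SAMPLE_DRAGENT))
```

Run it against the dragent.yaml content you deploy with the agent before rolling out the DaemonSet, so that a missing new_k8s setting or an agent version that is too old is caught before container metadata goes missing in the UI.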

Complete the Installation

Choose the appropriate link to complete the installation steps:

Steps for Kubernetes (Vanilla) (All environments except IKS, GKE, or those using OpenShift.)

Steps for GKE

Steps for OpenShift