The topics in this section are designed for platform administrators who may install Sysdig Monitor and Secure on-premises, deploy and configure the agents, and configure, administer, and troubleshoot the environment.
Review the hardware components and software resources required to host the Sysdig Platform.
Installing Sysdig Platform On-Premises
When installing Sysdig Platform on-premises, follow the instructions
specific to your environment. Where available, the Installer tool is the
recommended option.
Set up secure access control for the on-prem deployments.
1 - Administration Settings
The Settings panel can be accessed from both Sysdig Monitor and Sysdig
Secure UIs, and by both administrator and non-admin users.
Access Settings Panel
Log in to Sysdig Monitor or Sysdig Secure.
Hover the mouse over the User menu in the lower left corner of the navigation bar.
The two ways to access the Settings links are displayed:
Quick links in the User menu, organized into their usage groups
The Settings gear symbol in the right corner of the User menu, which takes you to the Settings landing page.
The links displayed depend on whether you logged in with Admin or User priviledges. Administrators have rights to manage Users, Teams and Licenses which non-admin users do not see.
1.1 - User Profile and Password
Access the User Profile page to review and perform necessary actions:
Access the User Profile Page
Log in to Sysdig Monitor or Sysdig Secure and select Settings from the user menu.
Select User Profile.
Review settings and perform actions below.
Review User Email, Role, and Current Team
The current user’s login email address, current team, and role on that
team are listed in the User Profile section.
Change Admin Settings
This option is visible to admins only.
If logged on as Administrator, you can access Admin Settings on this
page which apply globally.
Hide Agent Install: Toggle this slider to hide the Agent Installation link in the Settings menu from non-admin users.
Use the Password Management fields to change this user’s password.
Required: Minimum 8 characters, not the last password used.
Recommended: We advise following
NIST’s most up-to-date
recommendations, with an emphasis on length and uniqueness.
Enable Beta Functions from Sysdig Labs
Toggle the feature settings listed under Sysdig Labs to enable/disable
specific beta functionalities to your installation. Data that has
already been stored will not be affected by beta toggles.
(If there are no beta features, Sysdig Labs will not be displayed.)
1.1.1 - Retrieve the Sysdig API Token
When using the Sysdig API with custom scripts or applications, an API
security token (specific to each user+team) must be supplied.
Log in to Sysdig Monitor or Sysdig Secure and select Settings from the user menu.
Select User Profile.
The Sysdig Monitor or Sysdig Secure API token
is displayed (depending on which interface and team you logged in
to).
You can Copy the token for use, or click the Reset Token button
to generate a new one.
When reset, the previous token issued will immediately become
invalid and you will need to make appropriate changes to your
programs or scripts.
1.2 - User and Team Administration
This page describes the concepts behind Sysdig’s users, teams, and role
permissions.
Understanding Sysdig Users
Users in Sysdig are identified by user name, email address, and password
or third-party authentication option.
Users are either:
Invited manually by an Administrator via the Sysdig UI
Authenticated through a third-party system
Entered directly in the Sysdig database through the Admin API, which
can bypass the invitation process if needed.
When invited, the new user is created in the Sysdig database upon the
user’s first successful login to the Sysdig UI. Before the user accepts
the invitation, enters a password, and logs in, they have a “pending”
status.
System-Based Privileges
From the outset, users in the Sysdig environment have one of three types
of system privileges
(Super) Admin: This is the administrator whose email address is
associated with the Sysdig billing account. This user has
administrator access to everything. Most relevant in on-prem
installations.
Administrator: Any administrator can grant Admin system
privileges to any user. Administrators are automatically members of
all teams.
Administrators can create/delete users; create/configure/delete
teams; create/delete notification channels; manage licenses; and
configure Agents from links in the Settings menu that are hidden
from non-admins.
User (non-admin): By default, new users have read/write
privileges to create, delete, and edit content in the Sysdig
interface. They do not see options in the Settings menu that are
restricted to Administrators.
User rights are further refined based on team and team role
assignments, as described below.
When a user is created, it is automatically assigned to a default
team (described below).
Notice that this default workflow grants all new users Edit access.
Understanding Sysdig Teams
Teams can be thought of as service-based access control. Teams are
created and assigned separately in Sysdig Monitor and Sysdig Secure.
Purpose of Teams
Organizing users into teams enables enforcing data-access security
policies while improving users’ workflows. There are different team
roles, each of which has read/write access to different aspects of the
app.
This limits the exposure of data to those who actually need it, and also
makes users more productive by focusing them on data that is relevant to
them.
In addition to users, Sysdig Monitor and Secure also support Team based service
accounts, which provide excellent automation capabilities. Each service account has
it’s own team role, which allows defining fine grained access, as well as expiry date for
added security.
The following are some potential use cases for Teams.
“Dev” vs “Prod”: Many organizations prefer to limit access to
production data. Permits isolating physical infrastructure and the
applications on top.
Microservices: Scoping data for individual dev teams to see
their own dashboards and field their own alerts. Permits team
creation based on logical isolation using orchestration or config
management metadata in Sysdig Monitor.
Platform as a Service: Where Ops teams need to see the entire
platform. Enabling certain people to see all data for all services
as well as the underlying hardware. This is perfect for managed
service providers who are managing a multi-tenant environment, or
devops teams using a similar model within their own organization.
Restricted environments: Limiting data access for security and
compliance. Certain services, such as authentication and billing,
may have a very specific set of individuals authorized to access
them.
Organizations that need to segment monitoring for efficiency:
Wide-ranging use case from very large organizations forming teams to
simplify access, to smaller orgs creating ephemeral troubleshooting
teams, to teams formed to optimize QA and Support access to system
data.
Operations Teams and Default Teams
Out of the box, the Sysdig Platform has one immutable team for each
product. Depending on licensing, an organization may use one or both:
Monitor Operations team
Secure Operations team
Key traits of the immutable Operations teams:
The teams cannot be deleted
Users in Operations teams have full visibility to all resources in
that product
Administrators must switch to the Operations team before changing
configuration settings for any team
Administrators create additional teams and can designate any team to
become the default team for that product. The number of teams
allowed in an environment is determined by
licensing.
Users entered in the Sysdig Monitor UI are auto-assigned to the Monitor
default team; users entered in the Sysdig Secure UI are auto-assigned to
the Secure default team.
If the Essentials tier is licensed, only the default teams and roles are
enabled. See Subscription
for more details.
If upgrading from Essentials to Enterprise,
Capture functionality will
become available. Users must go to Settings>Teams><Your Team> and
check the Enable Captures box. They must then log out and log in
again.
Team-Based Roles and Privileges
Users can be assigned roles that expand or limit their basic system
privileges on a per-team basis.
System Role
Team Role
Admin
Member of every team, with full permissions regardless of team assignment.
Can create/delete/configure all users.
Can create/delete/configure all teams.
Team Manager (Monitor)
Advanced User (Monitor)
Standard User (Monitor)
Non-Admin (Sysdig Monitor)
Can create/edit/delete dashboards, alerts, or other content + ability to add/delete team members or change team member permissions.
NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers, however, Team Manager users will see a list of users and teams they are assigned to, regardless of the team they have logged in to.
Can create/edit/delete dashboards, alerts, or other content.
Equivalent to an Advanced User with no access to the Explore page (e.g. for developers who are not interested in Monitoring information).
Team Manager (Secure)
Advanced User (Secure)
Service Manager (Secure)
Standard User (Secure)
Non-Admin (Sysdig Secure)
Same permissions as the Advanced User + ability to add/delete team members or change team member permissions.
NOTE: Team Managers only have user administration rights within the specific team(s) for which they are designated Managers, however, Team Manager users will see a list of users and teams they are assigned to, regardless of the team they have logged in to.
Can access every Secure feature within the team scope in read and write mode. Advanced Users can create, delete, or update runtime policies, image scanning policies or any other content. The Advanced User cannot manage users.
Free Tier users are automatically assigned to Advanced User role.
Same as Standard User, plus ability to invite existing users to the team and manage the notifications channels assigned to the team.
Can push container images to the scanning queue, view image scanning results, and display the runtime security events within the team scope. Standard Users cannot access Benchmarks, Activity Audit, Policy definitions, or certain write functions within other Secure features.
For a granular view of all the RBAC setting for default user and team roles, see Detailed Role Permissions.
Custom Roles
If the default roles and permissions don’t meet the specific needs of your organization, you can create your own custom roles. See Manage Custom Roles.
How Team Membership Affects Users’ Experience of the UI
Team membership affects user experience of the Sysdig Monitor or Sysdig
Secure UIs in various ways.
At the highest level, the dashboards, alerts, and policy events you
see are limited by the settings of the team you are switched to.
In more detail, team settings affect the following:
Default landing page: The UI entry point is set on a per-team
basis.
Explore tab and dashboards: These are set per-team,
per-user and can be shared with the team.
On first login, all team members see the same Dashboards Assigned
to Me view. If a user changes those dashboards, only that user will
see the changes.
Dashboards created while part of a team are only visible to the user
when logged in to that team, and if shared, are only visible to
other team members.
Visible data: A team’s scope settings limit the data visible
to team members while they are switched to that team, even if a user
belongs to other teams with different settings that reveal
additional data. In Sysdig Secure, for example, only the policy
events that fired within your scope will be visible.
Alert and Event: These settings are team-wide. Any
member of a team can change the team’s alert settings, and any
additions or edits are visible to all members of the team.
Captures: Can only be taken on hosts/containers visible to team
members, and members see only the list of captures initiated by
other members who were switched to the current team.
API Token: Note that the Sysdig Monitor API Token found under
Settings > User Profile is unique per-user, per-team. See
User Profile and Password. This is
necessary to enable the generation of Custom Events via the API to
target a specific team.
Switching Teams in the UI
Users can switch between all teams to which they’ve been assigned, and
Administrators can switch between all teams that have been created.
To do so:
Click the user menu in the lower-left corner of the
navigation bar.
The assigned teams for this user are listed under Switch Teams.
NOTE: With version 3.6.0, you can also search for the teams in the
user menu.
Click another team name.
A popup window gives an overview of the new team-based view of the
environment. The UI changes according to the team settings.
Onboarding Best Practices
Plan teams and roles strategically to isolate access to data, customize
interfaces, and streamline workflows.
Start with some dashboards and alerts for given teams to get started
with
When a user logs in to a team for first time, they will see a
wizard introducing dashboards, alerts, etc. specific to that team.
Restricting New User Rights by Default
By default, new users (added manually or through a third-party
authenticator) are assigned Advanced User rights. If a administrator
wants to limit new users’ rights further, there are several ways to do
so.
Between sending the invitation and the user’s first log in, change
the user’s Role in the default Monitor team to Read User.
Note that there could theoretically be a lag in which the user would
briefly have had Edit status.
Integrate users into Sysdig via the Admin API and define read-only
permissions upon import.
Create a default team, in either Sysdig Monitor or Sysdig Secure,
with very limited scope and visibility. Manually assign users to
additional teams with broader permissions as needed.
Integrating Users and Teams via API
If you are working with Sysdig Support Engineers to provision users and
teams via the Sysdig API, note how the user and team role names within
the UI map to the API ROLE names.
User roles
Regular (non-admin) = ROLE_USER
Admin = ROLE_CUSTOMER
Team roles
Advanced user = ROLE_TEAM_EDIT
Standard user = ROLE_TEAM_STANDARD
View-only user = ROLE_TEAM_READ
Team manager = ROLE_TEAM_MANAGER
Service manager (Sysdig Secure only) = ROLE_TEAM_SERVICE_MANAGER
1.2.1 - Manage Users
This page describes how to add, delete, and configure user information
from within the Sysdig Monitor or Sysdig Secure UI.
Users added in Sysdig Monitor will appear in the full list of users for
both Sysdig Monitor and Sysdig Secure, if both products are in use.
However, users will not have log in access to Sysdig Secure until they
are added to a Sysdig Secure team.
Create a User
Only Admin users can configure user account information.
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Users.
Click the Add User link.
Enter the user’s email address, first name and last name:
Click Save to send the user invite, or click Cancel to discard
the user.
For on-premises environments, you may need to have pre-configured your SMTP parameters in your Replicated or Kubernetes installation configmap.
The new user will be added to the User Management table. Their status
will be listed as Pending until the invitation is accepted.
Admin privileges cannot be assigned until the invitation has been
accepted, and the user has logged into the interface for the first time.
They can, however, be added to additional teams or have team-based roles
assigned. For more information on configuring teams roles, refer to the
Manage Teams and Roles
documentation.
Edit User Information
To edit an existing user:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Users.
Select the user from the User Management table.
Optional: Edit the first name / last name.
Optional: Toggle the Admin switch to enable/disable
administrator privileges.
Click Save to save the changes, or Cancel to revert the unsaved
changes.
User emails are read-only, and cannot be changed.
Delete a User
To delete an existing user:
Deleting a user cannot be undone. Any dashboards or explore groupings
that the user created for any team will be permanently deleted.
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu. `
Select Users.
Select the user from the User Management table.
Click Delete User.
Click Yes, delete to confirm the change.
You can optionally delete the dashboards and artifacts that the user have created.
1.2.2 - Manage Teams, Roles, and Service Accounts
The use of teams provides a strategic way to organize groups, streamline
workflows, or protect data, as needed by an organization. Administrators
who design and implement teams should have in-depth knowledge of
organizational infrastructure and goals.
Only Advanced users can configure team permissions. Teams and roles must
be assigned separately in Sysdig Monitor and Sysdig Secure.
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Teams.
Click Add Team.
Configure the team options and click Save.
For more information on each configuration option, refer to Team Settings.
Ensure that the team names are unique in both Monitor and Secure
products. For example, if you attempt at creating a team in Secure with
the same name as one created in Monitor, you will see an error message
stating that a team with the same name already exists and you will be
prevented from creating the team.
Team Settings
Setting
Req’d
Description
Color
Yes
Assigns a color to the team to make them easier to identify quickly in a list.
Name
Yes
The name of the team as it will appear in the “Switch to” drop-down selector and other menus.
Description
No
Longer description for the team.
Default Team
No
If users are not assigned to any team, they will automatically be a part of this team if it’s turned on.
Default User Role
No
You can choose either Custom Roles or Sysig Team-Based Roles. If no specific choice is made, Advanced User will be automatically selected. Choose a different role from the drop-down menu to set a different default user role for this team.
Default Entry Point
Yes
Defaults to the Explore page; choose an alternate entry if needed.
Team Scope
Yes
Determines the highest level the data to which team members will have visibility.
Agent Metrics: If set to Host, Team members can see all Host-level and Container-level information. If set for Container, Team members can see only Container-level information.
Prometheus Remote Write Metrics: Visible if Prometheus Remote Write is enabled for your account. Use this option to determine what level of Prometheus Remote Write data that your Team members can view.
You can further limit what data team members can see by specifying tag/value expressions for metrics for each data source. The drop-down menu defaults to “is”, but can be changed to “is not”, “in”, “contains”, and etc. Complex policies can be created by clicking Add another to create AND chains of several expressions.
Note that making changes to the Team Scope settings can have a dramatic impact on what’s visualized in the Team’s Dashboards that are already configured, so you may want to carefully review these before/after your change.
Additional Permissions
Sysdig Capture: Enable this option to allow this team to take Sysdig Captures. Captures will only be visible to members of this team.
WARNING: Captures will include detailed information from every container on a host, regardless of the team’s Scope.
Infrastructure Events: Enable this option to allow this team to view ALL Infrastructure and Custom Events from every user and agent. Otherwise, this team will only see infrastructure events sent specifically to this team.
AWS Data: Enable this option to give this team access to AWS metrics and tags. All AWS data is made available, regardless of the team’s Scope.
Infrastructure Event: Enable this option to give this team access to infrastructure events.
Team Users
No
Click to select any non-Admin users to be immediately added to this Team. Admins are filtered out by default, since they are members of every team automatically.
Configure an Entry Page or Dashboard for a Team
Some Sysdig Monitor teams benefit from using a default entry point other
than the usual Explore page, as users who don’t need in-depth monitoring
information can onboard and navigate Sysdig Monitor more efficiently.
Use the Default Entry Point setting on the Team page, as shown in
Create a Team.
Note: If selecting a dashboard, open the secondary Dashboard drop-down
menu, or type the name of the dashboard to select it.
The dropdown is only populated with shared dashboards accessible by
anyone on the team.
Add and Configure Team Members
Users can be assigned to multiple teams. Team assignment is made from
the Team page (not the User page), and must be done by an Administrator
or Team Manager.
Users added in Sysdig Monitor will appear in the full list of users for
both Sysdig Monitor and Sysdig Secure, if both products are in use.
However, users will not have log in access to Sysdig Secure until they
are added to a Sysdig Secure team.
Assign a User to a Team
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Teams.
Select the relevant team from the list, or search for it with the
search box, and then select the relevant team.
In the Team Users section, click the Assign User button.
Select the user from the drop-down list, or search for it and then
select it.
Click the Role drop-down menu to select the user
role:
Optional: Repeat steps 3 to 5 for each additional user.
Click Save.
Assign a Team-Based Role to Users
Team Membership Roles permission is required for users to be able to modify team members role.
Note that the Advanced User permission can be further refined into
either a View-only user or a Team Manager.
Managers can add or delete members from a team, or toggle members'
rights between Edit, Read, or Manager.
Note that Admins have universal rights and are not designated as
Team Managers, Advanced Users, View-Only users, or Standard users.
Manager or Advanced User permissions can be assigned even to Pending
users; administrators do not have to wait for the user’s first login to
set these roles.
To assign a role to a user on a team:
Log in to Sysdig Monitor or Sysdig Secure as Administrator and
either create a team or select a team to edit.
Add a user or select a user from the list of team members.
Select the appropriate role from the
drop-down menu.
Reminder of the role privileges:
Admin: Member of every team with full permissions. Can
create/delete/configure all users and teams.
Team Manager: Advanced User privileges + ability to
add/delete team members or change team member permissions.
Advanced User:
In Sysdig Monitor: Read/write access to the components of the
application available to the team. Can create/edit/delete
dashboards, alerts, or other content.
In Sysdig Secure: Read/write access to the components of the
application available to the team. Can create, delete, or update
runtime policies, image scanning policies or any other content.
View-Only:
In Sysdig Monitor: Read access to the environment within team scope,
but cannot create, edit, or delete dashboards, alerts, or other
content.
In Sysdig Secure: Read access to every Secure feature in the team
scope, but cannot modify runtime policies, image scanning policies
or any other content.
Standard User:
In Sysdig Monitor: An Advanced User with no access to the Explore
page (e.g. for developers who are not interested in Monitoring
information).
In Sysdig Secure: Can send container images to the scanning queue,
view image scanning results, and display the runtime security events
within the team scope. Standard Users cannot access Benchmarks,
Activity Audit, Policy definitions, or certain write functions
within other Secure features.
Service Manager: Sysdig Secure only. Same as Standard User, plus
ability to invite existing users to the team and manage the
notifications channels assigned to the team.
Save edits.
Edit Team Configuration
To configure an existing team:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Teams.
Select the relevant team from the list, or search for it with the
search box, and then select the relevant team.
Edit as needed, and click Save.
For more information regarding the configuration options, see Team Settings.
Delete a Team
When a team is deleted, some users may become “orphans”, as they are no
longer a part of any team. These users will be moved to the default
team.
The default team cannot be deleted. A new default team must be selected
before the old default team can be deleted.
To delete a created team:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Teams.
Select the relevant team from the list, or search for it with the
search box, and then select the relevant team.
Click Delete Team, then Yes, delete to confirm the change.
Service Accounts
Service Accounts are team based and are available when editing a team.
Service Accounts can be used instead of users’ API keys to access Sysdig APIs by applications
or scripts. Service accounts are not bound to a user, but to a team. You can generate
as many team service accounts as needed. Each service account must have exactly one role.
Unlike users, service accounts have 0 permissions out of the box. They have
only the permissions coming from the role you assign to them.
In addition, these tokens are not retrievable after they are generated and
have a pre-defined retention time.
When creating a team-based Service account you need to define:
Name: Arbitrary token name
Role: Any role from the list of previously defined roles
Expiration: 14 days, 90 days, 6 months or 1 year (custom expiration is possible
via API only)
1.2.3 - Manage Custom Roles
A custom role is a admin-defined role which allows Sysdig administrators to bundle a set of permissions and allocate it to one or more users or teams. This page describes how to create and use custom roles.
Custom Roles is supported only on SaaS. The feature is not currently available for on-prem environments.
Understand Custom Roles
Custom roles give you the ability to provide granular access to users according to a selected list of permissions. If the default user and team roles don’t meet the specific needs of your organization, you can create your own custom roles. Select the permissions you want them to have based on the resource they should have the access to and bundle it together. Just like built-in Sysdig roles, you can assign custom roles to users and teams. Custom roles ensures that the users have only the permission they need and help prevent unwanted access to other resources.
Custom roles operate on concepts similar to roles-based access control system (RBAC).
Benefits of Using Custom Roles
Allow you to give access to a specific set of predefined dashboards to a group of users, who should not be able to view any additional data, nor change or share these dashboards.
Allow you to create a service account for Sysdig Secure that is not tied to a particular user but can be used to automate your CI/CD pipeline.
Give custom set of permissions to the CI/CD account
Give permission to create these accounts to a certain set of users
Allow you to identify the owner of a particular image so the security issue can be assigned to the actual team who owns the issue.
Create a team role that can only invite users but not actually manage the team.
Create a Custom Role
Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
Select Roles.
Click New Role.
The New Role page is displayed.
Specify the following:
Role Name: A unique name to identify the role you create.
Role Description: A short explanation of the role that you have created.
Product: A filter that gives a fine-grained view of the product-specific features.
Select the features and do one of the following:
From the drop-down, select one of the following: No Access, Read Only, Full Access, Custom.
Click Customize to provide grant granular permissions to a sub-set of features. This is an alternative to clicking Custom from the drop-down.
Click Save New Role.
Assign a Custom Role to Teams
You can set up a custom role as the default user role for teams. To do so:
Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
Select Teams.
Do one of the following:
Select the relevant team from the list of teams.
Click Add Team.
From the Default User Role drop-down, select one of the custom role you have created.
Click Customize to view and select granular permissions for each product features. Alternatively, use the drop-down to grant read access or full access to all the privileges simultaneously.
Sysdig Monitor
Category
Item
Permission
Description
Overview/Insights
Overview/Insights
Read
Access Overview/Advisor
Dashboards
Dashboard
Read
Access dashboards in scope of a team
Edit
Modify dashboards in scope of a team
Dashboard Metrics Data
Read
N/A
Explore/Metrics
Agent Console
View
Use Agent Console commands
Agent Console - Agent Status
Read
Use Agent Console commands which access agent status
Agent Console - Configuration
View
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
Agent Console - Diagnostics
Read
Use Agent Console commands which access internal diagnostics of the agent
Agent Console - Network Calls
Exec
Use Agent Console commands which make network calls to remote pods and endpoints
Agent Console - Sensitive Configuration
View
Use Agent Console commands to view the configuration of the agent which does contain sensitive information like passwords. There are currently zero commands that implement this permission
Explore
Read
Metric querying with Explore
Edit
N/A
LiveLogs
View
Access LiveLogs feature
Shared Groupings with Team
Toggle
Share metrics grouping with the team
Alerts
Alert Events
Read
Access the events generated by triggered alerts in scope of a team
Edit
Acknowledge an event triggerred by an alert in the events feed in scope of a team
Alerts
Read
Access the alerts in scope of a team
Edit
Modify alerts in scope of a team
Events
Custom Events
Read
Access the infrastructure & other events created by Sysdig Agent or Sysdig API
Edit
Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API
Captures / Investigate
Captures
View
View captures in the UI
Read
Access captures
Edit
Modify captures
Settings
API Access Token
View
View your API token
Read
Access users API token in scope of a team
Edit
Reset users API token in scope of a team
AWS Settings
Read
Access AWS settings
Agent Installation
Read
Get agent access key (required for agent installation)
Alert Downtimes
Read
List alert downtimes for the customer
Global Notification Channels
Read
Access global notification channels
Notification Channels
Read
Access notification channels in scope of a team
Edit
Modify notification channels in scope of a team
Service Accounts
Read
Access service accounts in scope of a team
Edit
Modify service accounts in scope of a team
Subscriptions
Read
Access customer subscription details
Sysdig Storage
Read
View Sysdig storage configuration
Team Agent Console Access Toggle
Read
See the agent console access settings for a team
Edit
Toggle access to agent console for a team
Team Captures Access Toggle
Read
See the capture settings for a team
Edit
Toggle access to captures for a team
Team Membership
Read
Access team members
Edit
Modify team members
Team Membership Roles
Edit
Modify team members role
Teams
Manage
Modify team settings without the ability to modify team membership for users
Users
Read
Access existing users data
Create
Invite new users
Users List
Read
See the list of users for a customer
Integrations
Custom Integrations
Read
Access custom integrations in spotlight
Edit
Modify custom integrations in spotlight
Infrastructure
Read
View discovered infrastructure
Integrations
Read
View discovered workload integrations
Monitoring Integrations
Validate
Change monitoring integration status to Pending Metrics
Edit
Change monitoring integration type or status
Providers
Read
N/A
Spotlight
Read
Access spotlight
Data Access Settings
Datastream
Read
Access data stream configuration
Groupings
Read
Access default and custom groupings
Edit
Create and edit custom groupings
Metadata
Read
N/A
Metrics Data
Read
Access metrics data
Metrics Descriptors
Read
Access metrics descriptors
PromQL Metadata
Read
Access Prometheus metrics and labels
Sysdig Secure
Category
Item
Permission
Description
Scanning
Image Import
Edit
Import scanning images
Scanning
Write
Modify scanning alerts and registry credentials
Read
Access scan results
Exec
Execute backend scanning
Scanning Alerts
Read
Access scanning alerts
Edit
Modify scanning alerts
Scanning Image Results
Read
List scanning images
Create
Create scanning events
Scanning Policies
Read
Access security policies
Edit
Modify security policies
Scanning Policy Assignments
Read
Access policy mappings
Edit
Create and modify policy mappings
Scanning Registry Credentials
Read
List container registries
Edit
Create and modify container registries configuration
Scanning Runtime
Edit
Query runtime containers API (API only, not enforced in UI)
Scanning Scheduled Reports
Read
View and download existing reports
Edit
Create and modify reports
Scanning Trusted Images
Read
Access the trusted images list
Edit
Modify the trusted images list
Scanning Untrusted Images
Read
Access the untrusted images list
Edit
Modify the untrusted images list
Scanning Vulnerability Exceptions
Read
Access vulnerability exceptions
Edit
Edit vulnerability exceptions
Posture
Benchmark Tasks
Read
Access scheduled benchmark taks
Edit
Create and modify scheduled benchmark adn compliance tasks
Benchmarks
Read
Access benchmark results
Compliance
Read
Access Compliance tasks and reports
Policies
Image profiling
Write
Write image profiles
Read
View existing image profiles
Exec
Execute image profiling
Policies
Read
Access policies
Edit
Modify policies
Policy Advisor
Write
Create PSP advisor simulation
Read
Read PSP advisor simulations
Exec
Execute PSP advisor simulation
Network Security
Network Security
Read
Access Kubernetes Network Security policy advisor
Integrations
Providers
Read
N/A
Settings
API Access Token
View
View your API token
Read
Access users API token in scope of a team
Edit
Reset users API token in scope of a team
AWS Settings
Read
Access AWS settings
Agent Installation
Read
Get agent access key (required for agent installation)
Cloud Accounts
Read
Access cloud accounts
Edit
Edit cloud accounts
Events Forwarder
Read
Access event forwarding configuration
Global Notification Channels
Read
Access global notification channels
Notification Channels
Read
Access notification channels in scope of a team
Edit
Modify notification channels in scope of a team
Service Accounts
Read
Access service accounts in scope of a team
Edit
Modify service accounts in scope of a team
Subscriptions
Read
Access customer subscription details
Sysdig Secure Settings
Edit
Modify Sysdig Secure configuration
Sysdig Storage
Read
View Sysdig storage configuration
Team Agent Console Access Toggle
Read
See the agent console access settings for a team
Edit
Toggle access to agent console for a team
Team Captures Access Toggle
Read
See the capture settings for a team
Edit
Toggle access to captures for a team
Team Membership
Read
Access team members
Edit
Modify team members
Teams
Manage
Modify team settings without the ability to modify team membership for users
Users
Read
Access existing users data
Create
Invite new users
Users List
Read
See the list of users for a customer
Captures / Investigate
Activity Audit Commands
Read
Access activity audit commands
Captures
View
View captures in the UI
Read
Access captures
Edit
Modify captures
Rapid Response
Exec
Use rapid response
Data Access Settings
Groupings
Read
Access default and custom groupings
Metrics Data
Read
Access metrics data
Metrics Descriptors
Read
Access metrics descriptors
Events
Policy Events
Read
Access policy events
1.2.4 - Detailed Role Permissions
When deciding whether to use default team roles or create a custom role, it can be helpful to review the RBAC permissions that Sysdig grants to the roles of Standard User, Advanced User, etc.
Sysdig Monitor
Standard User
categoryName
categoryDescription
description
action
itemDisplayName
itemDescription
Advisor
Manage access to Advisor
Access Advisor
READ
Advisor
OVERVIEWS
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Acknowledge an event triggerred by an alert in the events feed in scope of a team
EDIT
Alert Events
ALERT_EVENTS
Alerts
Manage access to Alerts
Access the events generated by triggered alerts in scope of a team
READ
Alert Events
ALERT_EVENTS
Alerts
Manage access to Alerts
Modify alerts in scope of a team
EDIT
Alerts
ALERTS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Modify captures
EDIT
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Dashboards
Manage access to dashboards
N/A
READ
Dashboard Metrics Data
DASHBOARD_METRICS_DATA
Dashboards
Manage access to dashboards
Modify dashboards in scope of a team
EDIT
Dashboards
DASHBOARDS
Dashboards
Manage access to dashboards
Access dashboards in scope of a team
READ
Dashboards
DASHBOARDS
Data Access Settings
Manage access to Data Settings
Access data stream configuration
READ
Datastream
DATASTREAM
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Data Access Settings
Manage access to Data Settings
Access Prometheus metrics and labels
READ
PromQL Metadata
PROMQL_METADATA
Events
Manage access to Events
Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API
EDIT
Custom Events
Infrastructure events or events created via API
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Integrations
N/A
Modify custom integrations in spotlight
EDIT
Custom Integrations
Integrations created by the user manually, before the system automatic detection triggered
Integrations
N/A
Access custom integrations in spotlight
READ
Custom Integrations
Integrations created by the user manually, before the system automatic detection triggered
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
View discovered workload integrations
READ
Integrations
INTEGRATIONS
Integrations
N/A
Change monitoring integration type or status
EDIT
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
Change monitoring integration status to Pending Metrics
VALIDATE
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
Integrations
N/A
Access spotlight
READ
Spotlight
SPOTLIGHT
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
List alert downtimes for the customer
READ
Alert Downtimes
DOWNTIMES
Settings
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access event forwarding configuration
READ
Events Forwarder
EVENTS_FORWARDER
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
View Only
Advisor
Manage access to Advisor
Access Advisor
READ
Advisor
OVERVIEWS
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Access the events generated by triggered alerts in scope of a team
READ
Alert Events
ALERT_EVENTS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Dashboards
Manage access to dashboards
N/A
READ
Dashboard Metrics Data
DASHBOARD_METRICS_DATA
Dashboards
Manage access to dashboards
Access dashboards in scope of a team
READ
Dashboards
DASHBOARDS
Data Access Settings
Manage access to Data Settings
Access data stream configuration
READ
Datastream
DATASTREAM
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Data Access Settings
Manage access to Data Settings
Access Prometheus metrics and labels
READ
PromQL Metadata
PROMQL_METADATA
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Integrations
N/A
Access custom integrations in spotlight
READ
Custom Integrations
Integrations created by the user manually, before the system automatic detection triggered
Integrations
N/A
N/A
READ
File Storage Config
FILE_STORAGE_CONFIG
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
View discovered workload integrations
READ
Integrations
INTEGRATIONS
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
Change monitoring integration status to Pending Metrics
VALIDATE
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
Integrations
N/A
Access spotlight
READ
Spotlight
SPOTLIGHT
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
List alert downtimes for the customer
READ
Alert Downtimes
DOWNTIMES
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access event forwarding configuration
READ
Events Forwarder
EVENTS_FORWARDER
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
Team Manager
categoryName
categoryDescription
description
action
itemDisplayName
itemDescription
Advisor
Manage access to Advisor
Access Advisor
READ
Advisor
OVERVIEWS
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Acknowledge an event triggerred by an alert in the events feed in scope of a team
EDIT
Alert Events
ALERT_EVENTS
Alerts
Manage access to Alerts
Access the events generated by triggered alerts in scope of a team
READ
Alert Events
ALERT_EVENTS
Alerts
Manage access to Alerts
Modify alerts in scope of a team
EDIT
Alerts
ALERTS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Modify captures
EDIT
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Dashboards
Manage access to dashboards
N/A
READ
Dashboard Metrics Data
DASHBOARD_METRICS_DATA
Dashboards
Manage access to dashboards
Modify dashboards in scope of a team
EDIT
Dashboards
DASHBOARDS
Dashboards
Manage access to dashboards
Access dashboards in scope of a team
READ
Dashboards
DASHBOARDS
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Data Access Settings
Manage access to Data Settings
Access Prometheus metrics and labels
READ
PromQL Metadata
PROMQL_METADATA
Events
Manage access to Events
Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API
EDIT
Custom Events
Infrastructure events or events created via API
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics
Manage access to Explore / Metrics
N/A
EDIT
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Share metrics grouping with the team
TOGGLE
Shared Groupings with Team
GROUPINGS_TEAM_SHARING
Integrations
N/A
Modify custom integrations in spotlight
EDIT
Custom Integrations
Integrations created by the user manually, before the system automatic detection triggered
Integrations
N/A
Access custom integrations in spotlight
READ
Custom Integrations
Integrations created by the user manually, before the system automatic detection triggered
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
View discovered workload integrations
READ
Integrations
INTEGRATIONS
Integrations
N/A
Change monitoring integration type or status
EDIT
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
Change monitoring integration status to Pending Metrics
VALIDATE
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
Integrations
N/A
Access spotlight
READ
Spotlight
SPOTLIGHT
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
List alert downtimes for the customer
READ
Alert Downtimes
DOWNTIMES
Settings
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access event forwarding configuration
READ
Events Forwarder
EVENTS_FORWARDER
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Modify notification channels in scope of a team
EDIT
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Modify service accounts in scope of a team
EDIT
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
Settings
N/A
Modify team settings without the ability to modify team membership for users
MANAGE
Teams
TEAMS
Advanced User
categoryDescription
description
action
itemDisplayName
itemDescription
Manage access to Advisor
Access Advisor
READ
Advisor
OVERVIEWS
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Manage access to Alerts
Acknowledge an event triggerred by an alert in the events feed in scope of a team
EDIT
Alert Events
ALERT_EVENTS
Manage access to Alerts
Access the events generated by triggered alerts in scope of a team
READ
Alert Events
ALERT_EVENTS
Manage access to Alerts
Modify alerts in scope of a team
EDIT
Alerts
ALERTS
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Manage access to Captures / Investigate
Modify captures
EDIT
Captures
CAPTURES
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Manage access to dashboards
N/A
READ
Dashboard Metrics Data
DASHBOARD_METRICS_DATA
Manage access to dashboards
Modify dashboards in scope of a team
EDIT
Dashboards
DASHBOARDS
Manage access to dashboards
Access dashboards in scope of a team
READ
Dashboards
DASHBOARDS
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Manage access to Data Settings
Access Prometheus metrics and labels
READ
PromQL Metadata
PROMQL_METADATA
Manage access to Events
Acknowledge the infrastructure and other events created by Sysdig Agent or Sysdig API
EDIT
Custom Events
Infrastructure events or events created via API
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Manage access to Explore / Metrics
N/A
EDIT
Explore
EXPLORE
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Manage access to Explore / Metrics
Share metrics grouping with the team
TOGGLE
Shared Groupings with Team
GROUPINGS_TEAM_SHARING
N/A
Modify custom integrations in spotlight
EDIT
Custom Integrations
Integrations created by the user manually, before the system automatic detection triggered
N/A
Access custom integrations in spotlight
READ
Custom Integrations
Integrations created by the user manually, before the system automatic detection triggered
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
N/A
View discovered workload integrations
READ
Integrations
INTEGRATIONS
N/A
Change monitoring integration type or status
EDIT
Monitoring Integrations
PROMCAT_INTEGRATIONS
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
N/A
Change monitoring integration status to Pending Metrics
VALIDATE
Monitoring Integrations
PROMCAT_INTEGRATIONS
N/A
N/A
READ
Providers
PROVIDERS
N/A
Access spotlight
READ
Spotlight
SPOTLIGHT
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
N/A
List alert downtimes for the customer
READ
Alert Downtimes
DOWNTIMES
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
N/A
View your API token
VIEW
API Access Token
API_TOKEN
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
N/A
Access event forwarding configuration
READ
Events Forwarder
EVENTS_FORWARDER
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
N/A
Modify notification channels in scope of a team
EDIT
Notification Channels
NOTIFICATION_CHANNELS
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
Sysdig Secure Team Roles
Standard User
categoryName
categoryDescription
description
action
itemDisplayName
itemDescription
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Events
Manage access to Events
Access policy events
READ
Policy Events
POLICY_EVENTS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Share metrics grouping with the team
TOGGLE
Shared Groupings with Team
GROUPINGS_TEAM_SHARING
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
Posture
N/A
Access CSPM results
READ
CSPM
CSPM_RESULTS
Scanning
Manage access to Scanning
Import scanning images
EDIT
Image Import
SECURE_IMPORT_IMAGES
Scanning
Manage access to Scanning
Read scan results
READ
Scanning
SCANNING
Scanning
Manage access to Scanning
Access scanning alerts
READ
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
Create scanning events
CREATE
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
List scanning images
READ
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
Query runtime containers API
EDIT
Scanning Runtime
SECURE_QUERY_CONTAINERS
Scanning
Manage access to Scanning
View and download existing reports
READ
Scanning Scheduled Reports
SECURE_REPORTS
Scanning
Manage access to Scanning
Access the trusted images list
READ
Scanning Trusted Images
SECURE_WHITELIST_IMAGES
Scanning
Manage access to Scanning
Access the untrusted images list
READ
Scanning Untrusted Images
SECURE_BLACKLIST_IMAGES
Scanning
Manage access to Scanning
Access vulnerability exceptions
READ
Scanning Vulnerability Exceptions
SECURE_WHITELIST
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access cloud accounts
READ
Cloud Accounts
CLOUD_ACCOUNTS
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Access IAC results
READ
IAC
IAC
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
Modify Sysdig Secure configuration
EDIT
Sysdig Secure Settings
SECURE_SETTINGS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
Service Manager
categoryName
categoryDescription
description
action
itemDisplayName
itemDescription
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Events
Manage access to Events
Access policy events
READ
Policy Events
POLICY_EVENTS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Share metrics grouping with the team
TOGGLE
Shared Groupings with Team
GROUPINGS_TEAM_SHARING
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
Posture
N/A
Access CSPM results
READ
CSPM
CSPM_RESULTS
Scanning
Manage access to Scanning
Import scanning images
EDIT
Image Import
SECURE_IMPORT_IMAGES
Scanning
Manage access to Scanning
Execute backend scanning
EXEC
Scanning
SCANNING
Scanning
Manage access to Scanning
Read scan results
READ
Scanning
SCANNING
Scanning
Manage access to Scanning
Modify scanning alerts and registry credentials
WRITE
Scanning
SCANNING
Scanning
Manage access to Scanning
Modify scanning alerts
EDIT
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
Access scanning alerts
READ
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
Create scanning events
CREATE
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
List scanning images
READ
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
Access policy mappings
READ
Scanning Policy Assignments
SECURE_MAPPINGS
Scanning
Manage access to Scanning
Query runtime containers API
EDIT
Scanning Runtime
SECURE_QUERY_CONTAINERS
Scanning
Manage access to Scanning
View and download existing reports
READ
Scanning Scheduled Reports
SECURE_REPORTS
Scanning
Manage access to Scanning
Access the trusted images list
READ
Scanning Trusted Images
SECURE_WHITELIST_IMAGES
Scanning
Manage access to Scanning
Access the untrusted images list
READ
Scanning Untrusted Images
SECURE_BLACKLIST_IMAGES
Scanning
Manage access to Scanning
Access vulnerability exceptions
READ
Scanning Vulnerability Exceptions
SECURE_WHITELIST
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access cloud accounts
READ
Cloud Accounts
CLOUD_ACCOUNTS
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Access IAC results
READ
IAC
IAC
Settings
N/A
Modify notification channels in scope of a team
EDIT
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
Modify Sysdig Secure configuration
EDIT
Sysdig Secure Settings
SECURE_SETTINGS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
Settings
N/A
Invite other users to the teams
EDIT
Team Membership
TEAM_MEMBERSHIP
Settings
N/A
Access team members
READ
Team Membership
TEAM_MEMBERSHIP
Settings
N/A
Modify team members roles
EDIT
Team Membership Roles
TEAM_MEMBERSHIP_ROLE
Settings
N/A
Modify team settings without the ability to modify team membership for users
MANAGE
Teams
TEAMS
Settings
N/A
N/A
READ
Teams
TEAMS
Settings
N/A
Access existing users data
READ
Users
USERS
View Only
categoryName
categoryDescription
description
action
itemDisplayName
itemDescription
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Access activity audit commands
READ
Activity Audit Commands
COMMANDS
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Events
Manage access to Events
Access policy events
READ
Policy Events
POLICY_EVENTS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
INTERNAL_UNCATEGORIZED
INTERNAL_UNCATEGORIZED
N/A
READ
Audit Policies
SECURE_AUDIT_POLICIES
Network Security
N/A
Access Kubernetes Network Security policy advisor
READ
Network Security
NETSEC
Policies
N/A
View existing image profiles
READ
Image profiling
PROFILING
Policies
N/A
Access policies
READ
Policies
POLICIES
Policies
N/A
Read PSP advisor simulations
READ
Policy Advisor
PADVISOR
Posture
N/A
Access scheduled benchmark taks
READ
Benchmark Tasks
BENCHMARK_TASKS
Posture
N/A
Access benchmark results
READ
Benchmarks
BENCHMARKS
Posture
N/A
Access Compliance tasks and reports
READ
Compliance
COMPLIANCE
Posture
N/A
Access CSPM results
READ
CSPM
CSPM_RESULTS
Scanning
Manage access to Scanning
Read scan results
READ
Scanning
SCANNING
Scanning
Manage access to Scanning
Access scanning alerts
READ
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
List scanning images
READ
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
Access security policies
READ
Scanning Policies
SECURE_POLICY
Scanning
Manage access to Scanning
Access policy mappings
READ
Scanning Policy Assignments
SECURE_MAPPINGS
Scanning
Manage access to Scanning
List container registries
READ
Scanning Registry Credentials
SECURE_REGISTRY
Scanning
Manage access to Scanning
Query runtime containers API
EDIT
Scanning Runtime
SECURE_QUERY_CONTAINERS
Scanning
Manage access to Scanning
View and download existing reports
READ
Scanning Scheduled Reports
SECURE_REPORTS
Scanning
Manage access to Scanning
Access the trusted images list
READ
Scanning Trusted Images
SECURE_WHITELIST_IMAGES
Scanning
Manage access to Scanning
Access the untrusted images list
READ
Scanning Untrusted Images
SECURE_BLACKLIST_IMAGES
Scanning
Manage access to Scanning
Access vulnerability exceptions
READ
Scanning Vulnerability Exceptions
SECURE_WHITELIST
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access cloud accounts
READ
Cloud Accounts
CLOUD_ACCOUNTS
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Access IAC results
READ
IAC
IAC
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
Modify Sysdig Secure configuration
EDIT
Sysdig Secure Settings
SECURE_SETTINGS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
Team Manager
categoryName
categoryDescription
description
action
itemDisplayName
itemDescription
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Modify alerts in scope of a team
EDIT
Alerts
ALERTS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Access activity audit commands
READ
Activity Audit Commands
COMMANDS
Captures / Investigate
Manage access to Captures / Investigate
Modify captures
EDIT
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
Use rapid response
EXEC
Rapid Response
RAPID_RESPONSE
Data Access Settings
Manage access to Data Settings
Access data stream configuration
READ
Datastream
DATASTREAM
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Events
Manage access to Events
Access policy events
READ
Policy Events
POLICY_EVENTS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics
Manage access to Explore / Metrics
N/A
EDIT
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Share metrics grouping with the team
TOGGLE
Shared Groupings with Team
GROUPINGS_TEAM_SHARING
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
INTERNAL_UNCATEGORIZED
INTERNAL_UNCATEGORIZED
N/A
READ
Audit Policies
SECURE_AUDIT_POLICIES
Network Security
N/A
Access Kubernetes Network Security policy advisor
READ
Network Security
NETSEC
Policies
N/A
Execute image profiling
EXEC
Image profiling
PROFILING
Policies
N/A
View existing image profiles
READ
Image profiling
PROFILING
Policies
N/A
Write image profiles
WRITE
Image profiling
PROFILING
Policies
N/A
Modify policies
EDIT
Policies
POLICIES
Policies
N/A
Access policies
READ
Policies
POLICIES
Policies
N/A
Execute PSP advisor simulation
EXEC
Policy Advisor
PADVISOR
Policies
N/A
Read PSP advisor simulations
READ
Policy Advisor
PADVISOR
Policies
N/A
Create PSP advisor simulation
WRITE
Policy Advisor
PADVISOR
Posture
N/A
Create and modify scheduled benchmark adn compliance tasks
EDIT
Benchmark Tasks
BENCHMARK_TASKS
Posture
N/A
Access scheduled benchmark taks
READ
Benchmark Tasks
BENCHMARK_TASKS
Posture
N/A
Access benchmark results
READ
Benchmarks
BENCHMARKS
Posture
N/A
Access Compliance tasks and reports
READ
Compliance
COMPLIANCE
Posture
N/A
Access CSPM results
READ
CSPM
CSPM_RESULTS
Scanning
Manage access to Scanning
Import scanning images
EDIT
Image Import
SECURE_IMPORT_IMAGES
Scanning
Manage access to Scanning
Execute backend scanning
EXEC
Scanning
SCANNING
Scanning
Manage access to Scanning
Read scan results
READ
Scanning
SCANNING
Scanning
Manage access to Scanning
Modify scanning alerts and registry credentials
WRITE
Scanning
SCANNING
Scanning
Manage access to Scanning
Modify scanning alerts
EDIT
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
Access scanning alerts
READ
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
Create scanning events
CREATE
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
List scanning images
READ
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
Modify security policies
EDIT
Scanning Policies
SECURE_POLICY
Scanning
Manage access to Scanning
Access security policies
READ
Scanning Policies
SECURE_POLICY
Scanning
Manage access to Scanning
Create and modify policy mappings
EDIT
Scanning Policy Assignments
SECURE_MAPPINGS
Scanning
Manage access to Scanning
Access policy mappings
READ
Scanning Policy Assignments
SECURE_MAPPINGS
Scanning
Manage access to Scanning
Create and modify container registries configuration
EDIT
Scanning Registry Credentials
SECURE_REGISTRY
Scanning
Manage access to Scanning
List container registries
READ
Scanning Registry Credentials
SECURE_REGISTRY
Scanning
Manage access to Scanning
Query runtime containers API
EDIT
Scanning Runtime
SECURE_QUERY_CONTAINERS
Scanning
Manage access to Scanning
Create and modify reports
EDIT
Scanning Scheduled Reports
SECURE_REPORTS
Scanning
Manage access to Scanning
View and download existing reports
READ
Scanning Scheduled Reports
SECURE_REPORTS
Scanning
Manage access to Scanning
Modify the trusted images list
EDIT
Scanning Trusted Images
SECURE_WHITELIST_IMAGES
Scanning
Manage access to Scanning
Access the trusted images list
READ
Scanning Trusted Images
SECURE_WHITELIST_IMAGES
Scanning
Manage access to Scanning
Modify the untrusted images list
EDIT
Scanning Untrusted Images
SECURE_BLACKLIST_IMAGES
Scanning
Manage access to Scanning
Access the untrusted images list
READ
Scanning Untrusted Images
SECURE_BLACKLIST_IMAGES
Scanning
Manage access to Scanning
Edit vulnerability exceptions
EDIT
Scanning Vulnerability Exceptions
SECURE_WHITELIST
Scanning
Manage access to Scanning
Access vulnerability exceptions
READ
Scanning Vulnerability Exceptions
SECURE_WHITELIST
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access cloud accounts
READ
Cloud Accounts
CLOUD_ACCOUNTS
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Access IAC results
READ
IAC
IAC
Settings
N/A
Modify notification channels in scope of a team
EDIT
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Modify service accounts in scope of a team
EDIT
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
Modify Sysdig Secure configuration
EDIT
Sysdig Secure Settings
SECURE_SETTINGS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
Settings
N/A
Modify team settings without the ability to modify team membership for users
MANAGE
Teams
TEAMS
Advanced User
categoryName
categoryDescription
description
action
itemDisplayName
itemDescription
Advisor
Manage access to Advisor
Kubernetes API feature
READ
Kubernetes API
KUBERNETES_API_COMMANDS
Advisor
Manage access to Advisor
Access Live Logs feature
VIEW
Live Logs
LIVELOGS
Alerts
Manage access to Alerts
Modify alerts in scope of a team
EDIT
Alerts
ALERTS
Alerts
Manage access to Alerts
Access the alerts in scope of a team
READ
Alerts
ALERTS
Captures / Investigate
Manage access to Captures / Investigate
Access activity audit commands
READ
Activity Audit Commands
COMMANDS
Captures / Investigate
Manage access to Captures / Investigate
Modify captures
EDIT
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
Access captures
READ
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
View captures in the UI
VIEW
Captures
CAPTURES
Captures / Investigate
Manage access to Captures / Investigate
Use rapid response
EXEC
Rapid Response
RAPID_RESPONSE
Data Access Settings
Manage access to Data Settings
Access data stream configuration
READ
Datastream
DATASTREAM
Data Access Settings
Manage access to Data Settings
Create and edit custom groupings
EDIT
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access default and custom groupings
READ
Groupings
GROUPINGS
Data Access Settings
Manage access to Data Settings
Access metrics data
READ
Metrics Data
METRICS_DATA
Data Access Settings
Manage access to Data Settings
Access metrics descriptors
READ
Metrics Descriptors
METRICS_DESCRIPTORS
Events
Manage access to Events
Access the infrastructure and other events created by Sysdig Agent or Sysdig API
READ
Custom Events
Infrastructure events or events created via API
Events
Manage access to Events
Access policy events
READ
Policy Events
POLICY_EVENTS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands
VIEW
Agent Console
AGENT_CLI
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which access agent status
READ
Agent Console - Agent Status
AGENT_STATUS
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands to view the configuration of the agent which does not contain sensitive information like passwords
VIEW
Agent Console - Configuration
AGENT_CONFIGURATION
Explore / Metrics
Manage access to Explore / Metrics
Use Agent Console commands which make network calls to remote pods and endpoints
EXEC
Agent Console - Network Calls
AGENT_REMOTE_NETWORK_CALLS
Explore / Metrics
Manage access to Explore / Metrics
N/A
EDIT
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Metric querying with Explore
READ
Explore
EXPLORE
Explore / Metrics
Manage access to Explore / Metrics
Share metrics grouping with the team
TOGGLE
Shared Groupings with Team
GROUPINGS_TEAM_SHARING
Integrations
N/A
Access Helm-renderer component
READ
Helm Renderer
HELM_RENDERER
Integrations
N/A
View discovered infrastructure
READ
Infrastructure
INFRASTRUCTURE
Integrations
N/A
Access monitoring integration type or status
READ
Monitoring Integrations
PROMCAT_INTEGRATIONS
Integrations
N/A
N/A
READ
Providers
PROVIDERS
Network Security
N/A
Access Kubernetes Network Security policy advisor
READ
Network Security
NETSEC
Policies
N/A
Execute image profiling
EXEC
Image profiling
PROFILING
Policies
N/A
View existing image profiles
READ
Image profiling
PROFILING
Policies
N/A
Write image profiles
WRITE
Image profiling
PROFILING
Policies
N/A
Modify policies
EDIT
Policies
POLICIES
Policies
N/A
Access policies
READ
Policies
POLICIES
Policies
N/A
Execute PSP advisor simulation
EXEC
Policy Advisor
PADVISOR
Policies
N/A
Read PSP advisor simulations
READ
Policy Advisor
PADVISOR
Policies
N/A
Create PSP advisor simulation
WRITE
Policy Advisor
PADVISOR
Posture
N/A
Create and modify scheduled benchmark adn compliance tasks
EDIT
Benchmark Tasks
BENCHMARK_TASKS
Posture
N/A
Access scheduled benchmark taks
READ
Benchmark Tasks
BENCHMARK_TASKS
Posture
N/A
Access benchmark results
READ
Benchmarks
BENCHMARKS
Posture
N/A
Access Compliance tasks and reports
READ
Compliance
COMPLIANCE
Posture
N/A
Access CSPM results
READ
CSPM
CSPM_RESULTS
Scanning
Manage access to Scanning
Import scanning images
EDIT
Image Import
SECURE_IMPORT_IMAGES
Scanning
Manage access to Scanning
Execute backend scanning
EXEC
Scanning
SCANNING
Scanning
Manage access to Scanning
Read scan results
READ
Scanning
SCANNING
Scanning
Manage access to Scanning
Modify scanning alerts and registry credentials
WRITE
Scanning
SCANNING
Scanning
Manage access to Scanning
Modify scanning alerts
EDIT
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
Access scanning alerts
READ
Scanning Alerts
SECURE_ALERTS
Scanning
Manage access to Scanning
Create scanning events
CREATE
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
List scanning images
READ
Scanning Image Results
SECURE_IMAGES
Scanning
Manage access to Scanning
Modify security policies
EDIT
Scanning Policies
SECURE_POLICY
Scanning
Manage access to Scanning
Access security policies
READ
Scanning Policies
SECURE_POLICY
Scanning
Manage access to Scanning
Create and modify policy mappings
EDIT
Scanning Policy Assignments
SECURE_MAPPINGS
Scanning
Manage access to Scanning
Access policy mappings
READ
Scanning Policy Assignments
SECURE_MAPPINGS
Scanning
Manage access to Scanning
Create and modify container registries configuration
EDIT
Scanning Registry Credentials
SECURE_REGISTRY
Scanning
Manage access to Scanning
List container registries
READ
Scanning Registry Credentials
SECURE_REGISTRY
Scanning
Manage access to Scanning
Query runtime containers API
EDIT
Scanning Runtime
SECURE_QUERY_CONTAINERS
Scanning
Manage access to Scanning
Create and modify reports
EDIT
Scanning Scheduled Reports
SECURE_REPORTS
Scanning
Manage access to Scanning
View and download existing reports
READ
Scanning Scheduled Reports
SECURE_REPORTS
Scanning
Manage access to Scanning
Modify the trusted images list
EDIT
Scanning Trusted Images
SECURE_WHITELIST_IMAGES
Scanning
Manage access to Scanning
Access the trusted images list
READ
Scanning Trusted Images
SECURE_WHITELIST_IMAGES
Scanning
Manage access to Scanning
Modify the untrusted images list
EDIT
Scanning Untrusted Images
SECURE_BLACKLIST_IMAGES
Scanning
Manage access to Scanning
Access the untrusted images list
READ
Scanning Untrusted Images
SECURE_BLACKLIST_IMAGES
Scanning
Manage access to Scanning
Edit vulnerability exceptions
EDIT
Scanning Vulnerability Exceptions
SECURE_WHITELIST
Scanning
Manage access to Scanning
Access vulnerability exceptions
READ
Scanning Vulnerability Exceptions
SECURE_WHITELIST
Settings
N/A
Get agent access key (required for agent installation)
READ
Agent Installation
AGENT_INSTALLATION
Settings
N/A
Reset users API token in scope of a team
EDIT
API Access Token
API_TOKEN
Settings
N/A
Access users API token in scope of a team
READ
API Access Token
API_TOKEN
Settings
N/A
View your API token
VIEW
API Access Token
API_TOKEN
Settings
N/A
Access AWS settings
READ
AWS Settings
AWS_SETTINGS
Settings
N/A
Access cloud accounts
READ
Cloud Accounts
CLOUD_ACCOUNTS
Settings
N/A
Access global notification channels
READ
Global Notification Channels
GLOBAL_NOTIFICATION_CHANNELS
Settings
N/A
Access IAC results
READ
IAC
IAC
Settings
N/A
Modify notification channels in scope of a team
EDIT
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access notification channels in scope of a team
READ
Notification Channels
NOTIFICATION_CHANNELS
Settings
N/A
Access service accounts in scope of a team
READ
Service Accounts
SERVICE_ACCOUNTS
Settings
N/A
Access customer subscription details
READ
Subscriptions
SUBSCRIPTIONS
Settings
N/A
Modify Sysdig Secure configuration
EDIT
Sysdig Secure Settings
SECURE_SETTINGS
Settings
N/A
View Sysdig storage configuration
READ
Sysdig Storage
SYSDIG_STORAGE
1.2.5 - Group Mappings
Group mappings allow you to connect groups from your identity provider (IdP) to the roles and teams associated with your Sysdig account. You can create mapping at any time, but it can only be used if a compatible Single Sign On (SSO) authentication is enabled in Sysdig. Group mapping is currently supported only with SAML 2.0 SSO.
Group mapping is beneficial to:
Manage permissions for and access to Sysdig resources from your organization’s IdP itself.
For example, to allow your Analytics team to access a set of Dashboards, you can create a group named Analytics and grant group members access only to the dashboards they need access to.
Update or completely remove user access to Sysdig resources as soon as it’s updated in the IdP.
As an admin, you can
Enter one or more IdP groups and assign a custom role and map teams.
Map a group to one of more teams, or all the teams.
Select a user role for each group individually.
When group mapping is enabled:
Group mapping will ignore the users that are manually set as administrators, allowing them to perform administrator functions without having the mapping permissions overwriting their existing permissions.
If a user does not belong to any of the mapped groups, or the mapping is misconfigured, the user will be assigned to the default team with the default role.
If user creation is disabled while group mapping is enabled, non-existing users will not be created. However, the team and role information associated with the existing users will be processed on each login.
Enable Group Mapping
To enable groups mapping in Sysdig Secure or Sysdig Monitor:
Navigate to Settings > Authentication.
Select SAML from Connection Settings.
Enable Group Mapping.
Specify the Group Attribute Name.
It is the configurable metadata of an IdP group that is used in the SAML assertion statement. Sysdig uses this SAML attribute to identify the group and determine associated permissions. This value is processed on every login attempt to read the groups that the user belongs to.
Click Save Settings.
Add a Mapping
You can map a group to one role and one or more teams.
Navigate to Settings > Group Mappings.
Enter the Group ID.
This is the unique name assigned to the group on the IdP side.
Select a role from the Role drop-down.
You can select only one role for a group maaping. Ensure that the roles aren’t conflicting with each other because the mapping will not work if there are conflicting roles for a user.
Select one of more teams from the Teams drop-down.
Optionally, add additional mapping by clicking Add Group and repeating the same steps.
Click Save.
1.3 - Notifications Management
Alerts are used in Sysdig
Monitor when Event thresholds have been crossed, and in Sysdig Secure
when Policy violations have occurred. Alerts can be sent over a variety
of supported notification channels.
Notification Management describes how to add, edit, or delete a variety
of notification channel types, and how to disable or delete
notifications when they are not needed, for example, during scheduled
downtime.
1.3.1 - Set Up Notification Channels
Alerts are used in Sysdig
Monitor when Event thresholds have been crossed, and in Sysdig Secure
when Policy violations have occurred. Alerts can be sent over a variety
of supported notification channels.
In the Settings panel of either Sysdig Monitor or Sysdig Secure, set
up the notification channels to be used for alerting.
Notification channel management can be finessed by role-based
access
as follows:
Notification channels can now be “global” or limited to a particular
team
Global channels can be managed by admins and can be viewed/used by
other roles, while team-limited channels are available only to team
members
Team Manager , Advanced User, and Service Manager (Secure)
roles can create/update/delete team-scoped notification channels,
they can also read and use the global ones
Standard and View Only roles can read team-limited and global
notification channels
Admins will be able to create global notification channels and
migrate channels from “global” to “team-limited”, and also from one
team to another.
Add a Notification Channel
To add a new notification channel:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Select Notification Channels.
The Notifications main page is displayed:
Click Add Notification Channel +, and select the desired
notification channel.
Follow the channel-specific steps to complete the configuration
process:
After you have set up a notification channel, it will appear as an available option to be assigned when you Add an Alert.
Edit a Notification Channel
To edit a notification channel:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Notification Channels.
Locate the target channel and click the Edit button.
Make the edits and click Done Editing to save the changes.
Test a Notification Channel
To test a notification channel:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Notification Channels.
Select the three dots next to a created Notification Channel and
click Test Channel.
If a notification is not received within 10 minutes, the notification
channel is not working, and the configuration should be reviewed.
Report Unsuccessful Notification Attempts
When an unsuccessful notification has been attempted on a given notification channel, [Sysdig Events](/en/docs/Sysdig Monitor/Events/Event Types/#sysdig-events) are generated to warn you about it. At the fifth failed notification attempt, the notification channel will be disabled and a corresponding Sysdig Event will be generated. To view the list of Sysdig Events:
Log in to Sysdig Monitor and select Events.
On the Events page, select Sysdig from the All Types drop-down.
1.3.1.1 - Amazon SNS Notifications
Sysdig Monitor integrates easily with AWS Simple Notification Service
(SNS).
On the AWS side:
To automatically push Sysdig Monitor alerts to the SNS topic of your
choice:
From the AWS
console, open the
SNS management console
In the Create topic section, Create a new topic (if needed).
The topic’s Name, ARN, (optional) Display name, and Topic owner’s
AWS account ID are displayed in the Details section.
Select the topic on the list.
Expand Access policy - optional.
Select Basic (By default).
Under Define who can publish messages to the topic, select
Only the specified AWS accounts and enter the Sysdig Monitor
account ID: 273107874544 (US-East Only).
For on-premises environments, you may need to have pre-configured your
SMTP parameters in your
Replicated or
Kubernetes
installation configmap.
1.3.1.3 - Team Email Notifications
You can notify all the users of a team when an alert is triggered. Sysdig allows you to create a new notification channel where you can select a team from a list of existing ones as the target of the channel.
To send an alert notification via email to a team, you must first set up the team email notification channel. To do so, complete steps 1-3 in Set Up a Notification Channel, then:
Select Team Email.
Enter the relevant details for the email notification:
Select the Team Name and specify a Channel Name to identify the channel you are creating.
From Shared With drop-down, choose whether to apply this channel globally
(All Teams) or to a specific team from the drop-down.
Click Save.
If you enabled Test notification, a test email will be sent.
Have your PagerDuty credentials available (account, password, and
service).
Have the base user role of Manager. With a PagerDuty base user role of Manager, you can auto-fetch
the service information during the Sysdig/PagerDuty integration
process.
Check your team and base user permissions. If your PagerDuty team permissions are Manager but base user
permissions are Responder or lower, you can enter the necessary
data in the Sysdig UI manually.
Base user roles in the PagerDuty UI.
Configure PagerDuty
To launch the process from the Sysdig UI, complete steps 1-3 in Set
Up Notification
Channels and select
PagerDuty.
Do one of the following:
Select Auto-fetch when prompted. Ensure that you have the base user role of
Manager or higher in PagerDuty.
Select Manual and enter the necessary configuration parameter. Skip to Step 5 for details.
Once you complete the pre-configuration, the PagerDuty Integration screen is displayed.
Do one of the following:
Enter the email and password associated with your PagerDuty
account, and click Sign In.
Enter the appropriate PagerDuty subdomain for single sign-on and click
Sign In Using Your Identity Provider.
A PagerDuty service selection screen is displayed.
Option 1: If you have never integrated before, you are prompted
to choose a PagerDuty Servicename.
Option 2: If at least one service has already been integrated,
you can select that one.
Click Connect.
Once integration is authorized, the Sysdig page for a new PagerDuty
notification channel is displayed, with the information auto-filled.
From Shared With, choose whether to apply this channel globally
(All Teams) or to a specific team from the drop-down.
Do one of the following:
Confirm the auto-populated information and click Save.
If you chose Manual entry in Step 2, then type the information and
click Save.
You can now Add an
Alert
to use PagerDuty notifications.
Known Issues
There is a known issue whereby changing a notification from
“Acknowledged” to “Unacknowledged” does not update correctly in
PagerDuty.
What occurs:
Event has triggered Notification, Notification is sent to PagerDuty.
Open Event and click on “Acknowledge” button in Sysdig.
Notification is sent to PagerDuty, and status is changed to
“Acknowledged.”
Open Event and click on “UnAcknowledge” button in Sysdig.
Status is not changed in PagerDuty. It remains “Acknowledged” rather
than changing to “Triggered” in PagerDuty.
You will be prompted to log in to your Slack account.
Select a Slack channel from the drop-down list to be used for notifications and click Authorize.
Determine whether to apply this channel globally (All Teams) or to a specific team.
Complete configuration as desired and click Save.
Optionally, click Test to check if the slack notification works as expected.
You can now configure an alert to use Slack notifications.
For on-prem installations, use the Webhook method to configure a Slack notification channel by specifying the webhook URL and a unique name for the Slack channel.
Customize Notifications
The abilility to configure sections is currently available only in Monitor.
You can customize the sections that will be included in the messages sent to each configured Slack channel. This gives you the ability the fine tune the contents of Slack messages according to your preferences.
Copy/paste your OpsGenie integration API key and add a Channel Name,
Enablement, and Notification toggles as appropriate.
From Shared With: Choose whether to apply this channel globally
(All Teams) or to a specific team from the drop-down.
Click Save.
1.3.1.8 - Microsoft Teams Notifications
Sysdig Monitor supports sending an alert
notification
to Microsoft teams. Microsoft Teams has different types of integrations
for third-party applications, of which Sysdig supports Incoming
Webhooks.
About Incoming Webhooks
Incoming Webhooks are a type of Connector in Teams that provide
a simple way for an external app to share content in team channels. They
are often used as tracking and notification tools. Microsoft Teams
provides a unique URL to which you can send a JSON payload with the
message that you want to POST, typically in a card format. Cards are UI
containers that contain content and actions related to a single topic
and are a way to present message data in a consistent way.
You will need to enter the URL that you copied from the Connector.
Sysdig will format a message by using a custom card template and send it
to the channel. The message will show up as a new notification in the
Microsoft application.
Prerequisites
Have the destination URL handy. You can copy it from the
Connectors > Incoming Webhook window on the Microsoft
Teams UI. For more information, see Add an incoming webhook to a
Teams
channel.
Webhooks via HTTPS work only if a signed or valid certificate is in
use.
Enter the Prometheus Alert Manager channel configuration options:
URL: The destination URL to which notifications will be
sent.
Channel Name: Add a meaningful name, such as Prometheus channel.
Enabled: Toggle on and off notifications.
Notification options: Toggle for notifications when alerts
are resolved or acknowledged.
Test notification: Toggle to be notified that the configured
URL is working.
Shared With: Choose whether to apply this channel globally
(All Teams) or to a specific team from the drop-down.
Allow insecure connections: Enable if you want to skip the
TLS verification.
Custom headers: Add custom headers to your alert
notification. If your alertmanager channel requires additional headers you
specify them by using a custom header.
When the channel is created, you can use it on any alerts you create.
When the alert fires, the notification will be sent as a POST in JSON format to your webhook endpoint.
For testing purposes, you can use a third-party site to create a temporary endpoint to see exactly what a Sysdig alert will send in any specific notification.
Configure Custom Headers Programmatically
Alert notifications, by default, follow a standard format. However, some integrations require additional headers which you can append to the alert format by using a custom header entry.
For example, some applications uses token-based authentication, which requires an entry for the bearer token. This entry is not included in the default alert template built into Sysdig, but you can add it using a custom header.
The following example adds two custom headers:
Use the curl command to retrieve all configured notification channels:
curl -X GET https://app.sysdigcloud.com/api/notificationChannels -H 'Authorization: Bearer API-KEY'
Now that the custom API endpoint in ServiceNow is created, you can
configure Sysdig alerts to use a custom webhook to trigger the
ServiceNow integration.
API URL: your instance name URL
Name: ServiceNow (or whatever name you’d like for this Sysdig alert
webhook)
Notify when OK: Optional
Notify when Resolved: Optional
Test Notification: Use this toggle and/or set up a test alert as
described in the following section.
Test Integration
To test if this ServiceNow integration is set up and working correctly,
you can set up a test alert to trigger.
For example, you could create an alert for CPU usage:
In ServiceNow, navigate to System Log >All to see a sample
triggered webhook.
1.3.1.11 - Configure a Custom Webhook Channel
Sysdig Monitor supports using a custom webhook notification channel to send custom alert notifications to any destination. This is often useful for having Sysdig create alerts with custom tools or other webhook-based applications for which Sysdig does not yet have a native integration.
The custom webhook notification channel allows you to customize payload from within Sysdig Monitor based on alert properties by dynamically referencing alert variables and scope labels. To create the payload, Sysdig provides you with the Sysdig Templating Language that allows for variable interpolation and basic conditional logic.
The new Custom Webhook with customizable payload option is currently available only in Monitor. Sysdig Secure users can continue using the Webhook channel.
When the channel is created, you can use it on any alerts that you create.
When the alert fires, the notification will be sent as an HTTP request of the specified method in JSON format to your webhook endpoint.
For testing purposes, you can use a third-party site to create a temporary endpoint to see exactly what a Sysdig alert will send in any specific notification.
Method and Headers
HTTP Method: You can choose an HTTP method for the request to be sent.
POST: Used for the creating resources.
PUT: Used for the editing an existing resource.
PATCH: Used for partial modifying an existing resource.
DELETE: Used for deleting a resource.
Content Type: For the custom webhook channel, application/json will always be the value of the content-type header for the request, even if this header does not appear on the headers list.
Allow insecure connections: Check this option to skip TLS verification over HTTPS.
Custom headers: Add custom headers to your alert notification.
If your webhook integrations require additional headers you specify them by using a custom header.
For example, Ansible uses token-based authentication, which requires an entry for the bearer token. This entry is not included in the default header, but you can add it using a custom header, such as Authorization: Bearer mytoken. Use this component to specify suitable header names and header values.
Note that any Content type, Accept, and User-Agent header specified in this component will be discarded, as the default header value of Content-type:application/json cannot be overridden.
Payload
Editor: The custom webhook channel allows you to fully customize the JSON payload that you want to send. The content of the editor represents the request body of the HTTP call you are sending to the third-party webhook. The data must be a valid JSON document. Systems that receive webhook alerts can parse the data and take action based on the contents.
When triggered, the webhook channel allows dynamic referencing to properties of the alert and event which were created using the Sysdig Templating Language. Using the same system, basic conditional logic can also be written.
Configure Test Notification
As an alternative to sending a test notification upon creating the channel, you can also test the channel on the fly before creating it. Use the Configure Test Notification editor to do so.
In the editor, you can pick a variety of scenarios, ranging from different severity alerts to alert types, and trigger a test notification to the destination webhook URL.
Build Payloads
Use the Sysdig Templating Language to customize your payload using variable interpolation and basic conditional logic:
Reference alert variables with {{@alert_, for instance {{@alert_name}}
Reference event variables with {{@event_, for instance {{@event_state}}
Use conditional logic with {{#if_, for instance {{#if_metric_alert}}{{/if}}
Reference labels with {{@event_labels}} for all, or specifically with for instance {{@event_labels.kube_cluster_name}}
See Reference for all the allowed syntax parameters.
Any text not matching the above keywords is accepted and dynamically rendered when the alert is triggered.
For more information, browse the on-screen documentation and examples that is provided in the form of snippets next to the code editor.
Use Case: Integrate with Trello
This section helps you create a custom webhook channel and integrate with Trello. When a configured alert triggers in the channel, a new Trello card is created with information about the escalation.
Create a Trello board on your account and ensure that you create at least one list on it.
Perform the following request in order to obtain the id of one the lists existing on the board:
$ curl --request GET --url 'https://api.trello.com/1/boards/<boardId>/lists?key=<key>&token=<token>
Where boardId is the ID present on the URL in the browser when accessing the board’s main page, and key and token are the authentication requirements obtained in step 2.
Method: Make sure that you select the POST method.
Editor: Type the following content on the editor and define the structure of the card you want to create:
{"name":"Escalation: {{@alert_name}} on {{@event_labels.kube_cluster_name}}","desc":"{{@event_body}}","pos":"top"}
This snippet creates a card whose name suggests that an escalation for the given alert name is just triggered. It also informs on which cluster the incident occurred by accessing directly the kube_cluster_name variable from within event_labels. Note that in order to reference this variable, the original alert that was fired needs to group or filter by this variable.
For the description field, provide the standard Sysdig event body, which is similar to the default message produced by an email notification channel.
"pos": "top" indicates that you want this new card to be created on top.
Testing
Experiment with different testing configurations to see how the resulting card appears to the recipient.
Save
Save the channel and configure an alert that triggers on it.
Reference
Sysdig Templating Language is composed of two tipes of constructs: statements and variables.
Both of them are accessed from within {{ }} brackets, which are the only special characters in the payload that you define. Everything else is interpreted as plain text and passed along as is.
Statements
Statements allow you to perform basic conditional logic. The common use case would be sending a different alerting JSON payload in case of a high severity alert, such as:
Whenever an alert triggers on this notification channel, the template is evaluated. In the presence of a high severity alert, the following payload is sent:
{"code":"incident"}
Whereas for all other cases, the following is sent:
{"code":"warning"}
Statements thus allow for conditional rendering of different sections of the payload.
All statements
if_severity_high
Conditional statement that matches an alert that was set with high severity.
if_severity_medium
Conditional statement that matches an alert that was set with medium severity.
if_severity_low
Conditional statement that matches an alert that was set with low severity.
if_severity_info
Conditional statement that matches an alert that was set with info severity
if_metric_alert
Conditional statement that matches a metric alert.
if_downtime_alert
Conditional statement that matches a downtime alert.
if_prometheus_alert
Conditional statement that matches a prometheus alert.
if_event_alert
Conditional statement that matches an event alert.
if_anomaly_alert
Conditional statement that matches an anomaly detection alert.
if_outlier_alert
Conditional statement that matches an outlier alert.
if_resolved_event
Conditional statement that matches an event which has been resolved.
if_main_threshold
Conditional statement that matches an event triggered on a main alert threshold.
if_warning_threshold
Conditional statement that matches an event triggered on a warning alert threshold.
Variables
Variables allow you to access alert and event properties. These are dynamically substituted upon rendering with the underlying properties of the configured alert or triggered event.
Variables of type string are automatically escaped, but enclose them in quotes in order to generate a valid JSON payload.
Alert Variables
alert_id
Type: Number.
The auto-generated unique alert identifier.
Example: 1.
alert_name
Type: String.
The configured alert name.
Example: High CPU Usage alert
alert_description
Type: String.
The configured alert description.
Example: Alert for when cpu load goes over 75%.
alert_scope
Type: String.
The configured alert scope.
Example: kube_pod_name in ('backend-api')
alert_severity
Type: String.
The configured alert severity label.
Possible values: HIGH, MEDIUM, LOW, NONE.
Example: HIGH.
alert_group_by
Type: JSON String Array.
A JSON String array with all the labels on which the alert has been grouped by.
Possible values: MAIN for main condition triggering events, WARNING for warning condition triggering events.
1.3.1.12 - Configure a Webhook Channel
Sysdig Secure supports sending an alert notification to a destination, such as a website, custom application, and so on for which Sysdig does not have a native integration. Do this using a Webhook channel.
The new Custom Webhook with customizable payload option is currently available only in Monitor.
Prerequisites
Webhooks via HTTPS only work if a signed/valid certificate is in
use.
URL: The destination URL to which notifications will be
sent.
Channel Name: Add a meaningful name, such as Ansible,
PagerDuty, OpsGenie, and so on.
Enabled: Toggle on and off notifications.
Notification options: Toggle for notifications when alerts
are resolved or acknowledged.
Test notification: Toggle to be notified that the configured
URL is working.
Shared With: Choose whether to apply this channel globally
(All Teams) or to a specific team from the drop-down.
Allow insecure connections: Enable if you want to skip the
TLS verification.
Custom headers: Add custom headers to your alert
notification.
If your webhook integrations require additional headers you
specify them by using a custom header.
For example, Ansible uses token-based authentication, which
requires an entry for the bearer token. This entry is not
included in the default header, but you can add it using a
custom header.
Custom Data: Specify the custom data you want to attach to
the alert notification. The data must be a valid JSON document.
This information will be included in the request body of the
HTTP call. Systems that receive these webhook alerts can parse
the data and take action based on the contents.
Click Save.
When the channel is created, you can use it on any
alerts
you create.
Then, when the alert fires, the notification will be sent as a POST in
JSON format to your webhook endpoint. (See Alert Output, below.)
For testing purposes, you can use a third-party site to create a
temporary endpoint to see exactly what a Sysdig alert will send in any
specific notification.
Configure Custom Headers and Custom Data Programmatically
By default, alert notifications follow a standard format (see
Description of POST Data, below).
However, some integrations require additional headers and/or data, which
you can append to the alert format using a custom header or custom data
entry.
For example, Ansible uses token-based authentication, which requires an
entry for the bearer token. This entry is not included in the default
alert template built into Sysdig, but you can add it using a custom
header.
In addition to the Webhook UI
option,
you can do this from the command line, as described below.
additionalHeaders is usually used for authentication
customData is used to add values to the alert
After it has been created via the API, any manipulation will mangle the
notification channel. Use with care.
Sample Use Case
This example adds two custom headers and defines additional custom data,
as well as the format for that data.
Use the curl command to retrieve all configured notification
channels:
curl -X GET https://app.sysdigcloud.com/api/notificationChannels -H 'Authorization:Bearer API-KEY'
Alerts that use a custom webhook for notification send a JSON-format
with the following data.
Description of POST Data
{"timestamp": 1620222000000000,// Time when the alert triggered in microseconds"timespan": 60000000,// duration of the alert in microseconds (how long the value should be true before triggering)"alert": {"severity": 2,// severity from 0 to 7, use severityLabel for a human readable version"editUrl": "https://app-staging.sysdigcloud.com/#/alerts/21998727",// alert edit URL"severityLabel": "Medium",// human readable version of severity"subject": "CPU temp is High on homebridge:9100 is Triggered",// Alert subject"scope": null,// scope of the alert if set from the UI"name": "CPU temp is High",// name of the alert"description": null,// description, not used ATM"id": 21998727,// alert id"body": "CPU temp is High on homebridge:9100 is Triggered\n\n\nEvent Generated:\n\nSeverity: Medium\n Metric:\n node_hwmon_temp_celsius = 65.8121\nSegment:\n instance = 'homebridge:9100'\nScope:\n Everywhere\n\nTime: 05/05/2021 01:40 PM UTC\nState: Triggered\nNotification URL: https://app-staging.sysdigcloud.com/#/events/notifications/l:2419200/14918845/details\n\n------\n\nTriggered by Alert:\n\nName: CPU temp is High\nTeam: Monitor Operations\nScope:\n Everywhere\nSegment by: instance\nWhen: avg(avg(node_hwmon_temp_celsius)) > 40\nFor at least: 1 m\nAlert URL: https://app-staging.sysdigcloud.com/#/alerts/21998727\n\n\n"},"event": {"id": 14918845,// id of the generated event"url": "https://app-staging.sysdigcloud.com/#/events/notifications/l:604800/14918845/details"// url of the event in the feed},"state": "ACTIVE",// status of the alert, can be ACTIVE or OK"resolved": true,"entities": [// list of entities that triggered the alert, at the moment we send a notification per entity, so this array will always contain a single object{"entity": "instance = 'homebridge:9100'",// segment that triggered"metricValues": [// value of the metric at the time of triggering{"metric": "node_hwmon_temp_celsius","aggregation": "avg","groupAggregation": "avg","value": 65.812167}]}],"endEntities": [// list of entities when the alert was resolved (same as "entities"){"entity": "instance = 'homebridge:9100'","metricValues": [{"metric": "node_hwmon_temp_celsius","aggregation": "avg","groupAggregation": "avg","value": 39.812167}]}],"condition": "avg(avg(node_hwmon_temp_celsius)) > 40",// alert condition in string form"source": "Sysdig Cloud",// source of the event"labels": {// list of labels associated to this event (they strongly depend on the segmentation and scope of the alert)"instance": "homebridge:9100"}}
Example of Failure
$ curl -X GET https://app.sysdigcloud.com/api/notificationChannels -H 'authorization:Bearer dc1a42cc-2a5a-4661-b4d9-4ba835fxxxxx'{"timestamp":1543419336542,"status":401,"error":"Unauthorized","message":"Bad credentials","path":"/api/notificationChannels"}
Example of Success
$ curl -X GET https://app.sysdigcloud.com/api/notificationChannels -H 'Authorization:Bearer dc1a42cc-2a5a-4661-b4d9-4ba835fxxxxx'{"notificationChannels":[{"id":18968,"version":2,"createdOn":1543418691000,"modifiedOn":1543419020000,"type":"WEBHOOK","enabled":true,"sendTestNotification":false,"name":"robin-webhook-test","options":{"notifyOnOk":true,"url":"https://postb.in/6dtwzz7l","notifyOnResolve":true}}]}$
The webhook feature is used to integrate the following channels:
Sysdig Monitor allows you to send alerts to Google Chat using webhook integration. For example, you can configure an alert to notify on-call personnel on Google Chat when a Kubernetes cluster in your infrastructure goes down.
You require a Google Workspace account with access to Google Chat in order to integrate Sysdig Monitor webhook with Google Chat service.
Configure Google Chat:
To automatically push Sysdig Monitor alerts to the Google Chat, register the web hook in the Google Chat space you want to receive messages, then copy the URL:
Shared With: Choose whether to apply this channel globally
(All Teams) or to a specific team from the drop-down.
Click Save.
1.3.1.14 - Configure IBM Cloud Functions Channel
Sysdig supports automatically sending alert notifications to an IBM
Cloud
Functions
Channel. You generally use it for the following use cases.
Configure an IBM Functions as a new notification channel in Sysdig
Monitor.
Pass extra parameters to IBM Functions.
Modify an IBM Functions.
Delete an IBM Functions.
The following notification channel types are supported:
Public (with or without X-Require-Whisk-Auth header)
Private (using IAM token)
To configure IBM Cloud Functions Channel:
Log in to the Sysdig UI and select IBM Cloud Functions Channel
by completing steps 1-3 as described in Set Up a Notification
Channel.
Specify the channel URL.
You can specify one of the following channel types.
Public: The public channels are of type IBM Web
Action.
They require no authentication and can be used to implement HTTP
handlers that respond with headers, status code, and body
content of different types.
Channel Name: A unique name to identify the channel.
Enable the channel and desired notification types:
Enabled: The toggle button to enable or disable the IBM
channel.
Notify when Resolved: Send a new notification when the alert
condition is no longer triggered. Enable or disable the
notification toggle as appropriate.
Notify when Acknowledged: Send a new notification when the
alert is manually acknowledged by a user. Enable or disable the
notification toggle as appropriate.
Test notification: Send a notification when the changes are
saved. Enable or disable the notification toggle as appropriate.
Shared With: Choose whether to apply this channel globally (All
Teams) or to a specific team from the drop-down.
Additional Parameters: Specify optional parameters to pass to
the function. For example, name: jane is passed to the action as
{name: "Jane"}.
Configure a Public Channel
Specify the following:
Whisk Auth Token (optional): Optionally provide the Whisk
authentication token. If you specify one, the public channel (web
action) can only be invoked by requests that provide appropriate
authentication credentials. See Securing web
actions
for more details.
Channel Name: A unique name to identify the channel.
Enable the channel and desired notification types:
Enabled: The toggle button to enable or disable the IBM
channel.
Notify when Resolved: Send a new notification when the alert
condition is no longer triggered. Enable or disable the
notification toggle as appropriate.
Notify when Acknowledged: Send a new notification when the
alert is manually acknowledged by a user. Enable or disable the
notification toggle as appropriate.
Test notification: Send a notification when the changes are
saved. Enable or disable the notification toggle as appropriate.
Shared With: Choose whether to apply this channel globally (All
Teams) or to a specific team from the drop-down.
Additional Parameters: Specify optional parameters to pass to
the function. For example, hostname: BLR is passed to the action
as {hostname: "BLR"}. The URL would be
/demo/hello.http?hostname=BLR.
1.3.2 - Disable or Delete a Notification Channel
Temporarily Disable a Notification Channel
To temporarily disable a notification channel:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Notification Channels.
Toggle the Enabled slider to off.
Mute Notifications During Downtime
Administrators can choose to turn off all alert events and notifications
if desired, for example, during a scheduled system downtime.
Muting notifications affects all channels globally. When muting is
switched on, no notifications will be sent through any configured
channel. You can choose whether to notify specific channels that
notifications are temporarily disabled. Muting and re-enabling
notifications is a MANUAL process.
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Notification Channels.
Select the Downtime toggle.
Optional: check the Yes box to Notify Channels when
prompted, and select the desired channels.
At this time, only Email and Slack channels can be notified when
downtime is started/stopped.
Delete a Notification Channel
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Notification Channels.
Select the three dots next to a created channel and click
Delete Channel.
Configure an Alert Start-Up Delay (On-Premises Only)
Sysdig alert jobs begin immediately at start-up. However, in instances
where Sysdig goes down unexpectedly, or without proper shutdown/startup
procedures implemented, data can be missing, triggering alert
notifications.
A start-up delay in alert jobs can be configured in on-premises
environments, by setting the draios.alerts.startupDelay parameter. The
parameter requires a duration value; the example below shows a duration
of 10 minutes:
draios.alerts.startupDelay=10m
This parameter can be configured for either Replicated or Kubernetes
environments:
For Replicated environments, add the parameter to the Sysdig
application JVM options list. For more information, refer to the
Sysdig Install with
Replicated
documentation.
For Kubernetes environments, add the parameter to the
**sysdigcloud.jvm.worker.options **parameter in the configmap.
For more information on editing the configmap refer to the
On-Premises
Installation
documentation.
1.3.3 - Troubleshooting Notification Channels
Sysdig will notify you when a notification channel is failing and is unable to deliver notifications.
These will be sent via two mediums:
Internal Event
Email
The message will include details of why the channel is failing.
After 5 failed attempts, the notification channel will be automatically disabled.
What Causes a Notification Failure?
Notification failure occurs when the system attempts to deliver a notification and receives any 4xx HTTP errors, with the exception of the following: 409 CONFLICT, 408 TIMEOUT, 423 LOCKED, 429 TOO MANY REQUESTS.
Mediums
Email
You will receive a delivery failure notice via an email titled, “Warning: Notification attempt [Attempt #] of 5 through channel [Channel Name] failed”, will be sent to all the admins users.
Internal Event
1.4 - AWS: Integrate AWS Account and CloudWatch Metrics (Optional)
When the Sysdig agent is installed in an AWS environment, the Sysdig
Platform can collect both general metadata and various types of
CloudWatch metrics.
Here are the different ways to integrate an AWS account into Sysdig:
By manually entering an AWS access key and secret key, and manually
managing/rotating them as needed
By passing a parameter that allows Sysdig to autodetect an AWS ECS
role and its permissions, passing an “implicit key” (On-Prem only).
The implicit option requires no manual key rotation as AWS handles
those permissions behind the scenes.
Using AWS Role
delegation. Role
delegation is an alternative to the existing integration methods
using the access keys. This method is considered secure as sharing
developer access keys with third-parties is not recommended by
Amazon.
The Sysdig Monitor UI includes links to help easily integrate CloudWatch
metrics into Sysdig Monitor, as described below.
After integrating with an AWS account, data will become visible in the
Sysdig UI after a 10-15 minute delay.
Entry Point in the Sysdig UI
The Sysdig interface prompts you to perform this integration from the
administrator’s Settings menu.
Access from the Settings Menu
Once an agent has been installed, log in to Sysdig Monitor or Sysdig
Secure as administrator to perform integration steps or review/modify
existing AWS settings.
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the user menu.
Choose AWS Accounts.
A page showing manual key integration, with access key and secret
key fields displayed.
NOTE: If there is no AWS integration yet then click on ADD and
provide the access key and secret key.
Integrate AWS Account Manually
Have your AWS EC2 account details available. Integration begins on the
AWS side and is completed in the Sysdig Monitor UI.
In AWS
Create an IAM Policy for Sysdig Access
You could use the existing IAMReadOnly policy instead, but creating a
Sysdig-specific policy provides more granular access control, the
activity can be easily distinguished in CloudTrail, and it is considered
best practice.
In AWS, select IAM and create a policy to be used for Sysdig.
(Sample policy name: SysdigMonitorPolicy.)
Select ‘Attach existing policies directly’, search for and then
select the newly created policy (Sample policy name:
SysdigMonitorPolicy.)
Select ‘Create User’ option.
Copy and save the resulting access key and secret key (Note: the
Secret is only displayed once, so make sure to download the
credentials file or store the key securely that you can reference
again.)
In the Sysdig Monitor UI
Enter the Access and Secret Key
Log in to Sysdig Monitor or Sysdig Secure as the administrator and
select Settings from the user menu.
Select AWS.
Add an account by entering the User Access Key and
Secret Key, then clicking Save.
The credentials will be listed with a Status of OK checked.
Should an Error occur, double-check the credentials entered.
Mis-typing is the most common cause of errors.
Enable CloudWatch Integration
Navigate to the AWS page in the Sysdig Monitor UI, if you are
not already there.
Toggle the CloudWatch Integration Status to Enabled.
Sysdig Monitor will poll the CloudWatch API every five minutes. Note
that this incurs additional charges from AWS.
After integrating with an AWS account, data will become visible in the
Sysdig UI after a 10-15 minute delay.
Refetch Credentials
If the integrated AWS account changes on the AWS side, an Error will
be listed in the Credentials Status on the Settings > AWS page.
Use the Refetch Now button to re-establish the integration.
Integrate AWS Account Using the Implicit Key (On-Prem Only)
If Sysdig is installed in an EC2 instance, you can take advantage of the
existing EC2 IAM role of that instance. This can simplify
administration, as you do not have to manually rotate public and private
keys provided to the Sysdig backend.
Use Implicit Key
Prerequisites
Have your on-premises Sysdig platform installed in an AWS EC2 instance
that has a proper IAM role.
For this option, you cannot use the AWS Integration step in the Welcome
Wizard.
To enable implicit key, you must set the following parameter:
-Ddraios.providers.aws.implicitProvider=true
Use the parameter either during initial installation, or, if you already
entered keys manually, to switch to an implicit key.
If switching, you must then restart the api, worker, and collector
components in the backend.
In the Settings > AWS page, the former credentials will be overwritten
it will show implicit key.
Enablement steps depend on whether you are using Kubernetes or
Replicated as your orchestrator.
Kubernetes
Edit the config.yaml to add to the following entries (in the
Data section of config.yaml):
Sysdig is designed to collect metadata for particular AWS services,
which are reflected in the IAM policy
code.
The services are:
DynamoDB
EC2 hosts
ECS
Elasticache
RDS
SQS
When you implement the code and integration steps as described above, it
will trigger two types of collection: first the metadata for each
service is collected, and then Sysdig will poll for the metrics about
the metadata returned. So, if the service is not enabled in your
environment, no metadata (and no metrics) are collected about it. If it
is enabled, but you do not want to poll metrics, then delete the lines
of code related to that service from the IAM policy. This will avoid
potential unwanted AWS API requests and potential AWS charges.
Security Groups
If you have an on-premises Sysdig Backend, and have restricted outbound
security groups, you may need to allow HTTPS & DNS access in order for
the Sysdig Backend components to make connection to the Amazon APIs. As
Amazon API endpoints are referenced by name and have a large number of
IP’s, this may need to be full 0.0.0.0/0 outbound access for HTTPS &
DNS.
Retrieving CloudWatch Data for Particular AWS Regions
To enable metrics collection from only certain AWS regions in your
environment, it is necessary to open a ticket with Sysdig Support. See
Contact Support for
details.
Related Information
For information on the resulting AWS services visible in Sysdig Monitor,
see the AWS-related information in the Metrics Dictionary
(also available from within the Sysdig Monitor UI).
Create a Sysdig-specific IAM policy to be used for granting programmatic access to Sysdig. Copy the code snippet and paste into this policy. It enables Sysdig to collect metadata and CloudWatch metrics from the services.
CloudWatch Metric Streams
Sysdig requires additional permissions to collect additional metadata from and display the correct status for the AWS CloudWatch Metric Stream integration. If you are setting up CloudWatch Metric Steams manually and you prefer authenticating using the access keys, use the following policy:
Creating a Sysdig-specific IAM policy enables Sysdig to collect metadata and
CloudWatch metrics from the following services, as applicable to your
environment:
This section describes how to configure Sysdig Monitor to utilize the
Amazon Web Service (AWS) AssumeRole functionality and authorize Sysdig
Monitor to discover cloud assets, grab CloudWatch metrics from your AWS
account, and utilize custom S3 bucket for storing captures. Upon
integrating with an AWS role, you can delegate access to AWS resources
that are not associated with your Sysdig AWS account.
Setting up cross-account access through roles eliminates the need to
create individual IAM users in each account. In addition, users don’t
have to sign out of one account and sign in to another in order to
access resources in different AWS accounts.
Role delegation is an alternative to the existing integration method
using the access keys. This method is considered secure as sharing
developer access keys with third-parties is not recommended by Amazon.
Prerequisites and Guidelines
This topic assumes that you have the following ready and you are
familiar with AWS.
API endpoint. In this topic, it is referred to as {{host}}
SaaS: See SaaS Regions and IP
Ranges and identify
the correct domain URL associated with your Sysdig application
and region. For example, in US East, the endpoints are:
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysdig
application is hosted. For example, for Sysdig Monitor in the
EU, you use
https://eu1.app.sysdig.com.
On-Prem: Depends on the on-prem deployment.
Administrator privileges to configure AWS integration
API client. Examples in this topic use curl
AWS account ID
SaaS: The default AWS account ID is 273107874544 (US East
region). For other regions, check AWS account
IDs .
On-Prem: Customer-specific.
Enable AWS Role Delegation with API
This section describes how to enable AWS role delegation using an API.
If a policy has already been created, search for it on this page
and select it, then skip to step. Otherwise, click Create
Policy, which opens in a new window.
Click Review policy.
Name the policy and provide an apt description. For example,
sysdig_cloudwatch.
Click Create Policy.
You can now close this window.
In the Create role window, refresh the list of policies and
select the policies you just created.
Click Next: Review.
Give the role a name and an apt description. For example,
sysdig_role.
Click Create Role.
Get Role ARN
Select Roles > sysdig-role.
Copy Role ARN.
Add the AWS Account
Using the role that you have created, add an AWS account on the Sysdig
Monitor side. Use the following API call:
Expose variables in deployment descriptors (sysdigcloud-collector,
sysdigcloud-worker, sysdigcloud-api) and reference values in the
newly created secret:
Add variables to descriptors on each platform update until new
variables are part of the installer.
Set Up Resource Discovery
The supported AWS are EC2, RDS, Elastic Load Balancer (ELB),
ElastiCache, SQS, DynamoDB, and Application Load Balancer (ALB).
By default, all the resources are fetched for all regions supported by
AWS. You can avoid this by whitelisting regions when creating a provider
key via the API. Example body of the provider key request when
whitelisting regions:
Use the AWS option in the Settings menu to configure AWS role
delegation.
Log in to the Sysdig Monitor as an administrator
Do one of the following:
Select Integrations > AWS CloudWatch.
From the user menu, select Settings > AWS.
The AWS Account page is displayed.
Click Add Accounts.
The Identity Authentication page opens to the Role Delegation
tab.
Specify the following:
Role ARN: The Role ARN associated with the role you have
created for role delegation. The ID is available on the summary
page of the role on the AWS console. For more information, see
Integrate with AWS Role
Delegation.
AWS External ID: Ensure that AWS External ID is displayed on
the page.
The Sysdig Capture feature
allows you to record detailed system trace data via remote connection
from any of your agent-installed hosts. In SaaS installations, by
default, this data will be stored on Sysdig’s secure Amazon S3 storage
location. This location will have a separate partition for your account.
In on-premises installations, by default, the data will be stored in the
Cassandra database.
The Rapid Response feature requires a custom AWS or S3-compatible bucket to be configured, for both on-prem and SaaS users.
For SaaS Users with Sysdig Secure Only
If your Sysdig license does not include Sysdig Monitor, please contact Sysdig Support for assistance creating a custom S3 bucket for rapid response logs.
This page describes two custom alternatives: using an AWS S3 bucket
(available for SaaS and on-prem) and using custom S3 storage.
if Google Cloud Storage is used as the S3 compatible storage, you will
not be able to bulk delete captures due to compatibility issues with
Google’s S3 API implementation. You can delete captures one by one or
delete them directly from the Google console.
Configure AWS S3 Storage
To configure this option, use the fields provided by Sysdig Settings UI
and then append some code to the IAM Policy you created in AWS for
Sysdig integration.
Prerequisites
Your AWS account must be integrated with Sysdig, but the CloudWatch
feature is not required to be enabled.
To use your own AWS S3 bucket to store Sysdig capture files, append
the following code snippets to the **AWS Identity and Access
Management (IAM) **page.
If you are using AWS KMS for AWS S3 encryption, ensure that
necessary privileges are given to the Sysdig Account or Role to use
the custom key.
Use the Key users option to do so:
In the Sysdig UI
Log in as an Administrator to Sysdig Monitor or Sysdig Secure.
From the user menu in the lower-left navigation, do one of the following:
Select Integrations > Capture Storage.
Select Settings > Capture Storage.
Enable the **Use a custom S3 bucket**toggle and enter your AWS
S3 bucket name.
To Test: Capture a Trace File in Sysdig Monitor UI
When enabled, you will have the option to select between “Sysdig Monitor
Storage” or your own storage bucket when configuring a file capture. See
Create a Sysdig Capture
File.
(SaaS) Configure Custom S3 Storage Endpoint
You can set up a custom Amazon-S3-compatible storage, such
as Minio or IBM Cloud Object Storage, for storing Captures in a Sysdig
SaaS deployment. The capture storage location can be used for both
Sysdig Monitor and Sysdig Secure. This is an API-only functionality and
currently, no UI support is available.
The following APIs are supported for this functionality:
List existing AWS integrations
Create a new AWS integration
Update an existing AWS integration
Configure storage configuration
Prerequisites
Ensure that the feature is enabled for your account.
Use the access key and secret as the credentials.
Configure a new AWS integration. Set the skipFetch field to
true. This will cause the AWS integration to ignore fetching data
from this account. Therefore, both the AWS metadata and AWS
CloudWatch will not be fetched and you can use this storage
exclusively for Sysdig Capture.
Configure the storage interface with the new account, by specifying
the AWS integration ID to use to authenticate the endpoint, bucket
name, and the path specified in the bucket.
Limitation
The AWS account ID is currently shown as null on the UI.
List Existing AWS Integration
The API returns the list of configured AWS integrations.
REST Resource: Providers
GET {{host}}/api/providersAuthorization:Bearer {{API_Token}}
Response Parameters
Field
Response
id
String
The unique identifier of the integration.
name
String
The name of the integration and by default is set to aws.
credentials
String
The dictionary containing the information about how Sysdig authenticates to AWS:
id: The AWS access key ID.
role : The AWS Role if role-based authentication is used.
skipFetch
Boolean
true : The account will be used only for configuring storage. In this case, it will not fetch AWS metadata and CloudWatch metrics.
false: The account will be used only for fetching AWS metadata and CloudWatch metrics.
status
String
Status denotes the status of the integration.
accountId
String
The unique identifier of the AWS account. The value will be null if you are using AWS-compatible storage.
POST {{host}}/api/providerscontent-type:application/jsonAuthorization:Bearer {{API_Token}}{"name":"aws","skipFetch": false,"credentials": {"id":"<AWS_Access_Key_ID>","role":null,"key":"<AWS_SecretKey>"}}
Request Parameters
Field
Description
name
String
The name of the integration and by default is set to aws.
skipFetch
Boolean
false: The account will be used only for fetching AWS metadata and CloudWatch metrics.
true : The account will be used only for configuring storage. In this case, it will not fetch AWS metadata and CloudWatch metrics.
credentials
The dictionary containing the information about how Sysdig authenticates to AWS:
id: The AWS access key ID.
role: The AWS Role if role-based authentication is used.
key: The secret associated with the account.
Update Custom Storage Settings
To update existing storage settings, perform a PUT HTTP call to the
endpoint as follows:
REST Resource: Settings
PUT {{host}}/api/sysdig/settingscontent-type:application/jsonAuthorization:Bearer {{API_Token}}{"enabled":true,"buckets":[{"folder":"/folder1/folder2","name":"bucketName","providerKeyId": 3,"endpoint": "http://127.0.0.1:9009"}]}
Request Parameters
Field
Description
enabled
Boolean
Indicates whether the custom storage is configured.
If the value is false, Sysdig-provided storage is used.
buckets
Returns the list of buckets that you can set. Currently, only one bucket is supported.
folder: The bucket path where the captures will be stored.
name: The unique bucket name.
providerKeyId: The unique ID of the AWS or compatible provider to be used to configure storage. Currently, only one bucket can be configured at a time.
endpoint: The endpoint of the provider. It is configured only if you wish to set AWS compatible and is automatically set for AWS.
For a full list of endpoints, please refer to the relevant provider documentation.
(On-Prem) Configure Custom S3 Endpoint
You can set up a custom Amazon-S3-compatible storage, such as
Minio or IBM Cloud Object
Storage, for storing Captures
in a Sysdig on-premises deployment. The capture storage location can be
used for both Sysdig Monitor and Sysdig Secure. This is an API-only
functionality and currently, no UI support is available.
You must configure values.yaml corresponding to your Sysdig
installation in order for this configuration to work.
Prerequisites
Your on-premise installation is
Installer-based. If
you have installed Sysdig Platform manually and you want to
configure custom S3 buckets to store your capture files, contact
your Sysdig representative.
Ensure that AWS-client compatible credentials used for
authentication are present in the environment.
Ensure that the list, get, and put operations are functional on the
S3 bucket that you wish to use. Confirm this by using the S3 native
tools, for example, as described in AWS
CLI
for IBM Cloud.
Configure Installer
Configure the following parameters in the values.yaml file so that
collectors, workers, and the API server are aware of the custom endpoint
configuration.
sysdig.s3.enabled
Required:trueDescription:Specifies if storing Sysdig Captures in S3 or S3-compatible storage is enabled or not.Options:true|falseDefault:false
For example:
sysdig:s3:enabled:true
sysdig.s3.endpoint
Required:trueDescription:The S3 or S3-compatible endpoint for the bucket. This option is ignored if sysdig.s3.enabled is not configured.
Required:falseDescription:Name of the folder in S3 bucket to be used for storing captures, this option is ignored if sysdig.s3.enabled is not configured.
For example:
sysdig:s3:capturesFolder:my_captures_folder
The path to the capture folder in the S3 bucket will be {customerId}/{my_captures_folder}. For on-prem deployments, the customerID is 1. If finance is your capture folder, the path to the folder in the S3 bucket will be 1/finance.
sysdig.s3.bucketName
Required:trueDescription:The name of the S3 or S3-compatible bucket to be used for captures. This option is ignored if sysdig.s3.enabled is not configured
For example:
sysdig:s3:bucketName:<Name of the S3-compatible bucket to be used for captures>
sysdig.accessKey
Required:trueDescription:The AWS or AWS-compatible access key to be used by Sysdig components to write captures in the S3 bucket.
For example:
sysdig:accessKey:<AWS-compatible access key>
sysdig.secretKey
Required:trueDescription:The AWS or AWS-compatible secret key to be used by Sysdig components to write captures in the s3 bucket.
For example:
sysdig:secretKey:<AWS-compatible secret key>
For example, the following AWS CLI command uploads a Sysdig Capture file
to a Minio bucket:
In this example, the endpoint is http://10.101.140.1:9000/ and the
name of the bucket is test.
When you finish the S3 configuration, continue with the instructions on
on-premise installation by using the
Installer.
1.6 - Find Your Customer ID and Name
SaaS customers of Sysdig can be identified by a unique customer number
and name, provided by email when the Sysdig environment is first
provisioned. While it is generally unnecessary to know the customer
number and it is not prominently displayed in the user interface, some
configuration settings may require it.
For on-premises environments, the customer ID will typically be 1.
On the UI
To retrieve the customer ID:
Log into the Sysdig interface.
Select one of the following from the user menu:
Authentication (SSO)
Settings > Authentication.
The Authentication section lists the Customer ID and Customer
Name associated with your account.
Using the API
To retrieve the customer ID:
Log into the Sysdig interface.
Navigate to the URL endpoint /api/user/me?_product=SDC.
E.g. https://app.sysdigcloud.com/api/user/me?_product=SDC
The JSON file contents are displayed in the browser.
Find the customer:id portion of the JSON to determine the customer
ID and name:
1.7 - Agent Installation: Overview and Key
The Agent Installation page provides a shortcut for copy/pasting the
necessary code lines for different flavors of agent installation.
You can also retrieve the agent access key (copy/paste).
This page can be hidden from non-admins if administrators choose. See
also Change Admin Settings in the User
Profile page.
Retrieve the Agent Access Key
To retrieve the key or use the agent install code snippets:
Log in to Sysdig Monitor or Sysdig Secure as an administrator.
Select one of the following:
Integrations > Agent Installation.
Settings > Agent Installation.
Choose Agent Installation.
Optional: Use the Copy button to copy the access key at the top
of the page.
Optional: Review and use the sample code to install an agent, as
listed.
1.8 - Subscription
Try all of Sysdig’s features for free; when you are ready to upgrade, contact Sysdig sales.
For one single account in one cloud region (ex.: AWS in eu-west-3)
Manage cloud posture with a daily run of CIS Benchmarks
Detect threats with out-of-the-box CloudTrail detection rules based
on Falco
Scan up to 250 images a month, both pushed into your cloud registry/repository or supported compute types.
30-Day Trial
Test all the features of Sysdig Monitor and/or Sysdig Secure with the
free 30-day trial. After 30 days, your account will be disabled and you can contact Sysdig
sales to upgrade to an Enterprise license.
For Sysdig Secure for cloud
, the default config can audit a maximum of 50 cloud accounts. If this limit needs to be increased, please contact your account team. If you exceed the license purchased, Sysdig will not block cloud connection or stop the service and the account team will reach out to you.
Enterprise Tier
You can license Sysdig Secure, Sysdig Monitor, or both (Sysdig
Platform). For details, see https://sysdig.com/pricing/.
Review Current Subscription
Log on as Administrator to Sysdig Monitor or Sysdig Secure.
From the Selector button in the left-hand navigation, choose
Settings > Subscription.
Your current plan details are displayed.
You can license each of these elements independently:
Sysdig agents (host agents)
Cloud accounts (Secure only, see also: Data
Sources)
Fargate tasks/serverless agents (Secure only, see also
Serverless Agents)
The number of licenses purchased has the following effects on how Sysdig
is used:
The agent count defines the maximum number of connected host
agents you can deploy. E.g if you purchase 100 licenses, you can
install 100 agents.
In AWS Service Monitoring powered by Cloudwatch, it also
determines the number of AWS objects that can be viewed in the
Sysdig Monitor Dashboards (unrelated to the number of agents
actually installed). In other words, if you have 100 licenses
purchased, you can only see 100 AWS objects per region, per
service type.
Fargate Tasks using Sysdig Serverless Agents: Defines the
number of serverless agents connected to Sysdig backend.
Cloud accounts- licensed number: Number of cloud accounts you
can connect to Sysdig backend.
About Host Agent Licenses
Reserved vs On-Demand Agents
The distinction between reserved and on-demand agents is financial, not
technical; when on-demand agents are used they perform exactly like
reserved agents.
Reserved Agents
Reserved agents are dedicated agents that are provisioned for a user
regardless of usage. You can purchase reserved agents on a monthly or
annual basis. As a Sysdig SaaS account administrator, you can increase
your reserved agents at any time from within the Sysdig application.
On-Demand Agents
On-demand agents are for short-term use and you pay only for what you
use at an hourly rate. You have the ability to add and control on-demand
agents. For example, an organization might schedule scale testing for
two days and license an extra 500 on-demand agents for that time frame.
In the Sysdig application, use the Customize Your Plan >
Enable On-demand Agents option on the
Subscription page to add
or remove agents. There is a hard limit of 500 agents for any account.
If the total of reserved and on-demand exceeds this limit, you will not
be able to purchase additional agents. On-demand agents are available
only in Sysdig SaaS applications.
Connect Agents to the Backend
The Sysdig platform uses a concurrent licensing model in determining
when to allow an installed agent to connect to the back-end servers and
report on host metrics. This means you can install Sysdig agents onto
any number of instances. However, only the licensed number of agents
will be allowed to connect and send metrics for recording and reporting.
Agents connect on a “first-come, first-served” basis and in the event of
an over-subscription (more agents wanting to communicate than are
licensed) they will attempt to reconnect on a periodic basis. Once an
existing communicating instance goes down and disconnects, the next
agent attempting to connect will be allowed in.
To avoid having agents refused connection due to over-subscription,
monitor the number of established and allowed connections. To see how
many licenses are in use, see the Settings > Subscription page.
Use this information to either purchase additional license capacity from
the UI, or to shut down lower-priority agents via normal orchestration
and system administration means.
Technical Details
Multiple Installs: An agent is essentially an “install” of the
software. If your system changes external IP addresses, or if you shut
down a VM image and bring it back up elsewhere, this will remain the
same agent connection. However, identical installs that are
simultaneously sending data (usually an accident) will be considered two
connections. A MAC address is used to identify a host for licensing
purposes.
Time Lag for License Release: When shutting down a host for any
reason, the agent’s license will not be immediately released. This
permits the agent to retain its licensing slot for short outages or a
reboot. The time-out interval can take up to 20 minutes, and if the
connection has not been re-established within the interval the license
will be released for use by the next host waiting to connect.
Sysdig Monitor allows you to consume and store custom metrics through a flexible and cost-effective Time Series Billing model aligned with your usage. With an enhanced billing experience, you can view your time-series consumption at a glance, analyze trends, and change subscription plans if need be.
Use the Sysdig Subscription page to view your account licensing, usage,
and spending. Based on your current subscription tier, time-series usage,
and the number of active agents, you can estimate your Sysdig time series
consumption costs and take further actions. Time Series Billing works only
in SaaS environments and is not currently available in on-prem environments.
Benefits of Time Series Billing
Flexible time series billing allows you to consume as much time series as is
necessary for your environment. Time series billing is applicable to “custom” time series, ingested via the following means:
Custom time series ingested through the Sysdig
agent
Including time series ingested from applications Monitoring Integrations, for example NGINX and Redis.
For more information understanding and controlling metric usage, including
dropping time series that is not required see Control Time Series
Ingestion.
Billing Custom Time Series
Sysdig calculates the time series ingestion overage price in the following way:
Total custom time series consumption is metered for each hour.
The consumption is compared against the custom time series entitlement for that hour, based on the subscription.
The custom time series ingestion overage for the hour is calculated as the difference between the total hourly consumption and the entitlement.
Each calendar month’s bill is calculated based on the 95th percentile of all hourly time series ingestion overages during that month.
Consuming Custom Time Series
Sysdig meters the following types of custom metrics ingested by the Sysdig agent:
Prometheus (including Monitor Integrations and custom Prometheus jobs)
JMX
App Checks
statsd
In addition, all metrics and metadata ingested via Prometheus Remote Write
and cloud platform metrics are metered against custom time series.
Metrics which do not fall into one of the above categories, such Kube State
Metrics (KSM) and container metrics, are not considered custom metrics and thus not counted
against custom time series entitlements.
Time Series Entitlement
Custom time series consumption is calculated against the reserved time
series included as an entitlement with your subscription. The basic Sysdig Monitor
plan includes a 2,000 time series entitlement per agent per hour. You can purchase
more by adding on-demand
agents
or time series packs.
Reserved time series is the number of custom time series per hour, a user is entitled to via
the Sysdig subscription. The total value of entitled time series per
account (for each hour) is calculated as (the number of reserved agents + the number of connected on-demand agents during that hour) * the number of time series per agent.
Time series consumed beyond your subscription entitlement is aggregated
across all agents running in your environment. For example, if you have two
agents running, you can consume 3,000 metrics on one agent and 1,000 on
another, for a total of 4,000 TS, without incurring additional charges (based on the default
entitlement of 2,000 TS per agent).
The default time series entitlement of 2,000 time series is applicable only
to custom metrics. Metrics which do not fall into the custom metric
category, such Kube State Metrics (KSM) and container metrics, are not
considered custom metrics and thus not counted against custom time series
entitlements.
Time Series Entitlement Example
Let’s assume that your Sysdig Monitor subscription includes 15 total Sysdig
reserved agents. Each one of those agents is entitled to 2,000 custom time series
per hour. To determine the total maximum time series for an account,
multiply the number of agents by the time series entitlement per agent –
15 * 2,000 = 30,000 – which means that the account is entitled to consume
30,000 custom time series per hour aggregated across all agents. Any one agent can consume
greater than the 2,000 entitlement as long as the maximum for all agents
does not exceed the account entitlements (in this example, 30,000).
Any time series consumed beyond your entitlement will be charged an overage
charge. Additional time series packs can be purchased to increase your
overall maximum time series entitlement.
Contact Sales to purchase time series packs to extend your subscription
entitlement.
Time Series Packs
Time series packs are available to purchase to increase your custom time series
entitlements per Account. A time series pack includes 1,000 time series and is
charged per month.
Using the above example, if you purchase ten time series packs consisting of
1,000 time series per pack, you will increase the default time series in
your account from 30,000 to 40,000. This will entitle you to consume 10,000
more metrics across all of the Sysdig agents.
View Your Subscription
Time Series Visualization
To help you visualize and better understand custom time series consumption,
Sysdig provides at-a-glance visualization of the following:
Agents - Current Usage: The number of agents currently deployed. From
here you can click the Agent Dashboard link to view individual time
series consumption by agent, metrics type, etc.
Time Series - Previous Hour: The total number of time series consumed
across all agents in the previous hour. You will see the total custom
series entitlement and time series usage against your entitled amount,
along with any time series overage beyond your entitlement.
From here you
can click the Time Series Dashboard to view details on the total time
series consumption for your account.
Also you can use the menu to download a CSV file with your hourly usages. See Download Usage.
Edit Subscription
On the Subscription page, under Agent - Current Usage, click
the three dots to the right of the Agent Dashboard link.
Click Change On Demand Agents.
The Subscription Plan page gives you the directions to change the
subscription plan.
Monitor Time Series Usage
Time Series Metrics
To help you identify the usage trends that are important to you, Sysdig
provides the following metrics via the Time Series Dashboard:
sysdig_ts_usage: The metric reports the number of time series ingested
for a user in a 20-minutes interval. The dashboard reports the 1-hour
usage, which is the maximum of the three 20-minute
sysdig_ts_usage measurements taken in an hour. This metric can be
segmented on metric categories as well.
sysdig_ts_usage_10s: The metric reports the number of time series
ingested for a user in every 10-seconds window, per host (agent), and per
metric category.
Download Usage
You can download the usage report in a CSV file. On the Subscription
page, under Subscription Details, click Download Usage to
download a copy of the usage report. You can view the following:
User ID
Time
Number of Reserved Agents
Number of Connected On-Demand Agents
Time Series included per agent
Time Series Usage Dashboard
Sysdig provides a Time Series Usage Dashboard with insight into the usage
data. You can view time series ingestion at a glance to discover and
analyze trends on where time series is coming from. The dashboard shows the total number of time series; top
hosts by time series ingestion, current ingestion rate; churn percentage;
and so on.
Access the Time Series Dashboard
On the Subscription page, under Usage, click Time Series Dashboard. You can view the following:
Current 1 Hour Ingestion
Current Ingestion from Agents
Churn Percentage
The average number of time series per host
The number of time series ingested per category
Host-level ingestion
Calculate Time Series Usage
Time series usage is calculated by using the sysdig_ts_usage metric.
The metric reports the number of time series ingested for a user in an hour
(sum of the maximum of three 20-minutes). For each hour, the number of time
series ingested is calculated, and then the value is deducted from the
number of reserved time series. This value is stored as the usage record.
An hour period is considered in order to take the
churn
into account. Sysdig uses the sysdig_ts_usage_10s metric to calculate
the spikes caused by
churns
and provides you the churn percentage in the dashboard.
Sysdig uses the 95th percentile to calculate the exceeding cost of usage.
At the end of the month, the 95th percentile of the total number of active
series ingested per hour is calculated. Calculating the 95th percentile
reduces the chances of billing you for unexpected spikes causes by churns.
Churn Rate
When a time series stops receiving new data points, it becomes inactive.
This event is called time series churn. It occurs more often during an
upgrade in a Kubernetes cluster or when containers are replaced by new ones.
Restarts, redeploys, dynamic workloads also cause churn and generate
additional time series.
For example, in such cases the container_id label in a container metric changes, and
subsequently, all the existing time series are replaced by new time series
(with the new container_id value).
The churn rate is the number of time series that churn over time. Sysdig
uses the sysdig_ts_usage_10s metric to analyze these scenarios.
The Time Series Usage Dashboard provides a ratio of time series detected at
1-hour period and 10-seconds period. This ratio is known as the churn
percentage and it is expressed as this PromQL query:
Time series collected by Prometheus Remote Write are excluded from this
ratio because they are not collected by the Sysdig agent.
Time Series Billing Example
Time series billing is calculated per month. A basic subscription will
provide you 2,000 time series per agent. This entitlement is applicable only to
custom metrics, while you can continue consuming Sysdig and KSM metrics
without incurring additional costs. Time series consumed beyond your
subscription limit will be charged and is aggregated across all agents
running in your environment.
For example, if you have three agents running in your environment with the
following consumption details:
Entitled number of time series per hour (reserved agents * 2,000): 3 *
2,000 = 6,000
Actual time series consumed by all agents = 7000
Any overage is calculated by subtracting the total entitlement value from
the actual consumption value, in this case (7,000 - 6,000) = 1,000. This
account would be charged over overage of 1,000 time series.
Control Time Series Ingestion
For more information on controlling metric usage, see the following:
Let’s say you have a Sysdig Monitor account which primarily consumes metrics
from downstream Prometheus servers via Prometheus Remote Write. As such,
you have only licensed the account for one Sysdig Agent, which entitles your
account to 2,000 time series.
Assuming the following volume examples:
Two Prometheus Servers sending metrics to Sysdig via Remote Write
Prometheus Server 1 generates 50,000 time series consistently every hour during a month
Prometheus Server 2 generates 150,000 time series consistently every hour during a month
One Sysdig agent which collects 1,000 time series consistently every hour during a month
The time series billing for the month is calculated as follows:
Time series usage is the same for every hour: Total custom time series consumed - Subscription entitlement (50,000 + 150,000 + 1,000) - 2,000 = 199,000
On-demand time series pricing is measured in blocks of 1,000 time series per month.
To determine the amount of on-demand time series you will be billed for,
divide the total time series usage from the above calculation and divide by
1,000:
The number of on-demand units consumed = (199,000 / 1,000) = 199
If the time series on-demand price is $7.5 for up to one unit of 1,000
time series, the total monthly cost for this use case = $7.5 * 199 = $1592.50 per month.
Metric Packs Time Series Consumption
Extending the above example, we can see how purchasing individual time
series packs will extend your time series entitlement.
Two Prometheus Servers
Prometheus Server 1 generates 50,000 time series
Prometheus Server 2 generates 150,000 time series
One Sysdig agent that collects 1,000 time series
100 pre-purchased time series packs, which is equivalent to 100,000 time series
The billing for the month is calculated as follows:
Total subscription capacity: (Total time series consumption - (time series entitlement from time series pack + subscription entitlement)) (50,000 + 150,000 + 1,000) - (100,000 + 2,000) = 99,000
Pre-purchased time series packs also entitle you to 1,000 time series per month
per pack.
If the pre-purchase price for time series packs is $5 ($2.50 less per 1,000
time series than the on-demand usage price), and you’ve purchased 100 packs,
that brings your pre-purchase time series entitlement cost to $500 per
month.
To calculate your overall monthly cost, you would determine the total time
series entitlement subtracted from the total time series consumed, then
include the amount already paid for in pre-paid time series packs. Any
resulting time series overage beyond the included entitlement plus the
pre-purchased time series pack entitlement would be billed at the on-demand rate
of $7.50 for each 1,000 time series block.
Total number of time series consumed = (50,000 + 150,000 + 1,000) = 201,000
Total time series entitlement: (100,000 + 2,000) = 102,000
Time series overage: (201,000 - 102,000) = 99,000
On-demand time series cost: (99,000 / 1,000) * 7.50 = $742.50 (we would
be purchasing 99 1,000 packs of on-demand time series as the overage above
what is already covered by our entitlement)
Total monthly time series cost = Cost of pre-purchased time series packs +
cost of total overage: ($500 + $742.50) = $1,242.50
1.8.2 - About AWS Cloudwatch Licensing
In the Explore tab or Dashboards of Sysdig Monitor, the number of
metrics displayed for each AWS service is limited by the number of agent
licenses purchased and/or used, by region.
The license count:
Includes Reserved agents plus On-Demand agents (even if not in use).
Is used to determine how many AWS resources are displayed for each
service in each region.
Is not transferable between different AWS services.
AWS Service Type Priorities and Limits
For each AWS service type, services are displayed in the following
priority:
EC2: Pick instances with agents installed, then instances
belonging to ECS, instance is launched before another,
alphabetically by instance ID, up to license count.
RDS: Pick by creation time, oldest instances first, up to
license count.
ELB: Pick by number of balanced instances (larger ELBs 1st),
then by creation time, oldest first, up to license count.
ElastiCache: Sort by name and display up to license count items.
SQS: Sort queues by name and pick up to license count number of
queues to fetch. Data is shown only for queues that are reporting
metrics.
DynamoDB: Sort by name and display up to license count items.
ALB: Sort by name and display up to license count items.
For more information on AWS metrics, see
AWS in the Metrics
Dictionary.
Sample Use Case
Suppose you have 200 AWS instances, have purchased 100 Sysdig agent
licenses, and have actually installed 50 agents.
The following limits would apply to your views of AWS services, per
region:
EC2: The 50 instances with agents installed would be shown
first, then 50 more instances, first from EC2, then from ECS, then
per uptime.
RDS: 100 RDS listings would be shown, oldest first.
ELB: 100 ELBs would be shown (largest first), then by creation
time, oldest first.
ElastiCache: 100 ElastiCache objects would be shown,
alphabetically by name.
SQS: 100 SQS queues that are reporting metrics would be shown.
DynamoDB: 100 DynamoDBs would be shown, alphabetically by name.
ALB: 100 ALBs would be shown, alphabetically by name.
To increase the limit of items in the AWS Services views, contact
Sysdig Sales to enable additional
resources depending on your license agreement.
1.9 - Authentication and Authorization (SaaS)
Sysdig Monitor and Sysdig Secure are designed to work with several user
authentication/authorization methods:
Type
Enabled by Default
Integration Steps Required
User email/password
Yes
No
Google OAuth
No
No
SAML
No
Yes
OpenID Connect
No
Yes
The user’s view:
The pages in this section describe the integration and enablement steps
required for SAML or OpenID Connect, and the Identity Provider (IdP)
services
that support these protocols, such as Okta, OneLogin, Keycloak.
In the SaaS environment,
Google login can be
enabled with a simple drop-down selection; the integration has already
been performed.
To integrate SAML or OpenID Connect with both Sysdig Monitor and Sysdig
Secure, you must go through the integration steps twice, once for each
Sysdig product.
Workflow
With the new Authorization UI, the basic process of enabling a Single
Sign-On (SSO) option is:
Determine which SSO option (GoogleOAuth, SAML, OpenID) your
enterprise uses, and which IdP service (Okta, OneLogin, etc.) is
used, if any.
Enter the required connection settings for the chosen SSO on the
appropriate Authentication tab. (Note: for Google, the settings
are already entered.)
Configure any associated IdP settings on the IdP side.
Select the SSO option from the Enabled Single Sign-On drop-down
and click SaveAuthentication.
If enabling for both Sysdig Monitor and Sysdig Secure, repeat the
process on the second application.
View of the Authentication page for Google OAuth in the SaaS
environment.
1.9.1 - Google OAuth (SaaS)
This guide is specific to cloud-based (SaaS) Sysdig environments. If you
are configuring an On-Premises Sysdig environment, refer to Google
OAuth (On-Prem) instead.
In the SaaS environment, Google users have the option to log in via
Google OAuth.
As the SaaS platform is preconfigured to permit such logins,
environments that already use Google services (such as G Suite) may find
this the most convenient approach for simplified login.
Enable Google OAuth
Since Google OAuth is pre-configured by Sysdig, the administrator needs
only select it as the chosen Authentication option to enable it.
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Authentication.
(Select the Google OAuth tab if you want to see the preconfigured
(un-editable) settings. )
Select Google OAuth from the Enabled Single Sign-On dropdown
and click Save Authentication.
Repeat for Sysdig Monitor or Sysdig Secure, if you want to enable on
both applications.
User Experience
Note the following requirements for successful Google OAuth login:
The user must have already logged in successfully at least once to
your environment (such as via email-based Invitation and having set
an initial password)
The user’s login username in the Sysdig platform must precisely
match the user’s Google email address (that is, it cannot be a
shortened/altered Google email alias)
For such a user to log in via Google OAuth, click the
Log in with Google button.
If the user’s browser has not already successfully authenticated via
Google and/or has multiple Google profiles known by their browser, they
will be presented a Google page to select a profile and enter a password
(if necessary) before being redirected back to your Sysdig environment.
This guide is specific to cloud-based (SaaS) Sysdig environments. If you
are configuring an On-Premises Sysdig environment, refer to SAML
(On-Prem) instead.
The Sysdig platform ordinarily maintains its own user database to hold a
username and password hash. SAML instead allows for redirection to your
organization’s IdP to validate username/password and other policies
necessary to grant access to Sysdig application(s). Upon successful
authentication via SAML, a corresponding user record in the Sysdig
platform’s user database is automatically created, though the password
that was sent to the IdP is never seen nor stored by the Sysdig
platform.
This section describes how to integrate and enable SAML with both Sysdig
Monitor and Sysdig Secure.
For specific IdP integration information, refer to:
If you intend to configure IDP-initiated login flow, have your Sysdig customer number on hand. It will be referenced in later configuration steps as CUSTOMER_ID_NUMBER.
4 a. Log in to Sysdig Monitor or Sysdig Secure Settings (as admin) and enter the necessary configuration information in the UI. Enable SAML as your SSO.
4 b. Repeat the process for the other Sysdig product, if you are using both Monitor and Secure.
You will enter a separate redirect URL in your IdP for each product; otherwise, the integration processes are the same.
Administrator Steps
Configure IdP
Select the appropriate IdP from the list below, and follow the
instructions:
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings from the User Profile button in the left
navigation.
Select Authentication.
Select the SAML tab.
Enter the relevant parameters (see table below) and click Save.
It is strongly recommended that “Signed Assertion” and “Validate
Signature” are enabled to ensure that the SAML SSO process is as
secure as possible.
Connection Setting
Options
Description
Sample Entry
Metadata
URL
The URL provided at the end of the IdP configuration steps.
XML
An option that can be used for an IdP that doesn’t support extracting metadata XML via URL.
Signed Assertion
off/on
Should Sysdig check for assertions signed in responses (to assist in validating correct IdP).
ON
Email Parameter
email
Name of parameter in the SAML response for user email ID. Sysdig uses this to extract the user’s email from the response.
email
Validate Signature
off/on
Sysdig backend should verify that the response is signed.
ON
Verify Destination
off/on
Flag to control whether Sysdig should check the “destination” field in the SAMLResponse. Recommend ON, as a security measure. May be OFF in special cases, such as a proxy in front of the Sysdig back end.
ON
Create user on login
off/on
Flag to control whether a user record should be created in the Sysdig database after first successful SAML log in.
Disable username and password login
off/on
Switch “on” to disallow user name and password log in. (Useful with SAML OpenID.)
Select SAML for SSO
Select SAML from the Enabled Single Sign-On dropdown
Click Save Authentication.
Repeat the entire enablement process for Sysdig Monitor or Sysdig
Secure, if you want to enable it on both applications.
Configure SAML Single Logout
Sysdig supports SAML Single Logout (SLO).
SLO is a feature in federated authentication where Sysdig users can sign
out of both their Sysdig session (Service Provider) and associated IdP
(Identity Provider) simultaneously. SLO allows you to terminate all
sessions established via SAML SSO by initiating a single logout process.
Closing all user sessions prevents unauthorized users from gaining
access to Sysdig resources.
SLO Process
When a user initiates a logout, Sysdig sends a digitally-signed logout
request to the IdP. The IdP validates the request and terminates the
current login session, then redirects the user back to the Sysdig login
page.
Configure IdP
Configure logout URLs:
Monitor: <base_URL>/api/saml/slo/logout
Secure: <base_URL>/api/saml/slo/secureLogout
Choose HTTP Redirect as the binding method.
This option is an alternative to the HTTP POST method, which Sysdig
does not support currently.
If your IdP mandates, upload the public key for Sysdig.
If you are having issues retrieving the key, please contact Sysdig Support to
retrieve the public key associated with your deployment.
Certain IDPs, such as Azure, don’t require uploading the public key.
Configure Sysdig
Log in to Sysdig Monitor or Sysdig Secure as an administrator and
select Settings.
For on-prem deployments, log in as the super admin.
Navigate to Settings > Authentication, and
select SAML under Connection Settings.
Enter the SAML configuration.
Ensure that Enable SAML single logout is toggled on.
Click Save.
Ensure that you select SAML from the Enable Single Sign
On drop-down.
End User Login to Sysdig
As noted in the Basic Enablement Workflow above, you can offer users
three ways to log in with a SAML configuration:
They can begin at the Sysdig SaaS URL and click the SAML button.
See SaaS Regions and IP
Ranges and identify the
correct Sysdig SaaS URL associated with your Sysdig application and
region. For example, URLs of Monitor and Secure for US East are:
For other regions, the format is
https://<region>.app.sysdig.com/api/saml/auth.
Replace <region> with the region where your Sysidig
application is hosted. For example, for Sysdig Secure in the EU, you
use
https://eu1.app.sysdig.com/api/saml/secureAuth.
You can configure an IdP-initiated login flow when configuring your
IdP. The users then select the Sysdig application from your IDP’s
app directory and do not browse directly to a Sysdig application URL
at all.
Users that complete their first successful SAML login to Sysdig Secure
may receive the error message “User doesn’t have permission to login in
Sysdig Secure”. This is because only members of the Secure
Operations team are permitted access to Sysdig Secure, and
newly-created logins are not in this team by default. Such a user should
contact an Administrator for the Sysdig environment to be added to the
Secure Operations team.
Environments that wish to have all the users access Sysdig Secure by default
could use this sample Python
script
to frequently “sync” the team memberships.
Configure Sysdig Monitor and/or Sysdig Secure as a SAML application
using Okta’s documentation for Setting Up a SAML Application in
Okta.
The notes below call out specific steps that require additional action.
Sysdig-Specific Steps for Okta Configuration
IDP-initiated Login Flow
If you don’t intend to configure IDP-initiated login flow, check the
boxes for “Do not display application icon to users” and “Do not display
application icon in the Okta Mobile app”.
URL, URI and RelayState Values
Enter the values shown in the table below. If you wish to configure
IDP-initiated login flow, replace CUSTOMER-ID-NUMBER with the
number retrieved as described in Find Your Customer
Number.
See SaaS Regions and IP
Ranges and identify the
correct URLs associated with your Sysdig application and region. For
example, in US East, the endpoints are:
Setting
Value for Sysdig Monitor
Value for Sysdig Secure
Single sign on URL
https://app.sysdigcloud.com/api/saml/auth
https://secure.sysdig.com/api/saml/secureAuth
Audience URI (SP Entity ID)
https://app.sysdigcloud.com/api/saml/metadata
https://app.sysdigcloud.com/api/saml/metadata
Default RelayState
(optional - only configure if you intend to use IDP-initiated login flow)
#/&customer=CUSTOMER-ID-NUMBER
#/&customer=CUSTOMER-ID-NUMBER
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysidig application
is hosted. For example, for Sysdig Monitor in the EU, you use
https://eu1.app.sysdig.com/api/saml/auth.
Email and Name Values
Instead of the values shown in the Okta example, add the values:
Name
Value
email
user.email
first name
user.firstName
last name
user.lastName
Note that the attributes are case sensitive, so use caution when
entering them.
Only email is required. However, including first/last name is
recommended, since these values will now be included in the records
created in the Sysdig platform’s database when new users successfully
login via SAML for the first time.
SAML Configuration Metadata Value
Copy the URL and paste in the Metadata entry on the SAML
Configuration page in the SAML connection settings.
Test Metadata (Optional)
To ensure the metadata URL you copy at the end of the IDP configuration
procedure is correct, you can test it by directly accessing it via your
browser.
When accessing the URL, your browser should immediately download an XML
file that begins similarly to the example shown below. No entry of
credentials or other security measures should be required to
successfully download it. If this is not the case, revisit the IDP
configuration steps.
Configure Sysdig Monitor and/or Sysdig Secure as a SAML application
using OneLogin’s article titled Use the OneLogin SAML Test
Connector.
The notes below call out specific steps that require additional action.
Sysdig-Specific Steps for OneLogin Configuration
Adding the SAML Test Connector
At the step for “Adding the SAML Test Connector”, select SAML Test
Connector (IdP w/ attr w/ sign response). If you don’t intend to
configure IDP-initiated login flow, uncheck the slider so it will no
longer be “Visible in portal”.
Test Connector Configuration Page Settings
At the “Test Connector Configuration Page”, enter the values shown in
the table below. If you wish to configure IDP-initiated login flow,
replace CUSTOMER-ID-NUMBER with the number retrieved as described
in the Find Your Customer
Number article.
See SaaS Regions and IP
Ranges and identify the
correct URLs associated with your Sysdig application and region. For
example, given below are the URLs for the US East region.
Field
Value for Sysdig Monitor
Value for Sysdig Secure
RelayState
(optional - only configure if you intend to use IDP-initiated login flow)
#/&customer=CUSTOMER-ID-NUMBER
#/&customer=CUSTOMER-ID-NUMBER
Recipient
https://app.sysdigcloud.com/api/saml/auth
https://secure.sysdig.com/api/saml/secureAuth
ACS (Consumer) URL Validator
https://app.sysdigcloud.com
https://secure.sysdig.com
ACS (Consumer) URL
https://app.sysdigcloud.com/api/saml/auth
https://secure.sysdig.com/api/saml/secureAuth
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region> with the region where your Sysidig application
is hosted. For example, for Sysdig Monitor in the EU, you use
https://eu1.app.sysdig.com/api/saml/auth.
(Optional) If you want the user’s First Name and Last Name to be
included in the records created in the Sysdig platform’s database when
new users successfully login via SAML for the first time, click to the
Parameters tab. Click Add parameter and create each of two New
Fields, checking the box each time to Include in SAML assertion.
Then click to Edit each field and select the Value shown from
the drop-down menu before clicking Save.
Field Name
Value
email
Email
first name
First Name
last name
Last Name
Note that the Field Names are case sensitive, so be careful to
enter them as all lowercase.
The following shows an example of a correctly-configured field for First
Name:
Issuer URL
Click to the SSO tab, copy the Issuer URL, and paste in the
Metadata entry on the SAML Configuration page in the SAML
connection settings.
Test Metadata (Optional)
To ensure the metadata URL you copy at the end of the IDP configuration
procedure is correct, you can test it by directly accessing it via your
browser.
When accessing the URL, your browser should immediately download an XML
file that begins similarly to the example shown below. No entry of
credentials or other security measures should be required to
successfully download it. If this is not the case, revisit the IDP
configuration steps.
These instructions assume you already have a working,
Internet-accessible ADFS ( Active Directory Federation Service) server.
Interoperability testing has been performed specifically with ADFS on
Windows Server 2012 R2.
Follow the instructions below to configure ADFS with the ADFS
Management tool in the Windows Server Manager.
For Service-Provider-Initiated Login Flow
Right-click to Service > Edit Federation Service Properties.
Note the hostname in the Federation Service Identifier, as this will
be used in the metadata URL that you paste in the Metadata entry on
the SAML Configuration page in the Sysdig authentication settings.
Specifically, the metadata URL will be of the format
https://HOSTNAME/FederationMetadata/2007-06/FederationMetadata.xml.
Also, so that the Sysdig platform can access this URL directly, this
host must resolve in DNS and have a valid (not self-signed)
SSL/TLS certificate.
Add a Relying Party Trust configuration for the Sysdig application.
Right-click to Relying Party Trusts > Add Relying Party
Trust and click Start to begin the wizard.
In the Select Data Source step, click the button to Enter
data about the relying party manually, then click Next
Enter a Display name of your choosing (e.g. “Sysdig Monitor”
or “Sysdig Secure”), then click Next
Click Next to accept the default option to use AD FS
profile
Click Next to skip the selection of an optional token
encryption certificate (Sysdig does not support this option)
Check the box to Enable support for the SAML 2.0 Web SSO
protocol, then enter one of the following values for Relying
party SAML 2.0 SSO service URL:
If configuring Sysdig Monitor, enter:
https://app.sysdigcloud.com/api/saml/auth
If configuring Sysdig Secure, enter:
https://secure.sysdig.com/api/saml/secureAuth
Then click Next.
For the Relying party trust identifier, enter one of the
following values:
If configuring Sysdig Monitor, enter:
https://app.sysdigcloud.com
If configuring Sysdig Secure, enter:
https://secure.sysdig.com
Then click Add, then click Next
Click Next to skip configuration of multi-factor
authentication
Choose a policy for whether users will be permitted to login to
the Sysdig application. The default to Permit all users to
access the relying party will typically be acceptable. Click
Next.
Review the summary and click Next to complete the
configuration of the Relying Party Trust
The next step will involve adding Claim Rules, so you can leave
the box checked to Open the Edit Claim Rules dialog and
click the Close button to be brought immediately into the
Claim Rules editor
Ensure that the SamlResponseSignature option matches the Sysdig
authentication configuration.
Use the
Set-AdfsRelyingPartyTrust/Get-AdfsRelyingPartyTrust cmdlets
via PowerShell to configure SamlResponseSignature .
-SamlResponseSignatureSpecifies the response signatures that the relying party expects. The acceptable values for this parameter are:AssertionOnlyMessageAndAssertionMessageOnly
Navigate to Settings > Authentication on the Sysdig
app and check the Sysdig authentication setting maps to the
SamlResponseSignature :
For MessageAndAssertion, enable both the options.
Next, use the Claim Rules to ensure that login data is sent as
needed to the Sysdig platform. A user’s login to the Sysdig platform
is based on an email address, and a default ADFS configuration would
not send the email address as required. The following configuration
ensures the correct field from Active Directory is delivered in the
claim.
If not already in the Claim Rules editor from the previous step,
navigate to it by right-clicking on the Relying Party Trust that
was just created and selecting Edit Claim Rules
Click Add Rule. At the following screen, accept the default
rule template to Send LDAP Attributes as Claims and click
Next.
Enter a name for the rule, select Active Directory as the
Attribute store, then use the pull-down selectors to pick
E-Mail as both the LDAP Attribute and Outgoing
Claim Type, then similarly make pull-down selections for
Given Name and Surname. Once these selections are made,
click Finish.
Now click Add Rule again, this time selecting the template
for Transform an incoming claim
Enter a name for the rule, then use the pull-downs to select an
Incoming claim type of E-Mail, an Outgoing
claim type of Name ID, and an Outgoing name ID format
of Email, then click Finish.
(Optional) If you want the user’s First Name and Last Name to be
included in the records created in the Sysdig platform database
when new users successfully login via SAML for the first time,
additional Transform rules must also be created. Only the
email-based username is strictly required and we already created
a rule for this, so this step is optional.
If you wish to do this, click Add Rule and once again select
the template for Transform an incoming claim. Enter a name
for the rule, then use the pull-down to select an Incoming
claim type of Given Name, and for the Outgoing claim
type, directly type first name into the field. After
clicking Finish, click Add Rule and create a similar
rule to transform the Incoming claim type of Surname to
the Outgoing claim type of last name.
Having clicked Finish after creating your last rule, you
will see all rules now in the editor. Click Ok, and your
ADFS configuration for your Sysdig application is complete.
For IdP-Initiated Login Flow (Optional)
(Optional) The steps above represent a Service-Provider-Initiated
SAML configuration. If you would prefer an IdP-initiated SAML
configuration, this is also possible with ADFS, but requires the
additional steps described below.
The Sysdig platform requires a specific setting of RelayState in
order to accept IdP-initiated login flows. On the ADFS versions
tested, we’ve found this use of RelayState is disabled by default,
and a Microsoft
article
describes the topic in detail. To enable it, as described in a
Microsoft forum
thread,
on your ADFS host, edit
%systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config
and add <useRelayStateForIdpInitiatedSignOn enabled="true" />
to the <microsoft.identityserver.web> section. Once the
modification is saved, restart ADFS services for the change to take
effect.
You will need to retrieve your Sysdig customer number as described
in the Find Your Customer
Number article.
You will then need to generate an IdP-initiated login URL.
In addition to having the correct settings, it must be properly URL
encoded. To ease this configuration, use this ADFS RelayState
Generator
tool. When launched, enter the values below, then hit the Generate
URL button.
For the IDP URL String, enter
https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx
For the Relying Party Identifier, enter one of the following
values:
If configuring Sysdig Monitor, enter
https://app.sysdigcloud.com
If configuring Sysdig Secure, enter
https://secure.sysdig.com
For other regions, the format
is https://<region>.app.sysdig.com. Replace <region>
with the region where your Sysidig application is hosted. For
example, for Sysdig Monitor in the EU, you
use https://eu1.app.sysdig.com/. See SaaS Regions and IP
Ranges for more
information.
For the Relay State/Target App, enter
#/&customer=CUSTOMER-ID-NUMBER, substituting the
CUSTOMER-ID-NUMBER you retrieved in the previous step
This Results URL will be used in the metadata URL that you paste
in the Metadata entry in the SAML connection
settings .
Use the Results URL from the tool to test your IdP-initiated
login. Note that per this Microsoft forum
thread,
it is apparently not possible to configure ADFS to use such a URL
when your users select the application from the pull-down menu at
https://YOUR_ADFS_SERVER/adfs/ls/idpinitiatedsignon.aspx.
However, you may embed the URL into a custom portal or bookmarks
list.
Now you can test login using an Active Directory user that has an
Email address configured.
Test Metadata (Optional)
To ensure the metadata URL you copy at the end of the IDP configuration
procedure is correct, you can test it by directly accessing it via your
browser.
When accessing the URL, your browser should immediately download an XML
file that begins similarly to the example shown below. No entry of
credentials or other security measures should be required to
successfully download it. If this is not the case, revisit the IDP
configuration steps.
This topic explains how to configure SAML Single Sign On (SSO) with
Azure Active Directory (AD) and helps you configure Sysdig to allow
users to access Sysdig application by using SSO.
Prerequisites
Administrator privileges on Sysdig and Azure.
Configure the Sysdig Application in Azure AD
Log in to the Azure AD portal.
Select Azure Active Directory, then click Enterprise
Applications.
The Enterprise applications - All application screen is displayed.
Click New Application.
On the Add an Application screen, select Non-gallery
application.
Give your application a name, and click Add at the bottom of the
page.
On the menu, select Single sign-on.
Choose SAML as the sign-on method.
Edit the Basic SAML Configuration as follows:
In the configuration page, click the edit icon.
Specify the following:
Identifier (Entity ID): Uniquely identifies the Sysdig
application. Azure AD sends the identifier to the Sysdig
application as the audience parameter of the SAML token.
Sysdig validates this as part of the SSO process.
Relay State: Specifies to the application where to
redirect the user after authentication is completed.
Typically the value is a valid URL for Sysdig. If you are
configuring SSO for SaaS, change the relay state to reflect
the correct customer number associated with your Sysdig
application. For on-prem installations, the customer number
is always 1.
Sysdig-Specific Steps for Active Directory Configuration
Under SAML Signing Certificate, copy the App Federation
Metadata URL.
Log in to your Sysdig instance as an admin.
For on-prem deployments, log in as the super admin.
Navigate to Settings > Authentication, and select SAML
under Connection Settings.
Enter the following:
Metadata: Enter the App Federation Metadata URL you
copied.
Email Parameter: Set the value to emailaddress.
Azure AD claims are:
saml = ADfirst name = user.givennamelast name = user.surnameemail = user.mailname = user.userprincipalnameUnique User Identifier = user.userprincipalname
In the Sysdig application, you need to set the email to
email which is what Azure AD sends to Sysdig in the
SAML assertion. Alternatively, Azure AD can be modified to send
another attribute.
Click Save.
Select SAML from the Enable Single Sign On drop-down.
Create a User in Azure Active Directory Domain
Log in to the Azure AD portal.
Click Azure Active Directory, and note down the domain name.
Select Azure Active Directory, then Users.
The Users - All Users screen is displayed.
Select New Users .
You can either create a new user or invite an existing AD.
Enter name, username, and other details, then click Create.
In the Profile page, add the Email and Alternate Email
parameters. The values can match
Assign the User to the Sysdig Application
Navigate to the Sysdig application.
Click Users and Group, then click the Add user button.
Select the Users and Groups checkbox, then choose the newly
created user to add to the application.
Click Select, then Assign at the bottom of the screen.
Enable Authentication Settings in the Sysdig Instance
Ensure that Flag to enable/disable create user on login is enabled.
Typically this setting is enabled by default.
If you are using both Sysdig Monitor and Secure, ensure that the user
accounts are created on both the products. A user that is created only
on one Sysdig application will not be able to log in to another by using
SAML SSO.
if you are on Sysdig Platform versions 2.4.1 or prior, contact Sysdig
Support to help with user creation.
(Optional) Configure Sysdig as a New Application
If Azure Active Directory does not allow you to create Sysdig as a
Non- Gallery application, perform the following:
In Azure AD, click Enterprise Applications > New
Application.
Select Application you’re developing.
You will be taken to the app registration page:
Select New Registration:
Provide a name for the application you are registering.
In the Overview tab click Add an Application ID URI:
Click Add a scope.
Add the application ID URI as follows:
https://<your_sysdig_url>:443
Replace <*your_sysdig_*url> with the URL appropriate to your
application and region. See SaaS Regions and IP
Ranges for more
information.
In the Overview tab, click Endpoints, and copy the
Federation Metadata URL.
Log in to Sysdig, navigate to SAML Authentication screen, and enter
the Federation Metadata URL.
You will still need to ensure that the user creation on the login
option is enabled.
Save the settings.
1.9.3 - OpenID Connect (SaaS)
This guide is specific to cloud-based (SaaS) Sysdig environments. If you
are configuring an On-Premises Sysdig environment, refer to OpenID
Connect (On-Prem) instead.
OpenID support in the Sysdig
platform allows authentication via your choice of Identity Provider
(IdP). This section
describes how to integrate and enable OpenID Connect with both Sysdig
Monitor and Sysdig Secure.
Overview
Summary of OpenID Functionality in Sysdig
The Sysdig platform ordinarily maintains its own user database to hold a
username and password hash. OpenID instead allows for redirection to
your organization’s IdP to validate username/password and other policies
necessary to grant access to Sysdig application(s). Upon successful
authentication via OpenID, a corresponding user record in the Sysdig
platform’s user database is automatically created, though the password
that was sent to the IdP is never seen nor stored by the Sysdig
platform.
Basic Enablement Workflow
Step
Options
Notes
1. Know which IdP your company uses and will be configuring.
These are the OpenID Providers for which Sysdig has performed detailed interoperability testing and confirmed how to integrate using their standard docs. If your OpenID Provider is not listed (including ones that do not support OpenID Connect Discovery), it may still work with the Sysdig platform. Contact Sysdig Support for help.
2. Decide the login flow you want users to experience: 3 options
If you intend to configure IDP-initiated login flow, you need the following:
Redirect URLs
See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, domain URLs of Monitor and Secure for US East are:
Required. Endpoint that contains key credentials for token signature verification
Token Auth Method
Authentication method.
Supported values:
client_secret_basic ,
client_secret_post . (case insensitive)
Select OpenID for SSO
Select OpenID from the Enabled Single Sign-On dropdown.
Click SaveAuthentication.
Repeat entire enablement process for Sysdig Monitor or Sysdig
Secure, if you want to enable on both applications.
User Experience
As noted in the Basic Enablement Workflow above, you can offer users
three ways to log in with an OpenID configuration:
They can begin at the Sysdig SaaS URL and click the OpenID button.
See SaaS Regions and IP
Ranges and identify the
correct SaaS URL associated with your Sysdig application and region.
For example, URLs of Monitor and Secure for US East are:
For other regions, the format is https://<region>.app.sysdig.com.
Replace <region>; with the region where your Sysdig
application is hosted. For example, for Sysdig Monitor in the EU,
you use
https://eu1.app.sysdig.com.
They will be prompted to enter a Company Name, so the Sysdig
platform can redirect the browser to your IdP for authentication.
=
You can provide an alternative URL to avoid the user having to enter
a company name, in the format:
You can configure an IdP-initiated login flow when configuring your
IdP. The users then select the Sysdig application from your IDP’s
app directory and do not browse directly to a Sysdig application URL
at all.
The notes below describe minimal steps to be taken in Okta. You may need
to adjust the steps based on the specifics of your environment.
Log in to your Okta organization as a user with administrative
privileges and click to the Admin dashboard
Click on the Add Applications shortcut, then click the Create
New App button
Select Web as the Platform type, then click OpenID Connect
as the Sign-on method, then click Create
Create a new application:
Enter your choice of General Settings.
For Login redirect URIs, enter one of the following values:
See SaaS Regions and IP
Ranges and identify
the correct domain URL (redirect URL) associated with your
Sysdig application and region. For example, domain URLs of
Monitor and Secure for US East are:
The notes below describe minimal steps to be taken in OneLogin. You may
need to adjust the steps based on the specifics of your environment.
Log in to your OneLogin organization as a user with administrative
privileges and click to Apps > Custom Connectors, then
click the New Connector button.
Create a new Connector:
Enter your choice of connector name.
Select a Sign on Method of OpenID Connect.
For Redirect URI, enter one of the following values:
See SaaS Regions and IP
Ranges and identify
the correct domain URL (redirect URL) associated with your
Sysdig application and region. For example, domain URLs of
Monitor and Secure for US East are:
From the More Actions pull-down menu, select Add App to
Connector
Click Save to add the app to your catalog. Once clicked,
additional tabs will appear.
Click to the SSO tab. Change the setting in the Token
Endpoint drop-down to POST, then click Save.
While still on the SSO tab, take note of the Client ID and
Client Secret that are shown (click Show client secret to
reveal it).
You will enter them in the OpenID settings.
Note that the Issuer URL will consist of
https://YOUR-ONELOGIN-DOMAIN.onelogin.com/oidc
You will enter them in the OpenID settings.
During testing, we’ve found OneLogin sometimes does not persist changes
that are made in the OpenID Provider configuration. If you make changes
to your OneLogin configuration and experience issues such as HTTP 400
Bad Request when attempting logins to your Sysdig application, you may
need to delete your Custom Connector and App config in OneLogin and
recreate it from scratch.
The notes below describe minimal steps to be taken in Keycloak. You may
need to adjust the steps based on the specifics of your environment.
Log in to your Keycloak server’s Administrative Console.
Select a realm or create a new one.
Click Clients, then click the Create button.
Enter the Client ID of your choosing (e.g. “SysdigMonitor”) and
take note of it.
You will enter it in the OpenID Configuration page in the Sysdig
Authentication Settings.
Make sure the Client Protocol drop-down has openid-connect
selected. Click the Save button.
Configure OpenID Connect client:
Click the toggle for Authorization Enabled to ON
For Valid Redirect URI, enter one of the following values:
See SaaS Regions and IP
Ranges and identify
the correct domain URL (Redirect URI) associated with your
Sysdig application and region. For example, domain URLs of
Monitor and Secure for US East are:
Note that the Issuer URL will consist of
https://KEYCLOAK_SERVER_ADDRESS/auth/realms/REALM_NAME, where
KEYCLOAK_SERVER_ADDRESS and REALM_NAME are derived from your
environment where you just created the configuration. You will enter
it in the OpenID settings.
1.9.3.4 - Azure (OpenID)
OpenID Connect
is a security-token based extension of the OAuth
2.0 authorization protocol to do single sign-on. Azure Active Directory
provides an
implementation
of OpenID Connect (OIDC) protocol and Sysdig supports it for single
sign-on and API access to Sysdig application.
Enabling Azure OpenID Connect for single sign-on to Sysdig applications
include configuration on the Microsoft Active Directory as well as on
the Sysdig application.
Prerequisites
Administrator privileges on Sysdig and Azure Active Directory (AD).
Search for Azure Active Directory and do one of the following:
Select your Active Directory service
Create a new one.
Click App registration > New registration.
In the Register an application page, specify the following:
Name: Display name to identify your Sysdig application. For
example, Sysdig Secure.
Supported account types: For Sysdig SaaS, choose Accounts
in this organizational directory only (Default Directory only -
Single tenant). All user and guest accounts created in your
active directory can use Sysdig application and API.
Redirect URI: Authenticated Sysdig users are redirected to
this URI.
See SaaS Regions and IP
Ranges and identify
the correct domain URL associated with your Sysdig application
and region. For example, domain URLs of Monitor and Secure for
US East are:
Sysdig Platform supports disabling password-based authentication on both
SaaS and on-prem deployments. As an administrator (super administrator
for on-prem), you can use either the Authentication option on the UI or the API to achieve it. This configuration is
applicable to those who use single sign-on.
You can use the UI to disable password authentication only for SAML and OpenID authentication methods. For Google Oauth, use the API method as given below.
As an administrator, perform the following:
Log in to Sysdig Monitor or Sysdig Secure as administrator and select Settings.
Click Authentication.
Choose your authentication method.
Disabling password authentication through the UI is not supported for Google Oauth.
Use the Disable username and password login slider to turn off password authentication.
Click Save to save the settings.
Using the API
As an administrator, perform the following:
Get the Sysdig Platform settings:
See SaaS Regions and IP
Ranges and identify the
correct domain URL associated with your Sysdig application and
region. For example, for Sysdig Monitor on US East is:
GET https://app.sysdigcloud.com/api/auth/settings/
For other regions, the format is https://<region>.app.sysdig.com/api/auth/settings.
Replace <region> with the region where your Sysidig
application is hosted. For example, for Sysdig Monitor in the EU,
you use https://eu1.app.sysdig.com/api/auth/settings.
Find the ID of the active SSO setup:
GET https://app.sysdigcloud.com/api/auth/settings/active
Retrieve the specific settings associated with the SSO setup:
GET https://app.sysdigcloud.com/api/auth/settings/{id}
The setting is displayed in a JSON file.
In the JSON file, change the following from false to true:
settings/forbidPasswordLogin:True
Update the setting with a request to the same URL with the same
JSON, with the changed parameter. URL depends on the type of
deployment.
PUT https://app.sysdigcloud.com/api/auth/settings/{id}
1.9.5 - Configure Customized Session Expiration
(For SaaS) When you want inactive sessions to deactivate after a
time-out period, you can configure it on the Sysdig application. You can
determine how long a user’s browser can be idle after which they will be
automatically logged out from the session.
To do so
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Authentication.
Scroll down and locate the Session Expiration settings.
Specify the Session Expiration setting:
Enable session expiration by using the Terminate session after
inactivity period (in minutes) of slider.
Specify the time-out period in minutes.
Click Save.
1.10 - Configure Theme Preference
A theme specifies the visual appearance of the Sysdig applications.
Theme Preferences allows you to change the look and feel of the
Sysdig applications to match your visual and accessibility requirements.
The list of available themes includes Light,Dark, Match OS
Preferences.
To configure a theme:
Log in to Sysdig Secure or Sysdig Monitor.
Navigate to User Menu. Select Theme from the upper right corner of the User Menu, OR click the Settings gear and choose Users.
Select a desirable theme from the Theme Preferences drop-down.
Match OS Preferences: The theme will be aligned with that of
your operating system. For example, if your Desktop theme is
Dark, the app theme will also be set to Dark.
Your OS theme will override the application theme preferences. For
example, changing the OS theme to Dark while your application
theme preference is Light will automatically switch the
application theme to Dark.
1.11 - Certificates Management
The Certificates Management module for Sysdig Secure provides a simple interface for administrators to create, upload, update, or delete the certificates that are used for content exported from the Sysdig environment.
Specifically, it:
Optimizes the secure handling of certificates
Supports .csr flows
Provides a UI for certificate management
Adds support for client-side certificates in the events forwarder
At this time, the feature is for Sysdig Secure SaaS only, and is integrated with the appropriate event forwarding options:
(Note: Kafka authentication is handled through a different mechanism.)
Access the Certificates Management Page
Log in to Sysdig Secure as admin and navigate to Settings from your user profile.
Select Certificates Management.
Create a Certificate
Certificate creation requires several steps, defined below.
Thereafter, you can assign the certificate to the event forwarding integrations.
Generate a CA-Signed Key and Cert
You must have a signed key and certificate from a Certificate Authority (CA), a step that your organization may already have done. If not, follow these steps:
Generate the CA key:
openssl genrsa -out ca.key 4096
Generate the CA certificate, setting the expiration to 10 years from now:
You will be prompted to provide details to populate the certificate information. Be as thorough as possible. Save the resulting ca.pem file.
Obtain the Certificate Signing Request (CSR)
The Certificates Management UI streamlines the process of obtaining a certificate-signing request (CSR).
Log in to Sysdig Secure as admin and select Settings > Certificates Management.
Select New CSR and copy the text using the Copy and Next button.
You will be prompted to leave the Sysdig UI to finish generating the certificate in an external tool.
Generate the .crt Certificate File Externally
Use a 3rd-party tool, such as OpenSSL or Digicert, to generate the .crt file. Follow the instructions given with that tool, using the CSR you generated.
Below an example with openssl:
Select the correct uploaded certificate from the Certificate field and Save.
Manage Certificates
1.12 - Ticketing Integration
Use the Ticketing Integration feature to quickly and easily set up a connection between the Sysdig platform and your organization’s task management tool, such as JIRA, to inject Sysdig tasks into your existing remediation workflow.
At this time, Sysdig sports the ticketing options listed in the following subpages.
1.12.1 - JIRA Ticketing
This integration allows Sysdig users to open JIRA tickets within the Sysdig Secure UI and assign them to team members directly. The first iteration allows users to open tickets from CIEM/Identity recommendations from the Home page, after an Administrator has configured the integration.
At this time, the JIRA issue types a user can open are: Bug, Story and Task.
Configure a JIRA Ticketing Integration
Prerequisites
Admin access to Sysdig Secure SaaS
A JIRA Cloud account with the appropriate permissions (see below)
Email: The email address of the API token holder, which matches the email used in the JIRA Cloud account
API Token: The JIRA token generated in the Prerequisites
Click Save. The Jira integration will be listed on the Ticketing Integrations page with Active status.
Test the Integration
To use the integration, go to the Sysdig Secure Home page and check an Identity finding/recommendation, as described here.
1.13 - Configure Login Message
Use this setting to create a customized login banner to help your organization comply with its security standards.
The login banner will not be displayed to the Sysdig admin users.
To create a custom banner:
Navigate to Settings > Login Message from Sysdig Monitor or Sysdig Secure.
Enter your desired message text, using Markdown to format.
Click Preview to review.
Click Save.
Log out and log back in to see the message displayed.
2 - On-Premises Deployments
The term
“on-premises” (or
“on-prem”) is both industry-standard and evolving, so it means different
things to different people.
In the context of Sysdig, on-prem customers install and manage the
Sysdig backend components as they see fit. This could be in a data
center, or in an enterprise’s cloud-provider space, such as AWS or GKE.
With version 3.6.0, the Sysdig Platform can no longer be installed using
Replicated.
Oversight Services Now Offered for All Installs and Upgrades
As part of our continued focus on our customers, we are now offering
oversight services for all on-premise installs and upgrades. Your
Technical Account Manager (TAM), in conjunction with our support
organization and Professional Services [where applicable], will work
with you to:
Assess your environment to ensure it is configured correctly
Review your infrastructure to validate the appropriate storage
capacities are available
Review and provide recommendations for backing up your Sysdig data
Work with you to ensure our teams are ready to assist you during the
install and upgrade process
Provide the software for the install
Be available during the process to ensure a successful deployment
You can always review the process in the documentation on
GitHub (v. 3.6.0+) or
the standard docs site
(for older versions).
If you are a new customer looking to explore Sysdig, please head over
here to sign up for a trial on
our SaaS Platform. Alternatively, you can contact us
here.
2.1 - Architecture & System Requirements
Before installing an on-premises solution, review the Sysdig
architecture, sizing tips, configuration options, and installation
options.
Each on-premise release is tested on several platforms and
Kubernetes orchestrators. You can find the the official matrix in
the onprem-install-docs repository. Click
the on-premise version and navigate to the release notes page
to view the supported platforms.
The actual installation instructions can be found in the onprem-install-docs repository.
2.1.1 - Architecture
Review the diagram and component descriptions. When installing
on-premises, you can decide where to deploy various components.
Sysdig Agent
Sysdig will collect monitoring and security information from all the
target entities. To achieve this, one Sysdig agent should be deployed in
each host. These hosts can be:
The nodes that make up a Kubernetes or OpenShift cluster
Virtual machines or bare metal
Living in a cloud environment (i.e. AWS, Google Cloud, IBM Cloud,
Azure, etc.) or on the customer’s premises
The Sysdig agent can be installed as a container itself using a Helm
chart, Kubernetes operator, etc.
Once the agent is installed in the host it will automatically start
collecting information from the running containers, container runtime,
the orchestration API (Kubernetes, OpenShift, etc), metrics from defined
Prometheus endpoints, auto-detected JMX sources, StatsD, and
integrations as well as the host
itself.
The Sysdig agent maintains a permanent communication channel with the
Sysdig backend which is used to encapsulate messages containing the
monitoring metrics, infrastructure metadata, and security events. The
channel is protected using standard TLS encryption and transports data
using binary messages. Using this channel, the agent can transmit data,
but also receive additional configuration from the backend, such as
security runtime policies or benchmarks.
Sysdig Backend
The Sysdig backend is used directly in its SaaS version, thus being
managed transparently by Sysdig Inc., or it can also be installed on the
customer’s premises. This distinction does not affect the operation of
the platform described below.
Once the agent messages are received in the backend, they are processed
and extracted into data available to the platform - time series,
infrastructure and security events, and infrastructure metadata.
The main components of the backend/platform include:
Extraction and post-processing of the metric data from the agent, so
that full time-series, with all the necessary infrastructure
metadata, is available to the user
Maintenance of the infrastructure metadata (most notably Kubernetes
state), so that all events and time series can be enriched and
correctly grouped
Storage of time-series and event data
Processing of time-series data to calculate alert triggers
Queuing the security events triggered by the agents to be shown on
the event feed, notifying by the configured notification channels
and alerts and forwarding via the Event Forwarder to external
platforms like Splunk, Syslog or IBM MCM / Qradar
Aggregating and post-processing other security data such as
container fingerprints that will be used to generate container
profiles, or security benchmark results.
The Sysdig platform then stores this post-processed data in a set of
internal databases that will be combined by the API service to create
the data views, such as dashboards, event feeds, vulnerability reports,
or security benchmarks.
Sysdig APIs
The Sysdig platform provides several ways to consume and present its
internal data. All APIs are RESTful, HTTP JSON-based, and secured using
TLS. The same APIs are used to power the Sysdig front end, as well as
any API clients (such as sdc-cli).
Monitor API
User and Team management API
Dashboard API
Events API
Alerts API
Data API (proprietary Sysdig API for querying time-series data)
Secure API
Image Scanning API
Security Events API
Activity Audit API
Secure Overview API
PromQL API: Prometheus compatible HTTP API for querying time
-series data
These enable different use cases:
User access to the platform via the Sysdig user interface
Programmatic input and extraction of data, i.e.
Automatic user creation
Terraform scripts to save or recover configuration state
Inline scanning to push scanning results from the CI/CD pipeline
PromQL API interface that can be used to connect any
PromQL-compatible solutions, such as Grafana.
2.1.2 - System Requirements
Supported Distributions
Linux Distributions
A 64-bit Linux distribution with a minimum kernel version of 3.10, and
support of docker-engine 1.7.1 or later, is required for each server
instance.
Recommended Linux distributions: RedHat, Ubuntu, Amazon AMI, Amazon
Linux 2.
Docker Requirements
For the Docker installation, running devicemapper in ’loopback mode'
is not supported. It has known performance problems and a different
storage driver should be used.
Installing the latest version of Docker is recommended.
Cassandra
Cassandra is used as the metrics store for Sysdig agents. It is the most
dynamic component of the system, and requires additional attention to
ensure that your system is performing well and highly responsive.
This component is stateful, and should be treated more carefully than
stateless components. Cassandra sizing is based on a minimum replication
factor as well as the number of agents writing data.
A minimum replication factor of 3 is recommended for the Sysdig
application, which allows the cluster to survive the failure of 1
Cassandra instance.
Each agent consumes anywhere from 500MB to 2GB of Cassandra storage,
with average sizing at 1.5GB/agent. Because of Sysdig’s data aggregation
model, this storage should comfortably handle multi-year history. This
needs to then be multiplied by the replication factor to determine the
total disk space required. A rough calculation might be:
100 agents = 150GB raw, X replication factor of 3, = 450GB total
To be safe we recommend that you size some additional disk space as
buffer (say 25-50%) on top of that.
Network Configuration
The following firewall/security configurations are required for inbound
and outbound traffic for the Sysdig platform:
Replicated Management Console access (for on-premises installations that don't use Kubernetes)
Warning: Port 6666 should only be opened if agents will be
communicating with the collectors without encryption.
Additional ports may need to be configured for the Replicated
infrastructure manager. Refer to the Replicated port
requirements
documentation for more information.
HTTP/HTTPS and Proxy Support
All non-airgapped hosts require outbound HTTP/S internet access for:
License validation
Pulling Sysdig/Agent containers from the Docker hub repository
Release update checks
Note: Sysdig does not support HTTP/S proxies for Sysdig platform
components.
Summary: Plan Proxy Support for Notification Channels, CloudWatch Metrics, Capture Storage
In release #760 and newer of the Sysdig platform back-end, an option is
available to configure outgoing HTTP/HTTPS connections to be made via
proxy. This has been tested and supports outgoing web connections that
are necessary to support the following features:
Notification Channels
PagerDuty
Slack
Amazon SNS
VictorOps
OpsGenie
WebHook
Gathering of AWS CloudWatch data
Capture storage to an AWS S3 bucket
Proxied web connectivity to support authentication mechanisms (SAML.
OpenID Connect, OAuth) are not supported at this time.
Configure Proxy Using JVM Options
The proxy settings are configured via the JVM options passed to the
Sysdig software components. JVM options can be added/appended at any
time (with a required restart).
If JVM settings have already been set, log in to the Replicated
Management console and choose the Settings tab. At the bottom of
the screen, check the box to Show Advanced Settings to reveal
the configuration option.
# Optional: Sysdig Cloud application JVM options. For heavy load environments you'll need to tweak# the memory or garbage collection settingssysdigcloud.jvm.api.options:""sysdigcloud.jvm.worker.options:""sysdigcloud.jvm.collector.options:""
Enter the proxy parameters, as in the example below.
This JVM options string will forward all HTTP and HTTPS traffic via
outgoing port 8888 on a proxy at hostname
proxy.example.com. The IP address may be
specified instead of hostname.
-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=8888 -Dhttps.proxyPort=8888 -Dhttps.proxyHost=proxy.example.com# Optional: Sysdig Cloud application JVM options. For heavy load environments you'll need to tweak# the memory or garbage collection settingssysdigcloud.jvm.api.options:-Xms2048m -Xmx2048m -Dhttp.proxyHost=xxx.xxx.sysdig.com -Dhttp.proxyPort=80 -Dhttps.proxyHost=xxx.xxx.sysdig.com -Dhttps.proxyPort=80
Exclusions
Do not use local host or 127.0.0.1. By default, HTTP/HTTPS requests
to localhost or 127.0.0.1 will not be directed by the back-end
toward any configured proxy, which is necessary for the functioning
of some web components internal to the Sysdig platform containers.
If you deploy the Sysdig platform in AWS, add an additional proxy
parameter
-Dhttp.nonProxyHosts=169.254.169.254
Rational: This provides a work-around for the backend occasionally
making HTTP requests to a special instance metadata
address
169.254.169.254, which is undesirable when using a proxy.
This IP address will be excluded from proxying by default in a
future release.
If you have additional proxy exclusions you wish to specify that are
unique to your environment, these can also be added using the pipe
separator.
For example, assume your deployment was in AWS and you also had a
webhook target 192.168.1.2 that was not reachable via your proxy.To
exclude both:
Replicated: your complete string to enter into the console for
Sysdig application JVM options would be:
Kubernetes: when setting the sysdigcloud.jvm.api.options and
sysdigcloud.jvm.worker.options in the
config.yaml
for the ConfigMap, the pipe separator must be double-escaped, such
as:
The Sysdig platform requires the system clocks to be closely
synchronized between hosts. When provisioning hosts for installation,
ensure the system clocks are synchronized.
Recommended: Install NTP to ensure all host clocks stay
synchronized.
2.1.3 - Securing User Passwords
For MySQL, Redis, and the initial “super admin”
user, a strong password
is recommended, 16-20 characters, alphanumeric.
For Cassandra and MySQL, it is also possible to set up third-party
authentication
For Redis, users can set up an SSH tunnel and Sysdig can connect
over this tunnel.
2.2 - On-Premises Installation
When planning to install Sysdig products on-premises, enterprises
should:
Organize resources for a test environment and the production
environment
Review the supported platforms and orchestrators.
You can find the the official matrix in the onprem-install-docs repository. Click
the on-premise version and navigate to the release notes page to view the supported platforms.
Oversight Services Now Offered for All Installs and Upgrades
As part of our continued focus on our customers, we are now offering
oversight services for all on-premise installs and upgrades. Your
Technical Account Manager (TAM), in conjunction with our support
organization and Professional Services [where applicable], will work
with you to:
Assess your environment to ensure it is configured correctly
Review your infrastructure to validate the appropriate storage
capacities are available
Review and provide recommendations for backing up your Sysdig data
Work with you to ensure our teams are ready to assist you during the
install and upgrade process
Provide the software for the install
Be available during the process to ensure a successful deployment
You can always review the process in the documentation on
GitHub (v. 3.6.0+) or
the standard docs site
(for older versions).
If you are a new customer looking to explore Sysdig, please head over
here to sign up for a trial on
our SaaS Platform. Alternatively, you can contact us
here.
2.2.1 - Installer (Kubernetes | OpenShift)
For v 3.6.0+, go to the GitHub
repo. On-prem
installation documentation is transitioning to GitHub.
For customers, the instructions in this section are for review purposes
only.
The Sysdig Installer tool is a binary containing a collection of scripts
that help automate the on-premises deployment of the Sysdig platform
(Sysdig Monitor and/or Sysdig Secure), for environments using Kubernetes
or OpenShift. Use the Installer to install or upgrade your Sysdig
platform. It is recommended as a replacement for the earlier Kubernetes
manual installation and upgrade procedures.
Installation Overview
To install, you will download the installer binary and a values.yaml
file for the version you’d like to install, provide a few basic parameters, and launch the Installer. In a normal installation, the rest is automatically configured and deployed.
You can perform a quick install if your environment has access to the
internet, or a partial or full airgapped installation, as needed. Each
is described below.
Use hostPath for static storage of Sysdig components
Use Kubernetes node labels and taints to run only Sysdig pods on
selected nodes in a cluster
Install vs Upgrade
With Sysdig Platform 3.5.0, the installer has been simplified from
previous versions. Upgrade differs from Install in that you run an
installer diff to discover the differences between the old and new
versions and then installer deploy for the new version.
If you are installing the Sysdig Platform for the first time, ignore the
For Upgrade Only step in the process.
If you are upgrading, check the Upgrade
notes before you begin.
Prerequisites
The installer must be run from a machine with kubectl/oc configured
with access to the target cluster where the Sysdig platform will be
installed. Note that this cluster may be different than where the Sysdig
agent will be deployed.
Requirements for Installation Machine with Internet Access
Network access to Kubernetes cluster
Network access to quay.io
A domain name you are in control of.
Additional Requirements for Airgapped Environments
Edited values.yaml with airgap registry details updated
Network and authenticated access to the private registry
Access Requirements
Sysdig license key (Monitor and/or Secure)
Quay pull secret
Storage Requirements
You may use dynamic or static storage on a variety of platforms to store
the Sysdig platform components (stateful sets). Different configuration
parameters and values are used during the install, depending on which
scenario you have.
Use Case 1: Default, undefined (AWS/GKE)
If you will use dynamic storage on AWS or GKE and haven’t configured any
storage class there yet, then the Quick Install streamlines the process
for you.
storageclassProvisioner: Enter aws or gke. The installer will
create the appropriate storage class and then use it for all the
Sysdig platform stateful sets.
storageclassName: Leave empty.
Use Case 2: Dynamic, predefined
It is also possible that you are using dynamic storage but have already
created storage classes there. This dynamic storage could be AWS, GKE,
or any other functioning dynamic storage you use. In this case, you
would enter:
storageclassProvisioner: Leave empty; anything put here would be
ignored.
storageclassName: Provide the name of the pre-configured storage
class you want to use. The installer will use this storage class for
all the Sysdig platform stateful sets.
Use Case 3: Static Storage
In cases where dynamic storage is not available, you can use static
storage for the Sysdig stateful sets. In this case, you would use:
storageclassProvisioner: Enter hostpath, then define the nodes
for the four main Sysdig components: ElasticSearch, Cassandra,
MySQL, and Postgres.storageclassProvisioner
If you have the default use case, enter aws or gke in the
storageClassProvisioner field. Otherwise, refer to Use Case 2
or 3.
sysdig.license: Sysdig license key provided with your Sysdig
purchase confirmation mail
sysdig.dnsname: The domain name the Sysdig APIs will be
served on. Note that the master node may not be used as the DNS
name when using hostNetwork mode.
sysdig.collector.dnsName: (OpenShift installs only) Domain
name the Sysdig collector will be served on. When not configured
it defaults to whatever is configured for sysdig.dnsName. Note
that the master node may not be used as the DNS name when using
hostNetwork mode.
deployment: (OpenShift installs only) Add
deployment: openshift to the root of the values.yaml file.
sysdig.ingressNetworking: The networking construct used to
expose the Sysdig API and collector.Options are:
hostnetwork: sets the hostnetworking in the ingress
daemonset and opens host ports for api and collector. This
does not create a Kubernetes service.
loadbalancer: creates a service of type loadbalancer and
expects that your Kubernetes cluster can provision a load
balancer with your cloud provider.
nodeport: creates a service of type nodeport.The node
ports can be customized with:
sysdig.ingressNetworkingInsecureApiNodePort
sysdig.ingressNetworkingApiNodePort
sysdig.ingressNetworkingCollectorNodePort
When not configured, sysdig.ingressNetworking defaults to
hostnetwork.
If doing an airgapped install , you would also edit the
following values:
- **airgapped\_registry\_name:** The URL of the airgapped
(internal) docker registry. This URL is used for installations
where the Kubernetes cluster can not pull images directly from
Quay
- **airgapped\_repository\_prefix:** This defines custom
repository prefix for airgapped\_registry. Tags and pushes
images as
`airgapped_registry_name/airgapped_repository_prefix/image_name:tag`
- **airgapped\_registry\_password:** The password for the
configured airgapped\_registry\_username. Ignore this parameter
if the registry does not require authentication.
- **airgapped\_registry\_username:** The username for the
configured airgapped\_registry\_name. Ignore this parameter if
the registry does not require authentication.
[For Upgrades Only:]
[Generate and review the diff of changes the installer is about to
introduce:
./installer diff
This will generate the differences between the installed environment
and the upgrade version. The changes will be displayed in your
terminal.
If you want to override a change, based on your environment’s custom
settings, then contact Sysdig Support for assistance.]
Save the values.yaml file in a secure location; it will be used for
future upgrades. There will also be a generated directory containing various Kubernetes
configuration yaml files that were applied by the Installer against
your cluster. It is not necessary to keep the generated directory, as
the Installer can regenerate it consistently with the same
values.yaml file.
Airgapped Installation Options
The installer can be used in airgapped environments, either with a
multi-homed installation machine that has internet access, or in an
environment with no internet access.
This assumes a private docker registry is used and the installation
machine has network access to pull from quay.io and push images to the
private registry.
The Prerequisites and workflow are the same as in the Quickstart Install
(above) with the following exceptions:
In step 2, add the airgap registry information
After step 3, make the installer push Sysdig images to the airgapped
registry by running:
./installer airgap
That will pull all the images into the images_archive directory as
tar files and push them to the airgapped registry.
If you are upgrading, run the diff as directed in Step 4.
Run the installer:
./installer deploy
Full Airgap Install
This assumes a private docker registry is used and the installation
machine does not have network access to pull from quay.io, but can push
images to the private registry.
In this situation, a machine with network access (called the “jump
machine”) will pull an image containing a self-extracting tarball which
can be copied to the installation machine.
Access Requirements
Sysdig license key (Monitor and/or Secure)
Quay pull secret
Anchore license file (if Sysdig Secure is licensed)
If you have the default use case, enter aws or gke in the
storageClassProvisioner field. Otherwise, refer to Use Case 2
or 3.
sysdig.license: Sysdig license key provided with your Sysdig
purchase confirmation mail
sysdig.dnsname: The domain name the Sysdig APIs will be
served on. Note that the master node may not be used as the DNS
name when using hostNetwork mode.
sysdig.collector.dnsName: (OpenShift installs only) Domain
name the Sysdig collector will be served on. When not configured
it defaults to whatever is configured for sysdig.dnsName. Note
that the master node may not be used as the DNS name when using
hostNetwork mode.
deployment: (OpenShift installs only) Add
deployment: openshift to the root of the values.yaml file.
sysdig.ingressNetworking: The networking construct used to
expose the Sysdig API and collector.Options are:
hostnetwork: sets the hostnetworking in the ingress
daemonset and opens host ports for api and collector. This
does not create a Kubernetes service.
loadbalancer: creates a service of type loadbalancer and
expects that your Kubernetes cluster can provision a load
balancer with your cloud provider.
nodeport: creates a service of type nodeport.The node
ports can be customized with:
sysdig.ingressNetworkingInsecureApiNodePort
sysdig.ingressNetworkingApiNodePort
sysdig.ingressNetworkingCollectorNodePort
airgapped_registry_name: The URL of the airgapped
(internal) docker registry. This URL is used for installations
where the Kubernetes cluster can not pull images directly from
Quay
airgapped_repository_prefix: This defines custom
repository prefix for airgapped_registry. Tags and pushes
images as
airgapped_registry_name/airgapped_repository_prefix/image_name:tag
airgapped_registry_password: The password for the
configured airgapped_registry_username. Ignore this parameter
if the registry does not require authentication.
airgapped_registry_username: The username for the
configured airgapped_registry_name. Ignore this parameter if
the registry does not require authentication.
Copy the tarball file to the directory where you have your
values.yaml file.
NOTE: This step will extract the images into the
images_archive directory relative to where the installer was run
and push the images to the airgapped_registry.
[For Upgrades Only:]
[Generate and review the diff of changes the installer is about to
introduce:
./installer diff
This will generate the differences between the installed environment
and the upgrade version. The changes will be displayed in your
terminal.
If you want to override a change, based on your environment’s custom
settings, then contact Sysdig Support for assistance.]
Save the values.yaml file in a secure location; it will be used for
future upgrades.
There will also be a generated directory containing various Kubernetes
configuration yaml files that were applied by the Installer against
your cluster. It is not necessary to keep the generated directory, as
the Installer can regenerate it consistently with the same
values.yaml file.
Updating Vulnerability Feed in Airgapped Environments
NOTE: Sysdig Secure users who install in an airgapped environment do
not have internet access to the continuous checks of vulnerability
databases that are used in image scanning. (See also: How Sysdig Image
Scanning
Works.)
As of installer version 3.2.0-9, airgapped environments can also
receive periodic vulnerability database updates.
When you install with the “airgapped_” parameters enabled (see Full
Airgap
Install
instructions), the installer will automatically push the latest
vulnerability database to your environment. Follow the steps below to
reinstall/refresh the vuln db, or use the script and chron job to
schedule automated updates (daily, weekly, etc.).
To automatically update the vulnerability database, you can:
Schedule a chron job to run the script on a chosen schedule (e.g. every
day):
08***feeds-database-update.sh >/dev/null 2>&1
Output
A successful installation should display output in the terminal such as:
All Pods Ready.....ContinuingCongratulations, your Sysdig installation was successful!You can now login to the UI at "https://awesome-domain.com:443" with:username:"configured-username@awesome-domain.com"password:"awesome-password"
There will also be a generated directory containing various Kubernetes
configuration yaml files which were applied by installer against your
cluster. It is not necessary to keep the generated directory, as the
installer can regenerate consistently with the same values.yaml file.
Additional Installer Resources
To see all the configuration parameters available, as well as their
definitions, values, and examples, see
configuration_parameters.md
on GitHub. Please note that this is for version 5.1.4 of the installer.
2.2.1.1 - Frequently Used Installer Configurations
SMTP Configs for Email Notifications
The available fields for SMTP configuration are documented in the
configuration_parameters.md. Each includes SMTP in its name. For
example:
sysdig:...smtpServer:smtp.sendgrid.netsmtpServerPort:587#User,Password can be empty if the server does not require authenticationsmtpUser:apikeysmtpPassword:XY.abcdefghijk...smtpProtocolTLS:truesmtpProtocolSSL:false#Optional Email HeadersmtpFromAddress:sysdig@mycompany.com
To configure email settings to be used for a notification
channel, copy the
parameters and appropriate values into your values.yaml.
Use hostPath for Static Storage of Sysdig Components
The Installer assumes the usage of a dynamic storage provider (AWS or
GKE). In case these are not used in your environment, add the entries
below to thevalues.yamlto configure static storage.
Based on the size entered in the values.yaml file
(small/medium/large), the Installer assumes a minimum number of
replicas and nodes to be provided. You will enter the names of the nodes
on which you will run the Cassandra, ElasticSearch, mySQL and Postgres
components of Sysdig in the values.yaml, as in the parameters and
example below.
Parameters
storageClassProvisioner:hostPath.
sysdig.cassandra.hostPathNodes: The number of nodes configured
here needs to be at minimum 1 when configured size is small, 3
when configured size is medium and 6 when configured size is
large.
elasticsearch.hostPathNodes: The number of nodes configured here
needs to be at minimum 1 when configured size is small, 3 when
configured size is medium and 6 when configured size is large.
sysdig.mysql.hostPathNodes: When sysdig.mysqlHA is configured to
true, this must be at least 3 nodes. When sysdig.mysqlHA is not
configured, it should be at least 1 node.
sysdig.postgresql.hostPathNodes: This can be ignored if Sysdig
Secure is not licensed or used in this environment. If Secure is
used, then the parameter should be set to 1, regardless of the
size setting
Run Only Sysdig Pods on a Node Using Taints and Tolerations
If you have a large shared Kubernetes cluster and want to dedicate a few
nodes for just the Sysdig backend component installation, you can use
the Kubernetes concept of taints and
tolerations.
Copy that section to your own values.yaml file and edit with
labels and taints you assigned.
Example from the sample file:
# To make the 'tolerations' code sample below functional, assign nodes the taint# dedicated=sysdig:NoSchedule. E.g:# kubectl taint my-awesome-node01 dedicated=sysdig:NoScheduletolerations:- key:"dedicated"operator:"Equal"value:sysdigeffect:"NoSchedule"# To make the Label code sample below functional, assign nodes the label# role=sysdig.# e.g: kubectl label nodes my-awesome-node01 role=sysdignodeaffinityLabel:key:rolevalue:sysdig
Patching
Patching can be used to customize or “tweak” the default behavior of the
Installer to accommodate the unique requirements of a specific
environment. Use patching to modify the parameters that are not exposed
by thevalues.yaml. Refer to the configuration_parameters.md for more
detail about various parameters.
The most common use case for patching is during
upgrades. When generating
the differences between an existing installation and the upgrade, you
may see previously customized configurations that the upgrade would
overwrite, but that you want to preserve.
Patching Process
If you have run generate diff and found a configuration that you
need to tweak (e.g. the installer will delete something you want to
keep, or you need to add something that isn’t there), then follow these
general steps:
Create an overlays directory in the same location as the
values.yaml.
This directory, and the PATCH.yaml you create for it, must be kept.
The installer will use it during future upgrades of Sysdig.
Create a .yaml file to be used for patching. You can name it
whatever you want; we will call it PATCH.yaml for this example.
Patch files must include, at a minimum:
apiVersion
kind
metadata.name
of the object to be patched.
Then you add the specific configuration required for your needs. See
one example below.
You will need this patch definition for every Kubernetes object you
want to patch.
Run generate diff again and check that the outcome will be what
you want.
When satisfied, complete the update by changing the scripts value to
deploy and running the installer (see Installer Upgrade
(2.5.0+).
If you want to add another patch, you can either add a separate
.yaml file or a new YAML document separated by ---.
The recommended practice is to use a single patch per Kubernetes object.
Example
Presume you have the following generated configuration:
All on-premises installations and upgrades are now scheduled with and guided by Sysdig technical account managers and professional services division. See Oversight Services Now Offered for All Installs and Upgrades. For customers, the instructions in this section are for review purposes
only.
The Sysdig platform includes both Sysdig Monitor and Sysdig Secure,
which are licensed separately. All installations include Sysdig Monitor,
while some of the Secure components are installed and configured as
additional steps, as noted.
When installing the Sysdig platform with Kubernetes as the
orchestrator, you install each backend component with separate kubectl
commands.
Installation with the Installer tool is recommended from version 2.5.0 onwards.
To perform a manual install on OpenShift, see Manual Install
(OpenShift). The manual install on Kubernetes 1.9+ is described below.
Prerequisites
Access to a running Kubernetes cluster 1.9+
(Note: if your environment is installed elsewhere, such as your own
data center, contact Sysdig Professional Services to customize the
installation instructions appropriately.)
Two items from your Sysdig purchase-confirmation email:
kubectl installed on your machine and communicating with the
Kubernetes cluster
(Note that your kubectl and Kubernetes versions should match to
avoid errors.)
An External Load Balancer (required for production – see below)
If installing in a cloud-provider environment (such as AWS, GCloud,
or Azure), you will deploy an HAProxy load balancer and point a DNS
record to that load balancer.
If installing in your own data center, then you will need two DNS
records, one for the collector and one for the UI.
A DNS server and control over a DNS name that you can point to
Sysdig
Consider Elasticsearch Default Privileges
By default, the Elasticsearch container will be installed in
privileged (root-access) mode. This mode is only needed so the
container can reconfigure the hosts’ Linux file descriptors if
necessary. See Elasticsearch’s description
here.
If you prefer not to allow Elasticsearch to run with root access to the
host, you will need to:
Set your own file descriptors on all Linux hosts in the Kubernetes
cluster.
If one host were to go down, Kubernetes could choose a different
node for Elasticsearch, so each Linux host must have the file
descriptors set.
Setprivileged:falsein the elasticsearch-statefulset.yaml
file.
See the step under Coonfigure Backend Components, below, for
details.
Configure Storage Class
If you are using EKS or GKE, default storage classes are provided; check
for them (step 1).
In other environments, you may need to create a storage class (step 2).
Finally, enter the storageClassName in the appropriate .yaml files
(step 3).
Verify whether a storage class has been created, by running the
command:
kubectl get storageclass
If no storage class has been defined, create a manifest for one, and
then deploy it.
For example, a manifest could be named
sysdigcloud-storageclass.yaml and contain the following contents
(for a storage class using GP2 volumes in AWS):
Sysdig provides the necessary scripts, images, and .yaml files in a
GitHub repository. The first step is to clone those files and check out
the latest version. (These examples use 1234.)
Create a TCP load balancer (i.e., AWS NLB) that forwards ports 80, 443,
6443 to the Kubernetes worker nodes, with a healthcheck to /healthz on
port 10253.
This can be done in three ways:
Use an existing external load balancer. Sysdig relies heavily on
DNS; you need a DNS record pointing to the load balancer.
Create a yaml with the following content and apply it to the
sysdigcloud namespace. This automatically creates a load balancer in
the cloud provider environment, with an external DNS name.
This is the fully qualified domain name required later in the
config.yaml, api-ingress.yaml and/or
api-ingress-with-secure.yaml.
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTORhaproxy-ingress-lb-service LoadBalancer 100.66.118.183 sample123.us-east-1.elb.amazonaws.com 80:31688/TCP,443:32324/TCP,6443:30668/TCP 1d run=haproxy-ingress
DNS Entry (For Test Environments without a Load Balancer)
Not for production environments.
Create a DNS entry for your Sysdig install using the fully qualified
domain name that contains all the external IPs as A records. This will
use DNS round-robin to load balance your clients to the Kubernetes
cluster.
Change the super admin name and password, which are the super
admin credentials for the entire system. See
here for details.
Find the settings in config.yaml here:
sysdigcloud.default.user:test@sysdig.com# Required: Sysdig Cloud super admin user password# NOTE: Change upon first loginsysdigcloud.default.user.password:test
Change the mysql.password from change_me to desired
credentials.
mysql.password:change_me# Required: Cassandra endpoint DNS/IP. If Cassandra is deployed as aKubernetes service, this will be the service name.# If using an external database, put the proper address (the address of asingle node will be sufficient)
**Edit the collector endpoint and api-url:**Change the defaults
(sysdigcloud-collector and sysdigcloud-api:443) to point to the
DNS name you have established for Sysdig.
Configure DNS name in api-ingress.yaml (or
api-ingress-with-secure.yaml if using Secure). (Files located in
sysdigcloud/)
Edit: host: <EXTERNAL-DNS-NAME> to suit your DNS name
Define namespace in ingress-clusterrolebinding.yaml. (File
located in
sysdigcloud/ingress_controller/) Edit namespace: sysdigcloud
Step 2 Add Storage Class to Manifests
Using either the existing storage class name from step 1, or the storage
class name defined in the previous step, edit the storageClassName in
the following .yaml files:
Step 6 (Optional) Use CA Certs for External SSL Connection
The Sysdig platform may sometimes open connections over SSL to certain
external services, including:
LDAP over SSL
SAML over SSL
OpenID Connect over SSL
HTTPS Proxies
If the signing authorities for the certificates presented by these
services are not well-known to the Sysdig Platform (e.g., if you
maintain your own Certificate Authority), they are not trusted by
default.
To allow the Sysdig platform to trust these certificates, use the
command below to upload one or more PEM-format CA certificates. You must
ensure you’ve uploaded all certificates in the CA approval chain to the
root CA.
Create the datastore statefulsets for Elasticsearch and Cassandra.
Elasticsearch and Cassandra are automatically set up with
--replica=3 generating full clusters.
After updating the configmap, the Sysdig components must be restarted
for the changed parameters to take effect. This can be done by forcing a
rolling update of the deployments.
A possible way to do so is to change something innocuous, which forces a
rolling update. E.g.:
For Sysdig installations on Kubernetes or OpenShift, version 2.5.0 and
above.
The Sysdig Installer tool is a Docker image containing a collection of
scripts that help automate the on-premises deployment of the Sysdig
platform (Sysdig Monitor and/or Sysdig Secure), for environments using
Kubernetes or OpenShift. Use the Installer to install or upgrade your
Sysdig platform. It is recommended as a replacement for the earlier
Kubernetes manual installation and upgrade procedures.
Installation Overview
To install, you will log in to quay.io, download a values.yaml
file, provide a few basic parameters in it, and launch the Installer. In
a normal installation, the rest is automatically configured and
deployed.
You can perform a quick install if your environment has access to the
internet, or a partial or full airgapped installation, as needed. Each
is described below.
Use hostPath for static storage of Sysdig components
Use Kubernetes node labels and taints to run only Sysdig pods on
selected nodes in a cluster
Prerequisites
The installer must be run from a machine with kubectl/oc configured
with access to the target cluster where the Sysdig platform will be
installed. Note that this cluster may be different than where the Sysdig
agent will be deployed.
Requirements for Installation Machine with Internet Access
Additional Requirements for Airgapped Environments
Edited values.yaml
with
airgap registry details updated
Network and authenticated access to the private registry
Access Requirements
Sysdig license key (Monitor and/or Secure)
Quay pull secret
Storage Requirements
You may use dynamic or static storage on a variety of platforms to store
the Sysdig platform components (stateful sets). Different configuration
parameters and values are used during the install, depending on which
scenario you have.
Use Case 1: Default, undefined (AWS/GKE)
If you will use dynamic storage on AWS or GKE and haven’t configured any
storage class there yet, then the Quick Install streamlines the process
for you.
storageclassProvisioner: Enter aws or gke. The installer will
create the appropriate storage class and then use it for all the
Sysdig platform stateful sets.
storageclassName: Leave empty.
Use Case 2: Dynamic, predefined
It is also possible that you are using dynamic storage but have already
created storage classes there. This dynamic storage could be AWS, GKE,
or any other functioning dynamic storage you use. In this case, you
would enter:
storageclassProvisioner: Leave empty; anything put here would be
ignored.
storageclassName: Provide the name of the pre-configured storage
class you want to use. The installer will use this storage class for
all the Sysdig platform stateful sets.
Use Case 3: Static Storage
In cases where dynamic storage is not available, you can use static
storage for the Sysdig stateful sets. In this case, you would use:
storageclassProvisioner: Enter hostpath, then define the nodes
for the four main Sysdig components: ElasticSearch, Cassandra,
MySQL, and Postgres.storageclassProvisioner
If you have the default use case, enter aws or gke in the
storageClassProvisioner field. Otherwise, refer to Use Case 2
or 3.
sysdig.license: Sysdig license key provided with your Sysdig
purchase confirmation mail
sysdig.dnsname: The domain name the Sysdig APIs will be
served on. Note that the master node may not be used as the DNS
name when using hostNetwork mode.
sysdig.collector.dnsName: (OpenShift installs only) Domain
name the Sysdig collector will be served on. When not configured
it defaults to whatever is configured for sysdig.dnsName. Note
that the master node may not be used as the DNS name when using
hostNetwork mode.
deployment: (OpenShift installs only) Add
deployment: openshift to the root of the values.yaml file.
sysdig.ingressNetworking: The networking construct used to
expose the Sysdig API and collector.Options are:
hostnetwork: sets the hostnetworking in the ingress
daemonset and opens host ports for api and collector. This
does not create a Kubernetes service.
loadbalancer: creates a service of type loadbalancer and
expects that your Kubernetes cluster can provision a load
balancer with your cloud provider.
nodeport: creates a service of type nodeport.The node
ports can be customized with:
sysdig.ingressNetworkingInsecureApiNodePort
sysdig.ingressNetworkingApiNodePort
sysdig.ingressNetworkingCollectorNodePort
When not configured, sysdig.ingressNetworking defaults to
hostnetwork.
If doing an airgapped install , you would also edit the
following values:
- **airgapped\_registry\_name:** The URL of the airgapped
(internal) docker registry. This URL is used for installations
where the Kubernetes cluster can not pull images directly from
Quay
- **airgapped\_repository\_prefix:** This defines custom
repository prefix for airgapped\_registry. Tags and pushes
images as
`airgapped_registry_name/airgapped_repository_prefix/image_name:tag`
- **airgapped\_registry\_password:** The password for the
configured airgapped\_registry\_username. Ignore this parameter
if the registry does not require authentication.
- **airgapped\_registry\_username:** The username for the
configured airgapped\_registry\_name. Ignore this parameter if
the registry does not require authentication.
Run the installer. (This step differs in Airgapped Installation,
below.)
Save the values.yaml file in a secure location; it will be used for
future upgrades.
There will also be a generated directory containing various Kubernetes
configuration yaml files that were applied by the Installer against
your cluster. It is not necessary to keep the generated directory, as
the Installer can regenerate it consistently with the same
values.yaml file.
Airgapped Installation Options
The installer can be used to install in airgapped environments, either
with a multi-homed installation machine that has internet access, or in
an environment with no internet access.
Updating Vulnerability Feed in Airgapped Environments
NOTE: Sysdig Secure users who install in an airgapped environment do
not have internet access to the continuous checks of vulnerability
databases that are used in image scanning. (See also: How Sysdig Image
Scanning
Works.)
As of installer version 3.2.0-9, airgapped environments can also
receive periodic vulnerability database updates.
When you install with the “airgapped_” parameters enabled (see Full
Airgap
Install
instructions), the installer will automatically push the latest
vulnerability database to your environment. Follow the steps below to
reinstall/refresh the vuln db, or use the script and chron job to
schedule automated updates (daily, weekly, etc.).
To automatically update the vulnerability database, you can:
This assumes a private docker registry is used and the installation
machine has network access to pull from quay.io and push images to the
private registry.
The Prerequisites and workflow are the same as in the Quickstart Install
(above) with the following exceptions:
This assumes a private docker registry is used and the installation
machine does not have network access to pull from quay.io, but can push
images to the private registry.
In this situation, a machine with network access (called the “jump
machine”) will pull an image containing a self-extracting tarball which
can be copied to the installation machine.
If you have the default use case, enter aws or gke in the
storageClassProvisioner field. Otherwise, refer to Use Case 2
or 3.
sysdig.license: Sysdig license key provided with your Sysdig
purchase confirmation mail
sysdig.dnsname: The domain name the Sysdig APIs will be
served on. Note that the master node may not be used as the DNS
name when using hostNetwork mode.
sysdig.collector.dnsName: (OpenShift installs only) Domain
name the Sysdig collector will be served on. When not configured
it defaults to whatever is configured for sysdig.dnsName. Note
that the master node may not be used as the DNS name when using
hostNetwork mode.
deployment: (OpenShift installs only) Add
deployment: openshift to the root of the values.yaml file.
sysdig.ingressNetworking: The networking construct used to
expose the Sysdig API and collector.Options are:
hostnetwork: sets the hostnetworking in the ingress
daemonset and opens host ports for api and collector. This
does not create a Kubernetes service.
loadbalancer: creates a service of type loadbalancer and
expects that your Kubernetes cluster can provision a load
balancer with your cloud provider.
nodeport: creates a service of type nodeport.The node
ports can be customized with:
sysdig.ingressNetworkingInsecureApiNodePort
sysdig.ingressNetworkingApiNodePort
sysdig.ingressNetworkingCollectorNodePort
airgapped_registry_name: The URL of the airgapped
(internal) docker registry. This URL is used for installations
where the Kubernetes cluster can not pull images directly from
Quay
airgapped_repository_prefix: This defines custom
repository prefix for airgapped_registry. Tags and pushes
images as
airgapped_registry_name/airgapped_repository_prefix/image_name:tag
airgapped_registry_password: The password for the
configured airgapped_registry_username. Ignore this parameter
if the registry does not require authentication.
airgapped_registry_username: The username for the
configured airgapped_registry_name. Ignore this parameter if
the registry does not require authentication.
Copy the tarball file to the directory where you have your
values.yaml file.
Run the tar file:
bash sysdig_installer.tar.gz
NOTE: The above step extracts images, runs the installer, and pushes
images to the remote repository in a single step. The extract/push
images can be redundant for successive installer runs. Setting
IMAGE_EXTRACT_PUSH=false runs only the installer:
Save the values.yaml file in a secure location; it will be used for
future upgrades.
There will also be a generated directory containing various Kubernetes
configuration yaml files that were applied by the Installer against
your cluster. It is not necessary to keep the generated directory, as
the Installer can regenerate it consistently with the same
values.yaml file.
Output
A successful installation should display output in the terminal such as:
All Pods Ready.....ContinuingCongratulations, your Sysdig installation was successful!You can now login to the UI at "https://awesome-domain.com:443" with:username:"configured-username@awesome-domain.com"password:"awesome-password"
There will also be a generated directory containing various Kubernetes
configuration yaml files which were applied by installer against your
cluster. It is not necessary to keep the generated directory, as the
installer can regenerate consistently with the same values.yaml file.
Additional Installer Resources
To see all the configuration parameters available, as well as their
definitions, values, and examples, see
configuration_parameters.md
on GitHub.
For customers, the instructions in this section are for review purposes only.
As of Sysdig Platform v 2.5.0, a semi-automated install option is
available and is preferred. This section describes how to install the backend components of the
Sysdig platform using an existing OpenShift cluster. It applies to
backend versions 1929 and higher.
Introduction
The Sysdig platform includes both Sysdig Monitor and Sysdig Secure,
which are licensed separately. All installations include Sysdig Monitor,
while some of the Secure components are installed and configured as
additional steps within the overall installation process. When
installing the Sysdig platform on OpenShift manually, you will install
each backend component with separate oc commands.
Prerequisites
Overview
Access to a running OpenShift 3.11+ instance
Two items from your Sysdig purchase-confirmation email:
octools installed on your machine and communicating with the
OpenShift cluster. (Note that your oc and OpenShift versions
should match to avoid errors.)
DNS Preparation
If you want more information on OpenShift’s DNS requirements; see the
OpenShift
documentation.
Option 1: DNS without Wildcard
You need to request two different DNS records from your DNS team:
one for the Sysdig API/UI and another for the Sysdig collector.
These records should point to your infrastructure nodes and are the
two routes that will be exposed, i.e., sysdig.api.example.com and
sysdig.collector.example.com.
Option 2: DNS with Wildcard
With wildcard DNS, you do not have to make an official request from
the DNS team. Your implementation team can pick any two DNS names to
use for the API/UI and Collector. These will be exposed to the
infrastructure nodes once the configuration is completed. (i.e.
sysdig.api.example.com and sysdig.collector.example.com.)
With wildcard SSL, you use the same certificate for both the API and
the collector.
SSL without Wildcard
You need two SSL certs, one for each DNS record.
Consider Elasticsearch Default Privileges
By default, the Elasticsearch container will be installed in
privileged (root-access) mode. This mode is only needed so the
container can reconfigure the hosts’ Linux file descriptors if
necessary. See Elasticsearch’s description
here.
If you prefer not to allow Elasticsearch to run with root access to the
host, you will need to:
Set your own file descriptors on all Linux hosts in the Kubernetes
cluster.
If one host were to go down, Kubernetes could choose a different
node for Elasticsearch, so each Linux host must have the file
descriptors set.
Setprivileged:falsein the elasticsearch-statefulset.yaml
file.
See the step under Coonfigure Backend Components, below, for
details.
The source link has the format:
https://github.com/draios/sysdigcloud-kubernetes/archive/<v1234>.tar.gz. To
unpack it, run the following commands (replacing version number as
appropriate):
Change the super admin name and password, which are the super
admin credentials for the entire system. See
here for details.
Find the settings in config.yaml here:
sysdigcloud.default.user:test@sysdig.com# Required: Sysdig Cloud super admin user password# NOTE: Change upon first loginsysdigcloud.default.user.password:test
**Edit the collector endpoint and API URL:**Change the placeholder
to point to the DNS names you have established for Sysdig.
Remember that you must have defined one name for the collector and
another for the API URL.
Note: Change the collector port to 443.
```yaml
collector.endpoint: <COLLECTOR_DNS_NAME>
collector.port: "443"
api.url: https://<API_DNS_NAME>:443
```
Recommended: edit the file to set the JVM options for Cassandra,
Elasticsearch, and API, worker, and collector as well.
Edit the collector DNS name in the fileopenshift-collector-router.yaml. Use the collector DNS name you
created in the Prerequisites.
The file is located in sysdigcloud/openshift/.
spec:host:<COLLECTOR_DNS_NAME>
Step 3 (Secure-Only): Edit mysql-deployment.yaml
If using Sysdig Secure :
Edit the MySQL deployment to uncomment the MYSQL_EXTRADB_*
environment variables. This forces MySQL to create the necessary
scanning database on startup.
The scanning service will not start unless MySQL creates the scanning database.
Step 4: Deploy Your Quay Pull Secret
A specific Quay pull secret is sent via email with your license key.
Edit the file sysdigcloud/pull-secret.yaml and change the
place holder <PULL_SECRET> with the provided pull secret.
vi sysdigcloud/pull-secret.yaml---apiVersion:v1kind:Secretmetadata:name:sysdigcloud-pull-secretdata:.dockerconfigjson:<PULL_SECRET>type:kubernetes.io/dockerconfigjson
Step 6: (Optional) Use CA Certs for External SSL Connections
The Sysdig platform may sometimes open connections over SSL to certain
external services, including:
LDAP over SSL
SAML over SSL
OpenID Connect over SSL
HTTPS Proxies
If the signing authorities for the certificates presented by these
services are not well-known to the Sysdig Platform (e.g., if you
maintain your own Certificate Authority), they are not trusted by
default.
To allow the Sysdig platform to trust these certificates, use the
command below to upload one or more PEM-format CA certificates. You must
ensure you’ve uploaded all certificates in the CA approval chain to the
root CA.
You need a storage class; step 2 shows how to create one if needed.
Enter the storageClassName in the appropriate .yaml files (see step
3).
Verify whether a storage class has been created, by running the
command:
oc get storageclass
If no storage class has been defined, create a manifest for one, and
then deploy it.
For example, a manifest could be named
sysdigcloud-storageclass.yaml and contain the following contents
(for a storage class using GP2 volumes in AWS):
Using either the existing storage class name from step 1, or the
storage class name defined in step 2, edit the storageClassName in
the following .yaml files:
Create the datastore statefulsets for Elasticsearch and Cassandra.
Elasticsearch and Cassandra are automatically set up with
--replica=3 generating full clusters.
Apply the appropriate ingress yaml. (The API_DNS name was entered in
step 7, in Step 2: Configure Backend
Components
This configures the route to the Sysdig UI.
After updating the configmap, the Sysdig components must be restarted
for the changed parameters to take effect. This can be done by forcing a
rolling update of the deployments.
A possible way to do so is to change something innocuous, which forces a
rolling update. E.g.:
Sysdig will deprecate support for Replicated installs in the coming
months. If you are a new customer considering installing with
Replicated, please contact Sysdig
support.
Understand the Choice Points
When planning an on-premises installation, the following choice points
must be decided upon.
Infrastructure Managers: To install Sysdig on-premises,
administrators choose one of two infrastructure managers:
Replicated: an easy-to-use orchestrator that includes a GUI
management tool.
This guide describes how to install the Replicated client and
use it to install and manage the Sysdig platform.
Single-Host or Multi-Host Install: For test or proof-of-concept
installations, a single-host install will include all components;
for production, a distributed environment is needed.
Airgapped or non-airgapped environment:
If your environment is accessible to the Internet during the install
process, then the installation options include both script-based or
GUI-based.
In airgapped environments (no Internet access), you must download
components into your airgapped repository, and can only use the
GUI-based installation.
Where to put the Replicated Management Console: When installing
on-premises using Replicated as the orchestrator, the following
Replicated components will be installed on your system:
Replicated UI (on a host you designate to host the Replicated
Management Console)
Replicated retraced containers that handle logging (on the
Management Console host only)
Replicated operator component (will go on all hosts)
In a multi-host installation, one server will be the Replicated
Management Console host. The system load for these components is minor.
No matter which installation options you choose, you will use the
Replicated GUI post-installation to:
Sysdig will deprecate support for Replicated installs in the coming months. If you are a new customer considering installing with Replicated, please contact Sysdig support.
To install the Sysdig platform on-premises, in an environment that has
no inbound or outbound paths available to internet traffic, you must use
the Replicated GUI-based installation option. No script-based option is
currently available.
Perform the following steps to download the required Sysdig installation
files, the Replicated components, and the Sysdig license file, and save
them to a repository on your airgapped server. Then perform the setup
steps in the Replicated Management Console, as described below.
Prerequisites
A server instance with Docker version 1.7.1 or later installed is
required prior to installation.
The Replicated .airgap installation script does not install
docker-engine. Sysdig recommends using the latest version of Docker
available for the server operating system.
Continue with “Setting the Replication Management Password” and the rest
of the installation steps in Install Components
(Replicated).
2.2.5.2 - Install Components (Replicated)
Sysdig will deprecate support for Replicated installs in the coming months. If you are a new customer considering installing with Replicated, please contact Sysdig support.
You can use the Replicated UI to install the Sysdig platform on either a single host or on multiple hosts. If multi-host, decide which machine
will also run the Replicated Admin Console and begin there.
If your environment is “airgapped” (no access to inbound or outbound
internet traffic), there are some setup steps you must perform before
doing the GUI-based Replicated installation.
Log in to the chosen machine with a shell and run a command to install
the Replicated components. You can also install Docker if it’s not
already on the environment.
Log into the designated server instance with SSH.
Run the following commands:
a. To install the Replicated Infrastructure and Docker:
Log In to Replicated Admin Console/ “admin console” and Set SSL Certificate
As prompted, open the Replicated Client at
https://<yourserver>:8800.
Supply the DNS hostname for the Replicated Admin Console.
Accept the self-signed certificate, or upload a custom SSL
certificate and private key.
Note: If a self-signed certificate is uploaded, it must include
the end user, all intermediate, and the root certificates, as the
certificate will be used by the Sysdig platform, as well as for the
Replicated Admin Console.
Click the Choose License button, and upload the Sysdig license
file supplied from Sysdig Sales.
Choose Online installation option if prompted.
Set the Replicated Admin Console Password
Once the Sysdig license validation is complete, secure the Replicated
Admin Console using a local password, LDAP user account, or anonymous
access (insecure).
Sysdig recommends securing the console with either a local password or
LDAP user account.
Click Continue.
Configure Sysdig Super Admin Password and Basic Settings
After clicking Continue, the Settings page is displayed. Here you enter
the configuration information that will be used by Replicated to
orchestrate the Sysdig installation.
||
||
Define Advanced Settings
These settings are typically defined with consultation from a Sysdig
Sales Engineer.
Any JVM options to be passed to the application, such as memory
constraint settings for the Java Virtual Machine components, proxy
settings, etc.
At a minimum, it is recommended to define the memory constraints, in the
format:
-Xms###g Xmx###g.
Note that if multiple components are on a single machine, adjust the
percentages as needed so JVMs all fit in a node.
Cassandra JVM options: recommended allocating 50% of the host’s
memory to this JVM
(in a multi-node environment)
Elasticsearch JVM options: recommended allocating 50% of the
host’s memory to this JVM
(in a multi-node environment)
Sysdig Cloud application JVM options: recommended to allocate up
to 80% of the host’s memory to this JVM.
NOTE: If you do not want to use SSL between the agent and the
collectors, you append the following settings to the Sysdig Cloud
application JVM options entry:
Sysdig UI port: default 80. Port used for the Sysdig Monitor/
Sysdig Secure GUI.
Sysdig UI secure port: default 433. SSL port used for Sysdig
Monitor/ Sysdig Secure GUI.
Force HTTPS: This turns off the unsecured port (80) access.
Forward Sysdig application logs to stdout: switches logging
from the application log files to Linux standard output (stdout).
Sysdig collector port: default 6443. Port used for agent metrics
collection. See also Agent
Installation.
In earlier versions, the Sysdig Agent connected to port 6666. This
behavior has been deprecated, as the Sysdig agent now connects to
port 6443.
Sysdig secure collector port: default 6443. Port used for agent
metrics collection. See also Agent
Installation.
Exposed port for HTTP traffic inbound to Sysdig Platform backend
container: 27878 – do not change without the recommendation of
Sysdig Support.
Exposed port for Collector traffic inbound: 27877 – do not
change without the recommendation of Sysdig Support.
Database Entries
Store Sysdig Captures in Cassandra (recommended): Default
checked. Used for Sysdig trace file storage when capture function is
used. If you do not store files in the Cassandra DB, you can
alternately configure an AWS S3 bucket storage location.
Sysdig data directory: default /opt. Where Cassandra, MySQL,
and Elasticsearch databases will be created on a host.
Cassandra CQL native client’s port: The default port is 9042.
Change the default port if you are running your own Cassandra
cluster with non-standard ports.
Cassandra replication factor: The value should be either 1 or 3,
never 2.
Sysdig MySQL user: default admin, recommend changing
Sysdig MySQL password: Enter a unique password and store
securely.
This password is needed for future updates and will not be visible
in the Replicated Admin Console. Retain this password for future
use.
Sysdig MySQL max connections: The default is 1024.
Cassandra CQL native client’s port: The default is 9042.
External MySQL service: The secure end of your MySQL service.
This is external to the Sysdig platform.
External Cassandra service: The secure end of your Cassandra
service. This is external to the Sysdig platform.
External Redis service: The secure end of your Redis
Service. This is external to the Sysdig platform.
Sysdig Redis password: The password associated with the Redis
account.
External Elasticsearch service URL: An external service URL with
user name and password embedded
OAuth allowed domains: List of secure Elasticsearch domains.
Google OAuth client ID: Used when integrating Google-based user
login.
Google OAuth client secret: Used when integrating Google-based
user login. See Google OAuth
(On-Prem)
SSO CA certificate: CA certificate for single sign-on.
Datastore Authorization and SSL: See Authenticating Backend
Components on Cassandra and Authenticating Backend Components on
Elasticsearch.
When fields are complete, click Save.
After Saving, click Start Now to apply settings to the environment
immediately. Click Cancel to apply settings at a later time.
Authenticating Backend Components on Cassandra
As of version 2.4.1, authenticating Sysdig
backend components
on Sysdig’s Cassandra nodes or for your own Cassandra nodes is
supported. In order to authenticate the backend components to Cassandra,
enable the option, specify credentials of the identity you want to
establish with Cassandra, and enable secure communication. This is the
additional layer of defense against unauthorized access to the
datastore.
Enable Cassandra Authentication
Enable Cassandra authentication: Select this option if you want
to authenticate Sysdig backend components to use Cassandra
datastore. The option by default is disabled.
Cassandra password for authentication: The password associated
with the username. If running Sysdig’s Cassandra database, create a
password here. If you are using your own Cassandra database, enter
the appropriate user password for Sysdig access.
Enable Cassandra TLS: (Mandatory) Establish TLS communication
between the Sysdig backend components and the Cassandra node. The
option by default is unchecked.
Cassandra username for authentication: The username of the
identity that you want to establish with Cassandra. If running
Sysdig’s Cassandra database, create a user here. If you are using
your own Cassandra database, enter the appropriate user account for
Sysdig access.
Authenticating Backend Components on Elasticsearch
As of version 2.4.1, authenticating Sysdig backend components on both
Sysdig’s Elasticsearch cluster or for your own Elasticsearch cluster is
supported. In order to authenticate the backend components to
Elasticsearch datastore, configure TLS-based authentication. You
generate certificates and keys for Elasticsearch server, client, and
admin user, and specify them along with Elasticsearch user credentials
while setting up Sysdig platform. This is the additional layer of
security to safeguard the datastore.
Before you configure Elasticsearch authentication, ensure that you set
up Sysdig Agent for data collection and TLS generate certificates.
Generate TLS Certificates
Log into Quay:
Locate your Quay pull_secret. Contact Support if you are unable
to locate it.
Run the following docker command to generate the root/admin
certificates for Elasticsearch to a directory within the current
working directory:
docker run -d -v "$(pwd)"/generated_elasticsearch_certs:/tools/out quay.io/sysdig/elasticsearch:1.0.1-es-certs
The following files are generated in
the generated_elasticsearch_certs directory. Retain the
certificates and key files to upload as part of the TLS
configuration as described in Configure TLS Authentication.
Elasticsearch root CA
root-ca.pem
root-ca.key
Elasticsearch Admin (Kirk)
kirk.pem
kirk.key
EElasticsearch Client (Spock)
spoke.pem
spoke.key
Configure TLS Authentication
Sysdig Replicated install supports Search
Guard to establish secure authentication
with Elasticsearch datastore. You set up two users in order to access
Elasticsearch datastore on behalf of the Sysdig backend components:
Admin user and read-only user.
Amin user: The admin user will have the read and write permissions
on Elasticsearch clusters and indices. Sysdig backend components use
this identity to write data to Elasticsearch clusters. This is the same
as the Search Guard admin user.
Read-only user: As the name implies, the read-only user will only
have the read permission on Elasticsearch indices. Sysdig Agent uses
this identity to read data from Elasticsearch datastore. This is the
same as the Search Guard sg_readonly user that is created as part of
the installation.
Enable Elasticsearch authentication
Enable Elasticsearch Authentication and TLS: Select this option
to enable authentication and secure communication between Sysdig
backend components and the Elasticsearch datastore. To gain access
to Elasticsearch datastore, you must prove your identity, by using
credentials and certificates. The Elastic Stack authenticates users
by identifying the users behind the requests that hit the datastore
and verifying that they are who they claim to be.
Elasticsearch admin username: The admin user is created by
default. You can edit the user name if desired. The default user is
admin.
Elasticsearch admin password: The password associated with the
Elasticsearch admin user.
Elasticsearch read-only username: Specify the username for the
read-only access to the Elasticsearch indices. If running your own
secure Elasticsearch cluster, enter the username for the read-only
Search Guard user.
Elasticsearch read-only password: The password associated with
Elasticsearch read-only username.
When fields are complete, click Save.
After saving, click Restart Now to apply settings to the environment
immediately.
Click Cancel to apply settings at a later time.
Configure Sysdig Agent
If you are monitoring Elasticsearch with sysdig-agent, ensure
the sysdig-agent configuration file, dragent.yaml, has the following
Elasticsearch configuration in the data.dragent.yaml.app_checks section
below:
Make sure that you remove the existing Agent container instead of
just stopping it. By default, the Agent container is
named sysdig-agent. If you stop the Agent container and attempt to
create a new one, you will get a name-conflict error:
docker: Error response from daemon: Conflict. The container name
"/sysdig-agent" is already in use by container <ontainer-id>.
You have to remove (or rename) that container to be able to reuse
that name.
Run the Agent container with the new additional config. For example:
After completing the Settings and restarting, no further installation
steps are required for a single-host install.
The dashboard will remain in Starting mode for approximately 4-5
minutes, depending on the internet connection bandwidth, while Sysdig
application software is downloaded and installed. Once the installation
is complete, the dashboard will move to Started mode.
Click the Open link to navigate to the Sysdig Monitor login panel.
Input the Super Admin user login credentials defined in the basic
settings, above.
Next Steps
To start, stop, and update the application, or to retrieve support
information, use the Replicated Admin Console:
https://<yourserver>:8800.
To login as a user and see metrics for hosts with the Sysdig Agent
installed, use the Sysdig Monitor Web Interface:
https://<yourserver>:80
If you have not yet done so, install Sysdig Agents to monitor
your environment. See Agent
Installation for
details.
Multi-Host Installation Wrap-Up
After configuring the settings and clicking Start Now, an error will
indicate the need to assign and install the remaining components. You
will need to define the hosts/nodes to be used and will assign the
Sysdig components to be installed on them. The steps below describe the
actions on one host; they must be repeated on all applicable hosts and
all the Sysdig components must be assigned.
Choose the Cluster tab in the Replicated Admin Console.
From here, you can tag components to be run on the local host,
and/or add new nodes.
To add and configure new nodes:
Click Add Node.
The Add Node worksheet is displayed. Here you enter the IP address
and then tag the Sysdig component(s) to be installed on that node.
Replicated will compile either an installation script or a Docker
run command out of your entries, which you will copy and use on the
given node.
On the Add Node worksheet page, do the following:
Choose Installation script or Docker run command option.
Enter private and/or public IP address, depending on the type of
access you want to permit.
Select the Sysdig components to be installed by checking the
appropriate “Tags” buttons.
Descriptions in the table below:
Name
Tag
Role Description
api
api
Application Programming Interface server
cassandradb
cassandra
Cassandra database server
elasticsearch
elasticsearch
Elasticsearch server for events storage/search
collector
collector
Agent metrics collector
lb_collector
lb_collector
Load balancer for collector service; handles connections from the agents
lb_api
lb_api
Load balancer for API service; handles user connection requests to the Sysdig application.
Use the address for this node as the DNS entry for the cluster.
mysql, redis
mysql & redis
MySQL & Redis databases
worker
worker
Metrics history processor
emailrenderer
emailrenderer
Email renderer
nginxfrontend
nginxfrontend
Frontend static server
When setting up a DNS entry for the cluster, use the address for the
‘lb_api’ node.
At the bottom of the page, a `curl` script or Docker run command is
compiled for you.
Copy the command and issue it on the targeted host.
Repeat this procedure on all desired hosts.
Restart the Sysdig application from the Replicated console.
The dashboard will be in “Starting” mode for several minutes while
software is downloaded and installed onto each server component
(depending on your internet connection bandwidth).
You should see green check marks for each host next to the
Provisioned and Connected columns, as the software is installed and
the node connects successfully to the Replicated Admin server.
Once the installation is fully completed, the infrastructure admin
dashboard will be in “Started” mode and will also show the “Open”
link that will bring you to Sysdig Monitor web interface login
screen.
At the login screen, use the credentials configured earlier (Default
User) to log in and start using the Sysdig application on-premises
solution.
To start, stop, and update the application or retrieve support
information use the Replicated Admin dashboard:
https://server_address:8800
To log in as a user and see metrics about hosts where Sysdig agents
are installed, use the Sysdig Monitor UI:
https://server_address:80
2.2.5.3 - Post-Install Configuration
Sysdig will deprecate support for Replicated installs in the coming months. If you are a new customer considering installing with Replicated, please contact Sysdig support.
These configurations are optional.
Replace a Self-Signed Cert with Custom Cert
This process differs depending on how you installed the Sysdig Platform.
For Kubernetes Installer Installs
If you installed the Sysdig Platform on Kubernetes or OpenShift using
the Installer, the
Installer automatically generates a self-signed cert on the fly. To use
a different certificate you would:
Add your cert and key to the /certs directory ex: (server.crt,
server.key)
If you installed the Sysdig Platform manually on Kubernetes or
OpenShift, the steps for managing the certs are described in Step 5 of
the installation procedures:
If you installed the Sysdig Platform using
Replicated and you
accepted the self-signed certificate for SSL/TLS communication when
installing the Sysdig components (see Define Basic Settings & License
Info
), you can exchange for a custom certificate as follows:
Log in to the Replicated Management Console and select the
Gear icon > Console Settings.
Click Upload certificate and it will automatically replace the
original self-signed certificate.
Optional: Custom Self-Signed Certificat
Sysdig Monitor/Cloud/etc uses a self-signed SSL/TLS security
certificate, unless a custom certificate is provided.
The example command below creates a custom, unsigned certificate called
MyCert.pem; the certificate has a private key called MyCert.key, and
is valid for five years:
When experiencing issues, you can collect troubleshooting data that can
help the support team. The data can be collected by hand, or Sysdig
provides a very simple get_support_bundle.sh script that takes as an
argument the namespace where Sysdig is deployed and will generate a
tarball containing some information (mostly log files). The script is
located in the GitHub repository.
$ ./scripts/get_support_bundle.sh sysdigcloudGetting support logs for sysdigcloud-api-1477528018-4od59Getting support logs for sysdigcloud-api-1477528018-ach89Getting support logs for sysdigcloud-cassandra-2987866586-fgcm8Getting support logs for sysdigcloud-collector-2526360198-e58uyGetting support logs for sysdigcloud-collector-2526360198-v1eggGetting support logs for sysdigcloud-mysql-2388886613-a8a12Getting support logs for sysdigcloud-redis-1701952711-ezg8qGetting support logs for sysdigcloud-worker-1086626503-4cio9Getting support logs for sysdigcloud-worker-1086626503-sdtrcSupport bundle generated:1473897425_sysdig_cloud_support_bundle.tgz
Docker Connectivity Issues (IPv4/IPv6)
Some issues with IPv4 and IPv6 interconnectivity between on-premises
containers and the outside world have been detected.
IP packet forwarding is governed by the ip_forward system parameter.
Packets can only pass between containers if this parameter is 1.
Usually, you will simply leave the Docker server at its default setting
--ip-forward=true and Docker will go set ip_forward to 1 for you
when the server starts up. If you set --ip-forward=false and your
system’s kernel has it enabled, the --ip-forward=false option has no
effect.
File Write Permissions Issues (SELINUX or APP ARMOR)
During the install, you may see errors writing to volumes such as
(/var or /opt) from either the onprem install scripts or Docker. You
should disable SELINUX (CENTOS/RHEL) or Apparmor (UBUNTU/DEBIAN)
during the course of the install so the valid directories can be
created. This can be accomplished by:
Centos (SELINUX)
From the command line, edit the /etc/sysconfig/selinux file. This file
is a symlink to /etc/selinux/config. The configuration file is
self-explanatory. Changing the value of SELINUX or
*SELINUXTYPE*changes the state of SELinux and the name of the policy
to be used the next time the system boots.
[root@host2a ~]# cat /etc/sysconfig/selinux# This file controls the state of SELinux on the system.# SELINUX= can take one of these three values:# enforcing - SELinux security policy is enforced.# permissive - SELinux prints warnings instead of enforcing.# disabled - SELinux is fully disabled.SELINUX=permissive# SELINUXTYPE= type of policy in use. Possible values are:# targeted - Only targeted network daemons are protected.# strict - Full SELinux protection.SELINUXTYPE=targeted# SETLOCALDEFS= Check local definition changesSETLOCALDEFS=0
This section describes how to upgrade an on-premise installation,
depending on whether it was installed using a Kubernetes or a Replicated
orchestrator.
As needed, version-specific upgrade or migration instructions will be
added to this section.
Oversight Services Now Offered for All Installs and Upgrades
As part of our continued focus on our customers, we are now offering
oversight services for all on-premise installs and upgrades. Your
Technical Account Manager (TAM), in conjunction with our support
organization and Professional Services [where applicable], will work
with you to:
Assess your environment to ensure it is configured correctly
Review your infrastructure to validate the appropriate storage
capacities are available
Review and provide recommendations for backing up your Sysdig data
Work with you to ensure our teams are ready to assist you during the
install and upgrade process
Provide the software for the install
Be available during the process to ensure a successful deployment
You can always review the process in the documentation on
GitHub (v. 3.6.0+) or
the standard docs site
(for older versions).
If you are a new customer looking to explore Sysdig, please head over
here to sign up for a trial on
our SaaS Platform. Alternatively, you can contact us
here.
Explore the Upgrade Topics
This section provides roadmaps for upgrading Sysdig Platform components.
Review the topics appropriate to your environment.
Upgrading Sysdig Platform v2.5.0 - 3.2.2 by using the Installer tool. As of version 2.5.0, the Sysdig platform on Kubernetes or OpenShift should be upgraded using the Installer tool.
Upgrading the mandatory components of the Sysdig Platform on a Replicated environment.
Supported Migration Paths
In general, Sysdig tests and supports direct upgrade from five
releases
back to the current version. Release-specific requirements are listed in
the table below.
For Kubernetes Environments
Install Version
Incl. Hotfixes
Supported Upgrade From
Notes
Baseline Documentation
3.6.0 (by request)
3.2.2, 3.5.1
Platform changes: new inline scanner version, interactive session expiration. Sysdig Secure modules added/changed, including Compliance, Event Forwarding, Capture improvements, Image Scan results. Sysdig Monitor improvements in UI.
New/changed modules in both Sysdig Secure and Sysdig Monitor, including: New Getting Started and Overview, new Dashboards, overhauled Secure Events Feed, new navigation bar icons and layout, changed Image scanning navigation and usage, new Secure vulnerability feed and benchmark test,
In Sysdig Secure: Data retention limits for scan results, vulnerabiity comparison in scan results, redesigned Captures page, RBAC capability, activity audit improvement. In Sysdig Monitor and Secure: S3-compatible storage for Capture files.
For customers, the instructions in this section are for review purposes only.
Overview
With version 3.5.0, both installing and upgrading with the installer has
been simplified from previous versions. Upgrade differs from Install in
that you run an installer diff to discover the differences between the
old and new versions and then installer deploy for the new version.
Some guidance from Sysdig Support may be warranted in highly customized
installations.
Upgrade Steps
Upgrading is performed just like a fresh install, with the addition of
the generate diff step. Refer to the appropriate workflow, depending
on your environment:
Version 3.5.0 upgrade includes an automatic Postgres version upgrade.
Depending on the size of your database, that can take some time.
The data migration takes approximately 1 min per 1 GiB of data. The
speed of data migration ultimately depends on the underlying storage
media.
To complete the Postgres upgrade, you must also ensure there is
sufficient disk space in the volume when using a local-disk storage
provisioner in Kubernetes. For example, if your current Postgres size is
100 GiB, ensure there is at least another 100 GiB space free in the
volume. This is required temporarily for copying the data during the
upgrade.
3.5.0 - 3.5.1 Elasticsearch Upgrade
Upgrading from version 3.5.0 to 3.5.1 also upgrades Elasticsearch. Due
to the Elasticsearch update strategy of ondelete, the pods will only
be upgraded when they are restarted:
For customers, the instructions in this section are for review purposes only.
The Installer tool can be used to upgrade a Sysdig implementation. Just
as in an installation, you must meet the prerequisites, download the
values.yaml, edit the values as indicated, and run the installer. The
main difference is that you run it twice: once to discover the
differences between the old and new versions and the second time to
deploy the new version.
As this is a new feature, some guidance from Sysdig Professional
Services may be warranted in highly customized installations.
This setting will generate the differences between the installed
environment and the upgrade version. The changes will be
displayed in your terminal.
size: Specifies the size of the cluster. Size defines CPU,
Memory, Disk, and Replicas. Valid options are: small, medium and
large
quaypullsecret: quay.io provided with your Sysdig purchase
confirmation mail
storageClassProvisioner: The name of the storage class
provisioner to use when creating the configured
storageClassName parameter. When installing, if you use AWS or
GKE as your storage provisioner for Kubernetes, enter aws or
gke in the storageClassProvisioner field. If you do not use
one of those two dynamic storage provisioners, enter: hostPath
and then refer to the Advanced examples for how to configure
static storage provisioning using this option.
sysdig.license: Sysdig license key provided with your Sysdig
purchase confirmation mail
sysdig.anchoreLicensePath: The path relative to the
values.yaml where the Anchore enterprise license yaml is
located. (For Sysdig Secure users only.)
sysdig.dnsname: The domain name the Sysdig APIs will be
served on. Note that the master node may not be used as the DNS
name when using hostNetwork mode.
sysdig.collector.dnsName: (OpenShift installs only) Domain
name the Sysdig collector will be served on. When not configured
it defaults to whatever is configured for sysdig.dnsName. Note
that the master node may not be used as the DNS name when using
hostNetwork mode.
deployment: (OpenShift installs only) Add
deployment: openshift to the root of the values.yaml file.
sysdig.ingressNetworking: The networking construct used to
expose the Sysdig API and collector.Options are:
hostnetwork: sets the hostnetworking in the ingress
daemonset and opens host ports for api and collector. This
does not create a Kubernetes service.
loadbalancer: creates a service of type loadbalancer and
expects that your Kubernetes cluster can provision a load
balancer with your cloud provider.
nodeport: creates a service of type nodeport.The node
ports can be customized with:
sysdig.ingressNetworkingInsecureApiNodePort
sysdig.ingressNetworkingApiNodePort
sysdig.ingressNetworkingCollectorNodePort
If doing an airgapped install , you would also edit the
following values:
- **airgapped\_registry\_name:** The URL of the airgapped
(internal) docker registry. This URL is used for installations
where the Kubernetes cluster can not pull images directly from
Quay
- **airgapped\_registry\_password:** The password for the
configured airgapped\_registry\_username. Ignore this parameter
if the registry does not require authentication.
- **airgapped\_registry\_username:** The username for the
configured airgapped\_registry\_name. Ignore this parameter if
the registry does not require authentication.
Run the installer.
For environments with access to the internet:
docker run -e HOST_USER=$(id -u) -e KUBECONFIG=/.kube/config-v ~/.kube:/.kube:Z -v $(pwd):/manifests:Zquay.io/sysdig/installer:<version>
For customers, the instructions in this section are for review purposes only.
Sysdig platform on-premise releases are listed
here. Each
release has a version number and specific release notes.
This release has the following significant changes:
Added NATS service to deliver events to the Sysdig backend
Added services for the beta Policy Advisor, which permits a user to
auto-generate Pod Security Policies and perform dry tests or
“simulations” of them before committing them to an environment.
Added services for activity audit, which allows users to view
different data sources in-depth for monitoring, troubleshooting,
diagnostics, or to meet regulatory controls
Some Anchore reporting components are not needed anymore and have
been removed.
Download the New Version
Download the new version from Sysdig’s GitHub and unzip it.
wget https://github.com/draios/sysdigcloud-kubernetes/archive/<version_number>.tar.gz && tar xvf <version_number>.tar.gz
Edit New Files to Match Your Customized Files
It is important to use the latest YAML files for a successful upgrade.
Edit the following files within the sysdigcloud directory to match any
customizations you may have made in your existing production system.
Please do not edit the image: property.
Sysdig Component Files
Ensure that any passwords or user names are transferred from your
existing config.yaml to the new one. Suggested areas to review are
listed below.
config.yaml:
The following variables are always customized in Sysdig
installations:
Check deployment YAML files for CPU/memory settings.
Update the spec.replicas definition in the following files:
sysdigcloud/api-deployment.yaml
sysdigcloud/collector-deployment.yaml
sysdigcloud/worker-deployment.yaml
If running Sysdig Secure:
sysdigcloud/anchore-core-config.yaml
sysdigcloud/anchore-worker-config.yaml
sysdigcloud/anchore-core-deployment.yaml
sysdigcloud/anchore-worker-deployment.yaml
sysdigcloud/scanning-api-deployment.yaml
sysdigcloud/scanning-alertmgr-deployment.yaml
Postgres File (Sysdig Secure Only)
postgres-statefulset.yaml : Edit the storage class name in this
file.
The file is located in
datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulsets.yaml
Storage class name appears as
spec.volumeClaimTemplates[].spec.storageClassName
Elasticsearch and Cassandra Files
elasticsearch-statefulset.yaml: For example, your environment may
have customized the values for the number of replicas, resource
constraints, amount of storage, and the storage class name:
spec.replicas and spec.template.spec.containers[elasticsearch].env[ELASTICSEARCH_GOSSIP_NODES_NUM].valuespec.template.spec.containers[].resourcesspec.volumeClaimTemplates[].spec.resources.requests.storagespec.volumeClaimTemplates[].spec.storageClassName
cassandra-statefulset.yaml: As with Elasticsearch, your
environment may have customized the values for the number of
replicas, resource constraints, amount of storage, and the storage
class name:
For customers, the instructions in this section are for review purposes only.
Sysdig platform on-premise releases are listed
here. Each
release has a version number and specific release notes.
This release has the following significant component change:
The Report service is now available for Sysdig Secure. Installing it
requires first applying an Anchore license and then applying the
appropriate report yamls, as listed below.
Download the New Version
Download the new version from Sysdig’s GitHub and unzip it.
Note that as of this release, versioning standards have changed from a
single build number (e.g. v1929) to semantic versioning (e.g. 2.3.0)
wget https://github.com/draios/sysdigcloud-kubernetes/archive/<version_number>.tar.gz && tar xvf <version_number>.tar.gz
Edit New Files to Match Your Customized Files
It is important to use the latest YAML files for a successful upgrade.
Edit the following files within the sysdigcloud directory to match any
customizations you may have made in your existing production system.
Sysdig Cloud Files
Customization involves copying the existing settings from your
environment and modifying the files listed in this section.
Update the following files with customizations from your existing
environment:
sysdigcloud/config.yaml: Pull configurations from your
sysdigcloud-config configmap to the downloaded
sysdigcloud/config.yaml.
The following variables are mandatory for Sysdig installations:
api.urlcollector.endpointsysdigcloud.license
The following variables are optional but commonly modified for
Sysdig installations:
If you have modified the previous config.yaml, copy the modified
options such as the external endpoints. You must also check
deployment YAML files for CPU/memory settings.
Copy configurations from your existing deployment and update the
spec.replicas definition in the following files:
Update the following file with customizations from your existing
environment:
Please do not edit the image: property.
Modify the storage class name,
spec.volumeClaimTemplates[].spec.storageClassName in the
datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml
file.
Elasticsearch and Cassandra Files
In version 2.3.0, Elasticsearch and Cassandra yaml configurations have
been updated. Update the new files with customizations from your
existing environment.
Please do not edit the image: property.
elasticsearch-statefulset.yaml - For example, your environment may
have customized the values for the number of replicas, resource
constraints, amount of storage, and the storage class name:
spec.replicas and spec.template.spec.containers[elasticsearch].env[ELASTICSEARCH_GOSSIP_NODES_NUM].valuespec.template.spec.containers[].resourcesspec.volumeClaimTemplates[].spec.resources.requests.storagespec.volumeClaimTemplates[].spec.storageClassName
cassandra-statefulset.yaml - As with Elasticsearch, your
environment may have customized the values for the number of
replicas, resource constraints, amount of storage, and the storage
class name:
For versions 2.4.1 and higher: To use the Reports functionality in
Sysdig Secure, it is necessary to enter a license key in the
anchore-license.yaml. If you are upgrading or installing and do not
have an anchore license please contact support. This license is used for
additional 3rd party vulnerability feed entitlements.
Edit the license YAML
file: sysdigcloud/anchore-enterprise-license.yaml. Replace <LICENSE> with
the key received from Sysdig.
---apiVersion:v1kind:Secretmetadata:name:anchore-enterprise-licensedata:# <LICENSE> is derived from `cat anchore-license.yaml | base64`anchore-license.yaml:<LICENSE>type:Opaque
For customers, the instructions in this section are for review purposes only.
Sysdig platform on-premise releases are listed
here. Each
release has a version number and specific Release
Notes.
This release has the following significant component changes:
Includes the option of securing Elasticsearch and/or Cassandra with
username/password authentication and TLS-encrypted data in transit.
This prevents both unauthorized access to the clusters and network
eavesdropping. The upgrade instructions below incorporate this new
capability when using the Sysdig-provided Cassandra and
Elasticsearch components.
Updates of the Postgres database and Anchore engine (if you are
running Sysdig Secure).
The following parameter has been renamed in config.yaml:
elasticsearch.url to elasticsearch.hostname
The value of elasticsearch.hostname does not include the protocol
(e.g.http://); just use the hostname itself. For example, if you had
elasticsearch.url: ``http://sysdigcloud-elasticsearch, it would
now be elasticsearch.hostname: sysdigcloud-elasticsearch.
Download the New Version
Download the new version from Sysdig’s GitHub and unzip it.
Note that as of this release, versioning standards have changed from a
single build number (e.g. v1929) to semantic versioning (e.g. 2.3.0)
wget https://github.com/draios/sysdigcloud-kubernetes/archive/<version_number>.tar.gz && tar xvf <version_number>.tar.gz
Edit New Files to Match Your Customized Files
It is important to use the latest YAML files for a successful upgrade.
Edit the following files within the sysdigcloud directory to match any
customizations you may have made in your existing production system.
Sysdig Cloud Files
Customization involves copying the existing settings from your
environment and modifying the files listed in this section.
Update the following files with customizations from your existing
environment:
sysdigcloud/config.yaml: Pull configurations from your
sysdigcloud-config configmap to the downloaded
sysdigcloud/config.yaml.
The following variables are mandatory for Sysdig installations:
api.urlcollector.endpointsysdigcloud.license
The following variables are optional but commonly modified for
Sysdig installations:
If you have modified the previous config.yaml, copy the modified
options such as the external endpoints. You must also check
deployment YAML files for CPU/memory settings.
Copy configurations from your existing deployment and update the
spec.replicas definition in the following files:
Update the following file with customizations from your existing
environment:
Please do not edit the image: property.
Modify the storage class name,
spec.volumeClaimTemplates[].spec.storageClassName in the
datastores/as_kubernetes_pods/manifests/postgres/postgres-statefulset.yaml
file.
Elasticsearch and Cassandra Files
In version 2.3.0, Elasticsearch and Cassandra yaml configurations have
been updated. Update the new files with customizations from your
existing environment.
Please do not edit the image: property.
elasticsearch-statefulset.yaml - For example, your environment may
have customized the values for the number of replicas, resource
constraints, amount of storage, and the storage class name:
spec.replicas and spec.template.spec.containers[elasticsearch].env[ELASTICSEARCH_GOSSIP_NODES_NUM].valuespec.template.spec.containers[].resourcesspec.volumeClaimTemplates[].spec.resources.requests.storagespec.volumeClaimTemplates[].spec.storageClassName
cassandra-statefulset.yaml - As with Elasticsearch, your
environment may have customized the values for the number of
replicas, resource constraints, amount of storage, and the storage
class name:
Run the kubectl commands to apply the relevant files to your cluster.
Note: if you run into an error replacing the statefulsets, you may need
to delete the existing one before applying the new configuration. See
the Statefulset Deletion and Creation section below.
The replace command above only replaces the Kubernetes configuration,
but not the running pods themselves. For the changes to take effect,
perform the following steps:
For Elasticsearch, run:
kubectl -n $NAMESPACE delete pod -l role=elasticsearchkubectl -n $NAMESPACE delete pod -l role=cassandra# If running Sysdig Securekubectl -n $NAMESPACE delete pod -l role=postgresql
Check that all the new pods come up Ready by running the commands
below separately:
kubectl -n $NAMESPACE get pod -l role=elasticsearchkubectl -n $NAMESPACE get pod -l role=cassandra# If running Sysdig Securekubectl -n $NAMESPACE get pod -l role=postgresql
This may take a few minutes.
2.3.6 - Manual Upgrade (v2435)
As of August 2020, Sysdig has changed its upgrade procedure.
Run the kubctl commands to apply the relevant files to the
environment.
This upgrade updates dashboards from v1 to v2. The process requires
20-30 minutes on large systems, and the environment remains live
throughout the rolling upgrade.
DO NOT create or delete dashboards during the upgrade.
The Replicated infrastructure installs its own container based agents
that deploy and manage the various Sysdig back-end components. To
confirm the currently running version of the Replicated agent, perform
replicated --version at the command line on each host. [Reference
Replicated.com]
Upgrade Replicated Client
Log in to the Replicated Management Console and stop the Sysdig
application (Sysdig Monitor and Sysdig Secure, if applicable) before
upgrading the Replicated client.
Run the following command on the management host to upgrade the
replicated infrastructure:
Pre-Version 860: Install upgrades sequentially, one version at a
time.
Version 860 - 1091: You can directly install the version you
want.*
Version 1091 - Sept 2018 release: All users must upgrade from
1091 - Sept 2018 and run the Unified Events migration tool.
Version 2266: See Note, below.
*Sequential installs (even when not strictly required) ensure
consistent database migrations and allow for easier troubleshooting,
should problems occur. Sysdig recommends staying fairly up-to-date on
the release cycle to avoid “stacking up” upgrades.
Log in to the Replicated Management Console > Dashboards.
Click View Update.
The release history is listed, and “New” for any new releases.
Click Install for the desired release.
Upgrades to version 2304
After upgrading to version 2304, you must add a node for emailrenderer
and nginxfrontend to the replicated cluster, and then run a command on
the node.
Private and Public IP Addresses: Provide the IPs where the
containers will run.
Select emailrenderer and nginxfrontend.
Run the curl command as noted in the image above, including the
optional parameters as needed for your environment.
Airgapped Installation
Upgrade Replicated Components
Check Current Version
The Replicated infrastructure installs its own container based agents
that deploy and manage the various Sysdig back-end components. To
confirm the currently running version of the Replicated agent, perform
replicated --version at the command line on each host. See also
Replicated.com.
Upgrade Replicated Client
Download the latest Replicated agent installation package:
Download the new Sysdig application .airgap installer, using the
link and password supplied for the initial installation.
Copy the .airgap file to the update directory on the management
host.
To check or configure the update path, log in to the Replicated
Management Console and click Console Settings > Airgapped Settings
section under the gear icon.
In the Replicated Management Console, select the Dashboard tab and
click Check Now.
Click Install for the desired version.
2.4 - Find the Super Admin Credentials and API Token
Sysdig on-premises installations contain several configuration options
only available to the initial admin user, or “super” admin user. This
section outlines the steps for locating the super admin user (if you do
not know who it is) and using the super user login token.
The Sysdig Monitor web interface does not currently provide a way to
identify the super user. If you are trying to use the API to make a
configuration change and it fails due to insufficient privileges, you
can use the API to locate the super user.
Find Super Admin Credentials
Two approaches:
1. Access the API endpoint to list users directly via curl and parse
the JSON output to locate the user with “ROLE_ADMIN” listed in the
“roles” section.
As with any user, you can then obtain the API token by logging in as the
“super” admin to the Sysdig UI.
When using the Sysdig API with custom scripts or applications, an API
security token (specific to each team) must be supplied.
Log in to Sysdig Monitor or Sysdig Secure and select Settings.
Select User Profile.The Sysdig Monitor or Sysdig Secure API token
is displayed (depending on which interface and team you logged in
to).
You can Copy the token for use, or click the Reset Token button
to generate a new one.
When reset, the previous token issued will immediately become
invalid and you will need to make appropriate changes to your
programs or scripts.
2.5 - Configure Interactive Session Expiration
(For On-Premises installations): When you want inactive sessions to
deactivate after a time-out period, you need to set four interlinked
configuration parameters with the installer. Two of these parameters
handle the session expiration in the backend and two of them control the
frontend tracker that handles the session expiration when the user’s
browser is idle. To achieve session expiration for a specific period of
time (for example, 30 minutes), these parameters should be aligned to
the same value.
On-premises environments may require a license upgrade to renew, extend
an expiration date, enable new features, add a service (Sysdig Secure),
or change the number of licensed agents.
For Kubernetes On-Prem Installations
As described in the Kubernetes
installation instructions,
the license file is simply entered as one of many configuration user
settings in the ConfigMap
(config.yaml)
(manual install) or values.yaml (installer-based).
To apply the new license, update the yaml file with the new license
and then restart all Sysdig API, Worker, and Collector pods.
Note If you are using Sysdig backend version 5.0.x that syncs the vulnerability feeds database from the internet, restart the following pods: anchore-api, anchore-catalog, anchore-core, and anchore-policy-engine
If you are running an airgapped environment, you must download the
license file to a local directory, then follow the steps below.
Log in to the Replicated Management Console and choose Console
Settings from the gear icon drop-down menu.
Review the current airgapped settings and note the pathname to the
license file.
If you followed the Airgapped
Installation
instructions, your current .rli license file will be in
the/var/tmp/sysdig directory as shown below.
(The name of your .rli file will vary.)
From the Linux shell, cd to the directory shown as the Update
Path and replace your prior RLI license file with the new one,
saving the prior one to a backup filename.
NOTE: the new license file may have a different name than the
prior one, and may have a non-RLI extension if it was sent to you as
an email attachment (to avoid being removed by firewalls).
The steps below are an example of renaming the license as necessary
for the environment shown above (your filenames will vary).
Continue in the Replicated Management Console to sync the license
and restart the Sysdig application, as described in the
non-airgapped instructions below.
Upgrade a Non-Airgapped License
If your environment can access the Internet, upgrading the license is a
simple sync and restart.
Log in to the Replicated Management Console.
Select View License from the Gear drop-down menu.
Click Sync License.
For license terms to take effect, restart the Sysdig application
from the Replicated Management Console.
Navigate to the Dashboard on the pull-down menu and click
theStop Nowbutton, followed by theStart Nowbutton.
2.7 - Authentication and Authorization (On-Prem Options)
This section is for the Sysdig On-Premises software platform only. If
you are using SaaS (cloud-based) Sysdig applications, see
Authentication and Authorization
(SaaS) instead.
Sysdig Monitor and Sysdig Secure are designed to work with several user
authentication/authorization methods:
Type
Enabled by Default
Integration Steps Required
User email/password
Yes
No
Google OAuth
No
Yes
SAML
No
Yes
OpenID Connect
No
Yes
LDAP
No
Yes
A sample user’s view:
The pages in this section describe the integration and enablement steps
required for SAML or OpenID Connect, and the Identity Provider (IdP)
services
that support these protocols, such as Okta, OneLogin, Keycloak.
In the SaaS environment,
Googlelogin can be enabled
with a simple drop-down selection; the integration has already been
performed.
To enable a third-party authentication method for both Sysdig Monitor
and Sysdig Secure, you must configure the SSO settings separately for
each.
Workflow
With the new Authorization UI, the basic process of enabling a Single
Sign-On (SSO) option is:
Determine which SSO option (GoogleOAuth, SAML, OpenID, LDAP) your
enterprise uses, and which IdP service (Okta, OneLogin, etc.) is
used if any.
Configure any associated IdP settings on the IdP side.
Enter the required connection settings for the chosen SSO on the
appropriate Authentication tab in Sysdig Settings.
You can also configure the settings using a script, if preferred.
Select the SSO option from the Enabled Single Sign-On drop-down
and click Save Authentication.
If enabling for both Sysdig Monitor and Sysdig Secure, perform the
necessary steps on the second application.
View of the Authentication page for Google OAuth in the on-prem
environment.
2.7.1 - Google OAuth (On-Prem)
These instructions are specific to On-Premises
Deployments of the Sysdig
platform. If you are using the cloud-based (SaaS) Sysdig platform, refer
to Google OAuth (SaaS)
instead.
Google supports OAuth 2.0, which allows users to log in to third-party
applications such as Sysdig using Google credentials. By default, the
created user will not have Admin rights within the Sysdig application,
though these rights can be subsequently assigned.
Prerequisites
The Sysdig platform on-premises installation must have a DNS name
associated with it. Google does not support applications that do not
have an associated DNS name.
For Kubernetes-based installations, ensure the api.url ConfigMap
element
contains your hostname (older installations), or use the sysdig.dnsname
(newer Installer-based).
For the examples that follow, DNS_NAME refers to this hostname you
configured in your platform settings.
In Google Console: Obtain OAuth Client Credentials
Select Credentials from the left-hand navigation, and choose the
OAuth consent screen from the navigation bar.
When prompted, select Internal or External User Type and click
Create.
Choosing Internal will limit the users to those with accounts
belonging to the same domain as the email used to create the
project, e.g. mycompany.com. Note that if some of your users have
a different domain, e.g. mycompany.uk, you will want to choose the
External user type.
On the subsequent Oauth Consent screen, enter the required Email
address and Product name, as well as other additional optional
information, then click Save.
From the Credentials tab, click the Create Credentials drop-down
and select OAuth client ID.
When prompted for Application type, select Web application,
then enter the following parameters:
Name: Use a meaningful name, such as “Sysdig”.
Authorized Javascript Origins: Enter
https://DNS_NAME:API_PORT
Authorized Redirect URLs: Enter one or more of the following
values:
If configuring Sysdig Monitor, enter:
https://DNS_NAME:API_PORT/api/oauth/google/auth
If configuring Sysdig Secure, enter:
https://DNS_NAME:API_PORT/api/oauth/google/secureAuth
Click Create.
A success message with client ID and client secret will be
displayed. Copy these to a safe place, as you will need them in the
next step.
Configure Settings in Sysdig Platform
There are three options for configuring OAuth settings on the Sysdig
side: a UI page, scripts, or entries in your Replicated or Kubernetes
orchestrator.
Option 1 UI-Based: Configure Google OAuth in Settings
To enable baseline Google Oauth functionality:
Enter Google OAuth Basic Settings
Log in to Sysdig Monitor or Sysdig Secure as “super”
Admin and select
Settings.
Select Authentication.
Select the Google OAuth tab.
Enter the relevant parameters and click Save.
Application ID: the Client ID you were sent.
Application Secret: the Client Secret you were sent
URL Redirect:
If configuring Sysdig Monitor, enter:
https://DNS_NAME:API_PORT/api/oauth/google/auth
If configuring Sysdig Secure, enter:
https://DNS_NAME:API_PORT/api/oauth/google/secureAuthAllowed Domains: Comma-separated list of domains permitted to
log in. For example, mycompany.com,
myxompanyalias.com.
Select Google OAuth for SSO
Select Google Oauth from the Enabled Single Sign-On
dropdown
Click Save Authentication.
Repeat for Sysdig Monitor or Sysdig Secure, if you want to enable on
both applications.
Option 2 Script-Based: Configure OAuth Using Scripts
The configuration of the Google OAuth feature can be viewed, updated,
and deleted by the “super”
Admin. A
google_oauth_config.sh helper script is available in the
SSO
folder at sysdig-cloud-scripts repository to assist in completing
this configuration. Invoking the script with no options will display
help text.
# ./google_oauth_config.sh -hUsage:./google_oauth_config.sh [OPTIONS]Affect Google Oauth login settings for your Sysdig software platform installation
To use the helper script, modify env.sh to set the required values
for API_TOKEN of the “super” Admin user and the URL for
accessing the Sysdig platform API (which will be the same URL that your
users access for the Sysdig Monitor application).
Depending if the API_TOKEN has been obtained from the Sysdig Monitor or
Sysdig Secure application UI, the settings will be applied to the
consequent product.
Initially no Google Oauth settings are set. A initial run of the script
would confirm that:
# ./google_oauth_config.shNogoogle-oauth settings are setRun for further info:./google_oauth_config.sh -h
Add the -s option to set the Google Oauth configuration for a
particular Sysdig application. When setting the config, you’ll use
additional options to provide the config details you saved in the
earlier Google Oauth step.
Config Detail
Option
Client ID
-i
Client Secret
-e
Allowed Domains
-a
Redirect URL
-r
If the configuration is successfully posted to the Sysdig platform, the
new configuration will be echoed back.
Depending if the API_TOKEN has been obtained from the Sysdig Monitor or
Sysdig Secure application UI, the settings will be applied to the
relevant product.
Once you’ve completed this configuration, clicking the Google Login
button at the login screen of the appropriate Sysdig application(s)
should redirect to Google Oauth login page.
If you wish to delete your Google Oauth configuration, invoke the
-d option. If successful, the disabled configuration will be
printed.
Option 3 Orchestrator-Based: Enter Settings Using Orchestrator
Replicated
If you used the Replicated
infrastructure manager to install the Sysdig platform:
Log in to the Replicated Management Console, click to the Settings
tab, then check the box to expand theAdvanced Settings.
Enter the Google OAuth client ID and Google OAuth client Secret
in the appropriate fields.
(Optional) In a comma-separated list, enter the
OAuth-allowed email domains that should be permitted to
authenticate. If set, only Google users whose email addresses are in
these domains will be able to login to your Sysdig installation. If
this setting is left blank, any user that successfully authenticates
via Google will be permitted to login to your Sysdig installation.
Click Save.The Sysdig platform will then restart to enable the
settings.
Kubernetes
Enter the OAuth allowed domains, Client ID, and Client Secret
into the appropriate elements of the Kubernetes
ConfigMap.
Use appropriate Kubernetes methods to push the updated settings and
restart the backend containers to make the changes take effect.
# Optional: OAuth allowed domains (comma separated list of domains)sysdigcloud.oauth.allowed.domains.list:""# Optional: Sysdig Cloud Google OAuth Client IDsysdigcloud.google.oauth.client.id:""# Optional: Sysdig Cloud Google OAuth Client Secretsysdigcloud.google.oauth.client.secret:""
User Experience
Note the following requirements for successful Google OAuth login:
The user must have already logged in successfully at least once to
your environment (such as via email-based Invitation and having set
an initial password)
The user’s login username in the Sysdig platform must precisely
match the user’s Google email address (that is, it cannot be a
shortened/altered Google email alias)
For such a user to log in via Google OAuth, click the
Log in with Google button.
If the user’s browser has not already successfully authenticated via
Google and/or has multiple Google profiles known by their browser, they
will be presented a Google page to select a profile and enter a password
(if necessary) before being redirected back to your Sysdig environment.
These instructions are specific to On-Premises
Deployments of the Sysdig
platform. If you are using the cloud-based (SaaS) Sysdig platform, refer
to SAML (SaaS) instead.
The Sysdig platform ordinarily maintains its own user database to hold a
username and password hash. SAML instead allows for redirection to your
organization’s IdP to validate username/password and other policies
necessary to grant access to Sysdig application(s). Upon successful
authentication via SAML, a corresponding user record in the Sysdig
platform’s user database is automatically created, though the password
that was sent to the IdP is never seen nor stored by the Sysdig
platform.
This section describes how to integrate and enable SAML with both Sysdig
Monitor and Sysdig Secure.
For specific IdP integration information, refer to:
If you intend to configure IDP-initiated login flow, have your Sysdig customer number on hand. It will be referenced in later configuration steps as CUSTOMER_ID_NUMBER. Normally 1.
4 a. Log in to Sysdig Monitor (as "super" admin) and enter the necessary configuration information in the UI. Enable SAML as your SSO.
4b. Log in to Sysdig Secure (as "super" admin) and repeat the above.
Administrator Steps
Configure IdP
Select the appropriate IdP from the list below, and follow the
instructions:
At this time, the Authorization UI is available only for Sysdig Monitor.
To enable baseline SAML functionality:
Enter SAML Connection Settings
Log in to Sysdig Monitor or Sysdig Secure as administrator and
select Settings.
Select Authentication.
Select the SAML tab.
Enter the relevant parameters (see table below) and click Save.
It is strongly recommended that "Signed Assertion" and "Validate Signature" are enabled to ensure that the SAML SSO process is as secure as possible.
Connection Setting
Options
Description
Sample Entry
Metadata
URL
The URL provided at the end of the IdP configuration steps.
XML
An option that can be used for an IdP that doesn’t support extracting metadata XML via URL.
Signed Assertion
off/on
Should Sysdig check for assertions signed in responses (to assist in validating correct IdP).
ON
Email Parameter
email
Name of parameter in the SAML response for user email ID. Sysdig uses this to extract the user’s email from the response.
email
Validate Signature
off/on
Sysdig backend should verify that the response is signed.
ON
Verify Destination
off/on
Flag to control whether Sysdig should check the “destination” field in the SAMLResponse. Recommend ON, as a security measure. May be OFF in special cases, such as a proxy in front of the Sysdig back end.
ON
Select SAML for SSO
Select SAML from the Enabled Single Sign-On dropdown
Click Save Authentication.
Repeat entire enablement process for Sysdig Monitor or Sysdig
Secure, if you want to enable on both applications.
Script-Based: Configure SAML Using Scripts
The configuration of the SAML feature can be viewed, updated, and
deleted by the “super”
Admin. A saml_config.sh
helper script is available in the
SSO
folder at sysdig-cloud-scripts repository to assist in completing
this configuration. Invoking the script with no options will display
help text.
# ./saml_config.shMust specify the Sysdig App whose SAML configuration will be viewed/setUsage:./saml_config.sh [OPTIONS]Affect SAML login settings for your Sysdig software platform installationIf no OPTIONS are specified, only the help output is displayed.
To use the helper script, modify env.sh to set the required values
for API_TOKEN of the “super” Admin user and the URL for
accessing the Sysdig platform API (which will be the same URL that your
users access for the Sysdig Monitor application).
Depending if the API_TOKEN has been obtained from the Sysdig Monitor or
Sysdig Secure application UI, the settings will be applied to the
relevant product.
Initially no SAML settings are set. A initial run of the script would
confirm that:
# ./saml_config.shNosaml settings are setRun for further info:./saml