Install Admission Controller
If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.
To understand and use the Admission Controller after installing it, see Admission Controller.
For more technical documentation, see Chart Documentation.
- Helm 3
- Kubernetes 1.21 or higher
Install the Admission Controller
The component must be installed on each cluster where you want to use it.
kubectl is pointing to the target cluster where the Admission Controller will be installed.
Add and synchronize the Helm repository:
helm repo add sysdig https://charts.sysdig.com
helm repo update
Install the Admission Controller on the target cluster with full capabilities, e.g.:
helm install sysdig-admission-controller sysdig/admission-controller \
    --create-namespace -n sysdig-admission-controller \
    --set sysdig.secureAPIToken=$SYSDIG_API_TOKEN \
    --set clusterName=$CLUSTER_NAME \
    --set sysdig.url=https://$SYSDIG_SECURE_ENDPOINT \
    --set features.k8sAuditDetections=true
Check that installation was successful in the Sysdig UI.
NOTE: Menu options are only available if Admission Controller is enabled.
Log in to Sysdig Secure and select Image Scanning > Admission Controller | Policy Assignments.
Admission Controller will be disabled by default in your cluster, to avoid accidentally blocking deployment.
The cluster will be displayed in the Connected list as healthy but Disabled (gray colored dot).
You have to enable it manually by toggling the Enabled flag; the status should change accordingly (green colored dot).
--create-namespace: If supplied, will create a namespace
--namespace: Desired namespace where the Admission Controller will be installed
--set sysdig.secureAPIToken: Sysdig Secure API token as found in the Sysdig UI under Settings/User Profile. Note that this user must have administrator rights.
--set clusterName: User-defined name for this cluster that will appear in the admission controller interface in Sysdig’s backend. The cluster name needs to match the agent cluster name.
--set sysdig.url: Sysdig endpoint. Default https://secure.sysdig.com is for the
- For European Union, use
- For APAC, use
- For US4 (our west Google cloud region) use
- For on-prem, use your own endpoints.
- See also SaaS Regions and IP Ranges.
--set features.k8sAuditDetections: (true/false) Set true to enable Kubernetes audit logging via the Admission Controller. See also: Kubernetes Audit Logging (legacy installation) and Select the Policy Type (Kubernetes Audit Policies)
--set verifySSL: (true/false) Sets the verification of the Sysdig Secure API; default: true (we recommend only changing this to false when doing initial testing / evaluation of an on-premises installation)
--set scanner.verifyRegistryTLS: (true/false) Verify TLS from registries on image pull; default: true (we recommend only changing this to false when doing initial testing / evaluation)
--set scanner.psp.create: (true/false) Whether to create a psp policy and role / role-binding; default: false
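The parameter notes above can be checked before `helm install` is run. The following is an added example, not part of the Sysdig chart or its documentation: a shell function (hypothetical name `ac_preflight`) that lints the `key=value` overrides you plan to pass with `--set`. It assumes the values are given as plain `key=value` arguments.

```shell
#!/bin/sh
# Added example: pre-flight lint for the --set overrides described above.
# ac_preflight is a hypothetical helper name, not a Sysdig or Helm command.

# Usage: ac_preflight key=value [key=value ...]
# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
ac_preflight() {
    token="" cluster="" url="" findings=0
    for kv in "$@"; do
        key=${kv%%=*}
        val=${kv#*=}
        case "$key" in
            sysdig.secureAPIToken) token=$val ;;
            clusterName)           cluster=$val ;;
            sysdig.url)            url=$val ;;
            verifySSL|scanner.verifyRegistryTLS)
                # Both default to true; false is meant for initial testing only.
                if [ "$val" = "false" ]; then
                    echo "WARN: $key=false disables TLS verification"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    # An unset shell variable (e.g. $SYSDIG_API_TOKEN) expands to an empty value.
    if [ -z "$token" ]; then
        echo "FAIL: sysdig.secureAPIToken is empty or missing"
        findings=$((findings + 1))
    fi
    if [ -z "$cluster" ]; then
        echo "FAIL: clusterName is empty or missing"
        findings=$((findings + 1))
    fi
    case "$url" in
        ""|https://?*) ;;   # omitted (chart default) or an https endpoint with a host
        *) echo "FAIL: sysdig.url must be an https:// endpoint"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}
```

Call it with the same pairs you intend to pass to `--set`, and proceed with the install only when it returns 0.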
Enable in Sysdig Labs
Log in to Sysdig Secure as administrator and select
Under Sysdig Labs, enable the Admission Controller feature and click
The links to the Admission Controller pages will appear under Image Scanning in the left-hand navigation. If you don’t see the options, it means you are either not an admin user or the legacy scanning engine is not enabled on your Sysdig instance. Please discuss the situation with your account representative, or open a [support case](/en/docs/administration/get-help-using-sysdig-support/contact-support/).
Upgrading from Scanning-Only Admission Controller
If you already have the Sysdig Admission Controller installed and want to upgrade:
helm upgrade sysdig-admission-controller sysdig/admission-controller \
    -n sysdig-admission-controller \
    --set features.k8sAuditDetections=true \
    --reuse-values
For those customers who already have the Admission Controller AND already enabled Kubernetes audit logging via the legacy method, you can still install/upgrade to the new Admission Controller. Just be sure to set features.k8sAuditDetections=false to avoid collecting and displaying
Uninstall the CLI-based Version
If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version.
Run the following command:
helm uninstall -n sysdig-admission-controller sysdig-admission-controller
- More up-to-date, technical AC Troubleshooting.