Install Admission Controller

If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.

To understand and use the Admission Controller after installing it, see Admission Controller.

Prerequisites

  • Helm 3

  • Kubernetes 1.16 or higher

Install the Admission Controller

The component must be installed on each cluster where you want to use it.

  1. Make sure kubectl points at the target cluster (check with kubectl config current-context); Helm installs into whichever cluster the current context selects.

  2. Add and synchronize the Helm repository:

    helm repo add sysdig https://charts.sysdig.com
    helm repo update
    
  3. Install the Admission Controller on the target cluster, e.g.:

    helm install sysdig-admission-controller \
    --create-namespace \
    --namespace sysdig-admission-controller \
    --set sysdig.secureAPIToken=$SYSDIG_API_TOKEN \
    --set clusterName=$CLUSTER_NAME \
    --set sysdig.url=https://$SYSDIG_SECURE_ENDPOINT \
    --set features.k8sAuditDetections=true \
    sysdig/admission-controller  
    
  4. Check that the installation succeeded in the Sysdig UI. Log in to Sysdig Secure and select Image Scanning > Admission Controller | Policy Assignments. (If these pages are not listed, enable the feature under Sysdig Labs first; see below.)

    By default, the cluster shows as Connected (healthy) but Disabled (grey dot to the right of the name). Admission Controllers are disabled by default so that a fresh install cannot accidentally block deployments.
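The install procedure above passes the Secure API token on the helm command line, which leaves it in the shell history. The script below is an added example (not Sysdig's code or part of the chart): it checks the kubectl context, renders a values file from the same four keys the documented helm install command sets (clusterName, sysdig.url, sysdig.secureAPIToken, features.k8sAuditDetections), installs from that file with owner-only permissions, and then verifies the release with kubectl and helm. EXPECTED_CONTEXT, K8S_AUDIT and the https-only check are this example's own additions; the webhook listing shows every registration in the cluster, since the chart's object names are not given on this page.

```shell
#!/bin/sh
# Added example, not from the Sysdig documentation or chart.
# Usage: EXPECTED_CONTEXT=<ctx> SYSDIG_API_TOKEN=... CLUSTER_NAME=... \
#        SYSDIG_SECURE_ENDPOINT=secure.sysdig.com sh install-ac.sh install

RELEASE=sysdig-admission-controller
NS=sysdig-admission-controller
CHART=sysdig/admission-controller

# Render Helm values from arguments: token, cluster name, endpoint URL, audit flag.
# Only keys that appear in the documented "helm install" command are emitted.
render_values() {
    token=$1; cluster=$2; url=$3; audit=${4:-true}
    [ -n "$token" ]   || { echo "missing Sysdig Secure API token" >&2; return 1; }
    [ -n "$cluster" ] || { echo "missing cluster name (must match the agent cluster name)" >&2; return 1; }
    # An admin-level token must never travel over plaintext HTTP (check added by this example).
    case "$url" in
        https://*) ;;
        *) echo "sysdig.url must start with https://, got: $url" >&2; return 1 ;;
    esac
    case "$audit" in
        true|false) ;;
        *) echo "k8sAuditDetections must be true or false, got: $audit" >&2; return 1 ;;
    esac
    printf 'clusterName: "%s"\nsysdig:\n  url: "%s"\n  secureAPIToken: "%s"\nfeatures:\n  k8sAuditDetections: %s\n' \
        "$cluster" "$url" "$token" "$audit"
}

# Refuse to install unless the current kubectl context is the one the operator expects,
# then install from a 0600 values file so the token never appears on the command line.
# Helm still stores the values (token included) in the release Secret inside $NS, so
# restrict who can read Secrets in that namespace.
install_ac() {
    ctx=$(kubectl config current-context)
    [ "$ctx" = "$EXPECTED_CONTEXT" ] || { echo "kubectl context is '$ctx', expected '$EXPECTED_CONTEXT'" >&2; return 1; }
    values=$(mktemp)                       # mktemp creates the file with mode 0600
    trap 'rm -f "$values"' EXIT
    render_values "$SYSDIG_API_TOKEN" "$CLUSTER_NAME" "https://$SYSDIG_SECURE_ENDPOINT" "${K8S_AUDIT:-true}" > "$values" || return 1
    helm repo add sysdig https://charts.sysdig.com >/dev/null 2>&1 || true   # ignore "already exists"
    helm repo update
    helm install "$RELEASE" "$CHART" --create-namespace --namespace "$NS" -f "$values"
    # Post-install verification: pods Ready, release deployed, webhooks registered.
    kubectl -n "$NS" wait --for=condition=Ready pod --all --timeout=180s
    helm status "$RELEASE" --namespace "$NS"
    kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o name
}

case "${1:-}" in
    install) install_ac ;;
esac
```

The Disabled state shown in the UI after this script finishes is expected: the script only confirms that the pods run and the webhooks are registered, while enforcement is switched on per cluster in Sysdig Secure.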

Installation Parameters

  • --create-namespace: Create the target namespace if it does not already exist
  • --namespace: Namespace where the Admission Controller will be installed
  • --set sysdig.secureAPIToken: Sysdig Secure API token, found in the Sysdig UI under Settings | User Profile. The user that owns the token must have administrator rights, so treat the token accordingly: a value passed with --set is recorded in your shell history and stored by Helm in the release Secret. Prefer --set-file or a values file with restricted permissions, and limit who can read Secrets in the release namespace.
  • --set clusterName: User-defined name for this cluster as it will appear in the Admission Controller interface in Sysdig's backend. The cluster name must match the agent cluster name.
  • --set features.k8sAuditDetections: (true/false) Set true to enable Kubernetes audit logging via the Admission Controller. See also: Kubernetes Audit Logging (legacy installation) and Select the Policy Type (Kubernetes Audit Policies)
  • --set sysdig.url: Sysdig Secure endpoint. The default, https://secure.sysdig.com, is the us-east region.
    For us-west use https://us2.app.sysdig.com
    For European Union use https://eu1.app.sysdig.com
    For APAC use https://app.au1.sysdig.com
    For GCP use https://app.us4.sysdig.com
    For on-prem use your own endpoint.
  • --set verifySSL: (true/false) Whether to verify the TLS certificate of the Sysdig Secure API; default: true. Only set this to false during initial testing or evaluation of an on-premises installation: with verification off, the administrator token is sent to whatever answers at the configured endpoint.
  • --set scanner.verifyRegistryTLS: (true/false) Whether to verify registry TLS certificates on image pull; default: true. Only set this to false during initial testing or evaluation, since an unverified registry connection lets image content be tampered with in transit.
  • --set scanner.psp.create: (true/false) Whether to create a PodSecurityPolicy plus the Role and RoleBinding that grant it; default: false. PodSecurityPolicy is deprecated as of Kubernetes 1.21, so check your cluster version before enabling this.

Enable in Sysdig Labs (for Image Scanning)

  1. Log in to Sysdig Secure as administrator and select Settings|User Profile.

  2. Under Sysdig Labs, enable the Admission Controller feature and click Save.

    The links to the Admission Controller pages will appear under Image Scanning in the left-hand navigation.

Upgrades

Upgrading from Scanning-Only Admission Controller

If you already have the scanning-only Sysdig Admission Controller installed and want to add Kubernetes audit detections, upgrade the release in place:

helm upgrade \
--namespace sysdig-admission-controller \
--set features.k8sAuditDetections=true \
--reuse-values \
sysdig-admission-controller sysdig/admission-controller

Note that --reuse-values carries the previous release's values forward and merges in the --set overrides; defaults introduced by a newer chart version are not picked up, so pass any new values explicitly.

If you already have the Admission Controller AND already enabled Kubernetes audit logging via the legacy method, you can still install or upgrade to the new Admission Controller. Be sure to set features.k8sAuditDetections=false so that the same events are not collected and displayed twice.

Uninstall the CLI-based Version

The CLI-based version is not compatible with the UI-based version (see the note at the top of this page), so remove it before installing the UI-based chart. Run:

helm uninstall -n sysdig-admission-controller sysdig-admission-controller


Last modified January 11, 2022