    Install Admission Controller

    If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.

    To understand and use the Admission Controller after installing it, see Admission Controller.

    For more technical documentation, see Chart Documentation.

    Prerequisites

    • Helm 3
    • Kubernetes 1.21 or higher

    Install the Admission Controller

    The component must be installed on each cluster where you want to use it.

    1. Make sure kubectl is pointing to the target cluster where the Admission Controller will be installed.

    2. Add and synchronize the Helm repository:

      helm repo add sysdig https://charts.sysdig.com
      helm repo update
      
    3. Install the Admission Controller on the target cluster with full capabilities, for example:

      helm install sysdig-admission-controller sysdig/admission-controller \
      --create-namespace -n sysdig-admission-controller \
      --set sysdig.secureAPIToken="$SYSDIG_API_TOKEN" \
      --set clusterName="$CLUSTER_NAME" \
      --set sysdig.url="https://$SYSDIG_SECURE_ENDPOINT" \
      --set features.k8sAuditDetections=true
      
    4. Check that the installation was successful in the Sysdig UI. Log in to Sysdig Secure and select Image Scanning>Admission Controller|Policy Assignments.

      The Admission Controller is disabled by default in your cluster, to avoid accidentally blocking deployments.
      The cluster is displayed in the Connected list as healthy but Disabled (gray dot).
      You must enable it manually by toggling the Enabled flag; the status should then change accordingly (green dot).

    Installation Parameters

    The following parameters are the most common ones, but find the full list of available parameters or specific use-cases

    • --create-namespace: If supplied, will create a namespace
    • --namespace: Desired namespace where the Admission Controller will be installed
    • --set sysdig.secureAPIToken: Sysdig Secure API token as found in the Sysdig UI under Settings/User Profile. Note that this user must have administrator rights
    • --set clusterName: User-defined name for this cluster that will appear in the admission controller interface in Sysdig’s backend. The cluster name needs to match the agent cluster name.
    • --set sysdig.url: Sysdig endpoint. Default https://secure.sysdig.com is for the us-east region.
      • For us-west use https://us2.app.sysdig.com
      • For European Union, use https://eu1.app.sysdig.com
      • For APAC, use https://app.au1.sysdig.com
      • For US4 (our west Google cloud region) use https://app.us4.sysdig.com/
      • For on-prem, use your own endpoints.
      • See also SaaS Regions and IP Ranges.
    • --set features.k8sAuditDetections: (true/false) Set true to enable Kubernetes audit logging via the Admission Controller. See also: Kubernetes Audit Logging (legacy installation) and Select the Policy Type (Kubernetes Audit Policies)
    • --set verifySSL: (true/false) Sets the verification of the Sysdig Secure API; default: true (we recommend only changing this to false when doing initial testing / evaluation of an on-premises installation)
    • --set scanner.verifyRegistryTLS: (true/false) Verify TLS from registries on image pull; default: true (we recommend only changing this to false when doing initial testing / evaluation)
    • --set scanner.psp.create: (true/false) Whether to create a psp policy and role / role-binding; default: false
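
A pre-flight check over the parameters listed above, as an added example (not part of the Sysdig chart or its documentation). The function name `ac_preflight` and the finding labels are made up for this example; it takes the same key=value pairs you would pass to `--set` and flags an empty token or cluster name (for instance from an unset environment variable), a non-HTTPS endpoint, and disabled TLS verification.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the Sysdig chart).
# Usage: ac_preflight key=value [key=value ...]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
ac_preflight() {
    _token="" _cluster="" _url="" _rc=0
    for _kv in "$@"; do
        _key=${_kv%%=*}   # text before the first '='
        _val=${_kv#*=}    # text after the first '='
        case "$_key" in
            sysdig.secureAPIToken) _token=$_val ;;
            clusterName)           _cluster=$_val ;;
            sysdig.url)            _url=$_val ;;
            verifySSL|scanner.verifyRegistryTLS)
                # Both default to true; false is for initial evaluation only.
                if [ "$_val" = "false" ]; then
                    echo "TLS_VERIFY_OFF $_key"; _rc=1
                fi ;;
        esac
    done
    # Both values appear in the install command; an unset shell variable
    # expands to an empty string and is caught here.
    if [ -z "$_token" ]; then echo "MISSING sysdig.secureAPIToken"; _rc=1; fi
    if [ -z "$_cluster" ]; then echo "MISSING clusterName"; _rc=1; fi
    # sysdig.url may be omitted (chart default); if set, it must be an
    # https:// URL with a host so the API token never travels in clear text.
    case "$_url" in
        ""|https://?*) ;;
        *) echo "BAD_URL sysdig.url"; _rc=1 ;;
    esac
    return "$_rc"
}

# Constructed sample values for a stand-alone run.
ac_preflight sysdig.secureAPIToken=EXAMPLE-TOKEN clusterName=demo \
    sysdig.url=https://eu1.app.sysdig.com features.k8sAuditDetections=true \
    && echo "preflight clean"
```

Run it in the deployment script before `helm install` or `helm upgrade`, and stop the rollout when it returns non-zero.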

    Enable in Sysdig Labs (for Image Scanning)

    1. Log in to Sysdig Secure as administrator and select Settings|User Profile.

    2. Under Sysdig Labs, enable the Admission Controller feature and click Save.

      The links to the Admission Controller pages will appear under Image Scanning in the left-hand navigation.

    Upgrades

    Upgrading from Scanning-Only Admission Controller

    If you already have the Sysdig Admission Controller installed and want to upgrade:

    helm upgrade sysdig-admission-controller sysdig/admission-controller \
    -n sysdig-admission-controller \
    --set features.k8sAuditDetections=true \
    --reuse-values
    

    Customers who already have the Admission Controller and have already enabled Kubernetes audit logging via the legacy method can still install or upgrade to the new Admission Controller. Just be sure to set features.k8sAuditDetections=false to avoid collecting and displaying duplicate events.

    Uninstall the CLI-based Version

    If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.

    Run the following command:

    helm uninstall -n sysdig-admission-controller sysdig-admission-controller
    

    Troubleshooting

    Refer to Chart Documentation - Troubleshooting.