If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version instead.
To understand and use the Admission Controller after installing it, see Admission Controller.
For more technical documentation, see Chart Documentation.
Prerequisites
- Helm 3
- Kubernetes 1.21 or higher
Install the Admission Controller
The component must be installed on each cluster where you want to use it.
Make sure kubectl is pointing to the target cluster where the Admission Controller will be installed. Add and synchronize the Helm repository:
helm repo add sysdig https://charts.sysdig.com
helm repo update
Install the Admission Controller on the target cluster with full capabilities. The recommended way to install the admission-controller is using the “Sysdig Deploy” Helm chart. By default this chart installs the Sysdig agent and the Node Analyzer; however, individual subcharts such as the Admission Controller can be switched on or off with the <SubchartName>.enabled parameter.
NOTE: Both commands below install the same components; the advantage of using Sysdig Deploy is that multiple Sysdig products can be installed and managed together.
Using Sysdig Deploy:
helm install sysdig sysdig/sysdig-deploy \
--create-namespace -n sysdig \
--set global.sysdig.secureAPIToken=$SYSDIG_API_TOKEN \
--set global.clusterConfig.name=$CLUSTER_NAME \
--set admissionController.sysdig.url=https://$SYSDIG_SECURE_ENDPOINT \
--set admissionController.features.k8sAuditDetections=true \
--set admissionController.enabled=true \
--set agent.enabled=false \
--set nodeAnalyzer.enabled=false
Using the standalone admission-controller chart:
helm install sysdig-admission-controller sysdig/admission-controller \
--create-namespace -n sysdig-admission-controller \
--set sysdig.secureAPIToken=$SYSDIG_API_TOKEN \
--set clusterName=$CLUSTER_NAME \
--set sysdig.url=https://$SYSDIG_SECURE_ENDPOINT \
--set features.k8sAuditDetections=true
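The following is an added helper, not Sysdig's own tooling or part of this documentation. It assembles (but does not run) the argv for either of the two install commands above, maps a region name to the SaaS endpoints listed under Installation Parameters, rejects a plain-http endpoint so the API token is never sent in the clear, and renders a redacted copy of the command that is safe to log. The region keys, function names and the placeholder token are assumptions made for the example.

```python
"""Build (but do not run) the helm install command for the Sysdig Admission
Controller, covering both chart variants shown in the docs.

Added example, not Sysdig's own tooling. Region keys, function names and the
placeholder token are assumptions for illustration.
"""
import shlex
from typing import Dict, List, Optional

# Regional SaaS endpoints as listed under "Installation Parameters";
# on-prem installs pass their own URL instead. Region keys are assumed names.
REGION_ENDPOINTS: Dict[str, str] = {
    "us-east": "https://secure.sysdig.com",   # chart default
    "us-west": "https://us2.app.sysdig.com",
    "eu": "https://eu1.app.sysdig.com",
    "apac": "https://app.au1.sysdig.com",
    "us4": "https://app.us4.sysdig.com",
}


def resolve_endpoint(region: Optional[str] = None,
                     custom_url: Optional[str] = None) -> str:
    """Pick the Sysdig Secure URL: an explicit (on-prem) URL wins, otherwise
    the regional table. Plain http is rejected so the API token never travels
    unencrypted."""
    if custom_url:
        if not custom_url.startswith("https://"):
            raise ValueError("Sysdig endpoint must be an https:// URL")
        return custom_url.rstrip("/")
    key = region or "us-east"
    if key not in REGION_ENDPOINTS:
        raise ValueError(f"unknown region {key!r}; known: {sorted(REGION_ENDPOINTS)}")
    return REGION_ENDPOINTS[key]


def build_install_args(api_token: str, cluster_name: str, endpoint: str, *,
                       umbrella: bool = True, audit_detections: bool = True,
                       namespace: Optional[str] = None) -> List[str]:
    """Return the argv for `helm install`, either via the sysdig-deploy
    umbrella chart (agent and Node Analyzer switched off, as in the docs) or
    the standalone admission-controller chart."""
    if not api_token or not cluster_name:
        raise ValueError("both the Secure API token and the cluster name are required")
    flag = "true" if audit_detections else "false"
    if umbrella:
        ns = namespace or "sysdig"
        return [
            "helm", "install", "sysdig", "sysdig/sysdig-deploy",
            "--create-namespace", "-n", ns,
            "--set", f"global.sysdig.secureAPIToken={api_token}",
            "--set", f"global.clusterConfig.name={cluster_name}",
            "--set", f"admissionController.sysdig.url={endpoint}",
            "--set", f"admissionController.features.k8sAuditDetections={flag}",
            "--set", "admissionController.enabled=true",
            "--set", "agent.enabled=false",
            "--set", "nodeAnalyzer.enabled=false",
        ]
    ns = namespace or "sysdig-admission-controller"
    return [
        "helm", "install", "sysdig-admission-controller", "sysdig/admission-controller",
        "--create-namespace", "-n", ns,
        "--set", f"sysdig.secureAPIToken={api_token}",
        "--set", f"clusterName={cluster_name}",
        "--set", f"sysdig.url={endpoint}",
        "--set", f"features.k8sAuditDetections={flag}",
    ]


def redacted(args: List[str], api_token: str) -> str:
    """Shell-quoted command line with the token masked, safe to log or echo."""
    return shlex.join(a.replace(api_token, "<REDACTED>") for a in args)


if __name__ == "__main__":
    # Constructed placeholder values; real runs read them from the environment.
    token, cluster = "placeholder-api-token", "prod-cluster-1"
    argv = build_install_args(token, cluster, resolve_endpoint("eu"), umbrella=False)
    print(redacted(argv, token))
    # To execute: subprocess.run(argv, check=True) once kubectl points at the target cluster.
```

Because the token is passed with --set, it is visible in the process list and in any shell history or CI log that echoes the command; print only the redacted form and keep the real argv in memory.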
Check that the installation was successful in the Sysdig UI.
NOTE: The menu options are only available if the Admission Controller is enabled.
Log in to Sysdig Secure and select Image Scanning > Admission Controller | Policy Assignments.
The Admission Controller is disabled by default in your cluster, to avoid accidentally blocking deployments. The cluster is displayed in the Connected list as healthy but Disabled (gray dot). You have to enable it manually by toggling the Enabled flag; the status should then change accordingly (green dot).
Installation Parameters
The following parameters are the most common ones; the full list of available parameters and specific use cases is covered in the Chart Documentation.
--create-namespace: If supplied, creates the namespace.
--namespace: Desired namespace where the Admission Controller will be installed.
--set sysdig.secureAPIToken: Sysdig Secure API token as found in the Sysdig UI under Settings/User Profile. Note that this user must have administrator rights.
--set clusterName: User-defined name for this cluster that will appear in the admission controller interface in Sysdig’s backend. The cluster name needs to match the agent cluster name.
--set sysdig.url: Sysdig endpoint. The default, https://secure.sysdig.com, is for the us-east region.
- For us-west, use https://us2.app.sysdig.com
- For European Union, use https://eu1.app.sysdig.com
- For APAC, use https://app.au1.sysdig.com
- For US4 (our west Google cloud region), use https://app.us4.sysdig.com/
- For on-prem, use your own endpoints.
- See also SaaS Regions and IP Ranges.
--set features.k8sAuditDetections: (true/false) Set to true to enable Kubernetes audit logging via the Admission Controller. See also: Kubernetes Audit Logging (legacy installation) and Select the Policy Type (Kubernetes Audit Policies).
--set verifySSL: (true/false) Sets the verification of the Sysdig Secure API; default: true (we recommend only changing this to false when doing initial testing / evaluation of an on-premises installation).
--set scanner.verifyRegistryTLS: (true/false) Verify TLS from registries on image pull; default: true (we recommend only changing this to false when doing initial testing / evaluation).
--set scanner.psp.create: (true/false) Whether to create a PSP policy and role / role-binding; default: false.
Enable in Sysdig Labs
Log in to Sysdig Secure as administrator and select Settings | User Profile. Under Sysdig Labs, enable the Admission Controller feature and click Save.
The links to the Admission Controller pages will appear under Image Scanning in the left-hand navigation. If you don’t see the options, it means you are either not an admin user or the legacy scanning engine is not enabled on your Sysdig instance. Please discuss the situation with your account representative, or open a support case (/en/docs/administration/get-help-using-sysdig-support/contact-support/).
Upgrades
Upgrading from Scanning-Only Admission Controller
If you already have the Sysdig Admission Controller installed and want to upgrade:
helm upgrade sysdig-admission-controller sysdig/admission-controller \
-n sysdig-admission-controller \
--set features.k8sAuditDetections=true \
--reuse-values
For those customers who already have the Admission Controller AND already enabled Kubernetes audit logging via the legacy method, you can still install/upgrade to the new Admission Controller. Just be sure to set features.k8sAuditDetections=false to avoid collecting and displaying duplicate events.
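The following is an added pre-upgrade check, not part of the Sysdig documentation or chart. It serves two passages: the Installation Parameters list, whose verifySSL and scanner.verifyRegistryTLS settings are meant to be relaxed only during evaluation, and the upgrade above, which uses --reuse-values and therefore carries any such relaxed setting forward unchanged. Given the values of the existing release (what `helm get values <release> -n <ns> --all -o json` prints), it reports weakened settings and picks the features.k8sAuditDetections value: false when Kubernetes audit logging is already collected via the legacy method, true otherwise. The function names and the sample values are constructed for the example.

```python
"""Pre-upgrade check for an existing Admission Controller release.

Added example, not Sysdig's own tooling. Input is the JSON that
`helm get values <release> -n <ns> --all -o json` returns (an evaluation
install can also print `null` when no values were set). The sample values
and function names are constructed for illustration.
"""
import json
from typing import Any, Dict, List


def _lookup(values: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Fetch a nested key such as 'scanner.verifyRegistryTLS'."""
    node: Any = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_values(values: Dict[str, Any]) -> List[str]:
    """Return one finding per setting that weakens the deployment and would
    survive a `helm upgrade --reuse-values` unchanged."""
    findings: List[str] = []
    if _lookup(values, "verifySSL", True) is False:
        findings.append("verifySSL=false: TLS verification of the Sysdig Secure API is off")
    if _lookup(values, "scanner.verifyRegistryTLS", True) is False:
        findings.append("scanner.verifyRegistryTLS=false: registry TLS is not verified on image pull")
    if not _lookup(values, "clusterName"):
        findings.append("clusterName is unset: it must match the agent cluster name")
    return findings


def audit_detections_value(legacy_audit_enabled: bool) -> str:
    """Keep the flag off when the legacy path already ships Kubernetes audit
    events, so the same event is not collected twice."""
    return "false" if legacy_audit_enabled else "true"


def build_upgrade_args(release: str, namespace: str,
                       legacy_audit_enabled: bool) -> List[str]:
    """argv for the upgrade command in the docs, with the audit flag decided here."""
    return [
        "helm", "upgrade", release, "sysdig/admission-controller",
        "-n", namespace,
        "--set", f"features.k8sAuditDetections={audit_detections_value(legacy_audit_enabled)}",
        "--reuse-values",
    ]


def preflight(values_json: str, legacy_audit_enabled: bool,
              release: str = "sysdig-admission-controller",
              namespace: str = "sysdig-admission-controller") -> Dict[str, Any]:
    """Parse the release values and return findings plus the upgrade argv."""
    values = json.loads(values_json) or {}
    return {
        "findings": audit_values(values),
        "upgrade": build_upgrade_args(release, namespace, legacy_audit_enabled),
    }


# Constructed sample: an evaluation install that was never hardened.
SAMPLE_VALUES_JSON = json.dumps({
    "clusterName": "dev-1",
    "verifySSL": False,
    "scanner": {"verifyRegistryTLS": False, "psp": {"create": False}},
    "features": {"k8sAuditDetections": False},
})

if __name__ == "__main__":
    report = preflight(SAMPLE_VALUES_JSON, legacy_audit_enabled=False)
    for finding in report["findings"]:
        print("WARN", finding)
    print(" ".join(report["upgrade"]))
```

Run the preflight before the upgrade and fix any finding with an explicit --set (for example verifySSL=true) in the same upgrade command; --reuse-values only preserves what is already there, it does not repair it.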
Uninstall the CLI-based Version
If you have installed the CLI-based version of the Admission Controller, the UI-based version is not backwards-compatible. You will need to uninstall the old version and install the UI-based version.
Run the following:
helm uninstall -n sysdig-admission-controller sysdig-admission-controller
Troubleshooting
- For more up-to-date technical troubleshooting, see AC Troubleshooting.