Sysdig Secure has multiple benchmark and compliance solutions (from oldest to newest):
- Benchmarks (V1) - Retired Dec. 1, 2022
- Benchmarks (V2)/Compliance (legacy) - to be retired March 1, 2023
- Compliance (Unified) - to be retired March 1, 2023
- Compliance (Formerly called “Actionable Compliance”)
KSPM components are used for the all-new, policy-as-code-based CSPM solution, Compliance, as well as other upcoming Sysdig Secure features.
Use this page to understand:
- Why to upgrade your Sysdig Benchmark/Compliance version
- Which version you are currently using
- Which upgrade path is appropriate and how to complete it
Benefits of Upgrading
The new Compliance module moves beyond just finding violations to promoting remediations from source to run.
- All resources are added to a central inventory data store along with their configuration information
- The policy evaluation happens in the backend using OPA (Open Policy Agent) as the policy engine
- 900+ controls are evaluated OOTB supporting:
- Kubernetes (both vanilla and managed - EKS, GKE, AKS)
- Simple and intuitive creation of custom policies to match your organization’s needs
- Unified experience across different target endpoints
- Clear and concise explanations of violations
Which Version Am I Using?
If you are using Benchmarks (V1), the URL will have the form: https://secure.sysdig.com/#/benchmarks or https://secure-staging.sysdig.com/#/benchmarks/tasks
If you are using Benchmarks (V2)/Compliance (Legacy), the URL will have the form: https://secure.sysdig.com/#/benchmarksV2/tasks
If you are using Unified Compliance, the URL will have the form: https://secure.sysdig.com/#/compliance/tasks
Enablement requires two basic steps:
- Agent upgrade or agent install, using Helm
- IaC Security enablement to take advantage of PR-integrated remediation (optional)
The precise upgrade/install steps differ depending which version you are currently using. When the basic steps are complete, the UI for actionable compliance will be populated with your environment’s content.
Upgrading from Benchmarks (V1)
Upgrade using the original chart and add the following parameter:
Remove existing Benchmark Tasks. All tasks will be automatically removed on December 1, 2022, and new tasks will not be able to be created.
Upgrading from any Other Version or New Install
Note that Sysdig is currently supporting two Helm chart versions: the original and the new, and the parameters differ slightly between them.
Use the new chart if:
- You are installing agents for the first time, or
- You installed using the new chart and now want to upgrade to enable Compliance. If necessary, check the Secure endpoint for your region.
sysdigcloud-benchmark-runnerwith the KSPM collector.
If you installed the Sysdig agent using the original chart, add the following flags:
--set nodeAnalyzer.benchmarkRunner.deploy=false --set kspm.deploy=true --set kspmCollector.apiEnpoint=<endpoint>
If you installed the Sysdig agent using the new chart, or are installing the agent for the first time, add the following flags:
--set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false --set global.kspm.deploy=true --set kspmCollector.apiEndpoint=<endpoint>
Disable existing compliance and benchmark tasks. In the UI, switch the
Enabledtoggle of each task. All tasks will be automatically disabled on March 15, 2023, and will no longer be able to be created or re-enabled.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.