KSPM Components

Background

Sysdig Secure has multiple benchmark and compliance solutions (from oldest to newest):

KSPM components are used for the all-new, policy-as-code-based CSPM solution, Actionable Compliance, as well as other upcoming Sysdig Secure features.

Use this page to understand:

  • Why you should upgrade your Sysdig Benchmark/Compliance version
  • Which version you are currently using
  • Which upgrade path is appropriate and how to complete it

Benefits of Upgrading

Actionable Compliance moves beyond just finding violations to promoting remediations from source to run.

Additionally:

  • All resources are added to a central inventory data store along with their configuration information
  • The policy evaluation happens in the backend using OPA (Open Policy Agent) as the policy engine
  • 900+ controls are evaluated OOTB supporting:
    • Kubernetes (both vanilla and managed: EKS, GKE, AKS)
    • Linux
    • Docker
    • AWS
    • GCP
    • Azure
  • Simple and intuitive creation of custom policies to match your organization’s needs
  • Unified experience across different target endpoints
  • Clear and concise explanations of violations

Which Version Am I Using?

If you are using Benchmarks (V1), the URL will have the form: https://secure.sysdig.com/#/benchmarks or https://secure-staging.sysdig.com/#/benchmarks/tasks

If you are using Benchmarks (V2)/Compliance (Legacy), the URL will have the form: https://secure.sysdig.com/#/benchmarksV2/tasks

If you are using Unified Compliance, the URL will have the form: https://secure.sysdig.com/#/compliance/tasks

Enable Actionable Compliance

Enablement requires two basic steps:

  • Agent upgrade or agent install, using Helm
  • IaC Security enablement to take advantage of PR-integrated remediation (optional)

The precise upgrade/install steps differ depending which version you are currently using. When the basic steps are complete, the UI for actionable compliance will be populated with your environment’s content.

Migrating from Benchmarks (V1)

  1. Upgrade using the original chart and add the following parameter:

    --set kspm.deploy=true
    
  2. Remove existing Benchmark Tasks. All tasks will be automatically removed on December 1, 2022, and new tasks will not be able to be created.

Migrating from any Other Version or New Install

Note that Sysdig currently supports two Helm chart versions, the original chart and the new chart, and the parameters differ slightly between them.

Use the new chart if:

  • You are installing agents for the first time, or
  • You installed using the new chart and now want to upgrade to enable Actionable Compliance.

  1. Replace the sysdigcloud-benchmark-runner with the KSPM collector.

    • If you installed the Sysdig agent using the original chart, add the following flags:

      --set nodeAnalyzer.benchmarkRunner.deploy=false
      --set kspm.deploy=true

    • If you installed the Sysdig agent using the new chart, or are installing the agent for the first time, add the following flags:

      --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false
      --set global.kspm.deploy=true
      --set kspmCollector.apiEndpoint=<endpoint>
      
  2. Disable existing compliance and benchmark tasks. In the UI, switch the Enabled toggle of each task. All tasks will be automatically disabled on February 1, 2023, and will no longer be able to be created or re-enabled.
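The migration steps above only list the --set flags; the following script is an added example (not Sysdig's own tooling) showing a complete `helm upgrade --install` invocation for each path (Benchmarks V1 on the original chart, any other version on the original chart, and the new chart or a fresh install), followed by a check that the sysdigcloud-benchmark-runner workload is gone and a KSPM collector workload is present. It assumes chart names that the page does not state (`sysdig/sysdig` for the original chart, `sysdig/sysdig-deploy` for the new chart), placeholder release and namespace names, and that the collector's workload name contains "kspm"; adjust those to your environment.

```shell
#!/bin/sh
# Added example, not Sysdig's own tooling: applies the migration steps above
# with Helm and then checks the result.
# Assumptions not stated on the page: the original chart is sysdig/sysdig and
# the new chart is sysdig/sysdig-deploy; release name, namespace and the
# collector API endpoint are placeholders supplied by the caller.

# kspm_set_values <v1|original|new> [apiEndpoint]
# Prints the key=value pairs listed for each migration path, one per line.
kspm_set_values() {
  scenario="$1"
  endpoint="$2"
  case "$scenario" in
    v1)        # Benchmarks (V1) on the original chart: just enable KSPM.
      printf '%s\n' 'kspm.deploy=true' ;;
    original)  # Any other version on the original chart: swap runner for collector.
      printf '%s\n' 'nodeAnalyzer.benchmarkRunner.deploy=false' 'kspm.deploy=true' ;;
    new)       # New chart or fresh install: the collector also needs its API endpoint.
      if [ -z "$endpoint" ]; then
        echo "kspm_set_values: the new chart requires kspmCollector.apiEndpoint" >&2
        return 2
      fi
      printf '%s\n' 'nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false' \
        'global.kspm.deploy=true' "kspmCollector.apiEndpoint=$endpoint" ;;
    *)
      echo "kspm_set_values: unknown scenario '$scenario'" >&2
      return 1 ;;
  esac
}

# kspm_chart <scenario>: chart for the scenario (assumed chart names).
kspm_chart() {
  case "$1" in
    new) echo sysdig/sysdig-deploy ;;
    *)   echo sysdig/sysdig ;;
  esac
}

# kspm_helm_upgrade <scenario> <release> <namespace> [apiEndpoint]
# Runs "helm upgrade --install" with --reuse-values so the access key, cluster
# name and other values of the existing release are kept. Set KSPM_DRY_RUN=1
# to print the argv (one element per line) instead of executing it.
kspm_helm_upgrade() {
  scenario="$1"; release="$2"; ns="$3"; endpoint="$4"
  values="$(kspm_set_values "$scenario" "$endpoint")" || return $?
  set -- helm upgrade --install "$release" "$(kspm_chart "$scenario")" \
    --namespace "$ns" --reuse-values
  while IFS= read -r kv; do
    set -- "$@" --set "$kv"
  done <<EOF
$values
EOF
  if [ "${KSPM_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
  else
    "$@"
  fi
}

# kspm_verify <namespace>: after the upgrade the old sysdigcloud-benchmark-runner
# workload must be gone and a KSPM collector workload present (the collector's
# workload name is assumed to contain "kspm").
kspm_verify() {
  ns="$1"
  workloads="$(kubectl -n "$ns" get deployments,daemonsets -o name)" || return $?
  if echo "$workloads" | grep -q sysdigcloud-benchmark-runner; then
    echo "benchmark runner still deployed in $ns" >&2
    return 1
  fi
  if ! echo "$workloads" | grep -qi kspm; then
    echo "no KSPM collector workload found in $ns" >&2
    return 1
  fi
  echo "KSPM collector present and benchmark runner removed in $ns"
}

# Usage: sh kspm-upgrade.sh <v1|original|new> <release> <namespace> [apiEndpoint]
if [ $# -ge 3 ]; then
  kspm_helm_upgrade "$@" && kspm_verify "$3"
fi
```

Run it with `KSPM_DRY_RUN=1` first to review the exact Helm command before it touches the cluster; the `new` scenario refuses to run without the collector endpoint, since the page lists that flag as required for the new chart.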