Configure Workload Starting Policy

As of serverless agent version 3.0.2, the instrumentation starts the workload even if policies are not in place. This avoids workload starvation when issues such as agent misconfiguration or network problems occur.

It is possible to customize the workload starting policy via the following environment variables:

  • agentino.run_without_policies, true by default, defines whether the Sysdig instrumentation should continue running with no policies in place. true allows the workload to run unsecured. false does not allow the workload to run unsecured, so the workload will not run at all without policies.

  • agentino.delay_startup_until_policies_timeout_s, 0 (zero) by default, defines the amount of time, in seconds, that the Sysdig instrumentation has to wait before starting up the workload. Note that the time the workload agent needs to acquire policies depends on a number of factors such as configuration, network latency, and load. A conservative value might be 60 seconds.

You can provide these configuration options to the Workload Agent via the SYSDIG_EXTRA_CONF environment variable. Note that SYSDIG_EXTRA_CONF expects valid YAML or JSON.

For example, the following configuration delays the workload startup for 60 seconds to let the Sysdig instrumentation acquire the policies. Because run_without_policies keeps its default value of true, the workload starts after the wait even with no policies in place.

SYSDIG_EXTRA_CONF='{"agentino": {"delay_startup_until_policies_timeout_s": 60}}'

As another example, the following configuration also delays the workload startup for 60 seconds to let the Sysdig instrumentation acquire the policies, but it prevents the workload from starting after the wait if policies are not in place.

SYSDIG_EXTRA_CONF='{"agentino": {"run_without_policies": false, "delay_startup_until_policies_timeout_s": 60}}'
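A pre-deployment check for the two settings above, as an added example that is not Sysdig code: it resolves a SYSDIG_EXTRA_CONF value against the defaults stated on this page and reports whether the workload can start unsecured. The function name effective_start_policy, the findings text, and the strict type checks are assumptions of this example, and it handles only the JSON form.

```python
import json
import os

# Defaults as stated on this page.
DEFAULTS = {"run_without_policies": True,
            "delay_startup_until_policies_timeout_s": 0}


def effective_start_policy(extra_conf):
    """Resolve the agentino start policy from a SYSDIG_EXTRA_CONF JSON string."""
    conf = json.loads(extra_conf) if extra_conf and extra_conf.strip() else {}
    if not isinstance(conf, dict) or not isinstance(conf.get("agentino", {}), dict):
        raise ValueError("expected a mapping with an optional 'agentino' mapping")
    agentino = conf.get("agentino", {})
    policy = {key: agentino.get(key, default) for key, default in DEFAULTS.items()}

    run = policy["run_without_policies"]
    delay = policy["delay_startup_until_policies_timeout_s"]
    # Strict typing is this check's own choice, not documented agent behaviour.
    if not isinstance(run, bool):
        raise ValueError("run_without_policies must be true or false")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(delay, bool) or not isinstance(delay, int) or delay < 0:
        raise ValueError("delay_startup_until_policies_timeout_s must be an integer >= 0")

    findings = []
    if run:
        findings.append("fail-open: workload starts unsecured if no policies are in place")
        if delay == 0:
            findings.append("no startup delay: workload starts without waiting for policies")
    policy["findings"] = findings
    return policy


if __name__ == "__main__":
    # Reads the same variable the Workload Agent receives and prints the result.
    result = effective_start_policy(os.environ.get("SYSDIG_EXTRA_CONF"))
    print(json.dumps(result, indent=2))
    # Non-zero exit lets a pipeline block fail-open deployments.
    raise SystemExit(1 if result["findings"] else 0)
```

Run it in a deployment pipeline with SYSDIG_EXTRA_CONF set to the value you intend to ship; malformed JSON raises an error instead of being passed on to the agent.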