1 - GKE Autopilot

Autopilot is an operation mode for creating and managing clusters in GKE. In brief, with Autopilot, Google configures and manages the underlying node infrastructure for you. This topic describes how to use Helm to install the Sysdig agent on a GKE cluster running in Autopilot mode.

NodeAnalyzer is not supported on Autopilot environments.

Prerequisites

  1. Install a GKE cluster in Autopilot mode.

  2. Connect the GKE cluster.

  3. Install your workload.

Deploy Sysdig Agent

Sysdig recommends using Helm to install the Sysdig agent in Kubernetes environments. After connecting to the GKE cluster, use the sysdig-deploy chart to install the Sysdig agent.

To customize the configuration of the agent, see the Sysdig Agent Helm Chart.

Verify Agent Installation in Sysdig Secure

  1. Log in to Sysdig Secure.

    See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region.

  2. Navigate to Integrations > Sysdig Agents.

    The Sysdig Agents page lists all the agents installed in your environment. For more information, see Sysdig Agents.

Verify Metrics on the Sysdig Monitor UI

Log in to Sysdig Monitor to verify that the agent is deployed and that the metrics are detected and collected appropriately.

Given below is one way to do so.

  1. Access Sysdig Monitor:

    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

    Log in with your Sysdig user name and password.

  2. Select the Explore tab to see if metrics are displayed.

  3. Verify that kube state metrics and cluster name are working correctly: select the Explore tab and create a grouping by kube_cluster_name and kube_pod_name.

  4. Select an individual container or pod to see the details.

2 - GKE Standard

Google Kubernetes Engine (GKE) is a managed environment for running Kubernetes in Google Cloud, in order to deploy containerized applications. Sysdig supports all flavors of GKE, including Ubuntu and GKE’s default Container-Optimized OS (COS).

GKE COS environments require the eBPF probe to support agent installation.

Preparation

Open Port 6443 for Agent Egress

Because GKE uses stateful firewalls, you must actively open port 6443 for the Sysdig agent outbound traffic.

In earlier versions, the Sysdig Agent connected to port 6666. This behavior has been deprecated, as the Sysdig agent now connects to port 6443.

GKE COS/eBPF-Specific Requirements

  • Linux kernel version >= 4.14.

  • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7. Note that only the eBPF probe is supported in GKE COS environments.

Prerequisites

You can review Agent Install: Kubernetes and the Agent Installation Requirements for additional context, if desired.

Installation Steps

Helm

Sysdig recommends using Helm charts to install the Sysdig agent in Kubernetes environments. For the latest chart and installation instructions, see sysdig-deploy.

Manifests

To deploy agents using Kubernetes manifests, you can download the manifest files, edit them as required, and deploy them using kubectl.

  1. Download the sample files:

    • sysdig-agent-clusterrole.yaml

    • sysdig-agent-daemonset-v2.yaml

    • sysdig-agent-configmap.yaml

    • sysdig-agent-service.yaml

  2. Create a namespace to use for the Sysdig agent.

    You can use whatever name you want. In this document, we used sysdig-agent for both the namespace and the service account.

    kubectl create ns sysdig-agent
    
  3. Create a secret key:

    kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
    
  4. If you are running Kubernetes 1.6 or higher, you must grant your user the ability to create roles in Kubernetes by running the following command:

    kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin --user=your.google.cloud.email@example.org
    

    See Google documentation for more information.

    Create a service account for the Sysdig agent using the clusterrole.yaml file.

    The Sysdig agent must be granted read-only access to certain Kubernetes APIs, which the agent uses to populate metadata and provide component metrics.

    You can use the Sysdig-provided sysdig-agent-clusterrole.yaml file. Deploying this file creates a cluster role and service account in Kubernetes, and defines a cluster role binding that grants the Sysdig agent the rules in the cluster role.

    Run the following commands (using whatever namespace you’ve defined in Step 2):

    kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
    kubectl create serviceaccount sysdig-agent -n sysdig-agent
    kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
    
  5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information:

    collector:
    collector_port:
    ssl: #true or false
    check_certificate: #true or false
    
  6. Apply the sysdig-agent-configmap.yaml file:

    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
    
  7. FOR GKE COS ONLY: To enable the eBPF probe required for COS, uncomment the following parameters in sysdig-agent-daemonset-v2.yaml under the env section:

    env:
      - name: SYSDIG_BPF_PROBE
        value: ""
    
  8. Apply the sysdig-agent-service.yaml file:

    kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
    

    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

  9. Apply the daemonset-v2.yaml file:

    kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
    

The agents will be deployed and you can see some metrics in the Sysdig Monitor UI.
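
A pre-flight check for the Step 5 settings, as an added example that is not part of the Sysdig documentation or tooling: it reads the four keys from sysdig-agent-configmap.yaml and flags an empty collector, the deprecated port 6666, and disabled TLS or certificate checking. The function names, the sample file and the collector host are constructed for illustration, and the check assumes the collector listens on port 6443 as described under Preparation.

```shell
#!/usr/bin/env bash
# Added example (not Sysdig tooling): lint the Step 5 collector settings before kubectl apply.
# get_setting FILE KEY: print the value of the first uncommented "KEY: value" line.
get_setting() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }                     # skip whole-line comments
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)           # drop trailing hints such as "#true or false"
      sub(/^[ \t]+/, "", line)              # keys are indented inside the ConfigMap
      if (index(line, key ":") == 1) {
        val = substr(line, length(key) + 2)
        gsub(/^[ \t]+|[ \t]+$|"/, "", val)  # trim whitespace and double quotes
        print val
        exit
      }
    }' "$1"
}

# lint_agent_config FILE: print one finding per problem, return the number of findings.
lint_agent_config() {
  local file="$1" n=0 collector port ssl check
  collector=$(get_setting "$file" collector)
  port=$(get_setting "$file" collector_port)
  ssl=$(get_setting "$file" ssl)
  check=$(get_setting "$file" check_certificate)
  if [ -z "$collector" ]; then echo "collector: no address set"; n=$((n + 1)); fi
  if [ "$port" = "6666" ]; then
    echo "collector_port: 6666 is the deprecated agent port, use 6443"; n=$((n + 1))
  elif [ "$port" != "6443" ]; then
    echo "collector_port: expected 6443 (assumed from this page), found '${port}'"; n=$((n + 1))
  fi
  if [ "$ssl" != "true" ]; then echo "ssl: set to true so agent traffic is encrypted"; n=$((n + 1)); fi
  if [ "$check" != "true" ]; then echo "check_certificate: set to true so the collector certificate is validated"; n=$((n + 1)); fi
  return "$n"
}

# Constructed sample: the collector host is a placeholder, not a real endpoint.
sample=$(mktemp)
cat > "$sample" <<'EOF'
data:
  dragent.yaml: |
    collector: collector.example.invalid
    collector_port: 6666
    ssl: true
    check_certificate: false
EOF
if lint_agent_config "$sample"; then echo "settings OK"; else echo "fix the findings above before kubectl apply"; fi
rm -f "$sample"
```

Run `lint_agent_config sysdig-agent-configmap.yaml` between Step 5 and Step 6; a non-zero return value is the number of settings to correct.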

Next Steps

You can continue with instructions in Additional Options.