1 - GKE Autopilot

Autopilot is an operation mode for creating and managing clusters in GKE. In brief, with Autopilot, Google configures and manages the underlying node infrastructure for you. This topic helps you use helm to install Sysdig agent on a GKE cluster installed in Autopilot mode.

NodeAnalyzer is not supported on Autopilot environments.


  1. Install a GKE cluster in Autopilot mode.

  2. Connect the GKE cluster.

  3. Install your workload.

Deploy Sysdig Agent

Sysdig recommends using Helm to install Sysdig agent in kubernetes environments. After connecting to the GKE cluster, use the sysdig-deplpy chart to install Sysdig agent.

To customize the configuration of the agent, see the Sysdig Agent Helm Chart.

Verify Agent Installation in Sysdig Secure

  1. Log in to Sysdig Secure.

    See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region.

  2. Navigate to Integrations > Sysdig Agents.

    The Sysdig Agents page list all the agents installed your environment. For more information, see Sysdig Agents.

Verify Metrics on the Sysdig Monitor UI

Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.

Given below is one way to do so.

  1. Access Sysdig Monitor:

    SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.

    For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.

    Log in with your Sysdig user name and password.

  2. Select the Explore tab to see if metrics are displayed.

  3. Verify that kube state metrics and cluster name are working correctly: select the Explore tab and create a grouping by kube_cluster_name and kube_pod_name.

  4. Select an individual container or pod to see the details.

2 - GKE Standard

Google Kubernetes Engine (GKE) is a managed environment for running Kubernetes in Google Cloud, in order to deploy containerized applications. Sysdig supports all flavors of GKE, including Ubuntu and GKE’s default Container-Optimized OS(COS).

GKE COS environments require eBPF probe to support agent installation.


Open Port 6443 for Agent Egress

Because GKE uses stateful firewalls, you must actively open port 6443 for the Sysdig agent outbound traffic.

In earlier versions, the Sysdig Agent connected to port 6666. This behavior has been deprecated, as the Sysdig agent now connects to port 6443.

GKE COS/eBPF-Specific Requirements

  • Linux kernel version >= 4.14.

  • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7. Note that only the eBPF probe is supported in GKE COS environments.


You can review Agent Install: Kubernetes and the Agent Installation Requirements for additional context, if desired.

Installation Steps


Sysdig recommends using helm charts to install Sysdig agent in Kubernetes environments. For the latest chart and installation instructions, see sysdig-deploy.


To deploy agents using Kubernetes manifests, you can download the manifest files, edit them as required, and deploy them using kubectl.

  1. Download the sample files:

    • sysdig-agent-clusterrole.yaml

    • sysdig-agent-daemonset-v2.yaml

    • sysdig-agent-configmap.yaml

    • sysdig-agent-service.yaml

  2. Create a namespace to use for the Sysdig agent.

    You can use whatever name you want. In this document, we used sysdig-agent for both the namespace and the service account.

    kubectl create ns sysdig-agent
  3. Create a secret key:

    kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
  4. If you are running Kubernetes 1.6 or higher, you must grant your user the ability to create roles in Kubernetes by running the following command:

    kubectl create clusterrolebinding your-user-cluster-admin-binding --clusterrole=cluster-admin --user=your.google.cloud.email@example.org

    See Google documentation for more information.

    Create a service account for the Sysdig agent using the clusterrole.yaml file.

    The Sysdig agent must be granted read-only access to certain Kubernetes APIs, which the agent uses to populate metadata and provide component metrics.

    You can use the Sysdig-provided, sysdig-agent-clusterrole.yaml file. Deploying this file creates a cluster role and service account in Kubernetes, and defines cluster role binding that grants the Sysdig agent rules in the cluster role.

    Run the following commands (using whatever namespace you’ve defined in Step 2):

    kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
    kubectl create serviceaccount sysdig-agent -n sysdig-agent
    kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
  5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information :

    ssl: #true or false
    check_certificate: #true or false
  6. Apply the sysdig-agent-configmap.yaml file:

    kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
  7. FOR GKE COS ONLY: To enable the eBPF probe required for COS, uncomment the following parameters in  sysdig-agent-daemonset-v2.yaml under the env section:

      - name: SYSDIG_BPF_PROBE
        value: ""
  8. Apply the sysdig-agent-service.yaml file:

    kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent

    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

  9. Apply the daemonset-v2.yaml file:

    kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent

The agents will be deployed and you can see some metrics in the Sysdig Monitor UI.

Next Steps

You can continue with instructions in Additional Options.