Steps for Kubernetes (Vanilla)
Preparation
Kernel Headers
The Sysdig agent requires kernel header files to install successfully on a host.
This setup step is required for some environments and not others, as noted.
If the hosts in your environment match the pre-compiled kernel modules available from Sysdig, no special action is required.
In some cases, the host(s) in your environment may use Unix versions that do not match the provided headers, and the agent may fail to install correctly. In those cases, you must install the kernel headers manually.
To do so:
For Debian-style distributions, run the command:
apt-get -y install linux-headers-$(uname -r)
For RHEL-style distributions, run the command:
yum -y install kernel-devel-$(uname -r)
Background info: see also About Kernel Headers and the Kernel Module.
Prerequisites
You can review Agent Install: Kubernetes | GKE | OpenShift | IBM and the Agent Installation Requirements for additional context, if desired.
Installation Steps
Deploy Using Helm Charts
To deploy the agent using Helm charts, run the following:
Export the access token and the name of the OKE cluster:
export SDC_ACCESS_TOKEN=xxxx # Get it from the UI (User > Settings > Sysdig Secure API Token).
export SDC_COLLECTOR_URL=collector-static.sysdigcloud.com # us-west by default. Please check the right region.
export SDC_NODEANALYZER_URL=secure.sysdig.com # us-east by default. Please check the right region.
export CLUSTER_NAME=my-cluster # Kubernetes cluster name
Create a namespace to use for the Sysdig agent:
kubectl create ns sysdig-agent
Set up the helm repo:
helm repo add sysdig https://charts.sysdig.com
helm repo update
Install the agent:
helm install sysdig-agent --namespace sysdig-agent --set sysdig.accessKey=$SDC_ACCESS_TOKEN --set sysdig.settings.collector=$SDC_COLLECTOR_URL --set sysdig.settings.collector_port=6443 --set clusterName=$CLUSTER_NAME sysdig/sysdig --set nodeAnalyzer.apiEndpoint=$SDC_NODEANALYZER_URL
For more information, see charts.
Deploy Using Daemonsets
To deploy agents using Kubernetes daemonsets, you will download the following configuration files, edit them as required, and deploy them.
sysdig-agent-clusterrole.yaml
sysdig-agent-service.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
Deploy the Agents
Download the sample files:
sysdig-agent-clusterrole.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
sysdig-agent-service.yaml
Create a namespace to use for the Sysdig agent.
You can use whatever naming you prefer. In this document, we used sysdig-agent for both the namespace and the service account. The default service account name was automatically defined in sysdig-agent-daemonset-v2.yaml, at the line: serviceAccount: sysdig-agent.
kubectl create ns sysdig-agent
Create a secret key:
kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
Create a cluster role and service account, and define the cluster role binding that grants the Sysdig agent rules in the cluster role, using the commands:
kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
kubectl create serviceaccount sysdig-agent -n sysdig-agent
kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information:
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
For SaaS, find the collector address for your region.
For On-prem, enter the collector endpoint defined in your environment.
check_certificate should be set to false if a self-signed certificate or private, CA-signed cert is used. See also Step 5 Set Up SSL Connectivity to the Backend.
(All installs) Apply the sysdig-agent-configmap.yaml file:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
(All installs) Apply the sysdig-agent-service.yaml file:
kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.
(All installs) Apply the daemonset-v2.yaml file:
kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed. See Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.
Enable Kube State Metrics and Cluster Name
These steps are optional but recommended.
Edit sysdig-agent-configmap.yaml to uncomment the line: new_k8s: true
This allows kube state metrics to be automatically detected, monitored, and displayed in Sysdig Monitor.
For more information, see the Kube State Metrics entry in the Sysdig blog.
As of agent 9.6.0, new_k8s is enabled by default.
Edit sysdig-agent-configmap.yaml to uncomment the line: k8s_cluster_name: and add your cluster name.
Setting cluster name here allows you to view, scope, and segment metrics in the Sysdig Monitor UI by the Kubernetes cluster.
Note: Alternatively, if you assign a tag with “cluster” in the tag name, Sysdig Monitor will display that as the Kubernetes cluster name.
Apply the configmap changes using the command:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Proceed to verify the metrics in the Sysdig Monitor UI.
There are two ways to update the agent configuration
Option 1: Edit the files locally and apply the changes with kubectl apply -f:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
Option 2: Use kubectl edit to edit files on the fly:
kubectl edit configmap sysdig-agent -n sysdig-agent
Running agents will automatically pick up the new configuration after Kubernetes pushes the changes across all the nodes in the cluster.
Additional Options
Connect to the Sysdig Backend via Static IPs (SaaS only)
Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.
The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. Refer to the section above for more information.
To configure the collector IP in a Kubernetes SaaS instance:
Open sysdig-agent-configmap.yaml in a text editor.
Uncomment the following lines:
collector:
collector_port
Set the collector: value to collector-static.sysdigcloud.com
See SaaS Regions and IP Ranges and identify the correct URL associated with your Sysdig collector and region.
Set the collector_port: value to 6443
Save the file.
The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:
apiVersion: v1
kind: ConfigMap
metadata:
  name: sysdig-agent
data:
  dragent.yaml: |
    ### Agent tags
    # tags: linux:ubuntu,dept:dev,local:nyc
    #### Sysdig Software related config ####
    # Sysdig collector address
    collector: collector-static.sysdigcloud.com
    # Collector TCP port
    collector_port: 6443
    # Whether collector accepts ssl/TLS
    ssl: true
    # collector certificate validation
    ssl_verify_certificate: true
    # Sysdig Secure
    security:
      enabled: true
    #######################################
    # new_k8s: true
    # k8s_cluster_name: production
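The following is an added example, not part of the Sysdig documentation: a pre-apply check that reads the collector, port and TLS settings out of an edited sysdig-agent-configmap.yaml and flags a file where ssl is not true or certificate validation is switched off. The function names and the sample files are constructed for illustration; both check_certificate and ssl_verify_certificate are read because this page uses both key names.

```shell
#!/bin/sh
# Added example: lint the dragent.yaml settings in sysdig-agent-configmap.yaml
# before running `kubectl apply`. Function names here are hypothetical.

# Print the value of an uncommented "key: value" line (last occurrence wins).
cfg_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Report the collector/TLS settings; the return status is the number of FAILs.
check_agent_configmap() {  # $1 = path to the configmap file
    f=$1; fails=0
    collector=$(cfg_value "$f" collector)
    port=$(cfg_value "$f" collector_port)
    ssl=$(cfg_value "$f" ssl)
    # The page uses both key names for certificate validation; read either.
    verify=$(cfg_value "$f" ssl_verify_certificate)
    [ -n "$verify" ] || verify=$(cfg_value "$f" check_certificate)

    [ -n "$collector" ] || { echo "FAIL: collector is not set"; fails=$((fails + 1)); }
    [ -n "$port" ] || { echo "FAIL: collector_port is not set"; fails=$((fails + 1)); }
    [ "$ssl" = "true" ] || { echo "FAIL: ssl is '${ssl:-unset}', expected true"; fails=$((fails + 1)); }
    # Allowed for self-signed or private-CA collectors, but worth a visible flag:
    # with validation off the agent does not authenticate the collector.
    [ "$verify" != "false" ] || echo "WARN: certificate validation is disabled"
    echo "collector=${collector:-unset} port=${port:-unset} ssl=${ssl:-unset} verify=${verify:-unset}"
    return "$fails"
}

# Constructed sample input: settings from the example file, then a weakened copy.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.yaml" <<'EOF'
data:
  dragent.yaml: |
    # Sysdig collector address
    collector: collector-static.sysdigcloud.com
    collector_port: 6443
    ssl: true
    ssl_verify_certificate: true
EOF
sed -e 's/ssl: true/ssl: false/' -e 's/ssl_verify_certificate: true/check_certificate: false/' \
    "$demo_dir/good.yaml" > "$demo_dir/weak.yaml"

check_agent_configmap "$demo_dir/good.yaml"
check_agent_configmap "$demo_dir/weak.yaml" || echo "failed checks: $?"
```

Run it against your own file with check_agent_configmap sysdig-agent-configmap.yaml; a non-zero status means at least one FAIL line was printed.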
Verify Metrics in Sysdig Monitor UI
Log in to Sysdig Monitor to verify that the agent deployed and the metrics are detected and collected appropriately.
The steps below give one way to do the check.
Access Sysdig Monitor:
SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.
For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysdig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.
Log in with your Sysdig user name and password.
Select the Explore tab to see if metrics are displayed.
(Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.
As of agent 9.6.0, new_k8s is enabled by default.
Select an individual container or pod to see details.
Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.
If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.