Steps for OKE
Oracle Kubernetes Engine (OKE) is a managed environment for running Kubernetes in Oracle Cloud, in order to deploy containerized applications. As of Sysdig agent version 12.0.1, Sysdig supports all flavors of OKE.
OKE environments require the eBPF probe to support agent installation.
The instructions below describe a standard OKE agent install and call out the special steps needed to install the eBPF probe.
Preparation
Open Port 6443 for Agent Egress
Because OKE uses stateful firewalls, you must actively open port 6443 for the Sysdig agent outbound traffic.
OKE by default allows network access to the Sysdig agent on 6443, but ensure that firewall rules are open and the agent can connect to the Sysdig backends.
eBPF-Specific Requirements
Linux kernel version >= 4.14.
When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below.
Installation Steps
Identify the appropriate endpoint for your Sysdig account region. For more information, see SaaS Regions and IP Ranges: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/
Once you know which region your account belongs to, choose one of the following methods:
Helm
Sysdig recommends using Helm charts to install the Sysdig agent in Kubernetes environments. For the latest chart and installation instructions, see sysdig-deploy.
Manifests
To deploy agents using Kubernetes manifests, you can download the manifest files, edit them as required, and deploy them using kubectl.
1. Download the sample files:
sysdig-agent-clusterrole.yaml
sysdig-agent-daemonset-v2.yaml
sysdig-agent-configmap.yaml
sysdig-agent-service.yaml
2. Create a namespace to use for the Sysdig agent.
Note: You can use whatever name you want. In this document, we used sysdig-agent for both the namespace and the service account.
kubectl create ns sysdig-agent
3. Create a secret key:
kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent
4. If you are running Kubernetes 1.6 or higher, you must create a service account for the Sysdig agent by using the clusterrole.yaml file.
The Sysdig agent must be granted read-only access to certain Kubernetes APIs, which the agent uses to populate metadata and provide component metrics.
You can use the Sysdig-provided sysdig-agent-clusterrole.yaml file. Deploying it creates a cluster role and service account in Kubernetes, and defines a cluster role binding that grants the Sysdig agent the rules in the cluster role.
Run the following commands by using the namespace you've defined in Step 2:
kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
kubectl create serviceaccount sysdig-agent -n sysdig-agent
kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information:
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
For SaaS, find the collector address for your region.
For On-prem, enter the collector endpoint defined in your environment.
check_certificate should be set to false if a self-signed certificate or private, CA-signed cert is used. See also Set Up SSL Connectivity to the Backend.
6. Apply the sysdig-agent-configmap.yaml file:
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
7. To enable the eBPF probe, uncomment the following parameters in sysdig-agent-daemonset-v2.yaml under the env section:
env:
  - name: SYSDIG_BPF_PROBE
    value: ""
8. Apply the sysdig-agent-service.yaml file:
kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.
9. Apply the daemonset-v2.yaml file:
kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent
The agents will be deployed and you can see some metrics in the Sysdig Monitor UI.
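A pre-flight check for the manifest procedure above, as an added example that is not part of the Sysdig documentation or Sysdig's code: it tests each node's kernel against the 4.14 eBPF minimum, confirms that SYSDIG_BPF_PROBE is uncommented in the daemonset manifest, and flags check_certificate: false in the configmap. The function names and the sample node list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added pre-flight checks for the manifest install above; not Sysdig's code.

# kernel_ok VERSION: succeed if a `uname -r` style string is >= 4.14,
# the minimum the page lists for the eBPF probe. Returns 2 if unparseable.
kernel_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }
}

# old_kernel_nodes: read "<node> <kernelVersion>" lines on stdin and print
# the nodes that fail kernel_ok. Real input can come from:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.status.nodeInfo.kernelVersion}{"\n"}{end}'
old_kernel_nodes() {
    while read -r node kver; do
        [ -n "$node" ] || continue
        kernel_ok "$kver" || printf '%s\n' "$node"
    done
}

# bpf_probe_enabled FILE: succeed only if the SYSDIG_BPF_PROBE env entry in
# the daemonset manifest is present and not commented out.
bpf_probe_enabled() {
    grep -Eq '^[[:space:]]*-[[:space:]]*name:[[:space:]]*SYSDIG_BPF_PROBE[[:space:]]*$' "$1"
}

# cert_check_disabled FILE: succeed if the configmap turns off collector
# certificate verification, so that setting gets a deliberate review.
cert_check_disabled() {
    grep -Eq '^[[:space:]]*check_certificate:[[:space:]]*false([[:space:]]|#|$)' "$1"
}

# Constructed sample input (not output from a real cluster).
SAMPLE_NODES='oke-node-a 5.4.17-2136.300.7.el8uek.x86_64
oke-node-b 4.14.35-1902.306.2.el7uek.x86_64
oke-node-c 3.10.0-1160.el7.x86_64'

echo "Nodes below kernel 4.14:"
printf '%s\n' "$SAMPLE_NODES" | old_kernel_nodes
```

Run bpf_probe_enabled against sysdig-agent-daemonset-v2.yaml and cert_check_disabled against sysdig-agent-configmap.yaml before the kubectl apply steps.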
Next Steps
You can continue with instructions in Additional Options.