Steps for OKE

Oracle Kubernetes Engine (OKE) is a managed environment for running Kubernetes in Oracle Cloud, in order to deploy containerized applications. As of Sysdig agent version 12.0.1, Sysdig supports all flavors of OKE.

OKE environments require eBPF probe to support agent installation.

The instructions below describe a standard OKE agent install and call out the special steps needed to install the eBPF probe.

Preparation

Open Port 6443 for Agent Egress

Because OKE uses stateful firewalls, you must actively open port 6443 for the Sysdig agent outbound traffic.

OKE by default allows network access to the sysdig Agent on 6443, but ensure that firewall rules are open and the agent can connect to the Sysdig backends.

eBPF-Specific Requirements

Linux kernel version >= 4.14.
When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below.

Installation Steps

Identify the appropriate endpoint depending on your Sysdig account region. For more information, see SaaS Regions and IP Ranges. More info here https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/

After making clear which region your account belongs to, please choose one of the following methods:

Deploy Using Helm Charts

To deploy agent using Helm charts (https://helm.sh/), run the following:

Export the access token and the name of the OKE cluster:

export SDC_ACCESS_TOKEN=xxxx # Get it from the UI (User > Settings > Sysdig Secure API Token).
export SDC_COLLECTOR_URL=collector-static.sysdigcloud.com # us-west by default. Please check the right region.
export SDC_NODEANALYZER_URL=secure.sysdig.com # us-east by default. Please check the right region. 
export OKE_CLUSTER_NAME=my-cluster # OKE cluster name

Create a namespace to use for the Sysdig agent:
```
 kubectl create ns sysdig-agent
```

Set up the helm repo:

 helm repo add sysdig https://charts.sysdig.com
 helm repo update

Install the agent:

 helm install sysdig-agent --namespace sysdig-agent --set sysdig.accessKey=$SDC_ACCESS_TOKEN --set sysdig.settings.collector=$SDC_COLLECTOR_URL --set sysdig.settings.collector_port=6443 --set clusterName=$OKE_CLUSTER_NAME sysdig/sysdig --set nodeAnalyzer.apiEndpoint=$SDC_NODEANALYZER_URL

For more information,charts.

Deploy Using Daemonsets

Download the sample files:
- sysdig-agent-clusterrole.yaml
- sysdig-agent-daemonset-v2.yaml
- sysdig-agent-configmap.yaml
- sysdig-agent-service.yaml
Create a namespace to use for the Sysdig agent.
You can use whatever name you want. In this document, we used sysdig-agent for both the namespace and the service account.
```
kubectl create ns sysdig-agent
```

Create a secret key:

kubectl create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n sysdig-agent

If you are running Kubernetes 1.6 or higher, you must Create a service account for the Sysdig agent by using the clusterrole.yaml file.
The Sysdig agent must be granted read-only access to certain Kubernetes APIs, which the agent uses to populate metadata and provide component metrics.
Sysdig provides a config file in GitHub. Deploying this file creates a cluster role and service account in Kubernetes, and defines cluster role binding that grants the Sysdig agent rules in the cluster role.
Run the following commands by using the namespace you defined in Step 2:
```
kubectl apply -f sysdig-agent-clusterrole.yaml -n sysdig-agent
kubectl create serviceaccount sysdig-agent -n sysdig-agent
kubectl create clusterrolebinding sysdig-agent --clusterrole=sysdig-agent --serviceaccount=sysdig-agent:sysdig-agent
```
Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information :
```
collector:
collector_port:
ssl: #true or false
check_certificate: #true or false
```
- For SaaS, find the collector address for your region.
- For On-prem, enter the collector endpoint defined in your environment.
- check_certificate should be set to false if a self-signed certificate or private, CA-signed cert is used. See also Step 5 Set Up SSL Connectivity to the Backend.
(All installs) Apply the sysdig-agent-configmap.yaml file using the command:
```
kubectl apply -f sysdig-agent-configmap.yaml -n sysdig-agent
```
To enable the eBPF probe uncomment the following parameters in sysdig-agent-daemonset-v2.yaml under the env section:
```
env:
  - name: SYSDIG_BPF_PROBE
    value: ""
```
Apply the sysdig-agent-service.yaml file:
```
kubectl apply -f sysdig-agent-service.yaml -n sysdig-agent
```
This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

(All installs) Apply the daemonset-v2.yaml file using the command:

kubectl apply -f sysdig-agent-daemonset-v2.yaml -n sysdig-agent

The agents will be deployed and you can see Getting Started with Sysdig Monitor to view some metrics in the Sysdig Monitor UI. You can make further edits to the configmap as described below.Getting Started with Sysdig Monitor

Verify Metrics in Sysdig Monitor UI

The steps below give one way to do the check.

Access Sysdig Monitor:
SaaS: See SaaS Regions and IP Ranges and identify the correct domain URL associated with your Sysdig application and region. For example, for US East, the URL is https://app.sysdigcloud.com.
For other regions, the format is https://<region>.app.sysdig.com. Replace <region> with the region where your Sysidig application is hosted. For example, for Sysdig Monitor in the EU, you use https://eu1.app.sysdig.com.
Log in with your Sysdig user name and password.
Select the Explore tab to see if metrics are displayed.
(Once you have enabled new_k8s:true): To verify that kube state metrics and cluster name are working correctly: Select the Explore tab and create a grouping by kubernetes.cluster.name and kubernetes.pod.name.
As of agent 9.6.0, new_k8s is enabled by default.
Select an individual container or pod to see details.

Kubernetes metadata (pods, deployments etc.) appear a minute or two later than the nodes/containers themselves; if pod names do not appear immediately, wait and retry the Explore view.

If agents are disconnecting, there could be an issue with your MAC addresses. See Troubleshooting Agent Installation for tips.

Additional Options

Connect to the Sysdig Backend via Static IPs (SaaS only)

Sysdig provides a list of static IP addresses that can be whitelisted in a Sysdig environment, allowing users to establish a network connection to the Sysdig backend without opening complete network connectivity. This is done by setting the Collector IP to collector-static.sysdigcloud.com.

The sysdig-agent-configmap.yaml file can be edited either locally or using the edit command in Kubernetes. refer to the section above for more information.

To configure the collector IP in a Kubernetes SaaS instance:

Open sysdig-agent-configmap.yaml in a text editor.
Uncomment the following lines:
- collector:
- collector_port
Set the collector: value to collector-static.sysdigcloud.com
Set the collector_port: value to 6443
Save the file.

The example file below shows how the sysdig-agent-configmap.yaml file should look after configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: sysdig-agent
data:
  dragent.yaml: |
    ### Agent tags
    # tags: linux:ubuntu,dept:dev,local:nyc

    #### Sysdig Software related config ####

    # Sysdig collector address
    collector: collector-static.sysdigcloud.com

    # Collector TCP port
    collector_port: 6443

    # Whether collector accepts ssl/TLS
    ssl: true

    # collector certificate validation
    ssl_verify_certificate: true

    # Sysdig Secure
    security:
      enabled: true

    #######################################
    # new_k8s: true
    # k8s_cluster_name: production

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified May 17, 2022