Steps for OpenShift

You can review Agent Install: Kubernetes and the Agent Installation Requirements for additional context, if desired.

RHCOS environments require the eBPF probe to support agent installation.

Preparation

RHCOS/eBPF-Specific Requirements

  • Linux kernel version 4.14 or above.
  • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below.

Kernel Headers

The Sysdig agent requires kernel header files to install successfully on a Kubernetes cluster. If the hosts in your environment match the pre-compiled kernel modules available from Sysdig, no special action is required.

In some cases, the nodes in your Kubernetes environment might use Unix versions that do not match the provided headers, and the agent might fail to install correctly. In those cases, you must install the kernel headers manually on each node.

To do so:

For Debian-style distributions, run the command:

apt-get -y install linux-headers-$(uname -r)

For RHEL-style distributions, run the command:

yum -y install kernel-devel-$(uname -r)

For more information on troubleshooting, see About Kernel Headers and the Kernel Module.

Configure for OpenShift

If you are using Red Hat OpenShift, these steps are required. They describe how to create a project, assign and label the node selector, create a privileged service account, and add it to a cluster role.

Copy/Paste Sample Code Block

In the example code, this document uses sysdig-agent for the PROJECT NAME (-n) and the SERVICE ACCOUNT (-z).

You can copy and paste the code as is, or follow the steps below to customize your naming conventions.

oc adm new-project sysdig-agent --node-selector=''
oc project sysdig-agent
oc create serviceaccount sysdig-agent
oc adm policy add-scc-to-user privileged -n sysdig-agent -z sysdig-agent -z node-analyzer
oc adm policy add-cluster-role-to-user cluster-reader -n sysdig-agent -z sysdig-agent -z node-analyzer

Customize the Code

You can use your own Project name and Service Account name if desired.

Note that if you use a different Service Account name, you will need to edit the default service account in the Sysdig Installation Steps, below.

  1. Create a new OpenShift project for the Sysdig agent deployment and use an empty string for the node selector:

    oc adm new-project PROJECT-NAME --node-selector=""
    
  2. Change to the new OpenShift Project for the Sysdig agent deployment:

    oc project PROJECT-NAME
    
  3. Create a service account for the project:

    oc create serviceaccount SERVICE-ACCOUNT
    
  4. Add the service account to privileged Security Context Constraints:

    oc adm policy add-scc-to-user privileged -n PROJECT-NAME -z SERVICE-ACCOUNT -z node-analyzer
    
  5. Add the service account to the cluster-reader Cluster Role:

    oc adm policy add-cluster-role-to-user cluster-reader -n PROJECT-NAME -z SERVICE-ACCOUNT -z node-analyzer
    

Installation

Helm

Sysdig recommends using Helm charts to install the Sysdig agent in Kubernetes environments. For the latest chart and installation instructions, see sysdig-deploy.

Manifests

  1. Download the sample files:

    • sysdig-agent-daemonset-v2.yaml

    • sysdig-agent-clusterrole.yaml

    • sysdig-agent-configmap.yaml

    • sysdig-agent-service.yaml

  2. Create the sysdig-agent cluster role and assign it to the service account:

    oc apply -f sysdig-agent-clusterrole.yaml
    oc adm policy add-cluster-role-to-user sysdig-agent -n PROJECT-NAME -z SERVICE-ACCOUNT
    
  3. Create a secret key:

    oc create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n PROJECT-NAME
    
  4. If you created a service account with a name other than sysdig-agent, edit sysdig-agent-daemonset-v2.yaml to provide your custom value:

    serviceAccount: SERVICE-ACCOUNT
    
  5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information:

    collector:
    collector_port:
    ssl: #true or false
    check_certificate: #true or false
    
    • For SaaS, find the collector address for your region.
    • For On-prem, enter the collector endpoint defined in your environment.
    • check_certificate should be set to false if a self-signed certificate or private, CA-signed cert is used. See also Set Up SSL Connectivity to the Backend.
  6. Apply the sysdig-agent-configmap.yaml file:

    oc apply -f sysdig-agent-configmap.yaml -n PROJECT-NAME
    
  7. FOR RHCOS ONLY: To enable the eBPF probe required for COS, uncomment the following parameters in sysdig-agent-daemonset-v2.yaml under the env section:

    env:
      - name: SYSDIG_BPF_PROBE
        value: ""
    
  8. Apply the sysdig-agent-service.yaml file:

    oc apply -f sysdig-agent-service.yaml -n PROJECT-NAME
    

    This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

  9. Apply the sysdig-agent-daemonset-v2.yaml file:

    oc apply -f sysdig-agent-daemonset-v2.yaml -n PROJECT-NAME
    

    The agents will be deployed and you can see some metrics in the Sysdig Monitor UI.
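
An added example, not part of the Sysdig sample files: a pre-apply check for the collector settings from step 5, to run before step 6. It reads only the four keys shown on this page; the function names, the status codes and the sample host and port are assumptions made for illustration.

```sh
# Added example: lint the step 5 collector keys before running `oc apply`.
# cfg_get FILE KEY: value of the first uncommented "KEY: value" line.
cfg_get() {
  awk -v k="$2" '
    $0 ~ ("^[ \t]*" k ":") {
      sub("^[ \t]*" k ":[ \t]*", "")  # drop the key
      sub(/[ \t]*#.*$/, "")           # drop a trailing comment
      gsub(/"/, "")                   # drop double quotes
      print; exit
    }' "$1"
}

# check_bool KEY VALUE MSG: 0 = true, 2 = false (WARN), 1 = unset or invalid.
check_bool() {
  case $2 in
    true)  return 0 ;;
    false) echo "WARN $1: false, $3"; return 2 ;;
    *)     echo "FAIL $1 must be true or false"; return 1 ;;
  esac
}

# lint_collector FILE: 0 = clean, 1 = unset/invalid key, 2 = TLS weakened.
lint_collector() {
  fail=0; warn=0
  [ -n "$(cfg_get "$1" collector)" ] || { echo "FAIL collector is not set"; fail=1; }
  case $(cfg_get "$1" collector_port) in
    ''|*[!0-9]*) echo "FAIL collector_port must be a number"; fail=1 ;;
  esac
  for spec in "ssl:traffic to the collector is not encrypted" \
              "check_certificate:collector certificate is not validated"; do
    key=${spec%%:*}
    check_bool "$key" "$(cfg_get "$1" "$key")" "${spec#*:}" ||
      { [ $? -eq 2 ] && warn=1 || fail=1; }
  done
  [ "$fail" -eq 0 ] || return 1
  [ "$warn" -eq 0 ] || return 2
}

# Constructed sample: host and port are placeholders, not real endpoints.
sample=$(mktemp)
cat > "$sample" <<'EOF'
collector: collector.example.internal
collector_port: 6443
ssl: true
check_certificate: false   # private CA
EOF
lint_collector "$sample" || echo "lint status: $?"
rm -f "$sample"
```

Status 2 is expected when check_certificate is set to false for a self-signed or private CA certificate, as step 5 allows; the unedited template from step 5 returns status 1 because every key is still empty.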

Next Steps

You can continue with instructions in Verify Metrics in Sysdig Monitor and optionally, Connect to Sysdig Backend.