Steps for OpenShift

    You can review Agent Install: Kubernetes and the Agent Installation Requirements for additional context, if desired.

    RHCOS environments require the eBPF probe to support agent installation.


    RHCOS/eBPF-Specific Requirements

    • Linux kernel version 4.14 or above.
    • When performing the installation steps, you will add one additional parameter to install the eBPF probe. See Step 7, below.

    Kernel Headers

    The Sysdig agent requires kernel header files to install successfully on a Kubernetes cluster. If the hosts in your environment match the pre-compiled kernel modules available from Sysdig, no special action is required.

    In some cases, the nodes in your Kubernetes environment might use Unix versions that do not match the provided headers, and the agent might fail to install correctly. In those cases, you must install the kernel headers manually on each node.

    To do so:

    For RHEL-style distributions, run:

    yum -y install kernel-devel-$(uname -r)

    For more information on troubleshooting, see About Kernel Headers and the Kernel Module.

    Configure for OpenShift

    If you are using Red Hat OpenShift, these steps are required. They describe how to create a project, assign and label the node selector, create a privileged service account, and add it to a cluster role.

    Copy/Paste Sample Code Block

    In the example code, this document uses sysdig-agent for the PROJECT NAME (-n) and the SERVICE ACCOUNT (-z).

    You can copy and paste the code as is, or follow the steps below to customize your naming conventions.

    oc adm new-project sysdig-agent --node-selector=''
    oc project sysdig-agent
    oc create serviceaccount sysdig-agent
    oc adm policy add-scc-to-user privileged -n sysdig-agent -z sysdig-agent -z node-analyzer
    oc adm policy add-cluster-role-to-user cluster-reader -n sysdig-agent -z sysdig-agent -z node-analyzer

    Customize the Code

    You can use your own Project name and Service Account name if desired.

    Note that if you use a different Service Account name, you will need to edit the default service account in the Sysdig Installation Steps, below.

    1. Create a new OpenShift project for the Sysdig agent deployment and use an empty string for the node selector:

      oc adm new-project PROJECT-NAME --node-selector=""
    2. Change to the new OpenShift Project for the Sysdig agent deployment:

      oc project PROJECT-NAME
    3. Create a service account for the project:

      oc create serviceaccount SERVICE-ACCOUNT
    4. Add the service account to privileged Security Context Constraints:

      oc adm policy add-scc-to-user privileged -n PROJECT-NAME -z SERVICE-ACCOUNT -z node-analyzer
    5. Add the service account to the cluster-reader Cluster Role:

      oc adm policy add-cluster-role-to-user cluster-reader -n PROJECT-NAME -z SERVICE-ACCOUNT -z node-analyzer



    Sysdig recommends using Helm charts to install the Sysdig agent in Kubernetes environments. For the latest chart and installation instructions, see sysdig-deploy.


    1. Download the sample files:

      • sysdig-agent-daemonset-v2.yaml

      • sysdig-agent-clusterrole.yaml

      • sysdig-agent-configmap.yaml

      • sysdig-agent-service.yaml

    2. Create the sysdig-agent cluster role and assign it to the service account:

       oc apply -f sysdig-agent-clusterrole.yaml
       oc adm policy add-cluster-role-to-user sysdig-agent -n PROJECT-NAME -z SERVICE-ACCOUNT
    3. Create a secret key:

      oc create secret generic sysdig-agent --from-literal=access-key=<your sysdig access key> -n PROJECT-NAME
    4. If you created a service account name other than sysdig-agent: Edit sysdig-agent-daemonset-v2.yaml to provide your custom value:

      serviceAccount: SERVICE-ACCOUNT
    5. Edit sysdig-agent-configmap.yaml to add the collector address, port, and the SSL/TLS information:

      ssl: #true or false
      check_certificate: #true or false
      • For SaaS, find the collector address for your region.
      • For On-prem, enter the collector endpoint defined in your environment.
      • check_certificate should be set to false if a self-signed certificate or private, CA-signed cert is used. See also Set Up SSL Connectivity to the Backend.
    6. Apply the sysdig-agent-configmap.yaml file:

      oc apply -f sysdig-agent-configmap.yaml -n PROJECT-NAME
    7. FOR RHCOS ONLY: To enable the eBPF probe required for COS, uncomment the following parameters in sysdig-agent-daemonset-v2.yaml under the env section:

        - name: SYSDIG_BPF_PROBE
          value: ""
    8. Apply the sysdig-agent-service.yaml file:

      oc apply -f sysdig-agent-service.yaml -n PROJECT-NAME

      This allows the agent to receive Kubernetes audit events from the Kubernetes API server. See Kubernetes Audit Logging for information on enabling Kubernetes audit logging.

    9. Apply the sysdig-agent-daemonset-v2.yaml file:

      oc apply -f sysdig-agent-daemonset-v2.yaml -n PROJECT-NAME

      The agents will be deployed and you can see some metrics in the Sysdig Monitor UI.
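
A pre-apply check for the edits made in steps 4, 5 and 7, as an added example that is not part of the Sysdig documentation or sample files: it reports a service account mismatch, unset or disabled ssl/check_certificate values, and a still-commented SYSDIG_BPF_PROBE entry. The function names and the sample fragments are constructed for illustration; the real files contain more fields.

```shell
#!/bin/sh
# Added example: pre-apply check for the manifests edited in steps 4, 5 and 7.

# First uncommented value of KEY in FILE, quotes and trailing comment removed.
yaml_value() {
    sed -n "s/^[[:space:]-]*$1:[[:space:]]*//p" "$2" |
        sed "s/[[:space:]]*#.*\$//; s/^[\"']//; s/[\"']\$//" | head -n 1
}

# Usage: check_agent_manifests DAEMONSET CONFIGMAP SERVICE_ACCOUNT RHCOS(yes|no)
# Prints one "FINDING:" line per problem; prints nothing when the files look ready.
check_agent_manifests() {
    ds=$1; cm=$2; sa=$3; rhcos=$4
    # Step 4: the pods must run as the account that received the SCC and roles.
    got=$(yaml_value serviceAccount "$ds")
    if [ "$got" != "$sa" ]; then
        echo "FINDING: serviceAccount is '$got', expected '$sa'"
    fi
    # Step 5: the template ships "#true or false" placeholders for both keys.
    for key in ssl check_certificate; do
        val=$(yaml_value "$key" "$cm")
        case $val in
            true) ;;
            false) echo "FINDING: $key is false; confirm this is intended" ;;
            *) echo "FINDING: $key has no value in $cm" ;;
        esac
    done
    # Step 7: on RHCOS the SYSDIG_BPF_PROBE entry must be uncommented.
    if [ "$rhcos" = yes ] &&
        ! grep -Eq '^[[:space:]]*-[[:space:]]*name:[[:space:]]*SYSDIG_BPF_PROBE' "$ds"; then
        echo "FINDING: SYSDIG_BPF_PROBE is commented out; RHCOS needs the eBPF probe"
    fi
    return 0
}

# Constructed sample fragments (not the real Sysdig files), written to DIR.
write_samples() {
    printf '%s\n' '      serviceAccount: sysdig-agent' '        env:' \
        '#        - name: SYSDIG_BPF_PROBE' '#          value: ""' > "$1/ds.yaml"
    printf '%s\n' '    ssl: true' '    check_certificate: false # private CA' \
        > "$1/cm.yaml"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_agent_manifests "$tmp/ds.yaml" "$tmp/cm.yaml" sysdig-agent yes
rm -rf "$tmp"
```

Run it against the edited files before `oc apply`; a check_certificate finding is expected when the collector uses a self-signed or private CA certificate, as described in step 5.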

    Next Steps

    You can continue with instructions in Additional Options.