Kubernetes

Helm is a popular tool for managing Kubernetes applications, and it provides a standardized way to install, upgrade, and manage applications on a Kubernetes cluster. Using Helm to install the Sysdig components on Kubernetes provides you with a streamlined, repeatable deployment process that is easy to manage and scale.

The Sysdig Helm chart sysdig-deploy includes configuration options for customizing the agent’s behavior and integrating with other Sysdig components. By using the Helm chart, you can easily deploy the Sysdig Agent on Kubernetes and take advantage of Sysdig’s powerful monitoring and security capabilities.

Prerequisites

• Kubectl installed.
• Helm v3.6 and above.

Use the Quick Start Wizard

1. Log in to Sysdig Secure as admin and select Integrations > Data Sources|Sysdig Agent.

2. Click +Add Account and select Kubernetes Cluster. The Helm installation method is recommended.

   

3. As prompted by the Wizard screen, enter:

   • Cluster Name: Specifies the name of your Kubernetes cluster.

4. The Wizard will autopopulate a code snippet from the cluster name, along with autodetected Sysdig Secure endpoint and agent access key information.

5. Copy and run the Helm commands. This will install the Sysdig agent and give you:

   • Runtime Threat Detection
   • Host Scanning
   • Runtime Image Scanning
   • Kubernetes Security Posture Management (Compliance)

Otherwise, you can use the generic Helm commands detailed below and customize as needed.

Use Generic Commands

Before you begin: Collect your agent access key and Sysdig SaaS region.

Full Deploy

This command replicates the Wizard process and installs the Sysdig Agent and the additional components to deliver runtime threat detection, host scanning, runtime image scanning, and compliance/KSPM.

It uses the Helm chart sysdig-deploy.

• Helm
• values.yaml

helm repo add sysdig https://charts.sysdig.com
helm repo update
helm install sysdig-agent --namespace sysdig-agent --create-namespace \
--set global.sysdig.accessKey=<ACCESS_KEY> \
--set global.sysdig.region=<SAAS_REGION> \
--set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true \
--set global.kspm.deploy=true \
--set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false \
--set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=true
--set global.clusterConfig.name=<CLUSTER_NAME> \
sysdig/sysdig-deploy

  

## Create a values.yaml file with the following:

 global:
  sysdig:
    accessKey: <ACCESS_KEY>
    region: <SAAS_REGION>
  kspm:
    deploy: true
  clusterConfig:
    name: <CLUSTER_NAME>
nodeAnalyzer:
  secure:
    vulnerabilityManagement:
      newEngineOnly: true
  nodeAnalyzer:
    benchmarkRunner:
      deploy: false
    hostScanner:
      deploy: true

## install as follows:

  helm repo add sysdig https://charts.sysdig.com
  helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.sysdig.yaml

 

Runtime Threat Detection Only

To install only Runtime Threat Detection (Sysdig Agent), use:

• Helm
• values.yaml

helm repo add sysdig https://charts.sysdig.com
helm install sysdig-agent --namespace sysdig-agent --create-namespace \
    --set global.sysdig.accessKey=<ACCESS_KEY> \
    --set global.sysdig.region=<SAAS_REGION> \ \
    --set nodeAnalyzer.enabled=false \
    --set global.clusterConfig.name=<CLUSTER_NAME> \
    sysdig/sysdig-deploy
    
  

## Create a values.yaml file with the following:
global:
  sysdig:
    accessKey: <ACCESS_KEY>
    region: <SAAS_REGION>
  clusterConfig:
    name: <CLUSTER_NAME>
nodeAnalyzer:
  enabled: false

## Then, install with the following:

helm repo add sysdig https://charts.sysdig.com
helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.sysdig.yaml

 

Parameter Definitions

The command above specifies several options:

• --namespace sysdig-agent

  • Specifies that the Sysdig deployment should be installed in the “sysdig-agent” namespace.

• --set global.sysdig.accessKey=<ACCESS_KEY>

  • Specifies the Sysdig access key to use when connecting to the Sysdig backend. Replace <ACCESS_KEY> with your actual access key.

• --set global.sysdig.region=<SAAS_REGION>

  • Specifies the Sysdig region to use. Replace <SAAS_REGION> with the region where your Sysdig account is located.

• --set nodeAnalyzer.secure.vulnerabilityManagement.newEngineOnly=true

  • Enables the new engine for vulnerability management in Sysdig Secure.

• --set global.kspm.deploy=true

  • Enables the deployment of the KSPM Collector and Analyzer components.

• --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false

  • Disables the deployment of the legacy Node Analyzer Benchmark Runner component.

• --set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=true

  • Installs the Host Scanner.

• --set global.clusterConfig.name=<CLUSTER_NAME>

  • Specifies the name of your Kubernetes cluster. Replace <CLUSTER_NAME> with your actual cluster name.

After running these commands, the Sysdig agent and associated components should be installed and running on your Kubernetes cluster, and will begin sending data to the Sysdig backend for analysis and monitoring.

About Host Scanner

The runtime scanner and host scanner are deployed by default with the given Helm commands.

Opting Out

If for some reason you don’t want to use host scanning, you can opt-out using the Helm chart flag:

--set nodeAnalyzer.nodeAnalyzer.hostScanner.deploy=false

Specific Kubernetes Platforms

If you are using Openshift, GKE Standard, OKE, or MKE, you will need to enable eBPF with the following option:

• --set agent.ebpf.enabled=true

If you are using GKE autopilot, you will need to enable the following option:

• -–set agent.gke.autopilot=true

Additional Options

For additional configuration options, including on-premise, using a proxy etc., see the sysdig-deploy readme.

You can also use Helm to

Install Kubernetes Audit Logging (Admission Controller)

Install Rapid Response