Kubernetes on Windows

The Sysdig Secure Windows Agent provides runtime detection and policy enforcement for Windows nodes on Kubernetes by leveraging Falco to ensure workload security and compliance. The agent collects data from the Kubernetes node where it is installed, sends the collected data to the Sysdig backend, and syncs the runtime policies and rules from the Sysdig backend to the agent. The agent has two components, the Connection manager and the Security manager, both of which are managed by the agent image.

Prerequisites

  • Windows Server 2019 and above.

  • ACCESS_KEY: The agent access key.

  • COLLECTOR: Use the collector address for your region.

    For more information, see SaaS Regions and IP Ranges.

  • Administrator permissions to perform the operations.

  • kubectl installed.

  • Helm v3.8 and above.

Use Command Line

Runtime Threat Detection

To install Runtime Threat Detection (Sysdig Agent), use:

helm repo add sysdig https://charts.sysdig.com
helm install sysdig-agent --namespace sysdig-agent --create-namespace \
    --set global.sysdig.accessKey=<ACCESS_KEY> \
    --set global.sysdig.region=<SAAS_REGION> \
    --set nodeAnalyzer.enabled=false \
    --set global.clusterConfig.name=<CLUSTER_NAME> \
    --set agent.windows.enabled=true \
    sysdig/sysdig-deploy

Alternatively, create a values.yaml file with the following:

global:
  sysdig:
    accessKey: <ACCESS_KEY>
    region: <SAAS_REGION>
  clusterConfig:
    name: <CLUSTER_NAME>
nodeAnalyzer:
  enabled: false
agent:
  windows:
    enabled: true

Then, install with the following:

helm repo add sysdig https://charts.sysdig.com
helm install -n sysdig-agent --create-namespace sysdig sysdig/sysdig-deploy -f values.yaml

Parameter Definitions

The install command above specifies several options:

  • --namespace sysdig-agent

    • Specifies that the Sysdig deployment should be installed in the “sysdig-agent” namespace.

  • --set global.sysdig.accessKey=<ACCESS_KEY>

    • Specifies the Sysdig access key to use when connecting to the Sysdig backend. Replace <ACCESS_KEY> with your actual access key.

  • --set global.sysdig.region=<SAAS_REGION>

    • Specifies the Sysdig region to use. Replace <SAAS_REGION> with the region where your Sysdig account is located.

  • --set global.clusterConfig.name=<CLUSTER_NAME>

    • Specifies the name of your Kubernetes cluster. Replace <CLUSTER_NAME> with your actual cluster name.

  • --set nodeAnalyzer.enabled=false

    • Disables the vulnerability management feature in Sysdig Secure.

  • --set agent.windows.enabled=true

    • Enables the Windows agent.

After running these commands, the Sysdig Agent should be installed and running on your Kubernetes cluster, and will begin sending data to the Sysdig backend for analysis and monitoring.
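A pre-flight wrapper for the install above, added here as an example and not taken from the Sysdig docs or the sysdig-deploy chart: it checks the Helm version against the 3.8 minimum from Prerequisites, refuses to deploy while an unreplaced <PLACEHOLDER> is still in place (so a literal placeholder never ends up as the access key), writes the values.yaml shown earlier, and then runs the install. It assumes ACCESS_KEY, SAAS_REGION and CLUSTER_NAME are exported as environment variables.

```shell
#!/bin/sh
# Added example, not part of the Sysdig docs. Assumes ACCESS_KEY, SAAS_REGION
# and CLUSTER_NAME are exported by the operator before install_windows_agent runs.

# Return 0 if a Helm version string such as "v3.12.3" or "3.8.0-rc.1" is >= 3.8.
helm_version_ok() {
    v=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')   # strip "v" and pre-release tags
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }
}

# Reject empty values and unreplaced "<PLACEHOLDER>" tokens from the docs.
value_ok() {
    case "$1" in
        ''|'<'*'>') return 1 ;;
    esac
    return 0
}

# Print the values.yaml from this page for the given access key, region and cluster name.
render_values() {
    printf 'global:\n  sysdig:\n    accessKey: %s\n    region: %s\n' "$1" "$2"
    printf '  clusterConfig:\n    name: %s\n' "$3"
    printf 'nodeAnalyzer:\n  enabled: false\nagent:\n  windows:\n    enabled: true\n'
}

install_windows_agent() {
    hv=$(helm version --template '{{.Version}}') || return 1
    helm_version_ok "$hv" || { echo "need Helm >= 3.8, found $hv" >&2; return 1; }
    command -v kubectl >/dev/null || { echo "kubectl not found" >&2; return 1; }
    for val in "$ACCESS_KEY" "$SAAS_REGION" "$CLUSTER_NAME"; do
        value_ok "$val" || { echo "set ACCESS_KEY, SAAS_REGION and CLUSTER_NAME (no <PLACEHOLDER>)" >&2; return 1; }
    done
    render_values "$ACCESS_KEY" "$SAAS_REGION" "$CLUSTER_NAME" > values.yaml
    chmod 600 values.yaml   # the file holds the agent access key
    helm repo add sysdig https://charts.sysdig.com
    helm install sysdig-agent sysdig/sysdig-deploy -n sysdig-agent --create-namespace -f values.yaml
}
```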

For additional configuration options, see the sysdig-deploy readme.