Linux on Kubernetes
Use the shield chart to install Cluster Shield and Host Shield in your Kubernetes environment. In addition to providing instructions for new installations, this topic also guides you through migrating from previously installed Sysdig components deployed with the sysdig-deploy chart. The shield chart deploys the Cluster Shield as a deployment and the Host Shield as a daemonset in your Kubernetes environment. This section helps you install Cluster Shield using the shield chart.
Prerequisites
- Helm v3.10 and above
- Your agent access key
- Sysdig Monitor Endpoint for your Sysdig SaaS region
Coverage Map
Platform | App Checks | Java Management Extensions | Prometheus | StatsD |
---|---|---|---|---|
EKS | ✅ | ✅ | ✅ | ✅ |
EKS Fargate | ✅ | ✅ | ✅ | ✅ |
GKE | ✅ | ✅ | ✅ | ✅ |
GKE Autopilot | ❌ | ❌ | ❌ | ❌ |
IKS | ✅ | ✅ | ✅ | ✅ |
Kubernetes Vanilla | ✅ | ✅ | ✅ | ✅ |
Mirantis (MKE) | ✅ | ✅ | ✅ | ✅ |
Openshift (OCP4) | ✅ | ✅ | ✅ | ✅ |
Rancher (RKE2) | ✅ | ✅ | ✅ | ✅ |
Migrate to the Shield Chart
Sysdig introduces a new chart, shield, to install Cluster Shield and Host Shield components. If you have previously installed Sysdig components in your cluster or are considering a fresh installation, use the shield chart instead of sysdig-deploy.
Since the Host and Cluster Shield replace all the components previously deployed using the sysdig-deploy chart, uninstall any existing installations before proceeding. This prevents duplicate entity errors.
Before uninstalling, make sure to take a backup of your Sysdig deployment to preserve configurations and data.

    helm get values {RELEASE_NAME} -n {NAMESPACE} > sysdig-agent-backup.yaml

To remove an existing installation, run the following command:

    helm uninstall sysdig-agent --namespace sysdig-agent

If you are doing a fresh installation, you can ignore this requirement.
Install Using Helm
Configuration File
To install Host Shield and Cluster Shield, you can use the following values.yaml file:

    cluster_config:
      # The name of the cluster
      name: <your-cluster-name>
    sysdig_endpoint:
      # Sysdig Monitor instance location region
      region: <your-sysdig-region>
      # Access key for Sysdig Monitor instance
      access_key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    features:
      monitor:
        app_checks:
          enabled: true
        java_management_extensions:
          enabled: true
        prometheus:
          enabled: true
          # The content of the prometheus.yaml file
          prometheus_yaml: {}
        statsd:
          enabled: true
    host:
      # Driver for the host agent (Accepted Values: kmod, legacy_ebpf, universal_ebpf (Linux Kernel ≥ 5.8))
      driver: universal_ebpf

Google Kubernetes Engine (GKE) Autopilot is not supported.
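
A pre-flight check for the values.yaml above, as an added example that is not part of the Sysdig documentation or chart: it confirms that host.driver is an accepted value, that universal_ebpf is only used with a node kernel of 5.8 or later, that access_key is not the placeholder, and that the file holding the key is accessible to its owner only. The function names and the simple awk parsing (two-space nesting, unquoted scalars) are assumptions.

```shell
#!/bin/sh
# Added example (not Sysdig code): pre-flight checks for the values.yaml above.
# Function names are illustrative; parsing assumes two-space nesting and
# unquoted scalars.

# yaml_get FILE SECTION KEY: print the value of KEY inside top-level SECTION.
yaml_get() {
  awk -v s="$2" -v k="$3" '
    /^[^ #]/ { insec = ($0 ~ ("^" s ":")) }
    insec && $1 == (k ":") { print $2; exit }
  ' "$1"
}

# kernel_ok RELEASE: succeed when RELEASE (e.g. 5.15.0-105-generic) is >= 5.8.
kernel_ok() {
  case "$1" in *.*) ;; *) return 2 ;; esac
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  [ -n "$minor" ] || return 2
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# check_values FILE NODE_KERNEL: print findings; exit status = number of findings.
# NODE_KERNEL is one node's kernel release, for example taken from
#   kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.kernelVersion}'
check_values() {
  bad=0
  drv=$(yaml_get "$1" host driver)
  key=$(yaml_get "$1" sysdig_endpoint access_key)
  case "$drv" in
    kmod|legacy_ebpf) ;;
    universal_ebpf)
      kernel_ok "$2" || { echo "universal_ebpf needs kernel >= 5.8, got $2"; bad=$((bad+1)); } ;;
    *) echo "host.driver '$drv' is not an accepted value"; bad=$((bad+1)) ;;
  esac
  case "$key" in
    ''|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
      echo "sysdig_endpoint.access_key is empty or still the placeholder"; bad=$((bad+1)) ;;
  esac
  # The file holds the access key in clear text: allow owner access only.
  if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
    echo "$1 is accessible by group or others; run: chmod 600 $1"; bad=$((bad+1))
  fi
  return "$bad"
}

# Usage: sh preflight.sh values.yaml <node-kernel-release>
if [ "$#" -ge 2 ]; then check_values "$1" "$2"; fi
```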
Installation

    helm repo add sysdig https://charts.sysdig.com
    helm repo update
    helm upgrade --install --atomic --create-namespace \
        -n sysdig \
        -f values.yaml \
        shield \
        sysdig/shield

Additional Features
To enable the additional features, edit the values.yaml file to use the following configuration:
Proxy Settings
If your environment requires internet access through a proxy server, you can configure proxy settings in the values.yaml file. These settings ensure that Sysdig Host and Cluster Shield can communicate with Sysdig.
Add the following configuration under the proxy section:

    proxy:
      http_proxy: http://customer-proxy
      https_proxy: http://customer-proxy
      no_proxy: <comma-separated-list-of-hosts-or-domains>

Parameters:
- http_proxy: Specifies the URL for the HTTP proxy server.
- https_proxy: Specifies the URL for the HTTPS proxy server.
- no_proxy: A comma-separated list of hosts or domains to bypass the proxy. For example: localhost,127.0.0.1,.my-cluster.local
Advanced Settings
You can use the additional_settings section to configure advanced options, such as log levels, syscall filtering, and DNS detection. Use these settings with caution and contact Sysdig Support for guidance.
For detailed information on configuring the shield chart, see shield.