Kubernetes
Sysdig offers the sysdig-deploy Helm chart to provide you with a streamlined, repeatable deployment process that is easy to manage and scale.
For information on installing Sysdig Secure, see Install Sysdig Secure in Kubernetes.
Prerequisites
Review the Installation Requirements.
Install the following:
- kubectl
- Helm v3.8 or above
If you are not using the Quick Start Wizard for the installation command, collect the following:
For more information on agent configuration, see Configure Sysdig Agent.
Installation
Log in to Sysdig Monitor as an administrator.
Select Integrations > Sysdig Agent.
Click +Add Account and select Kubernetes Cluster.
The Helm installation method is recommended.
As prompted by the screen, enter the name of your Kubernetes cluster.
The Wizard will auto-populate a code snippet with the cluster name, along with the autodetected Sysdig Monitor endpoint and the agent access key.
Copy and run the Helm commands.
The command uses the sysdig-deploy chart to install the Sysdig Agent:
helm repo add sysdig https://charts.sysdig.com
helm repo update
helm install sysdig-agent --namespace sysdig-agent --create-namespace \
    --set global.sysdig.accessKey=<ACCESS_KEY> \
    --set global.sysdig.region=<SAAS_REGION> \
    --set nodeAnalyzer.enabled=false \
    --set global.clusterConfig.name=<CLUSTER_NAME> \
    sysdig/sysdig-deploy
You can also use a values.yaml to install the agent:
## create a values.yaml file with the following:
global:
  sysdig:
    accessKey: <ACCESS_KEY>
    region: <SAAS_REGION>
  clusterConfig:
    name: <CLUSTER_NAME>
nodeAnalyzer:
  enabled: false
## Install by running the following:
helm repo add sysdig https://charts.sysdig.com
helm install -n sysdig-agent sysdig sysdig/sysdig-deploy -f values.yaml
Pod Security Admission
If you’re enforcing PSA, add the privileged policy to the sysdig-agent namespace:
kubectl label --overwrite ns sysdig-agent pod-security.kubernetes.io/enforce=privileged
Options
The command above has the following options:
- --namespace sysdig-agent: Specifies that the agent should be installed in the sysdig-agent namespace.
- --set global.sysdig.accessKey=<ACCESS_KEY>: Specifies the Sysdig access key to use when connecting to the Sysdig backend. Replace <ACCESS_KEY> with your actual access key.
- --set global.sysdig.region=<SAAS_REGION>: Specifies the Sysdig region to use. Replace <SAAS_REGION> with the region where your Sysdig account is located. For example, us1 for US East (Virginia), us2 for US West AWS, and au1 for AP Australia. See Regions and IP Ranges for more information.
- --set nodeAnalyzer.nodeAnalyzer.benchmarkRunner.deploy=false: Disables the Node Analyzer component. This is used by Secure users only.
- --set global.clusterConfig.name=<CLUSTER_NAME>: Specifies the name of your Kubernetes cluster. Replace <CLUSTER_NAME> with your actual Kubernetes cluster name.
After running these commands, the Sysdig agent should be installed and running on your Kubernetes cluster, and should start sending data to the Sysdig backend.
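Passing the access key with --set leaves it in shell history and in the process list while Helm runs. The following is an added example, not part of Sysdig's documentation or tooling: it checks the Helm v3.8 prerequisite, renders the same values into an owner-only temporary file, and refuses to install if a value is empty or still a <PLACEHOLDER>. The environment variable names SYSDIG_ACCESS_KEY, SYSDIG_REGION and CLUSTER_NAME are assumptions.

```shell
#!/bin/sh
# Added example, not Sysdig tooling. SYSDIG_ACCESS_KEY, SYSDIG_REGION and
# CLUSTER_NAME are hypothetical environment variable names.

# Succeeds if a "helm version --short" string such as v3.12.0+gc9f554d
# is v3.8 or above.
helm_version_ok() {
    ver=${1#v}
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }
}

# Print values for the sysdig-deploy chart. Fails on an empty value, a
# leftover <PLACEHOLDER>, or a character that would break the quoted YAML string.
render_values() {
    for val in "$1" "$2" "$3"; do
        case "$val" in
            ''|*'<'*|*'>'*|*'"'*|*'\'*) echo "unset or placeholder value" >&2; return 1 ;;
        esac
    done
    printf 'global:\n  sysdig:\n    accessKey: "%s"\n    region: "%s"\n' "$1" "$2"
    printf '  clusterConfig:\n    name: "%s"\nnodeAnalyzer:\n  enabled: false\n' "$3"
}

# Install with the key in an owner-only temporary file instead of in argv.
install_agent() {
    helm_version_ok "$(helm version --short)" || {
        echo "Helm v3.8 or above is required" >&2; return 1; }
    values=$(mktemp) || return 1      # mktemp creates the file with mode 0600
    render_values "$SYSDIG_ACCESS_KEY" "$SYSDIG_REGION" "$CLUSTER_NAME" > "$values" &&
        helm install sysdig-agent --namespace sysdig-agent --create-namespace \
            -f "$values" sysdig/sysdig-deploy
    rc=$?
    rm -f "$values"
    return "$rc"
}
```

Export the three variables and call install_agent; the temporary values file is removed whether or not the install succeeds.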
Platform-Specific Options
If you are using OpenShift, GKE Standard, OKE, or MKE, enable eBPF with the following option:
--set agent.ebpf.enabled=true
If you are using GKE Autopilot, enable the following option:
--set agent.gke.autopilot=true
Additional Options
For additional configuration options, including on-premise and proxy connection, see sysdig-deploy.
Configure Prometheus
promscrape is the component responsible for collecting Prometheus metrics from the Sysdig Agent. It is based on Prometheus and accepts the same configuration format. The configuration file contains relabelling rules and filters to remove certain metrics or add some configurations to the collection. For example, add the following to the prometheus.yaml file:
global:
  scrape_interval: 15s
  evaluation_interval: 15s
scrape_configs:
- job_name: 'prometheus' # config for federation
  honor_labels: true
  metrics_path: '/federate'
  metric_relabel_configs:
  - regex: 'kubernetes_pod_name'
    action: labeldrop
  params:
    'match[]':
      - '{sysdig="true"}'
  sysdig_sd_configs:
  - tags:
      namespace: monitoring
      deployment: prometheus-server
sysdig_sd_configs selects the targets obtained by Sysdig Agents to apply the rules in the job.
For information on setting up default integrations to collect Prometheus metrics from cloud-native applications, see Configure Default Integrations.
For more information on filtering rules, see Enable Prometheus Native Service Discovery.
For additional configuration options, including on-premise and proxy connection, see sysdig-deploy.
Add Additional Volumes
To pass new ConfigMaps or secrets used for authentication, you can mount additional secrets, ConfigMaps, or volumes to Sysdig Agent. This is typically useful while authenticating Prometheus endpoints.
For example, you can add the following configuration to your values.yaml:
agent:
  extraVolumes:
    volumes:
      - name: repo-new-cm
        configMap:
          name: my-cm
          optional: true
      - name: repo-new-secret
        secret:
          secretName: my-secret
    mounts:
      - mountPath: mount-path
        name: repo-new-cm
      - mountPath: mount-path
        name: repo-new-secret
The same applies to the kmodule container under daemonset.kmodule.
In some specific cases, such as SLES15 on Rancher, the proper ld-linux-* library is under the host /lib64 so the kernel module build fails. To handle this, add a specific volume mount /lib64 to /host/usr/lib64. For example:
agent:
  daemonset:
    kmodule:
      extraVolumes:
        volumes:
          - name: lib64-vol
            hostPath:
              path: /lib64
        mounts:
          - mountPath: /host/usr/lib64
            name: lib64-vol
Add Additional Secrets
You can create additional secrets to use, for example, for Prometheus basic authentication. The values are opaque-type secrets and must be base64-encoded. For example:
agent:
  extraSecrets:
    - name: repo-new-secret
      data:
        repo-new-key1: <your-password>
        repo-new-key2: <your-password>
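Base64-encoding the values by hand is where stray bytes creep in: echo appends a newline that becomes part of the password, and some base64 builds wrap long output. The following is an added example, not Sysdig tooling, that encodes the exact bytes, verifies the round trip, and writes the extraSecrets fragment to an owner-only file; the secret and key names reuse the sample above and the passwords are constructed.

```shell
#!/bin/sh
# Added example, not Sysdig tooling. The secret and key names reuse the page's
# sample; the passwords used with it are constructed.

# Encode exactly the bytes given: printf '%s' adds no trailing newline (echo
# would), and tr removes the line wrapping some base64 builds insert.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode $2 and compare with the plaintext $1. The appended "x" keeps a
# trailing newline from being stripped by the command substitution.
b64_roundtrip_ok() {
    decoded=$(printf '%s' "$2" | base64 -d; printf x)
    [ "${decoded%x}" = "$1" ]
}

# Print the agent.extraSecrets fragment: secret name, then key/value pairs.
render_extra_secrets() {
    printf 'agent:\n  extraSecrets:\n    - name: %s\n      data:\n' "$1"
    shift
    while [ "$#" -ge 2 ]; do
        printf '        %s: %s\n' "$1" "$(b64_value "$2")"
        shift 2
    done
}

# Write the fragment to file $1 with owner-only permissions.
write_extra_secrets() {
    out=$1
    shift
    ( umask 077; rm -f "$out"; render_extra_secrets "$@" > "$out" )
}
```

The resulting file can be passed to helm install with an additional -f option alongside values.yaml.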
Uninstall Sysdig Agent
If the agent was installed in a Kubernetes environment, remove it by using the standard Kubernetes commands.