Manage Agent Privileges

You can modify Sysdig Agent privileges to enhance the security of your deployments. The Sysdig Agent can operate with the securityContext.privileged parameter set to false, which improves your deployment’s security posture without interrupting essential monitoring and security functions. We recommend configuring the Sysdig Agent with privileged: false to reduce the attack surface and to align with container security best practices.

Benefits of Setting privileged: false

  1. Enhanced Security: By setting the privileged parameter to false, you can limit Linux capabilities, minimizing the attack surface.
  2. Mitigating Risk: Restricting the Sysdig Agent’s permissions helps mitigate risks associated with container privilege escalations.

Prerequisites

  • Sysdig Agent version 13.3.0 and later.
  • The Sysdig Agent operates exclusively with eBPF drivers (either universal eBPF or eBPF based on kernel requirements). Ensure your environment is compatible with eBPF for optimal functionality.
  • The Sysdig Agent does not support Google Kubernetes Engine (GKE) Autopilot.
  • The Sysdig Agent does not support AWS Bottlerocket on ARM architecture.

Disable the Privileged Parameter

To set the privileged parameter to false with Helm, use the sysdig-deploy Helm chart, and specify agent.privileged=false. See Sysdig Deploy.
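
After the chart is deployed with agent.privileged=false, it is worth confirming what the rendered workload actually requests. The following is an added example, not part of the Sysdig documentation or chart: a small Python check that reads a DaemonSet in the JSON shape produced by kubectl get daemonset -o json and reports, per container, whether privileged mode is set and which capabilities are added. The sample manifest, its names, and its capability list are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get daemonset <name> -o json`.
# Names and capabilities are illustrative, not the chart's real output; one
# container is deliberately privileged so the check has something to flag.
SAMPLE_DAEMONSET = json.loads("""
{
  "kind": "DaemonSet",
  "metadata": {"name": "example-agent", "namespace": "example-ns"},
  "spec": {"template": {"spec": {
    "initContainers": [
      {"name": "example-init", "securityContext": {"privileged": true}}
    ],
    "containers": [
      {"name": "example-agent", "securityContext": {
        "privileged": false,
        "capabilities": {"drop": ["ALL"], "add": ["SYS_PTRACE", "SYS_ADMIN"]}}},
      {"name": "example-sidecar"}
    ]
  }}}
}
""")


def audit_privileges(workload):
    """Return one finding per container in the workload's pod template."""
    pod_spec = workload["spec"]["template"]["spec"]
    findings = []
    for kind in ("initContainers", "containers"):
        for container in pod_spec.get(kind) or []:
            ctx = container.get("securityContext") or {}
            caps = ctx.get("capabilities") or {}
            findings.append({
                "container": container["name"],
                "kind": kind,
                # Kubernetes treats an unset `privileged` field as false.
                "privileged": bool(ctx.get("privileged", False)),
                "added_capabilities": sorted(caps.get("add") or []),
            })
    return findings


def privileged_containers(workload):
    """Names of containers that still request privileged mode."""
    return [f["container"] for f in audit_privileges(workload) if f["privileged"]]


if __name__ == "__main__":
    for finding in audit_privileges(SAMPLE_DAEMONSET):
        print(finding)
    print("still privileged:", privileged_containers(SAMPLE_DAEMONSET))
```

An empty result from privileged_containers means no container in the pod template requests privileged mode; the added_capabilities field shows what each container asks for instead.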

To learn more about agent configuration, see Configure the Agent.