Install Host & Cluster Shield on Kubernetes

This page describes how to install the Sysdig Host & Cluster Shield on Kubernetes.

You use the shield chart to install the Host and Cluster Shield components in your Kubernetes environment. In addition to providing instructions for freshly installing the shield chart, this topic also guides you through migrating from previously installed Sysdig components deployed with the sysdig-deploy chart to the Host and Cluster Shield components.

The shield chart deploys the Cluster Shield as a deployment and the Host Shield as a daemonset in your Kubernetes environment.

Prerequisites

Migrate to the Shield Chart

Sysdig introduces a new chart, shield, to install Cluster Shield and Host Shield components. If you have previously installed Sysdig components in your cluster or are considering a fresh installation, use the shield chart instead of sysdig-deploy.

Since the Host and Cluster Shield replace all the components previously deployed using the sysdig-deploy chart, uninstall any existing installation before proceeding. This prevents duplicate entity errors.

To remove an existing installation, run the following command:

helm uninstall sysdig-agent --namespace sysdig-agent

If you are doing a fresh installation, you can ignore this requirement.

Install Using Helm

Configuration File

To install Host Shield and Cluster Shield, you can use the following values.yaml file:

cluster_config:
  # The name of the cluster
  name: <your-cluster-name>

sysdig_endpoint:
  # Sysdig Secure instance location region
  region: <your-sysdig-region>
  # Access key for Sysdig Secure instance
  access_key: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

features:
  kubernetes_metadata:
    # Enable Kubernetes metadata collection for the cluster
    enabled: true

  posture:
    host_posture:
      # Enable host posture assessment
      enabled: true
    cluster_posture:
      # Enable cluster posture assessment
      enabled: true

  vulnerability_management:
    host_vulnerability_management:
      # Enable host vulnerability management
      enabled: true
    container_vulnerability_management:
      # Enable container vulnerability management
      enabled: true
    in_use:
      # Enable retrieval of in-use packages
      enabled: true

  detections:
    drift_control:
      # Enable drift control detection
      enabled: true
    malware_control:
      # Enable malware control detection
      enabled: true
    ml_policies:
      # Enable machine learning policies
      enabled: true
    kubernetes_audit:
      # Enable Kubernetes audit logging
      enabled: true

  investigations:
    activity_audit:
      # Enable activity audit
      enabled: true
    live_logs:
      # Enable Kubernetes live logs
      enabled: true
    captures:
      enabled: true

host:
  # Driver for the host agent (Accepted Values: kmod (Linux Kernel > 5.8), legacy_ebpf, universal_ebpf (Linux Kernel ≥ 5.8))
  driver: universal_ebpf

Google Kubernetes Engine (GKE) Autopilot is not supported in this Technical Preview.

Installation

helm repo add sysdig https://charts.sysdig.com
helm repo update
helm upgrade --install --atomic --create-namespace \
    -n sysdig \
    -f values.yaml \
    shield \
    sysdig/shield

Proxy parameters (set in the proxy section of values.yaml; see Proxy Settings below):

  • http_proxy: Specifies the URL for the HTTP proxy server.
  • https_proxy: Specifies the URL for the HTTPS proxy server.
  • no_proxy: A comma-separated list of hosts or domains to bypass the proxy. For example: localhost,127.0.0.1,.my-cluster.local
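The sample values.yaml above ships with placeholders (cluster name, region, an all-x access key) that must be replaced before helm upgrade --install is run. The following script is an added example, not part of the Sysdig documentation or chart: it checks a values file for leftover placeholders, validates the access key shape (assumed to be a UUID), confirms host.driver is one of the three accepted values listed in the sample, and flags a Rapid Response password that is still the literal <password> placeholder.

```shell
#!/bin/sh
# Added example (not Sysdig's code): sanity-check a shield values.yaml
# locally so placeholders and unsupported driver values fail here rather
# than after "helm upgrade --install" has already started in the cluster.
# Pure POSIX sh + grep/sed; the values file path is the only argument.

# Print the value of the first "key: value" line matching $2 in file $1,
# with surrounding quotes removed.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'"'"
}

# Returns 0 if the file looks deployable, 1 otherwise; findings go to stderr.
validate_shield_values() {
  file=$1
  rc=0
  name=$(yaml_value "$file" name)
  region=$(yaml_value "$file" region)
  key=$(yaml_value "$file" access_key)
  driver=$(yaml_value "$file" driver)

  case $name in
    ''|'<'*) echo "cluster_config.name is unset or still a placeholder" >&2; rc=1 ;;
  esac
  case $region in
    ''|'<'*) echo "sysdig_endpoint.region is unset or still a placeholder" >&2; rc=1 ;;
  esac
  # Assumption: a real access key is a UUID; the sample file ships with x's.
  if ! echo "$key" | grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'; then
    echo "sysdig_endpoint.access_key is not a UUID (placeholder left in?)" >&2; rc=1
  fi
  # Only the three drivers named in the sample values.yaml are accepted.
  case $driver in
    kmod|legacy_ebpf|universal_ebpf) ;;
    *) echo "host.driver '$driver' is not kmod, legacy_ebpf or universal_ebpf" >&2; rc=1 ;;
  esac
  # A Rapid Response password must not be the literal <password> placeholder.
  if grep -Eq '^[[:space:]]*password:[[:space:]]*<' "$file"; then
    echo "responding.rapid_response.password is still a placeholder" >&2; rc=1
  fi
  return $rc
}

# Usage: ./check-values.sh values.yaml && helm upgrade --install ... -f values.yaml
if [ $# -gt 0 ]; then validate_shield_values "$1"; fi
```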

Feature Management

Feature management in Sysdig Host and Cluster Shield is handled through a values.yaml configuration file, where you can enable or disable specific features like posture, vulnerability management, admission control, and detection capabilities. Each feature has associated options, allowing customization to fit your environment’s security and compliance needs.

For example, you can enable host scanning with the following snippet:

features:
  vulnerability_management:
    host_vulnerability_management:
      enabled: true

This setup activates host vulnerability scanning, allowing you to identify and address potential security risks on your cluster’s nodes.

Additional Features

To enable additional features, add the following configuration to your values.yaml file:

Network Security

Add the following configuration to your existing investigations section under the features section.

See Network for details on this feature.

features:
  investigations:
    network_security:
      enabled: true

Rapid Response

Add the following configuration to your existing responding section under the features section.

See Respond for details on this feature.

features:
  responding:
    rapid_response:
      enabled: true
      password: <password>

Proxy Settings

If your environment requires internet access through a proxy server, you can configure proxy settings in the values.yaml file. These settings ensure that Sysdig Host and Cluster Shield can communicate with Sysdig.

Add the following configuration under the proxy section:

proxy:
  http_proxy: http://customer-proxy
  https_proxy: http://customer-proxy
  no_proxy: <comma-separated-list-of-hosts-or-domains>

Advanced Settings

You can use the additional_settings section to configure advanced debugging options, such as log levels, syscall filtering, and DNS detection. Use these settings with caution and contact Sysdig Support for guidance.

For detailed information on configuring the shield chart, see shield.