Migrate to Cluster Shield

This topic helps you migrate from previously installed Sysdig components to Cluster Shield. The individual components remain supported and can still be deployed as part of the existing sysdig-deploy Helm chart.

For a fresh installation using sysdig-deploy, see Linux on Kubernetes.

You can also check out the improved shield chart, which is in Technical Preview.

You need a Secure API Token if you enable the audit feature, and also if you are running an on-premises version older than 6.12.0.

Migrate to Cluster Shield

If you have previously installed Sysdig components in your cluster, follow the instructions in this topic to migrate to Cluster Shield, deployed with the sysdig-deploy chart.

The instructions in this section are relevant only to existing users.

The Cluster Shield replaces the following individual components:

  • Kubernetes Audit Logging (Admission Controller)

  • Secure Admission Controller (KSPM + Vulnerability Management)

  • Cluster Scanner (replaces the Runtime Scanner)

  • KSPM Collector

  • Kubernetes Metadata (replaces the delegated agents)

To migrate to the Sysdig Cluster Shield:

  1. Disable the components you have already installed with the sysdig-deploy chart.
  2. Install Cluster Shield.

Disable the Sysdig Components

If any of the following components are deployed, disable them in the sysdig-deploy chart:

  • Kubernetes Audit Logging (Admission Controller)
  • KSPM Collector
  • Runtime Scanner
  • Cluster Scanner
  • Delegated Agents

Add the following settings to your values.yaml, or apply them to your existing installation with the upgrade command for the sysdig-deploy chart. Each block below disables one component.

Disable Kubernetes Audit Logging (Admission Controller)

admissionController:
  enabled: false

Disable KSPM Collector

kspmCollector:
  enabled: false

Disable Runtime Scanner

nodeAnalyzer:
  nodeAnalyzer:
    runtimeScanner:
      deploy: false

Disable Cluster Scanner

clusterScanner:
  enabled: false

Disable Delegated Agents

agent:
  sysdig:
    settings:
      k8s_delegated_nodes: 0

Install Cluster Shield

If you are a new user, see the installation instructions for Kubernetes.

If you have an existing installation of the Sysdig Agent, you can use the usual upgrade command to enable Cluster Shield and the related features:

helm upgrade .... \
  --set clusterShield.enabled=true \
  --set clusterShield.cluster_shield.features.container_vulnerability_management.enabled=true \
  --set clusterShield.cluster_shield.features.audit.enabled=true \
  --set clusterShield.cluster_shield.features.posture.enabled=true \
  ....

The features enabled here, and the component each one replaces:

  • container_vulnerability_management: replaces the Runtime Scanner or the Cluster Scanner component, whichever you had enabled
  • audit: replaces the Kubernetes Audit Logging (Admission Controller) component; this is the feature that needs the Secure API Token
  • posture: replaces the KSPM Collector component
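The two migration steps combined into a single values overlay for the sysdig-deploy chart, as an added example (not taken from the page or from the Sysdig chart itself): it disables every legacy component listed above and enables Cluster Shield with the three replacement features. The global settings that your existing installation already carries (access key, cluster name, region, and the Secure API Token where the audit feature or an older on-premises backend requires it) are assumed to remain in your existing values and are not repeated here.

```yaml
# Migration overlay for the sysdig-deploy chart (added example, not from the page).
# Apply on top of your existing values. Global settings such as the access key,
# cluster name, region and Secure API Token are assumed to be configured already
# and are intentionally not repeated here.

# Step 1: disable the legacy components that Cluster Shield replaces.
admissionController:
  enabled: false            # Kubernetes Audit Logging (Admission Controller)

kspmCollector:
  enabled: false            # KSPM Collector

nodeAnalyzer:
  nodeAnalyzer:
    runtimeScanner:
      deploy: false         # Runtime Scanner (node analyzer sub-component)

clusterScanner:
  enabled: false            # Cluster Scanner

agent:
  sysdig:
    settings:
      k8s_delegated_nodes: 0   # no delegated agents; Kubernetes Metadata takes over

# Step 2: enable Cluster Shield with the features that replace them.
clusterShield:
  enabled: true
  cluster_shield:
    features:
      container_vulnerability_management:
        enabled: true       # replaces Runtime Scanner / Cluster Scanner
      audit:
        enabled: true       # replaces Kubernetes Audit Logging; needs the Secure API Token
      posture:
        enabled: true       # replaces KSPM Collector
```

Apply it with the same helm upgrade you already run for the sysdig-deploy release, passing this file with -f alongside your existing values file (or together with --reuse-values so the global settings are kept). After the upgrade, confirm that the old admission-controller, KSPM-collector, cluster-scanner and runtime-scanner pods are gone and the Cluster Shield pods are running before relying on the new features, so there is no window in which neither the legacy component nor its replacement is enforcing.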

Kubernetes Metadata

The Kubernetes Metadata feature in Cluster Shield collects and sends Kubernetes cluster metadata to the Sysdig backend for enrichment. This feature replaces the previous functionality handled by the Delegated Agent, streamlining how metadata is gathered and utilized.

Configure Kubernetes Metadata

Kubernetes Metadata is enabled and configured on the agent. See Kubernetes Metadata for the settings.

Benefits

Kubernetes Metadata offers the following benefits:

  • Simplifies the agent architecture and improves resilience by removing the need to elect a leader among delegated agents.
  • Reduces resource consumption: delegated agents are memory-intensive, whereas Kubernetes Metadata has a uniform resource usage profile, which makes Kubernetes resource requests and limits easier to size.
  • Caches only the essential Kubernetes resource information, so it consumes less memory than a delegated agent.

This feature generates Kubernetes State Metrics (KSM) and enriches events and metrics with Kubernetes-specific context. When it is enabled, you no longer need delegated agents.